# Safe To Use Wifi At The Rv Site?



## TimU (Aug 26, 2014)

Well, I saw a YouTube video, done by some "experts" discussing the safety of using Wifi at an RV site to do your sensitive banking, shopping, etc. I won' say who it was, but it was done late last year, if I recall.

First - I am NOT an internet security expert. I HAVE spent 35+ years programming, and being a sysadmin for Unix systems. So - while I do not consider myself an "expert" in security (my experience is that that job is really a 24x7 job, and highly specialized), I do know a thing or two about computer security in general, securing systems (*nix systems specifically), and hardening systems. I also spend at least 15-20 minutes a day going over what I term "aggregate" tech news sites, so I keep in touch with what's going on, new, etc. Making your living from technology means you can NEVER stick your head in the sand, and you NEVER know it all (my personal belief is that with the spread of technology, you simply can't "know it all" anymore). So, I stay up with what's going on. Especially as it relates to internet security.

Now, on the the subject matter at hand. I felt it important to simply let others (all of you) know that what the two in the YouTube video stated is not only wrong, it is flat-out wrong, and if you continue doing what they espouse - you ARE vulnerable, and your information will probably be gleaned from an MITM (Man In The Middle) attack. I'm not sure how those people stay up with what's going on - but it really seems they just don't. So, I'll break this up into two separate thoughts here:

First - we've been told for YEARS, and I mean YEARS that simply hooking up indiscriminately to wifi "hot spots" is a bad idea. Why? Well, I can take my Linux laptop, and with about 10 minutes of downloading some software and a bit of configuration, make my laptop _appear_ as a hot spot, waiting for you to connect. Let's say the REAL hotspot name is "xyzRVCampground". I decide to name mine "xyzRVCampground2". "Gee, isn't this campground nice? They made TWO hotspots for me to connect to". Meanwhile, I simply make my laptop a "pass-through" device, so I connect to the REAL hotspot, you connect to me (because I've got a MUCH stronger signal), and I see EVERYTHING YOU SEND. Right now, you are thinking "oh you silly boy - that's what HTTPS is for - it's _SECURE_." Uh-huh. Since you aren't in the business, I'll forgive you for not knowing. Please Google "Heartbleed". Came out last year. It turns out that since it's inception, there's been a bug in SSL (the HEART of HTTPS), and it ain't so secure. In fact, once you know how to exploit it - it's a snap. And this was something that was on the *SERVER* side of the communication. At it's height, basically the entire world was vulnerable (it was at first thought that Windows was immune - however, turns out EVERY Operating System was affected). Nothing you could really do about it. It's been patched - however, there was a test just a month or so ago, still showed that about 30-40% of the web servers running STILL HADN'T BEEN PATCHED.

So - you weren't safe, I could read ALL of your HTTPS traffic with my "Man in the Middle" attack, sitting in my camper two sites away from you. See your account number, password, etc. Oh, and a new one emerged about a month ago. Turns out that all that encrypted traffic, that's supposed to have all these unique keys to encrypt the traffic - turns out that software on the servers took a lazy approach, and cached those encryption keys (the keys take a bit of processor overhead to generate each time), so they wouldn't have to work so hard. So, they used the same key. Turns out it was fairly simple to get that too, and use it - to YOUR disadvantage. Please note - that was a separate vulnerability from Heartbleed.

Now, on to the hardware itself - the actual router that is used by the kindly RV campground staff. First - please don't think I'm trying to paint any of them as evil, or out to get you. They are hard working people just like us. But remember, expect for extremely rare occasions, they aren't up on technology either. Not their bailiwick, so to speak. And, most of them simply get this installed by some local computer company, or their internet provider. I'm going to link to articles here (all I did was a quick Google search for "wifi router vulnerability"). Some of these are a few years old, some are extremely new. A few of the articles deal with "home" wifi routers. Please don't think that the RV sites are going to use the much more expensive business wifi routers. Some of these can go for several hundred dollars. I've got more high-end home routers, and they are $200 each. Most campgrounds (and what gets installed at most of these sites) are home-grade under $100 wifi routers. You read and decide for yourself:

Two new tools exploit router security setup problem

Top Wi-fi routers easy to hack, says study

Asus, Linksys router exploits tell us home networking is the vulnerability story of 2014

Your Router's Security Stinks: Here's How to Fix It

 Offline attack shows Wi-Fi routers still vulnerable

Flaw lets hackers break your WiFi router's security with one guess

Wi-Fi router security: Assessing the vulnerability of backdoor attacks

Big Vulnerability in Hotel Wi-Fi Router Puts Guests at Risk

Ok - so what do you do?

First - assume you will be hacked. Sorry to say it - it's GOING to happen. No matter who you are, no matter if you only have $50 in your account, etc. At some point, you will be hacked. So - assume it. All the time.

Second - do what you can to protect yourself. Honestly - it's doggone little these days. BUT, you can at least attempt to obscure your traffic. Use a PROFESSIONAL VPN SERVICE. I'm not going into the details of a VPN, or explain it, but you look it up and decide if it's for you. Services don't cost a lot - but the professional ones DO cost.

Instead of a VPN - you might use TOR. www.torproject.org. Now, before you jump on the bandwagon here - realize that TOR still _generally_ seems "safe", but because of it's known properties, it is used by terrorists and criminals. SO - using TOR might make you "a person of interest" to the FBI/NSA/whoever else. And no, I'm not kidding - so consider that before you download and install it. Also - you really need to pay attention to what the TOR site tells you to do to be safe. That means a lot of what you might normally do - you shouldn't do with TOR, since it "exposes" you.

Third - wait until all the vulnerabilities are fixed, and it's safe to go "back in the pool again". This goes back to the "Red Book" of security. It means you physically secure your computer (like in Fort Knox), you remove all floppy drives, networking, bluetooth, USB ports, etc. NO CONNECTIONS TO THE OUTSIDE WORLD. NO POSSIBILITY TO LOAD ANYTHING OR COPY ANYTHING OFF THE COMPUTER. Simply put - this ain't gonna happen. Ever.

So - what to do? You can't stop using (you junkie, you), generally speaking, in today's world. So, here's some friendly advice:


NEVER connect to any wifi router, without confirming it's the one provided by the hotel/RV campsite, etc.
Even though it was hacked (now mostly fixed), use HTTPS whenever you can. NEVER DO ANY TRANSACTIONS OF ANY KIND (buying, banking, etc.) WITHOUT IT.
Make sure your system is FULLY PATCHED, INCLUDING YOUR BROWSER. If you are still using Windows XP or Vista - UPGRADE! Yes, I know Windows 8.x sucks (I left Micro$oft after using DOS/Windows for over 25 years and went to Mac)
KEEP YOUR PERSONAL WIFI ROUTER UPDATED AS WELL. If there are no further updates from the manufacturer, check into some alternatives - Tomato router, etc. Several alternative embedded operating systems to install on those little boxes - but not ALL those little boxes.
Seriously consider a professional VPN service - and use them - along with HTTPS, and your fully patched computer AND browser.
Oh, did I mention KEEP YOUR SYSTEM PATCHED AND UP TO DATE - everything. Your browser, etc.

Now, other than sounding the alarm (in case you weren't until after you read this), I'm NOT GOING TO ADVISE YOU. Again, I don't consider myself an expert, but I do consider myself knowledgeable and very well-read on the area. I leave it to you to read some sources for yourself (most of those links do have links to other sources), and to do some research. If you can't update your home/RV wifi router - you might give SERIOUS consideration into purchasing a new one (I have NO stock in any tech company, unless my little bit of money market account does. I mostly go for "indexed" stuff these days). And DO YOUR RESEARCH to make sure that the router you purchase is supported by some alternative software (Tomato, DDWRT, etc.) that gives you the ability to keep it updated when the vendor decides not to any longer (about 3 weeks after you buy it...)

So - please use this as a more common-sense approach than that espoused on the YouTube video. It's dangerous out there. Quite frankly, if I were one of the "black hat" type guys, I'd seriously consider targeting some of those RV sites "down south" for those snowbirds that live there 6 months out of the year. Get close to some of those Class A rigs, "bus" conversions, etc.

Please be careful - always think "they're out to get me" (even paranoid schizophrenics sometimes actually have people out to get them), keep in touch - some of those sites I listed above are "aggregate" sites, that have lots of tech news/articles from a variety of sources. And, treat the internet like one of those dark alleyways in (pick the crime-ridden city of your choice).

Be safe.


----------



## egregg57 (Feb 13, 2006)

I go to campgrounds to relax. Banking is the last thing on my mind and most of the campgrounds I have visited have thier WiFi throttled. Not much good for much more than surfing...slowly.

I leave business at home.


----------



## TimU (Aug 26, 2014)

ob277rl said:


> TimU with our cell plan, while away, we use the GB on our phones. Because we use Wi-Fi at home and our plan has rollover on the unused portion of our GB, we stay away from Wi-Fi services. If for some reason we need more GB the automatic up charge is still a cheap price for piece if mind. Good Luck.
> 
> Robert


This might be one of the better options. Especially if your connection with your phone is bluetooth. Limited range (30 ft. max - supposedly, although I've never achieved that much distance).

My home wifi is "relatively" secure - or as secure as you can think it might be. I live in the county - suburbia, if you will, and the nearest neighbor's house is 100 yards away (lots of 4 acre tracts). I go out and test mine frequently to see just how far away from my house my wifi can be seen, and how far to connect. Usually only 30 or so feet outside of my house, and after that, you can't see it. Could easily still be seen and connected to with the old "Pringles Can" antenna trick (Google "cantenna"). Cantennas can allow connections, depending on signal strength, atmospherics, the hardware, and the drivers - of up to a mile or more (line of sight). Several years ago, the University of New Zealand created a "cantenna" setup that went across the bay(?), about 19km (if my memory serves).

Or use an old satellite dish, with a cantenna as the horn, or concentrator.

So - always a good idea to go around the outside of your house, and get an idea of just how far your wifi signal can be seen.

Anyway - my post wasn't to frighten anyone (maybe shock a few out of their cozy, safe thoughts) - but to get people thinking about the realities of this form of communication. And, as a hopefully informative counterpoint to the video I saw.


----------



## Leedek (Nov 28, 2010)

Not proud of the fact I used to use the neighbors wifi connection. It always amazed me the anyone would have an unsecured network. It was a decade or so in the past. People seem to be a bit more tech-savvy today.

I appreciate your post Timu. It made me go and log into my router and check a couple of things. It won't be long before THE major internet crash takes place. My bet is there will be a failure in the grid and our nation will go dark. Grid failure is likely as there are way too many vulnerable targets for those bent on our destruction.

Gee.... such delightful talk on this Sunday morning. Now go have a great day!







( That's me in the middle with Robert on my left and Timu on my right! )


----------



## TimU (Aug 26, 2014)

Leedek said:


> Not proud of the fact I used to use the neighbors wifi connection. It always amazed me the anyone would have an unsecured network. It was a decade or so in the past. People seem to be a bit more tech-savvy today.
> 
> I appreciate your post Timu. It made me go and log into my router and check a couple of things. It won't be long before THE major internet crash takes place. My bet is there will be a failure in the grid and our nation will go dark. Grid failure is likely as there are way too many vulnerable targets for those bent on our destruction.
> 
> Gee.... such delightful talk on this Sunday morning. Now go have a great day!


Yeah. I'm amazed at this point - that it hasn't happened already. While I'm sure several will think that I am an idiot for believing such things - to be honest - you have NO idea how much more fragile our society has become by accepting so much technology. We could lose our entire power grid - for years - just due to the sun "burping", much less an EMF burst. Oh - and in that event - you lose your phones, computers, your car won't start anymore, your money is gone (except for what you buried in the back yard in Mason jars (grandparents may not have been so nuts afterall?). The list goes on. EVERYTHING we depend on in our everyday lives - gone in a flash. Don't mean to sound so apocalyptic - but the "West" has an EXTREMELY fragile society built on these devices - which are also now proving to be extremely insecure.

We've lost so much information (and VAST amounts of common horse sense), and "how to do" things.

*sigh*

But - i don't dwell on it - one day at a time.
I still live for the future - the past is so - yesterday.
And my hope is we all grow up (no matter how old you are), and realize this is a pretty small dust mote in the universe, and change our behavior.


----------



## Leedek (Nov 28, 2010)

It really doesn't take EMP or solar flares to bring down the power grid. A few marksman could do it. Read this report: U.S. Power Grid Vulnerable to Attack: Congressional Research Service

I guess we're way off RV forum material but the information here is important. It really comes down to a survival mode of living should the grid go down for any length of time. A few bottles of water and some MREs may not be enough. I pray it doesn't happen but the possibilities should not be ignored.

Oh... Robert... spitting-image..... yep!


----------



## TimU (Aug 26, 2014)

Just saw this update this morning:
D-Link says sorry for shoddy security and sloppy patching of its routers


----------



## JerryCamper (Apr 9, 2015)

TimU said:


> Be safe.


Thanks Tim, this is great information and most people have no idea the security risks.
If I need to do banking while camping I will use my phone and turn WiFi off. I figure that the cell phone towers are safer than some campgrounds security who may or may not be aware of security issues.
I do however, use the campground WiFi for Netflix and music and looking stuff up, usually camping related.


----------



## TimU (Aug 26, 2014)

JerryCamper said:


> Be safe.


Thanks Tim, this is great information and most people have no idea the security risks.
If I need to do banking while camping I will use my phone and turn WiFi off. I figure that the cell phone towers are safer than some campgrounds security who may or may not be aware of security issues.
I do however, use the campground WiFi for Netflix and music and looking stuff up, usually camping related.
[/quote]

Well, may need to rethink that. Just found this today:

1,500 iOS apps have HTTPS-crippling bug

Don't think iOS is alone. Android's got issues too.

Might want to use this site to lookup vendors for your apps on your phone - see if they're patched or not Patched apps

As I said - you may as well assume your security is broken. I change my passwords (and even my userids - when allowed), every month or two on all my sensitive accounts.


----------



## TimU (Aug 26, 2014)

TimU said:


> Well, may need to rethink that. Just found this today:
> 
> 1,500 iOS apps have HTTPS-crippling bug
> 
> ...


Oh - to be clear (I wasn't thinking of those who aren't "into" this stuff)- your SYSTEM is not compromised - only what you transmit using the specific application. So, if "thatspecialappIuse" is part of the issue, then "Itunes" on the device isn't compromised. Just so it's clear.


----------



## TimU (Aug 26, 2014)

JerryCamper said:


> Be safe.


Thanks Tim, this is great information and most people have no idea the security risks.
If I need to do banking while camping I will use my phone and turn WiFi off. I figure that the cell phone towers are safer than some campgrounds security who may or may not be aware of security issues.
I do however, use the campground WiFi for Netflix and music and looking stuff up, usually camping related.
[/quote]

Also - just FYI. Google "Stingray". Your cell traffic is easy to intercept too. While mostly used by Law Enforcement (and spy agencies, etc.) - there were devices capable of being owned by "induhviduals", if you will, who could do some things like "sniffing" cell traffic. Not as sophisticated as the FBI's Stingray device (as I recall), but more than adequate for uses to gain info.

I know several who might say, "if you have nothing to hide, what do you care?". The point is - I'm not doing anything illegal, and it's none of their business. I do NOT believe in "security at any price". Just like there is no internet security, or anything that can stay ahead of the bad guys - the same applies to any other type of security. I'm not gonna get political about this - both parties are a part of the problem.


----------



## TimU (Aug 26, 2014)

ob277rl said:


> TimU you have me convinced, I have decided to go back to using encrypted smoke signals LOL. GoodLuck.
> 
> Robert


That'll work!


----------



## TimU (Aug 26, 2014)

All,

Here's what I do to attempt to keep myself as secure as I can:

ONLY use the internet on "known" devices - primarily YOURS. Do NOT use those kiosk terminals for anything that you need to login for - ANYTHING.
On your system - depending on browser and OS - install a browser cookie/database/etc. cleaner. I use a Mac and generally Safari, so I use SweetPProductions "Cookies". It isn't 100% (none of them are) so ALWAYS check online to see where other nooks and crannies are that cookies/cache/etc. are stored - and delete them. I have "Cookies" set to delete everything everytime I quit the browser.
I quit my browser after EACH AND EVERY connection to ANY secure site. Which deletes my cookies, etc. 
If you have a "continuous" backup (I have TimeMachine on a Mac) - exclude those folders/files where all the cookies/cache/etc. are stored. Export your bookmarks for backups, delete about everything else.
Use some type of program that is a "packet sniffer" on YOUR machine. On a Mac - I use "Little Snitch". It informs me of ANY in/out bound traffic, and asks me to approve it. Basically, a firewall YOU configure. If anything looks suspicious, I disallow it, etc. Sometimes, I just force shut-down my system - just to be sure.
KEEP EVERYTHING UPDATED. You might wait a day or so when updates come out to see if any updates have hammered systems (they do from time-to-time), but KEEP IT UPDATED.
Change passwords and userids (if you can) FREQUENTLY. I change mine every couple of months for SECURE sites.
If you are on Windows - GET MALWAREBYTES.ORG utility! Make a bootable DVD/USB so you can boot a clean system from that device, and run MalwareBytes utility on it. You will need to update that frequently too. This is one of the better free solutions to ridding yourself of the majority of virii (you may have some and not even know it right now).
RESEARCH, RESEARCH, RESEARCH. Don't take my word for it - CHECK THIS STUFF OUT BEFORE YOU USE IT.
Get an anti-virus and keep it up to date. Stay with one of the better known ones - not obscure. On windows systems, I've used Avast.com's antivirus. It's free. It isn't easy to find the free one - but you can find it.
And finally - apply some common sense. DO NOT DOWNLOAD UTILITIES, DRIVERS, ETC. except from the REAL vendor. Don't use the downloads at CNET.COM, or BrotherSoft, or any of those other sites. Almost all of them inject at least adware into the downloads, and several inject actual malware into the downloads.

And finally, sleep tite and don't let the bed bugs bite.

This may seem ridiculous, but in over 35 years of computing, I only got ONE virus on a Windows box - due to using Outlook, and the preview pane that would actually execute code when it hit the preview pane in Outlook (that was 17 years ago or so). I haven't had anything on my Mac. (Macs and Linux are architected a bit differently, and they are generally affected far more by trojans, than "drive-by" malware).


----------



## TimU (Aug 26, 2014)

ob277rl said:


> Tim something scary happened last night while using the web. I typed Oriley auto parts into the address bar to find their website. Without paying good attention to the first item on the list that had Oriley in the heading it was one of those websites that has listing to several possible choices. Realizing this wasn't the Oriley website to the online store I was looking for I hit the back button to go back to the original list and choose more carefully. Here is where things got weird, a so-called security pop-up appeared and froze the browser. It claimed to be Microsoft and I needed to call this number to get a fix from a Microsoft service agent. (1-888-711-5651) Realizing the screen was froze I went down to the task bar and brought up MacAfee to start a security scan and it did. Next I disconnected the computer from the internet and looked up the phone number in Safari on my I- phone. I always use the website 800notes.com to find out what a phone number is about. People ask questions and post their findings and experiences with a particular number. As it turned out several people have had this happen to them also and I found the answer to how to correct the fix I was in. Turns out the easiest fix was to bring up task manager and turn off/ remove the popup there. I let MacAfee complete its scan which turned up negative for viruses. I did a complete delete on the browser history, a complete disk cleanup, and had McAfee do a Quick Clean which looks at the registry and many other important areas. So far everything appears to be ok. Good Luck.
> 
> Robert
> 
> PS: The McAfee Site Advisor indicated that the first selection I went to was a safe site, so I don't know where or how the scam popup appeared.


Glad you got out of it. That's what I meant by "shut down my PC". A few of those occur, and most of the time, it seems, just shutting down the browser and the PC keeps it from hitting you. I avoid ALL advertised Google/Bing/whatever sites. They've obscured it a bit, but it's still easy to tell the ads from the non-ads. Stay away from the "top ads".

No offense to anyone, but I've never been impressed with McAfee. Not all that good IMHO. Kaspersky comes out on top the majority of the time. Might check these links:

http://www.pcmag.com/article2/0,2817,2372364,00.asp

http://www.pcmag.com/article2/0,2817,2372364,00.asp <- Best free

I've decided to put the links this way - so you can see what the link is. You'll have to copy/paste the linkee-poo.


----------



## TimU (Aug 26, 2014)

This just in this morning:

http://gizmodo.com/security-bug-lets-attackers-crash-any-iphone-or-ipad-wi-1699376518


----------



## TimU (Aug 26, 2014)

Just want to point out to those who are scared to death - this all is actually GOOD news. Regardless of your feelings towards Edward Snowden, he's gotten computer security people checking into every nook and cranny on computers, networks, etc.

They've found and fixed DOZENS of security issues. Many are still being worked on. So - good news is - they are finding and fixing them. Bad news is - ALL software has bugs, regardless of manufacturer - some disastrous.


----------

