Opened 7 years ago

Closed 7 years ago

#9463 closed enhancement (fixed)

WiFi auto-connect = ticket to jail

Reported by: ASoftwareHatingFurry Owned by: axeld
Priority: normal Milestone: R1
Component: Network & Internet/Wireless Version: R1/Development
Keywords: connecting open unencrypted default automatically automatic hacking security associating associated ssid Cc: HubertNG@…
Blocked By: Blocking:
Has a Patch: no Platform: x86


Neighbour is polishing the barrel of his shotgun, I'll keep this quick..

The automatic connection to the first open network Haiku sees at boot up is potentially very dangerous. My network is WPA. It is really easy to forget to select the correct network, and end up walking right into sticky situations:

  • Checking e-mail: plaintext password has been splattered all over the RF spectrum.
  • Checking FurAffinity, even more stuff splattered all over, and if the neighbour has logging enabled on their router I'm done for.
  • Downloading ISOs, two and counting.
  • Trying to FTP into my private server. Of course it fails, but if my neighbour happened to be watching, they could theoretically delopy an FTP server and trap me, taking my password as I attempt to log into it.
  • Luckily the neighbour's network has not been used for private IRC chat yet. If that sort of stuff gets leaked, I'm just going to dig a hole and bury myself.
  • May end up in prison or at least fined, connecting to a neighbour's network is technically illegal, especially if you steal gigabytes of their bandwidth.

Filed as an enhancement rather than a bug because there seems to be a workaround by using the commandline to connect, and putting it in the user boot script (I haven't tested this yet)

I do hope this behaviour will be changed before R1, I can't really see the utility of connecting automatically to some random network that you have no idea about, but clearly there is potential for harm by connecting.

Change History (5)

comment:1 by axeld, 7 years ago

Point taken.

Out of curiosity: where are you living? At least where I live (Germany) the owner of the network has full responsibility of the traffic that goes over it, and it's legal to connect to an open WLAN; why should it be open otherwise?

comment:2 by umccullough, 7 years ago

At least in the U.S. I don't think it's yet a crime to connect to someone else's open wifi network... perhaps your neighbor should spend more time securing his router rather than polishing his guns ;) There may be some jurisdictions that consider connected to a "public" connection without permission is a crime, but I can't imagine that would hold up in an appeal.

However, it is certainly a security concern to connect to 1) an unencrypted router, and 2) one that you don't trust.

I like that most OSes auto-connect to SSID's they recognize from previous user-initiated connections, and the ability to "forget" a connection you no longer wish to connect to automatically. It also makes sense to prefer an encrypted connection over non-encrypted, and warn the user when they're connected to a non-encrypted SSID.

comment:3 by ASoftwareHatingFurry, 7 years ago

axeld - I'm in the UK, where it's supposedly a crime to do this. Here's some interesting articles on the subject, it appears it's illegal in quite a lot of places:

In all seriousness I'm not really worried about legal action, but it does seem like the software should try to do the right thing. For some people it might be a more serious issue.

umccullough - SSID-remembering would definitely fix the problem, it wouldn't even have to remember the password (yet), just dump the SSID of the last-used network into a text file and use that.

For remembering multiple networks, how about something like this?

  • Each network successfully manually connected to has a file written into a special folder in ~/config/settings
  • The file has the SSID, MAC address and other relevant information recorded as attributes on the file
  • The password could be stored as an attribute too. This gets password saving up-and-running without having to wait for a password manager. And when the password manager is ready, just encrypt the password stored in the attribute and use the password manager to decrypt it. The password manager is then just an encryption/decryption service rather than a big opaque storage blob.

This would have the advantage of being able to easily manage "remembered" networks in Tracker, with a particular set of attribute columns selected for that folder in Tracker. Right-clicking the network deskbar applet and selecting "manage networks" would simply open this folder, much like clicking the mail icon opens the inbox folder. IMHO this would be more Haiku-like than some kind of monolithic network manager program to edit the data stored in a custom settings file or database. For a long time in Ubuntu I couldn't change the settings for any of the wireless networks because Network Manager would crash. It would have been so much easier to just go in and edit or delete the appropriate single network file without having to wipe the entire configuration!

I also wonder if this same mechanism could be used to actually configure the networks, including the wired network. Attributes for IP address, subnet mask, DHCP on/off, etc.? Or is this taking it too far? In general I like the idea of using Tracker to view or edit data such at this, as far as practically possible. It's an app the user already knows how to use, and that counts for a lot!

comment:4 by Hubert, 7 years ago

Cc: HubertNG@… added
Version: R1/alpha4.1R1/Development

ASoftwareHatingFurry +1

I personally know this problem for two years. No matter where I live is. Some people do not even know they have a unsecured routers. I will not be running around the neighborhood and looking for a neighbor who does not know what it is WPA. In addition on my district is open network, which logs in the browser and I have that 4 access point near. Of course Haiku always grabs one of them which to me is unnecessary because Im not use them.

comment:5 by diver, 7 years ago

Resolution: fixed
Status: newclosed

Fixed in hrev45435.

Note: See TracTickets for help on using tickets.