Utilizing a VPN or SSH tunnel to secure your data on a public hotspot
Recently I had a client call me in a panic asking what to do about their hacked Yahoo account. Of course, the first thing anyone should do is CHANGE YOUR PASSWORD ASAP! Assuming the hacker hasn’t already changed it and locked you out of your own account, changing the password puts you back in control. But without knowing how the hacker gained access, they may just hack it again.
After a short discussion we discovered that the trouble started when my client had connected their Android phone to a public hotspot to check email. This was done through an unsecure connection. No password was required to access the wifi connection, and no HTTPS was used to access the email.
A little history: Last year a programmer named Eric Butler released a program, for free download, designed to illustrate how easily the login information of users on public hotspots can be stolen. This program is widely available now. Many people have downloaded and tried it out it because they are curious about what it can do, or want to take measures to safeguard their data. But others are out to do harm or take advantage of having easy access to your facebook, twitter, yahoo, etc accounts.
See:
- en.wikipedia.org/wiki/Firesheep
- mashable.com/2010/10/28/firesheep-vpns/
- http://www.tuaw.com/2010/10/26/how-to-guard-yourself-and-your-mac-from-firesheep-and-wi-fi-snoo
So I set out to find a way of easily and inexpensively protecting myself and anyone interested against identity theft. I like the convenience that public hotspots provide, so I still want to use them, but do so in a secure and easy to use way.
The method I chose is the tried and true do-it-yourself project. It was not easy, but the knowledge I gained in the process is invaluable. After a small investment in hardware (~$50) I now have a system in place that I can use indefinitely.
What are the general steps? Note, this is not intended to be a step by step guide. These are just some of the important discoveries I made. Contact me if you have questions.
- Purchase one of the routers on this list: http://tomatousb.org/doc:build-types
I chose the WRT54GL v1.1 since it’s the one used in most online guides. Though there are nicer, newer, and faster routers with more internal flash memory. - Flash the tomato firmware onto the router, replacing the stock firmware and adding the needed functionality for protecting our Internet traffic i.e. SSH and VPN. I chose the newer Victek firmware, but tomatousb will work too. http://victek.is-a-geek.com/tomato.html
- Next I connected the WAN port on my shiny new tomato router to one of the available LAN ports on my existing (EnGenius) router. Like many newer routers, the EnGenius has a feature for assigning DHCP reservations. It’s nice because you can name your devices and prevent their IP address from changing. Then it’s easier to setup port forwarding of necessary Internet traffic related to SSL and VPN tunnels.
- Then I utilized a cool little program called PuttyGen to generate the SSH key pairs using RSA 1024-bit encryption. I did this for each of my devices that I might want to connect to a public hotspot like my Android phone and my laptop. The public keys go into the tomato router and the private keys get assigned to the remote device. There’s also a nice little conversion tool in PuttyGen to convert your private Putty key to the OpenSSH standard for use with Android phone apps like SSH Tunnel.
- For my laptop I used the plain Putty app. What’s interesting is how it establishes the SSH tunnel using the port I chose to forward earlier from my EnGenius router to the tomato router for SSH traffic, but then also creates a “source port” for use by other programs on your computer like Firefox or Chrome. 127.0.0.1 and the source port are used in the proxy settings of the browsers to utilize this SSH tunnel that Putty has established.
- If all you care about is protecting your web browser traffic, an SSH tunnel is all that’s needed. But for encrypting everything else that might communicate over the public hotspot, a VPN connection will handle that. I chose OpenVPN since it works well with the tomato firmware and is completely free. I followed this nice howto guide through the first seven bullets:
http://www.openvpn.net/index.php/open-source/documentation/howto.html
After putting the proper key files into the tomato router and also each remote device, the VPN connection worked like a charm! It was a lot of fun to see it connect and work. - On Android I found two nice apps called OpenVPN Installer and OpenVPN Settings that made it much easier to establish the VPN connection. Once I found the right tun.ko file to use for my Liquid Smooth ROM (version 3.2), and utilizing Android Terminal Emulator to create symlinks in two places, it worked!
- Next I learned how to configure the OpenVPN connection on my laptop to use the SSH tunnel through Putty. HA! I’d like to see a would-be hacker try to steal my data now. :P
