How to avoid being the victim of DroidSheep?

A new Android application is somewhat chilling: DroidSheep lets anyone on a local Wi-Fi network take over the sessions that other users have open (Facebook, for example) without ever entering a password. All it takes is an ordinary smartphone and a single click… How does the application work, and how do you protect yourself against it?

Do you remember Firesheep and FaceNiff? DroidSheep offers roughly the same “service”: once connected to a Wi-Fi network, the Android application can “sniff” the sessions opened by the other users of that network and let its user take over those sessions in their place: Facebook, Twitter, Yahoo, Live, Flickr, etc.

DroidSheep therefore goes further than its cousins Firesheep and FaceNiff, in that:

  • Unlike Firesheep, which is a browser extension, it is a smartphone application, and therefore very mobile
  • It can take over many different kinds of accounts, not just Facebook
  • One click is enough to start impersonating someone.

How does DroidSheep work?

When a user wants to log in to one of his online accounts, for example the professional social network LinkedIn, he first enters his credentials (username and password). He then browses his personal space freely. In reality, though, HTTP has no memory: every single request sent to the site has to be authenticated again. Since re-entering a password every few seconds would be unbearable, the site (here LinkedIn) sends the browser a cookie, a small piece of text that holds a session identifier (not the password itself) plus whatever other information the site finds “useful”. The browser attaches this cookie to every subsequent request, and the site treats whoever presents it as the logged-in user, without the user noticing anything. Almost every website works this way today.

Once connected to a Wi-Fi network, DroidSheep can intercept the cookies that the other users of that network exchange with websites. Because a session cookie is all the site checks, the application can present the captured cookies as its own and offers to use the collected identities on the sites concerned: social networks, shopping sites, messaging services, forums, etc. The trick takes one click, and here is what it can produce:
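To make the two paragraphs above concrete, here is an added example (not code from the article and not DroidSheep's code): a toy cookie-based login service, and a passive observer that reads the Cookie headers out of plaintext HTTP requests. The service, the user “alice”, the hosts social.example and cdn.example and the captured traffic are all constructed for the example. The point it demonstrates is that the server checks the password exactly once and afterwards accepts the session cookie alone, so whoever copies the cookie off the network is the user.

```python
import secrets
from typing import Optional


def parse_cookie_header(value: str) -> dict[str, str]:
    """Split the value of a request 'Cookie:' header, 'a=1; b=2', into a dict."""
    cookies: dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


class ToyService:
    """Server side of a cookie-based login, as the paragraph above describes it.

    The password is checked exactly once, in login(). Afterwards the 'sid'
    cookie alone identifies the user on every request: whoever presents it
    is treated as that user (a bearer token)."""

    def __init__(self, users: dict[str, str]) -> None:
        self._users = users                    # username -> password (constructed)
        self._sessions: dict[str, str] = {}    # sid -> username

    def login(self, username: str, password: str) -> Optional[str]:
        if self._users.get(username) != password:
            return None
        sid = secrets.token_hex(16)            # random, unguessable session id
        self._sessions[sid] = username
        return sid

    def whoami(self, cookie_header: str) -> Optional[str]:
        """Authenticate a request from its Cookie header only; no password involved."""
        sid = parse_cookie_header(cookie_header).get("sid", "")
        return self._sessions.get(sid)


def cookies_seen_on_the_wire(capture: str) -> dict[str, dict[str, str]]:
    """What a passive sniffer on the same Wi-Fi learns from plaintext HTTP.

    `capture` holds one or more raw HTTP/1.1 requests separated by a blank
    line. Returns {host: {cookie_name: value}} for each request that carried
    a Cookie header. HTTPS requests never reach this function: their headers
    travel inside the TLS tunnel."""
    seen: dict[str, dict[str, str]] = {}
    for request in capture.strip().split("\n\n"):
        host, cookies = None, None
        for line in request.splitlines():
            header, _, value = line.partition(":")
            if header.lower() == "host":
                host = value.strip()
            elif header.lower() == "cookie":
                cookies = parse_cookie_header(value)
        if host and cookies:
            seen.setdefault(host, {}).update(cookies)
    return seen


def demo() -> tuple[str, Optional[str]]:
    """Alice logs in once; an observer sniffs her next request and replays the cookie."""
    service = ToyService({"alice": "correct horse battery staple"})
    sid = service.login("alice", "correct horse battery staple")
    # Constructed plaintext traffic: Alice's browser after login, plus an
    # unrelated image fetch that carries no cookie.
    capture = (
        "GET /feed HTTP/1.1\n"
        "Host: social.example\n"
        f"Cookie: sid={sid}; lang=fr\n"
        "\n"
        "GET /logo.png HTTP/1.1\n"
        "Host: cdn.example\n"
    )
    leaked = cookies_seen_on_the_wire(capture)["social.example"]
    # The observer never saw the password, yet the replayed cookie is accepted.
    replayed_header = f"sid={leaked['sid']}"
    return replayed_header, service.whoami(replayed_header)


if __name__ == "__main__":
    header, identity = demo()
    print(f"replayed '{header[:12]}...' -> server says: {identity}")
```

Nothing in `demo()` attacks the toy server itself: the session id is random and unguessable. The only weakness is that the cookie was visible on the network, which is exactly the situation on open Wi-Fi and on any site still served over plain HTTP.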

Is DroidSheep effective on encrypted networks?

The application works on every network the Android phone is connected to: of course all open (unencrypted) networks, such as the hotspots of some restaurants, but also encrypted networks (WEP, WPA, WPA2) for which the user has the key (the password). In short, as soon as a DroidSheep user is connected to a Wi-Fi network, he can “sniff” the cookies of every other user on that network and potentially impersonate them. One nuance for WPA/WPA2: knowing the passphrase does not by itself decrypt the other clients' traffic, since each client negotiates its own session keys from it; a sniffer must also capture that client's initial handshake, or get the client's traffic routed through its own device, before it can read the cookies.

How to avoid being the victim of DroidSheep?

DroidSheep does not really change the situation regarding Wi-Fi security:

  • On an open network (one that needs no password to connect), everything you send and receive travels “in the clear” over the air and is trivially intercepted.
  • On an encrypted network, every other user of the network holds the same key as you do, and with it can recover your traffic as well.

There are not many ways to keep some confidentiality on these networks:

  • Radical: avoid public or semi-public networks altogether, or force yourself not to send anything personal over them: logins, e-mail, etc.
  • Simple: use the HTTPS version of sites rather than HTTP. HTTPS wraps the exchange in TLS (formerly SSL), so the session cookie never appears in the clear on the network, which avoids many disappointments. The site still has to offer it, and it has to mark its cookies so that the browser never sends them over plain HTTP (the Secure attribute); otherwise a single http:// request leaks the cookie anyway…
  • Technical: use an encrypted VPN, i.e. a protected tunnel that carries all your traffic sealed between your device and the VPN server. The Wi-Fi network then sees only encrypted tunnel traffic (the VPN operator, of course, sees what the Wi-Fi would have seen).
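The “Simple” option depends entirely on how the site sets its cookies, which is out of the user's hands. The following added example (not from the article) audits a raw HTTP response for the two things that stop a cookie from ever reaching a sniffer on the Wi-Fi: the Secure attribute on every Set-Cookie header, and a Strict-Transport-Security header so that a plain http:// visit is upgraded by the browser rather than sent first. The two responses, the cookie names and values, are constructed for the example; the header and attribute names are the real HTTP ones.

```python
def parse_set_cookie(header_value: str) -> dict:
    """'sid=abc; Path=/; Secure; HttpOnly' -> {'name', 'value', 'attrs'} with
    attribute names lowercased (flags such as Secure map to an empty string)."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs: dict[str, str] = {}
    for attr in rest:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.lower()] = val
    return {"name": name, "value": value, "attrs": attrs}


def audit_response(raw_response: str) -> list[str]:
    """List what a sniffer on the same Wi-Fi could still exploit in this response.

    Two things matter against cookie sniffing: every cookie must carry the
    Secure attribute (so the browser never sends it over http://), and the
    site must send Strict-Transport-Security (so a plain http:// visit is
    upgraded by the browser instead of leaking the cookie first)."""
    findings: list[str] = []
    headers: list[tuple[str, str]] = []
    for line in raw_response.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header: a first http:// "
                        "visit is not upgraded, so cookies can leak on that request")
    for name, value in headers:
        if name == "set-cookie":
            cookie = parse_set_cookie(value)
            if "secure" not in cookie["attrs"]:
                findings.append(f"cookie '{cookie['name']}' lacks Secure: the browser "
                                "will also send it over plain http://")
    return findings


# Constructed responses: the same login page served two ways.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=3f9c1b2a; Path=/\r\n"
    "Set-Cookie: lang=fr; Path=/\r\n"
    "Content-Type: text/html\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=3f9c1b2a; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: lang=fr; Path=/; Secure\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["nothing for a sniffer to use"])
```

HttpOnly and SameSite in the hardened response are good hygiene but do nothing against sniffing; the audit deliberately checks only Secure and HSTS, because those are the two attributes that decide whether the cookie ever crosses the Wi-Fi in the clear.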

The author of DroidSheep says he did not develop the program in order to steal identities. According to him, the point is to demonstrate the weakness of the security measures around popular sites such as Facebook. An unbeatable argument for absolving oneself of all responsibility…