What data is accessible on a public wifi?

Pratyr

I'm going abroad for a few weeks for work, and i'll have no other option than using the hotel's public wifi. So i'm wondering what's left and what third parties can access on a GOS phone and tab.
I'm using ProtonVPN and have the "block connections without VPN" option On.
My threat model is pretty high.
Thank you in advance!

Edit: can the device's footprint be collected (IMEI, MAC) ? Can third parties have access to some internal data despite the use of a VPN?

de0u

Pratyr My threat model is pretty high.

With all due respect, a threat model includes which information you wish to protect against which attackers and how much time/effort/money it makes sense to spend on protecting what from whom.

It is probably worthwhile for people with a high threat level to write down a threat model, because otherwise it may be hard to focus effort where it will be most useful. It's not possible to protect all information from everybody, especially not cheaply, and especially not while carrying around a smartphone.

Using a VPN shifts information: more is concealed from one's ISP, but more is shared with the VPN operator. If a device shows up at a hotel and accesses Snapchat from the hotel Wi-Fi without a VPN, the hotel will know the device accessed Snapchat. But if the device accesses Snapchat from three different continents using the same VPN, then the VPN operator will learn that the device's owner is committed to Snapchat.

de0u

Pratyr Can the device's footprint be collected (IMEI, MAC)?

The device's IMEI is shared fairly freely with cell sites. It is not shared with Wi-Fi access points, and it is not generally shared with apps, though it can be (for example, if Google Messages is used and a permission toggle is enabled).

A Pixel device has multiple fixed MAC addresses (for example, Wi-Fi and Bluetooth). By default a GrapheneOS device will not share the fixed Wi-Fi MAC address with access points. Some information about that is in the Usage Guide.

Pratyr Can third parties have access to some internal data despite the use of a VPN?

Which third parties, which data?

Using a VPN will will conceal from an Internet service provider (in this case, the hotel) information about which Internet servers the device is communicating with. A VPN is probably not concealing the data itself, because these days almost everything is already encrypted by TLS. A VPN may or may not conceal information about who a device is communicating with from other hotel guests, because the hotel may already be concealing this information from other guests (this is called "access point isolation"). If the device is sharing information with Snapchat, then a VPN will do nothing to stop the device from sharing the information with Snapchat.

de0u

Pratyr Overall, if the situation involves a high threat level, it would be best to write down a draft threat model and use that as the basis for consulting a security professional. If the situation is "I don't want other hotel guests to know whether or not I use Snapchat but I'm ok with Proton knowing that", ProtonVPN should be fine.

Developer-Dude

@de0u , I have a question that I'll throw at ya. :) since we're talkin' public WiFi here, would you say that public WiFi is safe? I try to avoid public WiFi, but I really truly don't know. Is public WiFi safe to use? I don't have a high threat level.

de0u

Developer-Dude Would you say that public WiFi is safe?

Safe compared to what? Safe against what?

Imagine a serious threat actor wants the contents of your phone and has a Wi-Fi firmware zero-day. Now any Wi-Fi access point that the threat actor can control is a serious threat. Standing up a fake Wi-Fi access point with the same network name as your hotel's network name in the room next to your room could be serious.

Now imagine a serious threat actor wants the contents of your phone and has a cellular firmware zero-day. If the threat actor can temporarily set up a cellular site pretending to be your carrier in a remote area where you'll be hiking, that could be serious.

Now imagine a serious threat actor wants the contents of your phone and has zero-day for a messaging app that you use....

Developer-Dude

de0u Safe compared to what? Safe against what?

I mean compared to password protected, personal home WiFi, how much safer is public, non password protected WiFi?

Developer-Dude

de0u Imagine a serious threat actor wants the contents of your phone and has a Wi-Fi firmware zero-day. Now any Wi-Fi access point that the threat actor can control is a serious threat. Standing up a fake Wi-Fi access point with the same network name as your hotel's network name in the room next to your room could be serious.

Now imagine a serious threat actor wants the contents of your phone and has a cellular firmware zero-day. If the threat actor can temporarily set up a cellular site pretending to be your carrier in a remote area where you'll be hiking, that could be serious.

Now imagine a serious threat actor wants the contents of your phone and has zero-day for a messaging app that you use....

Thanks for the explanation. :) so I take it that if a hacker wants access to a network, with the right skills and tools, any WiFi is at risk?

de0u

Developer-Dude I mean compared to password protected, personal home WiFi.

Safe against what?

It's not easy for your next-door neighbor to tell which web sites you're browsing on your home Wi-Fi without knowing the password, but it isn't all that hard for an eavesdropper on an open Wi-Fi network to know. "Coffee-shop Wi-Fi", with a password next to the cash register isn't really better against eavesdropping.

This looks plausible: https://security.stackexchange.com/questions/8591/are-wpa2-connections-with-a-shared-key-secure

If you use "Enterprise" authentication (with a RADIUS server) each client gets its own symmetric key with the access points: https://kernelblog.com/posts/4-way-handshake-in-802.11-wi-fi/#msk---master-session-key

DNS cache poisoning is harder than it used to be, and these days almost everything uses TLS, so risks are reduced.

A VPN is arguably prudent, but the question isn't really that answerable without a threat model.

de0u

Developer-Dude So I take it that if a hacker wants access to a network, with the right skills and tools, any WiFi is at risk?

Any anything is "at risk". It's not clear that "at risk" is a productive way to think about security.

Developer-Dude

de0u I'll put it this way. I wouldn't use public WiFi to do banking or other things that require personal information. I'd maybe use public WiFi to update/download apps, or browse the web (non personal info sites such as shopping, car part websites, etc). I'd use a VPN the whole time

de0u

Developer-Dude I wouldn't use public WiFi to do banking or other things that require personal information. [...] I'd use a VPN the whole time

What threat to banking over a VPN is envisioned on a public Wi-Fi network?

Perhaps the greater threat compared to banking from home would be somebody recording unlock PINs in public.

Developer-Dude

de0u What threat to banking over a VPN is envisioned on a public Wi-Fi network?

I just thought that if I do banking on public WiFi, I may be more vulnerable to my banking info being attacked, if that's possible for someone to figure out that I'm doing banking

Chipper

Developer-Dude As long as connecting to the VPN is the first thing you did after connecting to the public WiFi,
and your DNS queries are being resolved in the tunnel, and you have "block connections with out vpn" toggled, or some equivalent of this (ie correctly configured firewall on a desktop)
And you are 100% sure that you are at the correct domain for your banks login page.
And your device is not already hosting some malicious hardware/software.. Ie keylogger
And no one happens to be waiting to steal your device as soon as they see you log in.

Then the biggest threat to your banking as de0u eluded too, would be the cameras overhead or some person nearby catching your keystrokes and getting your credentials this way... Of course if your using a password manager that can also be mitigated.