secure wi-fi within campgrounds

[Terabytes]

Lots of good info in the replies in this post.

I am using a Wifi Ranger solution, which includes their GoAC WiFi router and Weboost for improved cellular reception. As stated previously, campground WiFi networks typically do not have the bandwidth necessary to support the WiFi traffic across the sites so I wanted a reliable cell connection for use as a hotspot as necessary. This combination has worked very well for me with typically 2-3 users all hitting my cell-phone hotspot at a time during the day. I have also streamed Netflix & Prime Video in remote locations without issue.

VPN notwithstanding, at a minimum, it is imperative to setup a private WiFi connection, complete with strong encryption and password access, for all of your users, whether at home or on the road. There are many options for routers in the marketplace that will support this approach, e.g. LinkSys, Netgear, etc. I simply chose to use the WiFi Ranger GoAC router since my primary use is for the Weboost functionality and the user interface and support for the router cannot be beat.

Once you establish a private WiFi network, the next step in hardening security is the implementation of a VPN. For simple data, e.g. surfing, banking, email access, etc., you don't need to pay for a service like NordVPN or ExpressVPN (my preference). You can simply turn on VPNs supported in applications like your antivirus solution, for example, for this purpose. I believe most Apple devices may have built in VPN capability, but I am not an Apple user so I could be wrong on the pervasiveness of VPN access on these devices. Of course, you will need to turn on VPN service on each of your individual devices with this approach.

Alternatively, services like ExpressVPN or NordVPN allow every device that passes through your network to leverage the VPN without need to turn it on at each device, assuming your router supports this functionality. The advantage is all traffic is protected by the VPN and generally, the performance will likely be better since these services have more servers in the VPN supporting their users (you get what you pay for).

HOWEVER, a word of caution, if you want to do a lot of streaming via Netflix or Prime Video, carefully assess the ability of your VPN provider to support these services, not all do well in this regard. In fact, these streaming services often force you to use specific servers provided by the VPN provider. This complicates the implementation. But as time rolls on, the VPN service providers are getting better at this...

Hope this helps!

[LarryB.]

Quote:

Originally Posted by UK Cards Fan

What router do you use in motor home to make it secure? ... I'm looking for a repeater for stronger signal and "our" own secure wi-fi within our motor home. ... It has also been recommended to get a VPN account, Tunnelbear. ...

As several folks have pointed out here, any router or access point will provide security from your device to it. That security is designed to protect the wireless link between your computing device and the router/access point. However, the router/access point does not encrypt your internet traffic as it leaves your router/access point to/from the internet; that data is clear text.

So, if you use a router/access point in your RV, you have security in/about your RV. But your internet data between the router/access point and the campground's wireless connection is not secure.

HTTPS is an "accepted" level of security once you make a connection to a web site.

As Ray pointed out:

Quote:

Originally Posted by NXR

..., a VPN prevents people using the same Wi-Fi or cellular network from even seeing that the packet is flowing from your computer to the bank.
......
You are establishing a VPN (virtual private network) connection to the computers of the VPN service. They in turn then send your communication to the bank using HTTPS.
...
Despite all of the hype about using a VPN for privacy, all you've really done is shift all of your Internet usage every time you use the VPN service to the VPN service so they become the privacy weak point.

VPN gives you an added level of security between you and the campground's wireless service to and including the VPN provider, but not beyond the VPN provider to the web server that you are (ultimately) connecting to.

A wireless router/access point is not the solution to wireless security within a campground.

[harleyfltri]

Quote:

Originally Posted by NXR

WARNING: long dissertation follows.

As a previous person noted, when a Wi-Fi point shows as "unsecure" it simply means the access point does not require a password. It may require a login through a "portal page" but your device usually cannot detect those.

"Unsecure" or "Insecure" with respect to a Wi-Fi access system does not mean it is inherently insecure from an information protection perspective.

A Wi-Fi or cellular system simply provides the mechanism for "data in motion" to occur but the vast majority of data breaches occur from "data at rest". By far the most common method is to somehow get malicious software installed onto your device, steal your credentials or to hack the company you're connecting to and steal the "data at rest" directly from them.

If you decide to use a free VPN service, remember that someone has to pay for it. It's usually the company selling your metadata. The term TANSTAAFL has been around since at least the 1930's and is still 100% true today. "If you're not paying for the product, you are the product that company is really selling."

• Critical point: The company running the equipment where your VPN connects can, if they want, see any of your unencrypted "data in motion". No matter how much they say they won't do it.

There are technical tricks that the company providing the site can do to help lock everything down and protect you, such as "certificate pinning". Some companies, particularly financials like the larger banks, do that but most do not because it's a cost-complexity-benefit issue. (I used to lead the operational IT security team for a large bank before I retired.)

There are a few things you can do to easily protect yourself no matter what type of Internet access system you use:

• If your browser gives you a warning about a certificate problem, STOP! "Data in motion" thefts commonly occur through the use of fraudulent security certificates. People who routinely click through those warnings are setting themselves up for a problem through their bad habit. Thankfully legitimate certificate warnings are far fewer than they used to be.
• On ALL accounts (bank, credit card, loans, everything) set up alerts for all transactions. For withdrawals or card usage, set the transaction limit to zero so you get an email and/or text 100% of the time your card or account is used. Think about it; it's your card. You should know every time it gets used, right?
• If you do not have online access set up for an account, either do it or call the company and have them disable the access. The former is preferable. Why? It's not too difficult for a fraudster to figure out the information needed to register your online account for you. They then become you as far as that company is concerned.
• If you absolutely must have a debit card (I do not), set up two bank accounts at your bank. One is your primary account that accepts payroll and other direct deposits. Call the bank and tell them to deactivate the debit card on that account (they are ALWAYS enabled by default at account creation).
  
  Open a second account with a debit card. Use the bank's online banking to move some money from the primary deposit account into the debit card account as needed.
  
  Why do this? Debit cards can be used to completely clean out your account. Most banks will take up to ten business days to investigate and return your money, which they usually do. If you have no deposits coming in, you have zero cash for up to ten days. If the fraudsters clean out the debit card account you still have money in your deposit account.
• On a semi-related matter, if you have a LinkedIn account, do not accept requests to link unless you know the person. This is a common tactic to gain access to a third person, one that you know. The miscreant uses you to establish credibility that they are who they say they are. Their real target knows you and since you know the miscreant, the real target may let their guard down a bit. This is a fairly common espionage tactic. Even though you may no longer be working it's likely you still have LinkedIn contacts that would be valuable to someone else.

HTH,

Ray

Excellent information and explanations. For those that are serious about security look into the Bitdefender Box 2 for the home which includes a subscription to their Total Security package. This not only has unlimited installs for all of your devices, laptop, desktop, phones and tablets including Apple products, but also protects every Smart Appliance connected device in your home. I also use the VPN client when ever I'm connected to WiFi and it works great. It is a separate subscription but can also be applied to all of your devices. I can honestly say I have never been hacked. Prior to going to Bitdefender I had multiple lifetime subscriptions to Malware Bytes which not only adds another layer of protection but it has never failed me in cleaning any computer that has become infected because someone felt antivirus software is just another scam.

[WolfPup2018]

Just to be clear on what a VPN does. Using a VPN on an open WIFI at a campground is no different than the same protection you get from using VPN at home. A VPN is a proxy and simply Redirects your communication through other servers and hides your tracks to a degree FROM THE ISP

keep in mind the VPN service you are using can see all of your traffic and recently several VPN apps were found spying on your traffic , developers from Russia being one. Send all your browsing traffic to unknown places and countries? I would caution you using a VPN, specially the free ones. Who know maybe the government runs a lot of these services and your just giving all your traffic to them.

ISP’s commonly aren’t monitoring your traffic unless your doing something that triggers a red flag. Using a VPN your ISP won’t be able to see much.

An open WIFI at a campground is the same linkSys, Cisco, netgear router Hardware with all the same protections built in that we all use at home... the KOA WiFi is just running off the local ISP in the area. So why are we all scared of using these open WiFi? The webpage your going to is encrypted, passwords won’t be captured (unless your some super hacker sitting in a 26 ft WOLFPUP trailer At a KOA LOL!!! The difference between an Open WiFi vs a password protected WiFi is the hacker either can access the network without a password (free for all) or the hacker already has the password and is using the network.


“ So before you trust that highly rated VPN with a million installs on the Google Play Store, know that there's a list of shady Android VPNs that grab more permissions than they actually need, putting your privacy at risk. ”

https://www.cnet.com/news/7-android-...-privacy-sins/


Remember that guy from ATT that got caught routing the internet traffic through a server he built and was hidden in a closet?

VPN’s are simply “slurping up your data”

[WolfPup2018]

Quote:

Originally Posted by UK Cards Fan

I didn't think all routers needed to be connected to modem. I have been given conflicting information. I actually did chat with Asus and they recommended the 1900. I will GO BACK to the computer store and make sure I get someone who knows what they are talking about. It seems to me, a router can pick up a wireless signal within RV! This has been my thought all along, it's just getting the right product. Depending on how secure I can make the router, with an outlandish password, I'm not sure I need a VPN account. Thanks for the help!

The router CAN operate w/out an internet connection. Sometimes on new routers it requires the active internet to go through the set up, when it doesn’t connect to the internet it won’t complete the set up.

I think you may be confused, a router can be placed in AP mode but that won’t accomplish what I think you want to do. Simply having a router in your RV will broadcast a WiFi signal with NO internet. Your simply connecting to a modem, or you could bridge it with another wireless connection in AP Mode, but withou the devices hooked up with a wire there is a special/more complex set up that probably most consumer routers don’t have and you would need access to the other device

Having a router broadcasting a WiFi signal in your RV wouldn’t do much unless you have internet. You could use an Apple TV or chrome cast and stream movies from your phone or iPad to your TV which is a great IDEA.

You could run a Plex server out of your RV and let all the other campers stream of the computer in your RV.

[NXR]

To clarify a bit of this:

Quote:

However, the router/access point does not encrypt your internet traffic as it leaves your router/access point to/from the internet; that data is clear text.

The data is not converted to clear text by your router. If you visit an HTTPS website in our browser your router will maintain that HTTPS connection all the way through.

The only exception to this is if you have specifically configured your router (or your PC's security software) to intercept, decrypt and re-encrypt your data. This is typically done to look for malicious traffic inside of an HTTPS connection.

Quote:

So, if you use a router/access point in your RV, you have security in/about your RV. But your internet data between the router/access point and the campground's wireless connection is not secure.

HTTPS is an "accepted" level of security once you make a connection to a web site.

Same thing here.

Think of this as you, your garage and your car.

As long as your car (your computing devices) is in your garage (accessing your RV's Wi-Fi network) it's probably reasonably secure. It all depends on whether you close your garage door and lock it (secure your own network).

When you pull your car on to the street (your computing device attempts to connect to a website on the Internet), your security is now dependent on both your driving skills (how you have your computing devices configured) and every driver and obstacle out there (everyone and everything on the Internet is a potential adversary) including the condition of the roads (the Internet).

HTH,

Ray

[WolfPup2018]

If anyone wants to see the data, download Wiredshark. Run it on your computer and watch it as your going to websites. If the site is HTTPS, your going to see not much more than

JdjrjejfnfirirjtjrirnxnMalalalwfjgitititkdji&:&&$-&38384!4!,&3847;!,!,!/838484848jeneicneifnejdnskalalwlqqqksksnfncjrnfjfi end

You may see some ads that come up not encrypted


Now go to another regular http site.

[rockfarmer]

Lots of good info here - maybe too much for a novice like me. Interesting to get perspective of some very knowledgeable people and all of the options available. I think that I will use my hotspot for sensitive transactions - if I have a cell signal. So I think that a booster will be my next purchase.

[NXR]

Quote:

Originally Posted by rockfarmer

Lots of good info here - maybe too much for a novice like me. Interesting to get perspective of some very knowledgeable people and all of the options available. I think that I will use my hotspot for sensitive transactions - if I have a cell signal. So I think that a booster will be my next purchase.

Here are the longish basics:

• Your device needs to connect to something for Internet access whether it's to your router OR directly to the Internet service provider, which may be a campground or your home provider or a hotel or a cellular hotspot or whatever.
  
  
• Your device can connect wirelessly to the "something" (using Wi-Fi or Bluetooth) or connect with a wire. We'll presume Wi-Fi for this discussion.
  
  
• What does a router do? It takes the radio signal from your device and sends it somewhere else. Home routers also provide a barrier between your home devices and the big, bad Internet. This barrier usually includes a rudimentary firewall built into the router and possibly other protections.
  
  
• Home routers also put your devices on a separate "network" from the Internet. This is also known as a "private network" although "private" in this context has nothing to do with "privacy" as people think of it. Just accept this for now.
  
  
• That private network, in conjunction with the router's firewall, keeps bad things on the Internet from starting a connection directly to your devices. This separate private network is (to me) the main reason why you should always use some type of router.
  
  
• Note that every cellular hotspot I've ever seen has a built-in router that provides that separate network. If a hotspot allows more than one device to connect to it, it is providing that separate network.
  
  
• BUT not all hotspots turn on their built-in firewall by default. For example, the FMCA Sprint Franklin R910 hotspot does not have the firewall turned on by default. Why? It's a "security versus convenience" thing again. Without a firewall your stuff just works even it is more exposed. Their support costs go down...

This is the typical RV Internet setup:

Your device -> the campground's Wi-Fi via wireless -> the campground's Internet provider


Note the lack of a router between your device and the campground Wi-Fi. That's because most people I've talked with do not have a router in their RV. They simply log every device into the campground's Wi-Fi separately each trip. While the campground certainly has a router no one knows how well it is configured.

Because every person doing the above is connected to the same campground Wi-Fi, every one of their devices is now on the same campground "private network".

• That is where the "campground Wi-Fi" risk is, everyone on the same campground private network. This risk is limited to the people and devices connected to the same campground Wi-Fi network.
  
  
• With the proper tools it is possible that RV "A" could see what RV "B" is doing but not if it's HTTPS.

• But there is a much bigger risk unrelated to someone snooping on what you're doing. If just one of the multitude of devices has some bad network-aware malicious software on it and your devices do not have their own properly configured built-in firewall, that malicious software could automatically spread to your devices.
  
  
• This malicious software could steal your credentials, encrypt all of your files with ransomware, etc.

"Could" does not mean "will". If you keep your software updated the chances of that happening are less.

A properly configured firewall running on each of your devices will help stop malicious software from infecting your devices. Do your TV's have firewalls? Who knows? How about your Alexa or Siri or Google Home devices? What about your security cameras?

This is why having a router in your RV makes a big difference. The router will provide your devices with their own private network and home routers are usually configured by default to keep the bad stuff out.

The problem with installing a plain old home router in your RV is that they usually require you to plug in a cable to the Internet provider and campgrounds don't provide wired Internet. That's a whole different discussion.

Do you need your own home router plugged into your cellular hotspot? Not usually unless you have so many devices that you exceed the hotspot's "maximum number of connected devices" limit. In that case the the hotspot will only "see" the home router as one device regardless of how many devices are connected to the home router.

Confused yet, or still?

Ray

[tyler811]

A range extender or router (in access point mode) can connect to the campground wireless. Even though you set a secure connection to your router/extender, you are still on the campground and the passwords are rarely changed and often given out the people outside the campground. Someone who has access to the campground wifi can use what is called a packet sniffer, all data is sent in packets which contain where it is coming from, where it is going and the information you sending to put it plainly. The packet sniffer is can tell a person exactly what you doing. Anyone on the campground wifi will see you with the right software even connected to your router/access point

A vpn connection will encrypt your information making it harder and unlikely that your information will be seen. With that said yes, the vpn connection can see your banking info but ISO home and the your carrier so what the difference?

I would rather have the vpn see my information then someone sitting 3 campers down stealing my information. If you use an HTTPS web site enabled site like your bank or credit card then your fine.

Do not pass over cert warnings on websites.

Here is a list of VPN provider reviews if you are interested, using a public wifi you should be.

[LCraddock]

Or download Burp Suite, install the burp suite certificate and set your browser up to proxy through it. Then you can see all your browser traffic ... including https.

[NXR]

Quote:

Originally Posted by LCraddock

Or download Burp Suite, install the burp suite certificate and set your browser up to proxy through it. Then you can see all your browser traffic ... including https.

I've used Burp Suite Pro during pen tests. It is software installed on your device and does not sniff anything off the air from another device. You have to install a root certificate created by Burp fand explicitly allow it for that to happen. This is in no way what happens on any WI-Fi network.

Ray

[NXR]

Quote:

Originally Posted by tyler811

Someone who has access to the campground wifi can use what is called a packet sniffer, all data is sent in packets which contain where it is coming from, where it is going and the information you sending to put it plainly. The packet sniffer is can tell a person exactly what you doing. Anyone on the campground wifi will see you with the right software even connected to your router/access point.

True but only if the web site you're connected to is using HTTP and with the exception for these forums I rarely see HTTP-only sites with login pages. (Yes, this is pretty close to negligence by website operators especially since LetsEncrypt has been providing free HTTPS certs for years but whatever).

I'm sure I have hundreds of hours experience with Wireshark, its predecessor Ethereal as well as some commercial products that cost the company thousands of dollars last century. It's also why the networks I used to configure used private VLANs where possible because that provides user-to-user isolation even when everyone is on the same subnet. Campgrounds probably could also do that easily but they would have to know to ask their network company that question.

This discussion is getting too down in the weeds. IMHO the reality is that the risk of someone sniffing your credentials off the Wi-Fi in a campground with maybe a few hundred spots is exceedingly small. With a few basic precautions people can take that risk almost to zero.

Using a VPN provider eliminates the risk of campground sniffing but opens you up a much larger risk, that of the VPN company seeing and being able to decrypt 100% of your Internet access without your knowledge. Unless you have the contractual right to perform an onsite audit of the VPN provider, and you actually do it, you have no idea what they are really doing.

Here's one discussion on this risk: https://security.stackexchange.com/q...ion-of-root-ca

Ray

[LittleBill]

Quote:

Originally Posted by LittleBill

When I was at the Rally in Goshen, King was there and their system seemed impressive. Supposedly even though you get connected to a public WiFi the King treats your setup as your own private network with encryption out and back. Most of all the Forest River new units that were on display had King WiFiMax's in them. I am seriously thinking to have one installed with the directional antenna. What are you thoughts on the King WiFiMax?

^ My post #24.
Still looking for information on how well the King WiFiMax will keep you secure vs other brands/options?

[LCraddock]

Quote:

Originally Posted by NXR

I've used Burp Suite Pro during pen tests. It is software installed on your device and does not sniff anything off the air from another device. You have to install a root certificate created by Burp fand explicitly allow it for that to happen. This is in no way what happens on any WI-Fi network.

Ray

Actually, I never said anything about sniffing traffic over the air. Someone earlier suggested using wireshark to monitor their own traffic but correctly pointed out that they would not be able to see the https (ssl encrypted) traffic.

I simply suggested that by using burp suite and installing their certificate, they could monitor all browser traffic, including https.

And a proxy sits between your browser and whatever your wan connection is ... wifi or otherwise.

[rockfarmer]

NXR, (Ray), thanks for the more simplified explanation. I still think that any sensitive information (like banking) I will do via hotspot on my phone if cell signal is available.

[NXR]

Quote:

Originally Posted by LittleBill

^ My post #24.
Still looking for information on how well the King WiFiMax will keep you secure vs other brands/options?

https://kingconnect.com/product/king...ender-kwm1000/

If it's the one in the above link it can't. And actually, none of them can. The reason is simply that everyone in the world is connecting to the same public network called The Internet. As soon as any unencrypted traffic leaves the WiFi Max and hits the Internet it's vulnerable to some extent. "Vulnerable" does not equal "Risk". Never has and never will.

Excerpt:

"How it works:

The KING WiFiMax Wi-Fi Router and Range Extender creates your own personal, private, and secure Wi-Fi network, just like you have in your home. When you are in range of an available Wi-Fi source, or a private network you have the password for—such as a visitor center guest network, coffee shop, hotel, or any other available source—you simply configure the WiFiMax to connect to that network. Then, it extends the internet access from that Wi-Fi source to your own private Wi-Fi network, giving you internet just like you’d have at home. You can connect all your Wi-Fi-enabled devices, such as laptops, cell phones, tablets, smart TVs, appliances, and more!"

Ray

[NXR]

Quote:

Originally Posted by LCraddock

Actually, I never said anything about sniffing traffic over the air. Someone earlier suggested using wireshark to monitor their own traffic but correctly pointed out that they would not be able to see the https (ssl encrypted) traffic.

I simply suggested that by using burp suite and installing their certificate, they could monitor all browser traffic, including https.

And a proxy sits between your browser and whatever your wan connection is ... wifi or otherwise.

Yup, too far down in the weeds now. I agree you did not however we're discussing campground Wi-Fi so I got confused. Have you (or anyone) been to a campground that offered wired Internet? I haven't seen one of those in many years.

And even if it's wired, it could still be connected to a hub and not a switch so the same sniffing problem would still exist. And the broadcast address of a switch offers up a lot of valuable information.

The bottom line is that encryption (and two-factor authentication on all accounts) is the only preventative measure for the end user, and that includes email accounts.

Ray

[LCraddock]

Quote:

Originally Posted by LittleBill

^ My post #24.
Still looking for information on how well the King WiFiMax will keep you secure vs other brands/options?

None of them can extend security beyond your local network. If you setup security properly you can protect traffic on your wifi but not really any further. If the camp wifi is your wan provider then cleartext traffic can be sniffed.

If ALL of your access to internet services is via web browser, traffic to https sites is protected. If you don't use your browser as a client for other clear text protocols such as ftp, then your only exposure is http websites.

If you are concerned about that traffic your only(?) recourse is to research and locate a reputable vpn provider. The best option is a site to site vpn if your router supports it. If not, you'll need to install vpn clients for each device you want to protect.

My 2 cents: You'll take a small performance hit and a bigger $$ hit for the vpn option. Most services these days (and to my knowledge, all that do financial or medical info transactions) use ssl. I use a vpn for job related reasons. If it weren't for that, I'd probably not use a vpn, just be a little more cautious, and never communicate sensitive information over cleartext protocols.

[NXR]

Agreed. For clarification "WAN" means "Wide Area Network" which in this context means "The Internet".

A critical app for most people is email. You have password reset links and hints sent to it, you have financial statement summaries sent to it, etc. Yet there are still email providers who do not provide encryption for the emails sent to and from your device.

When you look at your email account configuration if it says "port 110" and POP or POP3 on that screen, none of the emails sent to you are encrypted and all are vulnerable to snooping.

If it says "port 25" and SMTP, the emails you send from your device are 99.9% guaranteed to be unencrypted and vulnerable to snooping. (the .01% covers "TLS email" which is almost never used by a device and usually only used for email server to email server communications.

If it says "port 143" and IMAP, none of the emails sent to you and sent by you are encrypted and all emails are vulnerable to snooping.

There are encrypted versions known as IMAPS, POP3S and SMTPS that use different port numbers, so don't get confused.

And it makes precisely zero difference what super-duper whiz bang megabucks equipment you buy and install. The problem is that the email provider is not using encryption so you cannot encrypt your emails. Even a VPN only partially helps because when the emails arrive at the VPN company they are unencrypted in either direction. And there is precisely zero possibility that VPN providers are not being targeted and compromised. None, because attackers (governments and all others) know that they handle sensitive data.

For example, my @roadrunner.com email account, which I use for nothing, is still configured by Time Warner/Spectrum to use unencrypted email POP3 and SMTP. My Gmail and Outlook email accounts both force their customers to use encrypted email.

Ray

PS: Yes, it is possible for you to install special dedicated encryption software such as PGP but both the sender and the receiver need the same software and need to configure it. Regular humans do not do that and it simply cannot be done for 100% of your emails.