This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL stripping detected - security warning (android on home wifi network)

The Sophos app on my android phone gave me a security warning saying that it has detected SSL stripping on my home wifi network.

Is anyone else having this issue? I'm wondering if it's a false positive, as the same issue happened last month (Dec 2018), and at the time Sophos had said it was a problem with the app (which they fixed, and they published a definition update resolving the issue: ).

Is it the same issue now, or am I actually experiencing a security threat? Many people were posting about it in the forum when it happened last time in December 2018 (such as here: ), but I haven't seen any new posts this time. (Though the Sophos forum website has been slow today and doesn't seem to load at times, so I don't know is that is affecting other people posting.)



This thread was automatically locked due to age.
Parents
  • Hi  

    We do not see any outbreak for this issue as of now. I would like to confirm a few points here.

    1. Please make sure that you have the latest AV Engine updates installed as per this article.

    2. Is this happening with all the networks?

    3. Is this error is shown again when connected with the same network(where this error was shown)? 

    4. Disconnect from the network. Forget the network and connect it to it again via your smartphone. Is the error shown again?

    5. Is this happening with Android or iOS devices? Please let us know the OS running on these devices as well.

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi Yashraj,

    Thanks for your message! In answer to your questions:

    1. Yes I believe I have the latest updates (the sophos app says it was last updated today).

    2. I don't know if this is happening with other wifi networks, as this is the only one I use (besides using data on my phone). Though it should be noted that I always use a VPN, and I was using one at the time I received the security warning.

    3. & 4. I haven't tested if I still receive the security warning on this network, as I disconnected the Wi-Fi on my device and unplugged the router (just to be safe until I figure out what to do, and in the meantime I'm only using my phone data). If I turn them back on to test, won't that put me at risk? (I have a lot of things that will start running in the background of my phone once the Wi-Fi turns on - email downloads, updates, etc. Is there a way to test the Wi-Fi without that happening?)

    5. This is happening on an Android phone (Samsung Galaxy S5, OS version: Android 6.0.1). I don't know if this is happening on other devices, as my phone is the only device on this network that uses Sophos (though there is an iPhone that shares this network that hasn't received any of its own security warnings, but its Wi-Fi is now currently turned off as well to be safe).

    I've been wondering if it's a false positive, because we've recently taken measures to secure this wifi network (before this incident), including:

    - using a VPN (NordVPN)

    - changed network name and password

    - changed router sign-in password

    - changed from WPA to WPA2 personal AES security type 

    I'd appreciate any further advise! Should we change our network and router passwords again? Do you recommend we take other steps to secure the wifi network? (For example, I googled articles about securing wifi, and I see that there are things we haven't tried yet - such as updating the router firmware/software.)

    Thanks for your help!

  • Hi  

    Are you still facing this issue after changing the network name and password? Have you tried accessing the WiFi without using your VPN service? 

    Yes, I believe you should upgrade your router firmware to be as secure as possible. 

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi Yashraj, thanks for your response.

    I had changed the network name and password before this incident - should I change them again and upgrade the router firmware BEFORE testing the wifi?

    But I assume I need to turn on the router and Wi-Fi in order to make those changes, correct? Will my device be put at risk while I'm temporarily using the Wi-Fi to make those changes?

    I haven't tested the wifi at all since the incident, as I immediately turned off the wifi and unplugged the router, and have just been using my phone data without Wi-Fi since then.

    But do you think it's safe to turn on the Wi-Fi to make those changes?

  • Hi  

    You can download the new firmware via mobile data and make sure that there is no internet connection available in the router. (Basically a wireless network without internet connection.) Then proceed towards upgrading the firmware and changing the name and password. This guide might help you out. 

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thanks Yashraj!

    I successfully updated the router firmware without having to use the Wi-Fi network first (I connected a computer by ethernet cable, and then downloaded the update by tethering a phone as a hotspot to the computer and used its data).

    And I then changed the router password, and also the Wi-Fi network name and password.

    I then tested the Wi-Fi, and my Sophos app no longer gives me the security warning, yey!

    Are there any security measures I should take, in order to protect the Wi-Fi network in the future?

    Also, if I was indeed a victim of SSL stripping, what would be the protocol? Should I change my passwords for personal accounts I logged into on the day the warning? (Or should I go back further than that?)

    Thanks for your help!

  • Hi  

    Glad that you are no longer alerted about SSL Stripping attack. [:)] I ended up liking this article after a quick google search for securing WiFi connections. (Although there are many more articles and mostly all of them suggest the same things.)

    SSL Stripping- A user is made to believe that the connection is secure and the data he/she sends is encrypted. But in reality, the connection is insecure and data is sent in plain text, stripping off the encryptionHence, I believe you should change your passwords for the accounts you accessed when you were alerted of the SSL Stripping attack. 

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Reply
  • Hi  

    Glad that you are no longer alerted about SSL Stripping attack. [:)] I ended up liking this article after a quick google search for securing WiFi connections. (Although there are many more articles and mostly all of them suggest the same things.)

    SSL Stripping- A user is made to believe that the connection is secure and the data he/she sends is encrypted. But in reality, the connection is insecure and data is sent in plain text, stripping off the encryptionHence, I believe you should change your passwords for the accounts you accessed when you were alerted of the SSL Stripping attack. 

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Children
  • Thanks!  When you say "you should change your passwords for the accounts you accessed when you were alerted of the SSL Stripping attack", do you mean just the accounts I was accessing at that very moment? Or also earlier before I received the security warning? ( I don't think I was actively using the internet at the time I received the warning, but I was logged into accounts running in the background on my device at that time, and I had used some accounts earlier in the day before the security warning came.)

    Can the SSL stripping affect apps that are running in the background? Or does it only affect things when there's transfer of data/info? (e.g. logging in, surfing the internet, checking accounts, etc)

    Would the Sophos app have given me the security warning immediately when the attack happened, or could there be a delay in when it detected it?Y

  • Hi  

    I believe you should change the passwords of the accounts you were using at that time. SSL Stripping will strip off the encryption in your connection. So, the middle man will be able to look at your traffic in plain text. Please check if you notice any suspicious activities in any of your accounts and change those passwords. Sophos should detect it soon after the attack was initiated.

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thanks Yashraj!

    To clarify, when you say "you should change the passwords of the accounts you were using at that time", does this include apps running in the background that I was logged into (e.g. email app on my phone)? Or only accounts I was actively using at the time?

  • Hi

    If the accounts in the background were being used, then it is a good idea to change the password for them. 

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids