An Experiment to Prevent Malicious Actors from Compromising Private Digital Assets Over a Public Network

— In the current millennium, human society has immensely improved its ability to obtain and distribute information. This change on the other hand, has caused the majority of daily routines to actively involve the usage of computers and mobile devices, which in turn has made people rely heavily on the availability of internet access. This fact was taken advantage of, causing a massive increase in public networks by people or businesses to draw in customers or just as simple public service. This increase gives both ease and risks which this paper will address, specifically on the security measures in network devices that are nearby, and the solution proposed to provide complementary insight on securing the technologies. The authors of this paper supply the main point of the research through experimental efforts i.e., by testing the solution in a real-life scenario. The solution itself involves the configuration of a Raspberry Pi into a VPN server and rerouting all traffic into the Raspberry server so that it will be encrypted and safe from the dangers that will be mentioned in later parts of this paper. The result of the experiment shows that the proposed solution can successfully encrypt the targeted packet so it can’t be read by malicious attackers. Although the solution works it can’t be simply applied to every public network due to internet connection protocols and its inconvenience. Future research will involve the improvement or rework of the solution until the issues mentioned above are solved.


I. INTRODUCTION
In this current era of modernization, none can argue that the current lifestyle of the average human is bound to the internet, be it communicating with people, utilities, and entertainment services.As such, people have come to need reliable and easily available access points to be able to surf the internet.This is where public Wi-Fis comes into play on how they provide convenient internet access in certain public spaces such as cafes, restaurants, and learning institutes (Maimon et. al, 2017).However, using these public Wi-Fis exposes users to various potential risks that compromises their private digital assets.
Based on the reviews done on similar research, the current statistics show an increasing spread of public Wi-Fi worldwide i.e., 94 million in 2021 and is expected to rise to 549 million by the end of 2022.This dramatic increase in number is caused by the massive number of new computing devices each year (Lotfy et. al, 2021).Therefore, a change of perspective regarding mobile security can be expected in the following years as a result of combating the dangers of computer vulnerabilities that occur when utilizing public networks (Breitinger et. al, 2020).
Throughout the reviews done for this paper, a few possible threats over browsing requests done on public Wi-Fi has been enlisted, such as internet-based services, email, social networking, ecommerce site, and many more.Such dangers include exposing sensitive data like credit card information, credentials, activities, etc. Said potential attacks can occur due to either vulnerable access points or a disguised attacker network imitating the real public Wi-Fi (Choi et. al, 2021).
The 2 nd section after the introduction consists of the literature review that focuses on the definition of networks and discovering possible dangers that come along with public networks.In the 3rd section i.e., methodology, this paper proposes a solution which involves configuring a Raspberry Pi as a VPN server and routing all traffic into it, which as a result encrypts and protects any sensitive data from being intercepted.Following the proposal of the solution, the methodology also explains what kind of experiment was used to prove the solutions' effectiveness and an explanation regarding what parts/tools were used in the experiment.The last 2 sections of this paper will respectively be about the results of the experiment and the conclusion of this paper.
Before moving any further, there is a question that must be asked "what is a network?"Specifically, a computer network.The definition is that it's a distributed system that consists of multiple computers and other devices that are loosely coupled, which results in said devices gaining the ability to communicate with one another as long as they are following the set of rules or communication protocols configured in the network.Computer networks can be categorized based on their coverage or size (Kizza, 2020): Wi-Fi is included in the LAN category, reason being LAN is a network that is confined to a small geographic region that has more than one computer or device, and their resources connected by a communication medium that's using the same communication protocols (Kizza, 2020).Then why is Wi-Fi included in LAN? Wi-Fi itself stands for Wireless Fidelity which is one of a kind in the family of network protocols authorized by the Institute of Electrical and Electronics Engineers (IEEE), specifically article 802.11 published in 1997.Wi-Fi has the capability to exchange information between devices across radio waves, thus eliminating the need to stretch long lines of cable from room to room, therefore its practicality being the reason it powers most of the LAN in modern computer practice.Creating a LAN subdivision where the communication medium uses high-frequency waves instead of cables called Wireless LAN (WLAN) (Fikriyadi et. al, 2020).
In the past 10 years, mobile devices have been growing rapidly at a speed unthought before.The advent of smartphones would not exactly be as great as they are if it were not for the invention of fast and reliable internet broadbands, thus much of the credit goes to Wi-Fi protocols and their improving implementation over the years (Jain et. al, 2019).
However, there are still dangers/risks that remain when using random public Wi-Fi.To understand how hotspots/public Wi-Fis expose consumers to a whole array of privacy risks, it is important to understand what defines a hotspot; "a hotspot is any location where [wireless internet access] is made publicly available" (Shahin, 2017).
According to a Symantec study, results show that 46% of the 15,532 users will immediately connect to a public Wi-Fi network and 60% of them believe that their data/personal information isn't at risk while using said network.Hotspot access is usually deployed in three forms, such as the following (Ali et. al, 2019): Open access and password-protected networks are self-explanatory, Captive portals on the other hand are hotspots where the user would be directed to a webpage that usually contains the hotspot/Wi-Fi providers' privacy policy and/or their Term of Service (TOS), and a login page where users can register their personal data I.e., name and email, to be granted access to the internet services of the Wi-Fi (O'hanlon et. al, 2017).
The convenience of free internet is but a two-edged blade if one is not wary, the dangerous aspects include being prone to certain hacks that are usually done to collect personal information such as (Shahin, 2017): 1. Sniffing: Sniffing "allows hackers to passively intercept data sent between a web browser and web servers on the Internet." 2. Evil twins: "(a)n evil twin is a rogue Wi-Fi access point that appears to be legitimate but actually has been set up by a hacker to fool wireless users into connecting a laptop or mobile phone to a tainted hotspot."Typically, mobile devices will scan for available networks and connect automatically to certain Wi-Fi with known SSIDs that the device has connected to once before, even without human interactions.Thus, a rogue Wi-Fi could reuse common SSID names publicly available and so various information / requests will be transmitted over the malicious spoofer unknowingly.This often leads to leakage of private attributes such as banking, identity, affiliation, etc (Maimon et. al, 2017).
3. Man-in-the-middle-attacks: "intercept and modify" data going between the user and the hotspot server.
Throughout the histories and origins of current networking technologies, there has yet been any protocol worthy of the achievement of being completely resistant to MITM attacks on its own i.e., no administrative action needed (Schofield, 2019).This is such a concern since every single company / institute will either route their network properly, not at all, or in between.Such inconsistencies are keys for perpetrators to take advantage of.Common MITM attacks include spoofing based, TSL/SSL based, BGP based, and FBS based (Bhushan et. al, 2017).
4. Side jacking: an attack that uses a program that can "intercept or log traffic passing over a digital network, to steal a session cookie containing usernames and passwords from a variety of websites, such as Facebook or LinkedIn."

II. METHODS
For this section, the qualitative method will be used to analyze the effectiveness of the proposed solution by comparing the packets that are sent to the router when using a public Wi-Fi with and without the solution.The proposed solution involves utilizing a lightweight, network capable device such as the Raspberry PI, specifically the Raspberry PI 3 model B as a redirecting medium that provides full encryption of traffic coming in and out of the local network space while the interface socket connected to the public Wi-Fi router is only utilized to retain connectivity and routing.The experiment will be done on a website used by residents of a certain apartment, said website is used to find information related to their stay such as laundry quotas, whether a package has arrived, etc.To use this website, the residents are required to login using their IDs and password which will be the target/key of this experiment.We will be comparing the visibility of the target while using a public network that's applying the solution and a network that isn't, the results will be recorded with a packet capture of the network using a network analyzer tool called Wireshark.
The following will be the explanation of the parts used for the solution:

Server
For this experiment, the Raspberry Pi 3 Model B was used.A raspberry Pi is a small-single board computer commonly used for general-purpose computer development.The Raspberry Pi 3 Model B is the latest version of the Raspberry Pi computer and the most powerful among the other models of Raspberry Pi (Taib et. al, 2019) this technology discloses the user to the security threat.Barely users are sensitive that their data are being monitored by Internet Service Providers (ISPs).

Traffic encryption or virtual private networks (VPN)
The virtual private network (VPN) be it the service or client that were used for this experiment are as follows (Karaymeh et. al, 2019), (Iqbal & Riadi, 2019):

OpenVPN
Runs as a network service on the medium device to enable encrypted communications between devices.In this specific demonstration, the supported version for the Raspberry Pi is reasonably named PiVPN.The PiVPN was implemented with a self-triggered basis on each startup so that it continuously serves connectivity to the local devices while actively routing public connections in and out through trusted VPN services.With this setup, any destined network packet sent either way will be resistant against prying actors whether locally or throughout the globe.

OpenVPN client
As opposed to the previously mentioned PiVPN, the client-side service of OpenVPN compliments the protocol by enabling any devices to easily load-and-go connections with any configuration files generated by the server.This enables any daily kits like the smartphone, laptops, TVs, etc. to be a member of the PiVPN network with a simple tap on the 'connect' button after the initial configuration.Once connected to the secure tunnel, any packet sent and received by the particular device should not be readable by none other than the source / destination peer as the right encryption key is required to reconstruct the integrity.

III. RESULTS AND DISCUSSION
For the traffic analysis part of the experiment, Wireshark was used.Below, the authors showcase the difference between conventional routing of local traffic and the one implementing the proposed solution.By regular means, it is possible for a third party to sniff packets within a local network as they could spoof the network to believe that all the traffics are meant for a particular device, in this case, by poisoning the ARP cache.Thus, a malicious perpetrator would be able to monitor the entire pool.In this case, as seen from Figure 4 it is possible to find a certain packet from the targeted network that contains the POST request sent to login.aspx.

Figure 5. Sensitive information in intercepted packets
Although some packet transmission protocol comes with its own measure in terms of security, some services still address their availability by primitive methods, such as HTTP.As seen in Figure 5, following is the content of a particular request coming from a local device.The request appears to be a login probe to a web server, specifically a resident web platform to administer information regarding their stay.Into the request body, the victim's username and password can be clearly seen in simple plain text.Thus, this goes to show how an open public network could leak their users' sensitive personal data.However, with the presented solution the packet capture that can be seen from Figure 6, shows that the captured packets are encrypted and as a result the attacker will be unable to read the contents of the traffic.Thus, the solution can be seen as successful as it eliminates the potential risk when using a public network or to at least minimize it as an option for those who requires it.

IV. CONCLUSION
From the results, the proposed solution works as intended, however the current internet connectivity protocol doesn't easily allow a straightforward application of the proposed solution, such that it will nevertheless require a network user to install the OpenVPN client and import its configuration manually on the first connection.Therefore, the solution itself can't be imposed by default, which might be a matter of convenience.
For future approach to the same problem, the authors suggest user activity as the first in consideration, as it could greatly affect how quickly the researchers could identify a convenient protocol, i.e., one that is natively available across platforms so to integrate the solution seamlessly, eliminating user's obligation to follow specific instructions which is of no inherent cognitive memory they have built alongside the long-term usage of their mobile technologies so far.On the other hand, it could be very challenging nevertheless as known protocols are persistent to their standards and are not expected to easily approve of new patches, especially in short term.

Figure 4 .
Figure 4. Wireshark capture without the solution

Figure 6 .
Figure 6.Wireshark capture with the solution