86
What are the risks of connecting to public wi-fi
In the backpack, my friend, 34-year-old Wouter Slotboom, wears a small - a little more than a pack of cigarettes - device black with an antenna. I meet Wouter by chance in a cafe in central Amsterdam. The day is sunny and almost all the tables are occupied. Some visitors talk while others work behind laptops or play games on smartphones.
We ask the waitress for two coffees and a local Wi-Fi password. Wouter turns on the computer and this gadget, runs some programs, and the screen begins to fill with rows of lines. Gradually, it becomes clear to me that Wouter’s device connects to laptops, tablets and smartphones of people sitting in a cafe. On the screen begin to appear titles like “iPhone Joris” and “Macbook Simon”.
Sometimes the names of these networks consist of numbers and random letters, which makes it difficult to determine their location. But in most cases, names give out a place. We learn that Joris was recently at McDonald’s, spent a vacation in Spain (many Spanish names of networks), on arrival entertained on the track (he connected to a network owned by a famous local karting center). Martin, another cafe visitor, connected to the network of Heathrow Airport and U.S. air carrier Southwest. In Amsterdam, he most likely lives in the hostel "White Tulip", and prefers breakfast in the coffee shop "Buldog".
The waitress brings coffee and a wi-fi password. Slotboom's plugging in. He can now distribute wireless internet to all cafegoers and redirect traffic through his little interceptor.
Most smartphones, tablets and laptops automatically search for wireless networks and connect to them. They usually choose the network they previously connected to.
A list of available networks pops up on my iPhone screen – including my home provider’s network, work network, and a list of chains of cafes, trains, hotel lobbies, and other places I’ve been. My phone automatically connects to one of these networks, which in fact all belong to a little black device.
Slotboom can distribute the Internet from a fictional point, making visitors believe that they are connected to the official network of the place where they are. For example, if the name of a given network consists of a random set of letters and numbers (such as Fritzboxxyz123), a Slotboom may create a name network (such as Starbucks). He says that people are much more willing to connect to it.
We are seeing more and more people connect to our fake network. A small black device lures them like siren songs, and few can resist. We have 20 laptops and smartphones in our hands.
I let him hack me so he could show me what he was capable of, but you can do it with anyone whose smartphone or laptop is looking for a wireless network to connect to.
You can hack everything, with very few exceptions.
There are almost one and a half billion smartphones in the world, and more than 150 million people use them in the United States alone. More than 92 million American adults use tablets and more than 155 million use laptops. Every year, the global demand for laptops and tablets is growing. In 2013, about 206 million tablets and 180 million laptops were sold worldwide. And for sure, every owner of portable devices has ever connected to public wi-fi – whether in a cafe, train or hotel.
But after spending a day with Wouter Slotboom, you’ll realize that almost anything, and almost anyone, connected to a wireless network can be hacked. According to a study conducted by Risk Based Security, more than 822 million personal records were available online in 2013, including credit card numbers, dates of birth, medical information, phone numbers and social security card numbers, addresses (normal and electronic), passwords and names. 65% of this information was published by Americans. According to Kaspersky Lab, in 2013, about 37.3 million people around the world — and 4.5 million Americans — were victims of phishing and pharming attempts, meaning data for online payments were stolen from hacked computers, smartphones and various websites.
There are more and more reports that suggest that fraud and interception of personal data are becoming an increasingly common problem. Hackers and cybercriminals have a whole arsenal of tools, but the prevalence of an open and insecure wi-fi connection makes their lives a hell of a lot easier. The National Cyber Security Center, a division of the Department of Homeland Security, has issued a recommendation that warns against using open wireless networks in public places, and advises avoiding financial transactions and discussing business issues when using them.
Slotboom describes himself as an “ethical hacker,” that is, he considers himself one of the “good guys” – IT fans who want to show the potential dangers of the Internet and high technology. It gives information protection advice to both individuals and firms. He usually does it like he does today, demonstrating how easily technology can do harm.
I will refrain from describing in more detail some of the technical aspects (names of devices, programs, and applications) that a hacker needs.
Armed with Slotboom's magical backpack, we move into the coffee shop, which is famous for the flowers adorning the foam of the local latte. This place was chosen by freelancers who work here for laptops. Now the coffee shop is full of people, and everyone is staring at their screens. Slotboom includes gadgets. The same algorithm of actions, and in a few minutes two dozen devices are connected to our network. And again, we see the names of their Macbooks and their connection history, sometimes their own names. At my request, we are taking the next step.
Slotboom launches another program (which can also be easily downloaded), allowing it to extract even more information from laptops and smartphones connected to the network. We see the technical details of the Samsung Galaxy S4 phone models, language settings and the operating system version (iOS 7.0.5). The latter can be valuable information for an attacker: if the device has an outdated version of the OS, then there are always already known “bugs”, holes in the protection system that can be easily exploited. This information allows you to hack the operating system and establish control over the device.
Now we’re looking at which sites the wireless network users around us are accessing. So, someone from the macbook browsing the news site Nu.nl, many send documents through the service WeTransfer, and some upload them to Dropbox. There's been some activity on Tumblr, someone just dropped by to read the tips on FourSquare. His name is also lit up, and by Google, we recognize the face of a man sitting just a few meters away.
Flows of information come even from those who are neither busy with work nor aimless browsing the Internet. Many applications and email services are in constant contact with servers, so the device can receive emails. In some cases, we can see exactly what information is sent and to which server.
Let’s stop there, but, in fact, it is not difficult to find out who owns this phone. By the way, we also see someone’s phone connect to a server in Russia and send a password that we could intercept.
Many applications, websites and programs use some kind of coding technology. They are necessary in order to ensure that the information that is sent and received by your device is not accessible to other people’s eyes. But once a user connects to Slotboom’s wireless network, these security measures can be relatively easily circumvented with decryption software.
To our surprise, we discover an app that forwards personal information to an online advertising company. Among other things, we see the location of the phone, its specifications and information about the wireless network. In addition, we now know the first and last name of a woman who uses the social bookmarking service Delicious. Basically, the pages that Delicious users share with each other are public, but it’s hard to get rid of the feeling that we’re spying on this woman once you realize how much we can learn about her.
First we google her name, and immediately we understand what she looks like, and we also identify where she is sitting in our coffee shop. She is a foreigner (though born in Europe) and has only recently moved to the Netherlands. With the help of Delicious, we learn that she visited the website of Dutch courses and bookmarked a page about courses for beginners.
In less than twenty minutes, we find information about where she was born and where she studied, learned that she is interested in yoga, bookmarked a website selling anti-snoring mattresses, recently visited Thailand and Laos and is actively looking for online tips on how to save relationships.
Slotboom shows me a few more hacking tricks.
We checked that it worked. Try another trick: anyone who opens a site containing images will see the pictures chosen by Slotboom. Everything sounds funny enough if you just want to joke, but nothing prevents you from uploading pictures of, say, child pornography to other people’s smartphones, and having such images on your phone is a criminal offense.
We're going to another cafe. Now I ask Slotboom to show me what he can do if he wants to seriously hurt me. He asks me to go to live.com and enter a random login and password. After a few seconds, the information I just entered appears on his screen. "Now I have the information to log into your email account," Slotboom says. The first thing I will do is change my email password and point out on all the services you use that I have forgotten my password from them.
We're doing the same thing with Facebook: Slotboom quite easily intercepts the login and password that I enter.
Another trick is to redirect Internet traffic. For example, when I go to my bank’s website, a hacker-created program redirects me to his page — a clone that looks just like the real site, but unlike him, is completely controlled by Slotboom. Hackers call this DNS spoofing. The information I entered on the site is stored on the Slotboom server.
I don’t know about you, but after what I’ve seen and experienced, I never want to connect to free Wi-Fi again.
Credit Moritz Martin
P.S. And remember, just changing our consumption – together we change the world!
Source: /users/1077