Free Wi-Fi is pretty much everywhere these days – it’s available in hotels, cafés, restaurants, and some businesses are even offering it for their customers. But could you be putting yourself at risk by “signing on” to that “FREE” service?
What you probably don’t realise is how easy it is for hackers to take advantage of your willingness to use FREE Wi-Fi so they can steal passwords, credit card details and your identity, and infect your computer so that it can be used later in their botnets.
The simplest way that a hacker can compromise public Wi-Fi services is to perform what we call a “man-in-the-middle” attack.
There are several ways a hacker can perform a man-in-the-middle attack. The simplest is for the hacker to connect to the same public service as you and run software that tricks the other computers on the network into believing the hacker’s machine is the Internet router/gateway.
We call this trickery “spoofing”, and it is a relatively easy process thanks to the availability of several programs that do all the hard work for you!
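As an added illustration (not code from the original post), here is the kind of check a defender can run against the gateway spoofing just described: record the gateway’s hardware (MAC) address when you first join the network, then re-read the ARP cache and flag the gateway entry changing or one hardware address answering for several IP addresses. The ARP snapshots and addresses below are constructed for the example in the style of `arp -an` output.

```python
"""Spot ARP-based gateway spoofing from ARP cache snapshots (added example)."""
import re
from collections import defaultdict

# Matches "? (10.0.0.1) at 0:11:22:33:44:55 on wlan0 ..." style lines;
# "(incomplete)" entries deliberately do not match.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})", re.I)

# Constructed snapshots: a clean cache, then one after a poisoning attack in
# which 10.0.0.23 has claimed the gateway's IP address as well as its own.
BASELINE = """\
? (10.0.0.1) at 00:11:22:33:44:55 on wlan0 ifscope [ethernet]
? (10.0.0.23) at 66:77:88:99:aa:bb on wlan0 ifscope [ethernet]
? (10.0.0.40) at (incomplete) on wlan0 ifscope [ethernet]
"""
POISONED = """\
? (10.0.0.1) at 66:77:88:99:aa:bb on wlan0 ifscope [ethernet]
? (10.0.0.23) at 66:77:88:99:aa:bb on wlan0 ifscope [ethernet]
"""

def normalise_mac(mac):
    """Lower-case and zero-pad each octet so 0:11:... and 00:11:... compare equal."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def parse_arp(text):
    """Return {ip: set(of MACs)} from arp -an style output."""
    table = defaultdict(set)
    for m in ARP_LINE.finditer(text):
        table[m.group("ip")].add(normalise_mac(m.group("mac")))
    return table

def learn_gateway_mac(gateway_ip, text):
    """Trusted MAC for the gateway, taken from the first (clean) snapshot."""
    macs = parse_arp(text).get(gateway_ip, set())
    return next(iter(macs)) if len(macs) == 1 else None

def check_snapshot(gateway_ip, trusted_mac, text):
    """Return a list of alert strings; an empty list means nothing suspicious."""
    table = parse_arp(text)
    alerts = []
    macs = table.get(gateway_ip, set())
    if macs and normalise_mac(trusted_mac) not in macs:
        alerts.append(f"gateway {gateway_ip} MAC changed: {trusted_mac} -> {sorted(macs)}")
    owners = defaultdict(set)  # MAC -> IPs claiming it
    for ip, ip_macs in table.items():
        for mac in ip_macs:
            owners[mac].add(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} answers for several IPs: {sorted(ips)}")
    return alerts

if __name__ == "__main__":
    trusted = learn_gateway_mac("10.0.0.1", BASELINE)
    for alert in check_snapshot("10.0.0.1", trusted, POISONED):
        print("ALERT:", alert)
```

On a real client you would replace the constructed strings with the output of your platform’s ARP listing and re-run the check periodically while connected.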
For example, just Google “DROIDSHEEP” and you’ll find a nifty little Android application which you can run on a mobile device to gather Facebook account details for anyone connected to the same wireless network as yourself. (This can be overcome by simply turning on the option in Facebook that requires an HTTPS/secure connection to their services.)
Here’s another one for you. Google “SSLSTRIP” and you’ll find a tool that demonstrated how easy it is to fool computers on a network into passing all their data through it, stripping the “secure” (HTTPS) connections down to plain HTTP so account details can be gathered.
And let’s not forget about that “little” Heartbleed SSL exploit they discovered earlier this year which made HTTPS/SSL secure connections worthless for a scary number of commonly used websites.
The second method, the Wi-Fi “honeypot”, requires a little more effort, with the hacker setting up a piece of physical hardware which either acts as a free public Wi-Fi service or mimics an existing or nearby one.
With a honeypot, the hackers control the physical device you are connecting through, so it is even easier for them to grab and dissect the data your computer is sending. What’s more, they can even trick you into “paying” a small fee for Wi-Fi access (when it isn’t “free”), tricking you into giving them your credit card details!
If you’re sceptical about this, just Google “Wi-Fi Pineapple” and you’ll find a ready-made device for security professionals to use in penetration testing – which is the process of testing a business’s security using a range of tools, including social engineering.
Whilst it’s promoted for security professionals, don’t think there isn’t some crim out there leveraging this piece of kit for their own purposes.
What can I do to protect myself?
There are so many ways you can have a personal, secure, mobile internet service that you’d have to have rocks in your head to want to use a potentially insecure public service to save a few dollars.
You could simply tether (connect) your laptop or tablet to your mobile phone to gain internet access, obtain a broadband USB dongle, or use a personal “MiFi” mobile broadband hotspot, to name but a few of the options that are a thousand times better than risking a public service.
But what if I’m overseas?
I travel overseas quite a bit for business and have absolutely no interest in paying Telstra the ridiculous rate of $3.00 per MB of data I use.
I did this once when I visited New Zealand on a snow holiday and found out pretty quickly how even a single check of the weather reports each day on my mobile phone resulted in a $300.00 “International Data” charge!! Never to be repeated again.
If you’re heading overseas, grab yourself a SIM card for the region you’re heading to and either use it in your own mobile phone, or an unlocked mobile broadband hotspot.
You can usually find mobile phone stores in most airports on your arrival, however if you’d rather not take the gamble you can use a service like MrSimCard (www.mrsimcard.com) who will ship a SIM card to your hotel for you to pick up when you check-in. (I use MrSimCard a lot and highly recommend them!)
What if I’ve got no other option?
To avoid putting yourself at risk, get your IT guy to install an IPsec-capable VPN firewall for your business and set up a VPN connection on your devices, so that all your Internet traffic is routed through the encrypted tunnel back to your office.
This way, even if you’re forced to use the only public Internet service available to you, you can rest a little easier knowing that you control the security of the connection!
Have a technology related question? Either post in the comments box below or drop me a line.