In May of 2016, a newspaper columnist reported he became a member of the mile-high hacked club while using American Airlines’ Gogo inflight internet service. USA Today’s Steven Petrow says a fellow passenger dropped a bombshell bit of information on him after the flight.
“I hacked your email on the plane and read everything you sent and received. I did it to most people on the flight.”
In related news, a 7-year-old girl recently showed how easy it is to hack unprotected public Wi-Fi hotspots by using information and techniques readily available on the internet. The girl hacked a Wi-Fi hotspot in a South London coffee shop in just 10 minutes and 54 seconds after watching a YouTube tutorial.
In 2015, in the U.K. alone, there were almost 170 thousand instances of identity fraud – a 49% increase from the year before. 53% of all frauds were identity fraud. Bank accounts were the most attractive fraud targets, with a 60% rise in attempts.
In total, 86% of identity fraud in the U.K. was committed online.
There’s something really freeing about taking your laptop or mobile device down to your local coffee shop, grabbing a cup of your favorite brewed beverage and sitting down to surf the web.
But are you aware of how vulnerable you are when you’re using your favorite Wi-Fi hotspot?
Most Wi-Fi networks that are created for home and business uses are password-protected and encrypted. However, most public Wi-Fi hotspots are set up strictly for convenience – not security. The idea is for customers to be able to connect, browse the web and hopefully stick around long enough to purchase another Grande, iced, sugar-free, vanilla latte with soy milk.
When you’re using an unprotected public hotspot, whatever you do online while connected to the internet is wide open for viewing by bad guys, hackers, government agents and other various creeps. That means your messages, emails, banking and shopping information, and every login under the sun is an open book to anyone who knows how to intercept your wireless connection.
In addition to electronically eavesdropping on you, bad guys can also set up a network honeypot to entice you to connect to it, thinking you’re connecting to the usual free wireless hotspot. They can then steal your logins and passwords, trick you into giving up other information and more. Even IT pros like myself can fall for something like this if we’re not careful.
In this post, I’ll be sharing tips on how to avoid such an embarrassing – and possibly very costly – situation.
In addition to the bad guys, you also have to look out for your fellow users. You can’t count on them being smart. It sounds mean, but you don’t know if they’ve kept their operating systems up to date, or if the last update they ran was when some guy from Texas was in the White House.
While we’d like to think everyone runs anti-virus and has their computer’s firewall turned on, you know there’s always that one guy who’s still running Windows XP – and who knows what nastiness he’s got gunking up the gears in his machine.
Researchers discovered in 2014 that it is entirely possible for a computer virus to spread via Wi-Fi. Think of it as if you are computing with everyone the other Wi-Fi users computed with, and everyone they have computed with, and everyone they have computed with, and…
Even if you run antivirus, practice safe computing and never stick your network connection anywhere it shouldn’t go, we have to remember other users might not be as conscientious – and who knows where their connections might have been.
In this article, we’re going to discuss the dangers of connecting to an unprotected Wi-Fi hotspot. We’ll also discuss how you can protect yourself by staying aware of the dangers and what you need to know in order to stay clear of said dangers.
We’ll take a look at some of the software and hardware tools the bad guys use to try to steal your data and personal information. We’ll also take a look at the best practices and tools you can use to foil their nefarious schemes. (Sorry, I always wanted to use “nefarious schemes” in a sentence.)
Don’t worry if you’re not an IT expert. I’m going to explain everything without using too much tech talk and instead try to keep everything on a level that even your folks would understand.
By the end of this article, you’re going to be able to walk into any internet cafe, coffee shop or airport boarding area, open up your laptop, and laugh in the face of the guy running the “Free Airport Wi-Fi” honeypot on his computer.
The Dangers of Using an Unprotected Wi-Fi Hotspot
The dangers of using an unprotected Wi-Fi hotspot, such as those found in coffee shops, airport boarding areas, hotels and other public areas are many.
You must assume that any traffic you send or receive via a public Wi-Fi hotspot can be monitored by other parties. That includes every personal message or email, login and password, or funds transfer from your bank account.
When you are using an unprotected Wi-Fi access point, you are leaving yourself open to a number of attacks by the bad actors of the world. We will discuss them in this section.
Account and Password Information Capture
If your apps or a website you connect to do not use an encrypted connection, instead sending login and password information via clear text, it’s child’s play for a hacker to intercept the transmission and capture that login information. Once a hacker has that info, they can access your personal accounts at their leisure.
Intercepting Messaging and Web Site Traffic
Unencrypted instant messaging apps and requests sent to websites can also be intercepted. The bad actor can then monitor that traffic, gleaning useful information from the data stream between you and the other party.
While most popular messaging apps and commercial websites now encrypt their traffic, there are some that don’t. Make sure your messaging app is protected by encryption.
As an example, WhatsApp and Apple’s Messaging app provide end-to-end encryption, with both companies claiming they couldn’t decrypt a protected conversation even if faced with a court order. Meanwhile, a normal SMS text message is not encrypted.
Make sure the messaging app you use is from a reputable developer. Do some research before making a choice as to which messaging app to use. Stick with the big guys like Apple and WhatsApp, and you’ll be fine.
If a hacker can intercept the traffic between two points, they can also change the data being sent.
This could be something as simple as changing your personal “I love you” message to your significant other to something like “I can’t stand you, you stink.”
What you said
What they actually saw
It could also be something as horrible as intercepting delivery information, so that new laptop you just ordered is delivered to their doorstep instead of yours.
Accessing Data on Your Machine
This one is particularly dangerous to users of unprotected hotspots. If you have file sharing turned on, anyone on an unprotected Wi-Fi network could connect to your computer and copy files to or from the device’s hard drive.
Hackers can use this hole to steal files from the folders on your computer’s drive, or to drop malicious files onto the drive and use them to take over your machine. Your computer would be used for their nefarious schemes, while you were none the wiser.
The Types of Attacks Used by Hackers
In this section, we’ll discuss the types of attacks a hacker could use in an unprotected Wi-Fi environment like those you’d find at your local coffee shop and other locations.
These include the Fake Access Point “Evil Twin” attack, the “Man-in-the-Middle” attack, and other methods hackers use to steal your personal information or place malware onto your machine.
We’ll also take a look at the “Pineapple Wi-Fi” device, which is a $99 piece of consumer hardware readily available on the web.
The Pineapple can be made to appear as a real Wi-Fi hotspot and can collect data or run scripts and other software to appear as a respectable website in order to steal login and other personal and business information.
Afterward, we’ll discuss the ways you can protect yourself from these attacks.
The Fake Access Point “Evil Twin” Attack
The Fake Access Point attack is also known as the “Evil Twin” or “Honeypot” attack. This type of attack involves a hacker setting up a fake Wi-Fi connection in order to steal login credentials and other important personal and business information.
This attack method involves the hacker setting up their own “free Wi-Fi” access point that appears similar to the genuine access point set up to allow patrons of a business to access the internet while they drink a coffee, wait for a plane or browse a store.
Hackers will set up an access point and name it an inviting label so users will feel comfortable accessing it. Such an access point might be named “Starbucks Free Wi-Fi” or “Target Guest Wi-Fi.”
If you see an access point with a name such as this while you’re blowing the foam off of your cappuccino or trying on that new blouse, you’re liable to connect without a second thought.
Once the user’s computer or mobile device is connected, the fake access point can then monitor and collect login information, banking information and more.
It can quietly sit in the background and collect the data as it passes through, or it can actively try to fool you into thinking it is the website or service you are attempting to connect to. It does this via the “Man-in-the-Middle” method.
The Man-in-the-Middle Attack
Apple reports concerns that a man-in-the-middle attack may be stealing iCloud users’ login credentials. The U.S. National Security Agency is reportedly running man-in-the-middle attacks that imitate Google’s servers. British spies use a form of the attack to target employees of the Global Roaming Exchange.
These are only a few of the real-life examples of how everyone from crooks to the government (am I being redundant?) are using this form of attack against internet users.
Typically, communication flow occurs between a server and a client, and is authenticated in various ways.
A well-known scenario of this type is when you’re connected to Amazon or another online merchant to browse products. In order to purchase anything from an online merchant, you are usually required to send your login information (username/password) and the Amazon server checks your credentials and sends back either a confirmation of your successful login or a notification to re-enter your info.
Once you’re logged in successfully, Amazon then allows you to purchase and pay for any merchandise you order via the payment information you have on file. It will then ship your purchase to the address it has on file for you.
The “Man-in-the-Middle” attack is when an attacker secretly intercepts and relays the communication between two parties that believe they are directly communicating with each other.
In the case of our Amazon example, the attack can intercept the flow of data between a user and Amazon, possibly changing the data along the way. It can also collect information that is sent back and forth between the two parties, such as the user’s login and password information, the order information, credit card info or where the order is to be delivered.
This is only one form of the “Man-in-the-Middle” attack. There are other ways to use this type of session-hijacking to benefit the bad actor. Users can also change the data sent between the two parties or sniff data packets to steal cookies and gain access to the genuine user’s session with the server.
Both of the attacks above can be performed using a devious little piece of hardware called the “WiFi Pineapple.”
While supposedly sold for the purpose of network auditing to test a network’s security setup, it is mostly used by budding hackers to set up false access points in order to perform man-in-the-middle and evil-twin types of attacks.
The WiFi Pineapple connects to a hacker’s machine via USB or an Ethernet connection, and with just a web browser and an internet connection, it can pose as a wireless access point. This allows the bad guy to monitor all of the unprotected data traffic of any user who connects to the fake access point.
By using the WiFi Pineapple, and making use of a number of readily available scripts and apps created for the Pineapple, anyone can easily steal information from an unsuspecting user. The Pineapple offers an easy-to-use web-based interface that allows even novice hackers to easily set up an attack on unsuspecting users.
The WiFi Pineapple is available for as little as $99.99, which gets the buyer a WiFi Pineapple NANO, and for as much as $250 for the Pineapple TETRA TACTICAL. The devices are available from the WiFi Pineapple website and can be purchased by anyone.
There are a number of websites out there where new Pineapple owners can get information about using the device for all sorts of unsavory purposes. This makes it particularly dangerous, as any reasonably-informed computer user can set up and make use of a Pineapple device, with no previous hacking knowledge required.
While sales of the device to the general public have led to claims that their are no legitimate uses for the device, Darren Kitchen, one of its creators, says to tell that to the government agencies and corporate IT penetration testers the company has sold the devices to.
You’ve likely seen the terms and conditions agreement many companies require Wi-Fi users to “read” and agree to in order to connect to the free access point. This is generally a good thing to see, indicating that in most cases, the Wi-Fi access point is legit. However, the WiFi Pineapple can also be set up to convincingly mimic the legitimate agreement page, making the “evil” connection appear to be the usual legal mumbo-jumbo page with the button that everyone clicks to accept the terms without ever reading them.
In a 2014 experiment, several Britons agreed to a Wi-Fi hotspot terms and conditions agreement that actually contained a “Herod clause” which said the Wi-Fi was provided only if “the recipient agreed to assign their first born child to us for the duration of eternity.”
Do you think they actually read the terms, or were their children just that horrible?
Good Practices to Protect Yourself
The aim of this article is not to warn users of using unprotected Wi-Fi hotspots altogether. After all, an unprotected hotspot might be your only internet connection option if your wireless provider has lousy coverage in the area you’re in. However, I cannot stress enough how dangerous they are.
Luckily, there are a number of good practices you can follow to protect yourself when you’re connected to such a hotspot.
Find Out the Name of the Genuine Hotspot
This is probably the easiest way to ensure you don’t fall victim to connecting to a fake hotspot. Ask an employee what the name of the hotspot is. Sure, they’ll probably roll their eyes and scoff a bit, but they’ll tell you – or, at the very least, point to the sign on the wall. (Oh yeah, many businesses will post the name of the Wi-Fi hotspot on the wall, or maybe the menu board. If you’re lucky, they also include a password, which means it’s encrypted.)
Usually when you check into a hotel or motel that offers free in-room Wi-Fi, they’ll hand you a slip of paper with a network name and password you can use to connect once you’re settled in. If all they tell you is a network name, be sure to make use of the following ways to protect yourself while connected. While being alone in your room might make you feel a bit more secure, you are still connected to a Wi-Fi hotspot being shared by everyone else. It’s just spread out over a much larger area.
Use a VPN
Once upon a time VPNs were for the rich or were used mostly for corporate network access by employees working from home or from the road. However, this has changed in the last few years. There are numerous companies that offer great protection to the average computer or mobile-device user at a reasonable price.
Wait, what’s a VPN? Good question, you there in the front row. A VPN is a Virtual Private Network. A good VPN provider offers a number of excellent protections for the average internet user.
However, there’s just one protection we’re interested in right now: the ability to encrypt an internet connection.
An encrypted connection protects the data you send and receive over any internet connection. The VPN app on the user’s device encrypts the data being sent and received on the device, and the encrypted data stream is sent to the VPN provider’s server, where it is then forwarded to the intended recipient, be that a website, email server or other web-based service.
Many VPN providers also provide browser extensions that allow users to toggle VPN protection on and off directly from their browser. Also, if all you care about is protecting your browser traffic from prying eyes, and you don’t want to pay for a VPN, be sure to look into downloading Opera’s latest browser, which includes a built-in free VPN.
Encryption prevents any outside party from viewing the information you are sending and receiving. While it’s true that no level of encryption is completely unbreakable, I’d venture to say that most hackers are looking for an easy mark, and when they see that you’re using an encrypted connection, they’ll move on to the next prospect. Remember, the main reason the hacker is poking around on the Starbucks Wi-Fi access point is because it’s unencrypted.
Here on Pixel Privacy, we’ve studied the best VPNs for public Wi-Fi hostpots. Be sure to take a look at that article once you’re finished with this article for more information about the highest-rated VPN providers.
Enable Your Computer’s Firewall
When using your home Wi-Fi, your computer is protected by a firewall. (More about that a bit later.) However, an unprotected Public Wi-Fi Access Point usually offers no firewall protection at all. If you’re not using a VPN to protect your connection, make sure your computer’s firewall is enabled before connecting to a Wi-Fi hotspot.
Click Here to Learn How to Turn on the macOS Firewall
- hashtagTo turn on your Mac’s firewall, click the Apple in the upper left-hand corner of your Mac’s desktop. Click “System Preferences…” in the pull-down menu.
- hashtagNext click “Security and Privacy” in the System Preferences icon menu.
- hashtagClick the “Firewall” tab, as shown below, and then click the lock in the lower left-hand portion of the window to make changes.
- hashtagNext, click the “Turn on Firewall” button to enable your Mac’s firewall. Click the lock again to prevent any further changes. (If the button instead says “Turn Off Firewall,” the firewall is already enabled.)
- exclamation-circleNote: You may have to enter an Administrator password after you click the lock.
Click Here to Learn How to Turn on the Windows Firewall
- hashtagClick “Start,” then scroll down to “Windows System.”
- hashtagUnder Windows System, click “Control Panel.”
- hashtagIn the Control Panel, click “System and Security.”
- hashtagIn System and Security, click “Windows Firewall.”
- exclamation-circleYou could be asked for an administrator password or to confirm your selection. Next, select the networks you want to change settings for, then click “OK.”
Keep “Sharing” Turned Off
When you’re connected to a public Wi-Fi network, even one that is actually protected by a password, you won’t want to be sharing anything stored on your computer. That means you’ll want to make sure things like file sharing are turned off in your settings. Windows users will find those settings in the Control Panel, while macOS users will find the “Sharing” settings in their System Preferences.
Here’s how to turn off Sharing in Windows 10/8/7 and macOS/Mac OS X:
Click Here to Learn How to Turn Off Sharing in Windows 10
- hashtagClick on the Windows icon, then click “Settings” -> “Network and Internet” -> “Wi-Fi.”
- hashtagNext, scroll down until you see the Advanced sharing settings.
- hashtagClick “Turn off network discovery” and “Turn off file and printer sharing” to turn them off. Save your changes.
Click Here to Learn How to Turn Off Sharing in Windows 8
- hashtagGo to the Control Panel and click “Network and Internet” -> “View Network Status and Tasks” -> “Change Advanced Sharing Settings.”
- hashtagTurn off “File and Printer Sharing” and “Network DIscovery.” Save your changes.
Click Here to Learn How to Turn Off Sharing in Windows 7
- hashtagGo to the Control Panel and click “Network and Sharing Center” -> “Change Advanced Sharing Settings” -> “Home or Work.”
- hashtagTurn off “File and Printer Sharing.” Save your changes.
Click Here to Learn How to Turn Off Sharing in macOS/Mac OS
- hashtagClick the Apple icon in the upper left-hand corner of your Mac’s Desktop.
- hashtagClick the “System Preferences…” menu option. When the System Preferences window opens, click the “Sharing” icon.
- hashtagMake sure the “File Sharing” option doesn’t have a check mark next to it. If it does, click it to clear the checkbox. Close the window.
Windows users can also disable Sharing by choosing the “Public” option when connecting for the first time to a new network. Windows will take care of temporarily turning off sharing while you’re connected to the selected networking.
Use SSL Connections for Websites
If you don’t have the ability to connect to the internet via a VPN, you can still make use of encryption to protect at least some of your data via an SSL (Secure Sockets Layer) connection to the websites you use. Most banking, shopping and other websites that require you to verify your identity before using them offer an SSL connection.
When you’re connecting to a secure site, you’ll see a little green padlock in the address field, as seen above. If you click the lock, it will display the information about your encrypted connection.
SSL is a layer of encryption used in web browsers to protect your data.
One means of access hackers use to steal your information is to divert you away from an SSL-protected website following your login, or to spoof the address with an unencrypted website, which steals your login credentials before forwarding you to the real website.
You can ensure you’re protected by forcing your browser to always use HTTPS on websites you frequently access that require a login. The way to do that is to use the HTTPS Everywhere extension, which is available for the Firefox, Chrome and Opera browsers. HTTPS Everywhere automatically activates HTTPS encryption for all known supported parts of websites that support HTTPS.
After collecting a user’s login information, hackers can try the login on various websites in an attempt to gain access to all of the websites a user may frequent. They attempt this due to the fact that too many users re-use their login information on multiple websites. This is a bad habit to fall into. Always make sure to use at least a different password on each site, and if possible, never re-use the username.
Keep Your Wi-Fi Turned Off When Not Using It
If you don’t currently need an internet connection for your computer or device, turn off the Wi-Fi connection. Even if you aren’t actively pulling data down from the internet, your computer is still connected to the unprotected access point, and hackers could gain access to your device – especially if you’ve left Sharing turned on. (See above.)
By disabling your device’s Wi-Fi capabilities when not in use, you turn it into an isolated island, preventing access by anyone who doesn’t have physical access to your computer. As an extra benefit, you’ll find that by turning off the Wi-Fi radio on your computer or mobile device, you’ll also extend the battery life just a bit. I’m not talking hours here, but sometimes even a few extra minutes of battery life can make a difference.
Install Malware Scanners and Antivirus Apps
While most folks think malware scanners and antivirus apps are strictly for the Windows crowd, it’s a fact that macOS computers are becoming more and more attractive to hackers due to their increased popularity. While macOS is a fairly secure operating system, it still doesn’t hurt to install a malware scanner and maybe an antivirus app.
Connecting to an unprotected Wi-Fi hotspot is similar to having unprotected sex. You are running a good risk of catching something. It may not make your hard drive fall off, but it could still screw up your life. (Remember that guy I mentioned earlier who’s still running Windows XP? You KNOW he’s got something nasty to share with everyone.)
How to Protect Yourself at Home
While you should feel safe in your own home, you also shouldn’t lull yourself into a sense of false security either. When using your own Wi-Fi connection at home, make sure you keep it safe from prying eyes.
Sure, everyone wants to be a great guy and help a neighbor out, but I always draw the line at leaving my Wi-Fi router’s signal unprotected. I always have my network password protected with WPA2 encryption, and you should too. I’ll help a buddy out and supply the guest network password to most of my friends and family when they visit. But there’s no way I’m going to allow my next-door neighbor or someone walking down the street to access my private network.
In addition to leaving yourself open to outside attacks that could possibly steal your data and corrupt your computers and other devices connected to your network, you also leave yourself open to being responsible for an unauthorized user’s actions.
Home Wi-Fi network owners have literally found themselves being dragged out of bed early in the morning by the police. They have had their computer equipment and other electronic devices confiscated due to suspicion of being involved in stealing copyrighted content, or even worse – child pornography.
In one documented case, it was discovered that a nearby neighbor had used a family’s unprotected Wi-Fi signal to download child porn. You do not want to go through that!
Take the following steps to protect your home wireless network so that you and your family can rest easy.
Change the default administrator login and password
Most wireless routers use a default username and password to allow you to access their settings right out of the box. This default login information is well known for most, if not all, manufacturers and is readily available on the internet. In some cases, directly from the manufacturer’s website.
Change this immediately!
Turn on network encryption
All but the oldest wireless routers support some form of encryption. If it doesn’t, throw it away and buy a more modern router. Set your router to WPA or WPA2 encryption, following the instructions you received with your router. This will help keep any unauthorized parties from tapping into your wireless network.
Change the router’s default SSID
A router’s SSID (Service Set Identifier) is simply the name of the network. When you’re at Starbucks and you look for and connect to their wireless network, which is named “Starbucks Free Wi-Fi,” that name you look for in the network listing on your device is the SSID of the router.
A network that is still named the same as when it came out of the box indicates the owner of the network might be a bit lax and slacked a bit on things like security too. It’s almost the same as sending out a “please hack me” message to the world.
When you rename your wireless router, name it something fun. Don’t just name it “Johnson_WiFi,” name it something cool like “FBI_Surveillence_Van_2371” or “Pretty Fly for a WiFi.” It’s not a requirement, but it might make that scamming neighbor of yours at least think twice before trying to connect to your wireless network.
Make sure your router’s firewall is enabled
While most routers come out of the box with the firewall turned on by default, it is simply a good practice to double-check that it is indeed enabled.
WHEW! We’ve covered a lot of ground in a short amount of time, so let’s go back over the highlights to make sure we’ve covered everything. (Don’t worry though, there won’t be a test.)
As we’ve learned, your connection to unprotected public Wi-Fi can be easily monitored or intercepted, allowing the bad guys to steal your personal and business information. We’ve also learned what you can do to foil a hacker’s nefarious schemes.
Recap: The Best Ways to Protect Your Public Wi-Fi Connection
Make sure you know the name of the genuine free Wi-Fi hotspot in a coffee shop, hotel or other public location.
This cuts down on the chances of connecting to a similarly-named or “Free Wi-Fi”-spoofed connection.
Use a VPN app.
Installing a VPN app allows you to connect to any unprotected Wi-Fi network, secure in the knowledge that your connection is encrypted and kept safe from the prying eyes of anyone attempting to monitor or steal your logins, banking information and other important info.
If you don’t have a VPN app, at least make sure your computer’s firewall is turned on.
It just takes a few clicks on any Windows 10 or macOS computer to enable the firewall. This keeps the bad guys from probing vulnerable ports that could be used to access your computer.
Turn off sharing.
Always make sure you have Sharing turned off when using your computer to access an open Wi-Fi connection. Believe me, you don’t want to share anything on your computer with anyone who uses a public Wi-Fi hotspot.
Always use SSL connections to any websites you use while on a public hotspot.
This keeps any information you’re sending or receiving encrypted. This is especially important for any banking or shopping sites where you’ll be exchanging sensitive info such as checking or credit card account info.
Install antivirus and malware apps on your computer.
Allow them to scan your computer on a regular basis. Yes, even if you use a supposedly “safer” Mac computer.
Keep your computer’s Wi-Fi turned off if you’re not using it for the internet.
If you’re writing the next great American novel in Word, you don’t need an internet connection. Besides, it’ll probably improve your productivity without any distractions. Plus, you get the side-benefit of better battery life!
Have Fun But Stay Safe!
Public Wi-Fi hotspots offer a great way to stay in touch with friends, family and business associates. While it sometimes seems like it’s a 21st-century “wild west” out there, using open hotspots can be safe – as long as you follow the advice we’ve laid out here.
Be sure to practice safe computing while you’re out and about, and you’ll be able to keep your personal and business information safe and sound.