Tales from the Certified Hacker: Would you like free WiFi with that, sir?

01 Sep 2016

Free public WiFi: would you throw your wallet into a fire just because it is there?  Using free public WiFi is fraught with even worse dangers.  While it may be convenient to use a city, airport, shop or fast food restaurant's free WiFi system to catch Pokemons or perform any other action on a mobile device instead of using a Telco plan’s data, beware of hackers

It is relatively simple to set up a man-in-the-middle attack on unsuspecting free WiFi users (marks).  All it takes is a hacker with a small WiFi transceiver configured with the same SSID (Service Set Identifier) as the target free WiFi system, such as ‘shopname’ free WiFi.  This WiFi transceiver is connected to a computing device, such as an Android/Linux/Unix/Windows phone or tablet, which is finally connected to the ‘shopname’ free WiFi.  The mark/customer connects to the hacker’s WiFi transceiver due to the stronger signal than the free public WiFi transceiver.  The connection then goes via the hacker’s device to the correct public free WiFi system, and the mark is none the wiser.

The connection path is: mark’s device -> hacker’s WiFi -> hacker’s computer/device -> free public WiFi.

This gives the hacker the ability to inspect, capture and change the entire communications between the mark’s device and the endpoint web server bank or email system the mark is connecting to; simply by using packet inspection software such as Wireshark (Windows/Unix/Linux) or Packet Capture (Android).

The end result is that by using public WiFi, the mark is opening the device up to interception, hacking and having trojans, worms, keyloggers or viruses placed on it; obviously without the knowledge of the mark.

Moral of the story?  Don’t use public WiFi, regardless of how desperate you are to save the data on your phone or other device.  Especially, do not use public WiFi for internet banking.

Are you protected by Certified Ethical Hacker?

Terry