Free WiFi: Price? All your personal information

Sitting in an airport you rarely frequent, you grab your laptop and snap out a couple e-mails to send, and look, there’s a free WiFi hotspot. Bang, you connect and send, and are off on your way. What you don’t know is the free WiFi may come with a price: your login credentials and network traffic being sniffed and captured before sending them along to the real WiFi hotspot, and your information stolen enroute, undetected.

The unsuspecting business traveler or coffee shop hounds will use WiFi wherever they find themselves. Usually the establishments they frequent will have a WiFi hotspot for customers. Airports often have free WiFi for travelers, supported by the business community who may have a splash page with ads when a user logs in, to offset the cost of providing the service. Usually these type services are clearly posted in some conspicuous location, which clear instructions for use. Many times (though not all), “official” hotspots will be secured using some kind of authentication, so you may have to enter a passphrase to login, which is a “good thing”, meaning the communication is more secure.

What raises the flag of awareness is when there is a hotspot with a name you don’t recognize, or that is very similar in SSID (name) to the official one, maybe one character off. Be especially aware of “unsecured” hotspots, ones where you don’t need to enter a password to gain access. Most of the time, scammers will create an unsecured WiFi hotspot for their shenanigans using common laptop hardware and a couple crafty applications, but it normally won’t require a passphrase, making it “easier” to use for unsuspecting travelers.

The magic happens through a proxy technology, which intercepts your WiFi communication, captures and stores a copy locally on the scammer’s laptop, then sends your information on to a “real” WiFi hotspot. This will slow down your traffic a little, but with congested networks, it’s hard to tell if your traffic’s being snooped, or just many users logging on at the same time to a “real” hotspot.

If you want to login to check bank balances, buy something for your wife or catch up on e-mail, your computer sends the login information across the network, this is the goldmine scammers look for. Normally, if you login to a bank website, you’ll see the bank address beginning with “https” rather than “http”, this means the traffic is encrypted, which is far better than unencrypted http traffic. But if scammers capture the encrypted credentials, they can still run a program later that will try many combinations in an attempt to decrypt your encrypted credentials. If they have the information, they have all the time in the world to work on decrypting it, so you may notice fraudulent account activity days or weeks later, long after you’ve left the coffee shop or airport. If the login information you send is unencrypted to begin with, like typing username/password on a normal “http” site, it makes the task all that much easier. Remember, scammers are lazy, and will try for the lowest hanging fruit first. It’s the old analogy that thieves want to steal A car, not necessarily YOUR car, so they’ll steal the easiest one they can get, that looks like it’ll generate the most profit for them.

Sometimes you have to do banking and other more secure transactions on the road. If you can manage to wait until you can get to a network you know and trust (like home/work), you can have a little more peace of mind. If, however, you’re a road warrior or just need your morning latte, spend an extra couple seconds verifying that you’re logging in to the network you are expecting to, not a fake.

Author Cameron Camp, ESET

  • Jason

    Sorry Cameron, your article goes to pot on the details. Hackers will not try to decrypt credentials that were encrypted over HTTPS. There is much lower hanging fruit for them to attack, like unecrypted mail sessions and stealing live session ala Firesheep methods.

  • Jason

    To follow up on the last comment, any competent hacker would just set up a man in the middle attack on the “evil twin” WiFi access point. And the easiest is if they force a downgrade to HTTP, which is not technically difficult, as this would not even show the certificate error dialog box to the user.

  • Cameron Camp

    @Jason: Thanks for the comments. I can think of a few other ways to do the same thing as well, but for users, similar advice applies.

  • Mike

    I was talking about this to someone recently who was logging into their workplace FTP on a public network. They didn't want to listen but I mean he's just hanging his details out there.
    I was looking at getting a wifi repeater the other day (this one ) and it occured to me that considering I'm frequently connecting new devices to my network the only reason I know I'm actually connecting to my network for sure is my ancient access point covers my room and barely anything more. Maybe I should just stick with the bad range in favour of security.

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

1 article related to:
Hot Topic
14 Jul 2011
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.