You enjoy “free internet” through Wi-Fi hotspots at libraries, coffee shops, bars, and other public places. It seems harmless. Little do you know, a stranger could learn your birthplace, the schools you attended, and your recent search history in 20 minutes.
Just a couple of years ago, strangers could log in as you on Facebook if you were on the same Wi-Fi network as them. They’d be able to view and send messages from your account, and even post statuses.
You don’t have to swear off public Wi-Fi for the rest of your life, and it’s not entirely the venue’s fault. Instead, let’s figure out why public Wi-Fi is so attractive to hackers and explore how they steal your information. We’ll share a simple solution that protects you from the vast majority of hackers’ strategies and tactics.
Public Wi-Fi security: how hackers steal your data
Most public connections are either unsecured or have shared passwords. Public Wi-Fi makes for an easy target for hackers.
Hackers want to sit between you and the websites you visit in order to look at your information. They do this with little effort on public Wi-Fi. Besides the lack of security, all sorts of different people might share their sensitive information through public Wi-Fi.
In comparison, let’s say a hacker eavesdropped on someone’s residential Wi-Fi. The hacker would only see sensitive information from one or two people before they needed to hack another house.
Where do sniffers come from?
Hackers use sniffers to steal data, spy on network activity, and collect information on users. Usually, the end goal is to obtain passwords and account information for banking and shopping sites. Typically hackers place sniffers in places that offer unsecured Wi-Fi connections such as those found at coffee shops, hotels, and airports. Sniffers are also used to impersonate other devices on the network in what’s known as a spoofing attack in order to steal sensitive information.
How do you recognize a sniffer?
Unauthorized sniffers can be virtually impossible to detect and can be inserted almost anywhere, making them extremely dangerous to a network's security. Basic users will likely never know if a sniffer is spying on their network data. You could, in theory, run your own sniffer and monitor DNS traffic to find other sniffers, but for the standard user it’s much simpler to run anti-sniffer software to catch any intruders, or to use an internet security program that will hide your browsing activity.
The Man In the Middle
Most hackers strike with a man in the middle (MITM) attack. Simply put, they watch or tweak your data in transit.
In a MITM attack, the hacker sees the information going to and from your computer. They intercept, and alter, the communication between you and the website. (Think that sounds scary? Just wait till your appliances connect to the internet.)
The Evil Twin
The “evil twin” is a variation of the MITM attack. With this attack, hackers set up rogue Wi-Fi hotspots. You might connect to a harmless-looking hotspot, such as one named “Free Public Wi-Fi”. You figure that maybe someone was being generous.
Little do you know, you might have fallen right into a hacker’s trap. Once you’re connected, hackers can see any data you send and receive through this internet connection.
Devious hackers can set up a legitimate-looking Wi-Fi connection. For example, hackers can broadcast a network name that’s the name of a coffee shop or library. Unsuspecting victims will connect to the evil twin. Unfortunately, their computer still appears to be connected to the legitimate hotspot.
Some hacker techniques are advanced enough to lure your computer into automatically connecting to their Wi-Fi connection. They do this by broadcasting fake certificates and credentials that match routers you’ve connected to in the past.
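One way to check a list of nearby networks for the evil twin described above, as an added example that is not part of the original article: it flags a network name advertised both open and encrypted, and a saved network that reappears with different security than when it was saved. The scan records, field names and saved-network list are constructed for illustration; several access points sharing one name and one security mode is normal and is not flagged.

```python
from collections import defaultdict

# Constructed scan results for illustration, not captured from a real network.
SCAN = [
    {"ssid": "CoffeeShop", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2"},
    {"ssid": "CoffeeShop", "bssid": "aa:bb:cc:00:00:02", "security": "WPA2"},
    {"ssid": "CoffeeShop", "bssid": "de:ad:be:ef:00:01", "security": "OPEN"},
    {"ssid": "Library-Guest", "bssid": "11:22:33:00:00:01", "security": "OPEN"},
    {"ssid": "HomeNet", "bssid": "66:77:88:00:00:01", "security": "OPEN"},
]

# Hypothetical saved-network list: SSID -> security mode seen when it was saved.
SAVED = {"CoffeeShop": "WPA2", "HomeNet": "WPA2"}


def find_suspect_networks(scan, saved):
    """Return sorted (ssid, bssid, reason) tuples for access points worth a second look."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = set()
    for ssid, aps in by_ssid.items():
        modes = {ap["security"] for ap in aps}
        expected = saved.get(ssid)
        for ap in aps:
            # Rule 1: one network name advertised both open and encrypted.
            if len(modes) > 1 and ap["security"] == "OPEN":
                findings.add((ssid, ap["bssid"], "open-copy-of-encrypted-network"))
            # Rule 2: a saved network reappears with security that differs
            # from the profile stored on the device.
            if expected is not None and ap["security"] != expected:
                findings.add((ssid, ap["bssid"], "differs-from-saved-profile"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_suspect_networks(SCAN, SAVED):
        print(*finding, sep="  ")
```

This is a heuristic: it only catches copies whose advertised security differs from the real network's, so a clean result does not prove a hotspot is genuine.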
The Packet Sniffer
MITM and evil twins aren’t the only strategies for hackers. They use software called packet sniffers to collect victims’ data. A packet sniffer captures all packets of data that pass through a network interface (e.g., the network interface card in your computer).
Network or system administrators can use packet sniffing to monitor and troubleshoot network traffic. Unfortunately, when hackers use packet sniffing, they eavesdrop on network traffic. They listen in on the information you send through the public Wi-Fi connection and use it for their own interests.
It’s actually pretty easy for hackers to pull off these attacks. Here’s how you can protect yourself from hackers snooping on your sensitive information:
How to protect your data from hackers
Some public Wi-Fi connections (like Starbucks) force you to log in after you’ve connected. That means it’s safe, right?
Actually, these authentication screens have nothing to do with security. Rather, it’s about the provider trying to identify you (and potentially charge you in cases with paid Wi-Fi). Here are some tactics to defend yourself from hackers’ attacks.
Two-Factor Authentication for Passwords
TechRepublic suggests combining two-factor authentication and VPNs to keep sensitive business information secure. This layer of defense is also useful with your personal information. VPNs make it difficult for hackers to read your password.
Play it safe with another layer of defense. Turn on two-factor authentication for all your web services (e.g., email, social networks, etc.). This simply means that when you try to log in to a website, the website will text your phone a code that you’ll enter into the site in addition to your password.
Even if a hacker has your password, they won’t have your phone, which makes it much more difficult for them to log in to your account.
Constant Vigilance
It might seem obvious to some, but you have to err on the side of caution when browsing the internet. Never let your curiosity get the best of you. In your browser, block cookies and remove tracking. Avoid unsafe or untrusted software (especially if it’s free or sounds too good to be true), and avoid dodgy links in your inbox, or on your social media feeds.
Tether Your Internet Connection
If you have a generous data plan, you can tether off your mobile device or phone. Since this is a private connection, it’ll be much more difficult, and less rewarding, for a hacker to break into.
Of course, this can be a bit pricey depending on where you live. It might also tax your phone’s battery, so use it with your own power supply.
Encrypt Yourself
When you’re using public Wi-Fi, your computer or mobile phone sends data to the router as radio waves.
You can defend yourself by encrypting the data those radio waves carry. Encrypting your data makes it almost impossible for prying eyes to see your data.
Sites that use HTTPS technology encrypt your connection. Websites like Facebook, Paypal, and Google secure your connection with HTTPS (not HTTP). Man-in-the-middle attacks occur significantly less often on these sites. (Here’s an in-depth technical explanation on StackExchange.)
Many websites still use HTTP, which makes it likelier for a MITM attack to take place. Let’s say that, hypothetically, https://www.facebook.com doesn’t connect through HTTPS. A hacker might redirect a victim to the hacker’s page, disguised to look like Facebook. They’ll collect sensitive information in this MITM attack.
As an aside, I know that might sound like fear mongering, but someone duped the public and faked a Bloomberg report, and Twitter spiked share prices. If they’re capable of that, a hacker can definitely make a page that looks like Facebook.
Something similar to this actually happened with Facebook in 2010 (back when parts of the site still used HTTP). Developer Eric Butler discovered he could log in as other people who were sharing a Wi-Fi connection with him. He even created a Firefox extension called Firesheep to show people how they could do the same.
On a desktop or laptop computer, and in Chrome on Android and Safari for iOS devices, you can verify a site is HTTPS secured with the green badge next to the URL. It’s more difficult to tell which apps are also encrypted (there was a scare just two years ago), although Apple is pushing developers to use HTTPS by default.
Just last year, a paper to be published in Proceedings of the 23rd USENIX Security Symposium showed that the Gmail app could be hacked 92 percent of the time, a Chase app 83 percent of the time, and the Amazon app 48 percent of the time. (The study examined Android apps.)
Because this connection happens inside the app, it’s hard to tell whether it’s secure. Even if an app uses HTTPS, there’s no guarantee that it’s done properly. For example, apps could be set to accept any certificate, and thus be susceptible to MITM attacks.
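The “accept any certificate” setting described above, shown beside the strict default using Python’s standard ssl module, with a small audit function that reports which checks a client has switched off. This is an added example, not code from the study or from any of the apps named; the function names are hypothetical.

```python
import ssl


def accept_any_context():
    """Weak: the case the text describes, where any certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # no chain verification at all
    return ctx


def chain_only_context():
    """Still weak: the chain is verified, but a valid certificate issued
    for any other host name is accepted for this connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def strict_context():
    """Default client settings: chain and host name are both verified."""
    return ssl.create_default_context()


def audit_tls_context(ctx):
    """Return the validation steps this client context has disabled."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("no-chain-verification")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    return findings


if __name__ == "__main__":
    for make in (accept_any_context, chain_only_context, strict_context):
        print(make.__name__, audit_tls_context(make()) or "ok")
```

Both weak contexts still negotiate an encrypted connection, so the traffic looks like ordinary HTTPS; only inspecting the client’s settings shows that the certificate checks are missing.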
Unfortunately, many websites and services don’t use HTTPS technology yet. Here’s how you can encrypt your connection for all these other sites.