Together with a hacker I studied the public wifi of a couple of coffee shops and with relative simplicity we were able to figure out messages, passwords, sex, sexual orientation, ethnicity, hobbies, shopping habits and even bank details of random people.
This is what you’re exposing when you log in to a public wifi network…
In the backpack of WS (who we shall call “Our Hacker”) is a small black device, slightly larger than a cigarette pack, with an antenna on it. I met him at a random coffee shop in the center of Amsterdam. It is sunny, almost all the tables are occupied. Some people talk, others work on their laptop or play with their smartphone.
Our Hacker takes his laptop out of his backpack, puts the black device on the table and hides it under a menu. We order coffee and ask the waitress for the wifi password. Meanwhile, Our Hacker switches on his laptop and the black device. He starts up some programs and his screen fills with green lines of text. Slowly it becomes clear that the small black device makes contact with the laptops, smartphones and tablets of the coffee shop customers.
On his laptop screen words start to appear such as “iPhone John” and “MacBook Martin.” The antenna of the device receives signals from the laptops, smartphones and tablets.
More text appears on the screen. Of all the devices that have made contact with the black device, we can see which wifi networks they have been connected to earlier. Sometimes the names are just strings of numbers and letters that cannot be traced to a place, but often they carry the wifi network name of the location where they belong.
We see that John has visited McDonald's, has probably been on holiday in Spain (many Spanish-language network names) and at some point he went go-karting (he has logged into a well-known go-kart track in the west of the country).
Another customer, Martin, has been connected to the network at Heathrow and the U.S. airline Southwest. In Amsterdam he is probably staying at the White Tulip Hostel. He also visited coffee shop The Bulldog.
Get everyone to log in to our fake network
The waitress brings our coffee and gives us the wifi password of the coffee shop. Once logged in, Our Hacker is able to supply all the coffee shop’s customers with an internet connection, and all their internet traffic streams through the tiny device.
Most smartphones, laptops and tablets automatically search for a wifi network. They prefer to find a wifi network to which they have been connected before. If you’ve ever logged in to a particular network, your device is constantly asking if there is a trusted network nearby.
The black device is able to register these network searches and pretends to be the trusted wifi network of the coffee shop customers.
For example, I see that suddenly the name of my home network appears in the list of available networks on my iPhone as well as that of my work and a whole range of public places that I have visited (cafés, hotel lobbies, trains). My phone automatically logs in to one of these networks, but in reality they all run through the black device.
Our Hacker can also give a fictitious name to a network, allowing users to think they are connected to the network of the coffee shop. For example, if a coffee shop has a wifi network with random letters and numbers (Fritzbox xyz123) then he can override this with a network name of his choice, e.g. Starbucks. People are much more likely to log in to that, he says.
We see that more and more customers are starting to log in to our network. The siren song of the little black device is irresistible. Twenty smartphones and laptops are ours.
If he wants, Our Hacker can now ruin everyone who is connected to our network. He can retrieve their passwords. Steal their identity. Plunder their bank account. Later today he will show how he would handle that: I give him permission to hack me and to demonstrate what he can do.
But he could do it to anyone with a smartphone that searches for a network, or a laptop that logs in to the wifi network. Even, in almost all cases, if these networks are secure. It takes just a little longer.
Everything can be hacked
The fact that public wifi networks are insecure is nothing new. But it is a fact that should be repeated often. Some wifi networks are more secure than others. Some mail or social media services use more secure encryption technologies than their competitors. However, spend a day with Our Hacker and you find out that just about everything and everyone can be hacked through a wifi network.
Report after report shows that digital identity fraud is an increasingly common problem. Hackers and cyber-criminals have many different tricks at their disposal. But public wifi networks make it very, very easy for them.
I asked Our Hacker to demonstrate this today. He is an “ethical hacker,” a good guy, a techie who wants to show the dangers of the Internet and technology. He advises individuals and companies on how they can better protect themselves. He does this mostly through simply showing you how simple it is to inflict damage.
Because it is child’s play. The device is cheap, the software needed to read the traffic is very simple and can be downloaded freely. “All you need is 70 euros, an average IQ and a little patience,” he says. For the sake of non-disclosure, I won’t get into the technical aspects, such as equipment needed or software and apps to download.
Scanning name, password, and sexual preference
Armed with Our Hacker’s backpack we move on foot to a coffee shop that is not only known for the beautiful flowers gracing its cappuccinos, but also for the many freelancers who are out there during the day working on their laptops. This place is currently packed with people totally focused on their screens.
Our Hacker starts up his equipment. What happens next is exactly the same as before: within a few minutes, there are twenty or so devices connected to our device. We see the MAC addresses and their login history and some names of devices.
At my request, we go one step further. Our Hacker opens another program (also readily available to download) and is now able to find out much more information on the existing smartphones and laptops. Thus, we see the specifications of the phone types (e.g. Samsung Galaxy S4), the language settings for different devices or the version of the operating system (for example, iOS 7.0.5).
This would be tremendously valuable information for a malicious hacker: If a device has an outdated operating system, there are always ‘bugs’ or holes in the security system to be hacked. If you have that information, then you know how to access the operating system and take over the device.
A sample of the coffee shop reveals that none of the existing devices have downloaded the latest operating system and that for all of these outdated systems we can find bugs online.
We can now see more of the actual Internet traffic of the customers. We see that someone with a MacBook is on facebook.com. On Our Hacker’s screen we can see device names of people who are sending documents via WeTransfer or who are connected to Dropbox or active on Tumblr. We see that someone has just logged in on Foursquare. The person’s name also appears. We google him and see that he is only a few meters away from us.
Even those who are not working or surfing the net are transmitting information to us. Many mail programs and apps are in constant contact with their servers. This is necessary, for example, to retrieve new email. For some devices and apps we can see what information is sent to which server.
And now it’s really intimate. We see that one of the people present has the gay dating app “Grindr” on his smartphone. We see the name of his smartphone and the type (i.e. iPhone 5s).
We don’t actually do it, but on the basis of this and some other information issued by his smartphone, it would be a breeze to find out which customer in the coffee shop this is. At about the same time we see that someone’s phone tries to make contact with a Russian mail server and sends the password. We can see the password on our screen.
Study, hobbies and relationship problems
Many apps, programs, sites and software make use of encryption technologies that are meant to ensure that information which is sent and received is not available for unauthorized reading. But once a customer logs in to “our” wifi network, that security can often be circumvented relatively simply using decryption software.
To the surprise of us both, we see information sent by an app about a coffee shop customer to a company that sells online ads. We see among other things: the location data, phone type and wifi network specifications.
We also see the name (first and last) of a woman who uses the social bookmarking site Delicious, a social network where users share interesting sites (bookmarks) with each other. In general, the pages of Delicious users are available in the public domain. Yet we feel like voyeurs when we see how much we can find out about this woman using this information.
First we google her name, so we can determine who she is and where she sits in the coffee shop. Directly based on her photo we find out that she comes from a different European country and has only recently been living in the Netherlands.
Through Delicious we discover that she has bookmarked the site of a Dutch language course a few months ago and also a site with information about the Dutch integration course.
We are less than twenty minutes in and we already know the woman’s name, that she sits four feet away from us, where she is from, where she studied, that she is interested in yoga, has recently bookmarked an offer for an anti-snoring mattress, has recently been in Thailand and Laos and has been showing remarkable interest in sites that give tips on how to save a relationship.
Our Hacker is showing me some more hacker’s tricks. He can instruct an app on his phone to replace a particular word on any site viewed by anyone connected. For instance, replace “Hillary Clinton” with “Ellen DeGeneres”. We tested it and it works. Or anyone who loads an image on any site will get to see an image chosen by Our Hacker. Funny when it’s just mischief, but this app would also enable him to load images of child pornography to someone’s smartphone, possession of which is punishable by law.
Password intercept
My last request to Our Hacker is to demonstrate what he would do if he wants to create real damage. He asks me to go to Live.com (Microsoft mail program) and to type in a random username and password.
A few seconds afterwards that information appears on his screen. “Now I have the login details of your email. The first thing I’d do is change the password of your email. Then I would indicate that I ‘forgot the password’ at any other services that you might use. Most people use the same email account for all services. And those new passwords are sent to your mailbox, which I now have at my disposal.”
We do the same with Facebook: Our Hacker is able to quite easily intercept my login and password information.
Another trick is internet traffic forwarding. He instructs his program to forward me to one of his sites instead when I visit some of my regular sites. It’s a cloned site: to the visitor it looks identical to the trusted site, except that it is fully under Our Hacker’s control. This is called “DNS spoofing”. The information that I leave on the site is stored on Our Hacker’s server. In twenty minutes, he manages to get my login details and passwords from Live.com, SNS Bank, Facebook and DigiD.
I think I well and truly get the message: I will NEVER connect – unprotected – to another public wifi network.
All names in this document are fictitious. We have treated the intercepted data with the utmost care and immediately erased it afterwards.
Translated and adapted from Dutch for The Silver Life.
Original source: De Correspondent: “Dit geef je allemaal prijs als je inlogt op een openbaar wifi netwerk” by Maurits Martijn.