The US National Security Agency and the UK’s Government Communications Headquarters have been spying on people via popular smartphone apps like Angry Birds, as well as using mobile base stations to gather data from phones on users’ ages, location, financial status and even sexual orientation, recent revelations from former CIA contractor Edward Snowden claim.
This secret infiltration shows a commonality with a more insidious threat that lurks on the high streets: opportunist drive-by hackers who leverage public hotspots to get their hands on other pieces of information, such as users’ bank log-in details.
Drive-by hacking, or war driving, as it was originally known, is nothing new and most home broadband routers come with WPA keys (passwords) aimed at keeping users’ data private.
Before Christmas, Cork IT security company Smarttech.ie highlighted a security flaw in guest Wi-Fi services in 10 randomly selected hotels in Dublin.
The company claimed even a novice internet hacker would be able to tap into these networks while guests are logging into the internet, potentially collecting everything from email logins, credit-card details, Facebook passwords, and PayPal account details.
Using a tool from the internet known as a network sniffer, hackers could – without even entering the premises, just by sitting outside in a car or on a bench – access smartphones and laptops within seconds by fooling the wireless routers.
This form of attack is technically known as ARP poisoning, or more commonly, the Man in the Middle (MITM) attack.
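From the defender's side, ARP poisoning leaves a visible trace in a device's own ARP table: the gateway's IP address suddenly maps to a different hardware address, often one that also answers for another client. The sketch below is an added example, not part of the original article; it compares two snapshots in Linux `/proc/net/arp` format, and the addresses, snapshot contents and function names are constructed for illustration.

```python
# Added example: compare two Linux /proc/net/arp snapshots for poisoning symptoms.
# All addresses are constructed (documentation IP and MAC ranges).
SNAPSHOT_BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:00:5e:00:53:01     *        wlan0
192.0.2.23       0x1         0x2         00:00:5e:00:53:17     *        wlan0
192.0.2.40       0x1         0x0         00:00:00:00:00:00     *        wlan0
"""
SNAPSHOT_AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:00:5e:00:53:17     *        wlan0
192.0.2.23       0x1         0x2         00:00:5e:00:53:17     *        wlan0
"""

def parse_arp_table(text):
    """Return {ip: mac} for resolved entries in /proc/net/arp-format text."""
    table = {}
    for line in text.strip().splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue                                 # malformed or truncated row
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        # Flag bit 0x2 marks a completed entry; unresolved rows carry a zero MAC.
        if int(flags, 16) & 0x2 and mac != "00:00:00:00:00:00":
            table[ip] = mac
    return table

def arp_alerts(before, after, gateway_ip):
    """List symptoms of ARP poisoning between two parsed snapshots."""
    alerts = []
    old_mac, new_mac = before.get(gateway_ip), after.get(gateway_ip)
    if old_mac and new_mac and old_mac != new_mac:
        alerts.append(f"gateway {gateway_ip} moved from {old_mac} to {new_mac}")
    # A MAC that answers for the gateway and for another host is a second symptom.
    by_mac = {}
    for ip, mac in after.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        others = sorted(ip for ip in ips if ip != gateway_ip)
        if gateway_ip in ips and others:
            alerts.append(f"{mac} answers for the gateway and {', '.join(others)}")
    return alerts

if __name__ == "__main__":
    for alert in arp_alerts(parse_arp_table(SNAPSHOT_BEFORE),
                            parse_arp_table(SNAPSHOT_AFTER), "192.0.2.1"):
        print("ALERT:", alert)
```

A changed gateway address is a prompt to investigate rather than proof of an attack, since roaming between access points or a router replacement can produce the same change.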
Ronan Murphy, managing director of Smarttech.ie, said this kind of security weakness could leave hotels in violation of the EU directive for Public Wi-Fi (2006/24/EC) passed in the wake of the 7 July 2005 bombings in London.
Paradise for hackers
More free public hotspot services are going live around Irish towns and cities – for example, social network Facebook has launched a new service that gives users free internet access when they ‘check in’ at one of two cafés in Dublin – and as a result, streets and hotels could become a hacker’s paradise.
“This isn’t a new threat and has been around for a long time,” Murphy said. “It is only becoming more of an issue as people become more mobile and access more sensitive data from a multitude of devices.”
There are two types of MITM attacks. The easiest form of attack is a basic hacking of a free wireless network by intercepting the traffic. This attack is generally the first phase of a more sinister form of hacking where the attacker acquires user names and passwords for social media or email, with a view to acquiring more target information that allows exploitation.
Dermot Williams, managing director at Dublin-based IT security firm Threatscape, said Smarttech.ie is correct about the vulnerabilities.
He said the internet is like a global game of pass the parcel, whereby packets of data travel from point A to point B via a long series of hops, where unencrypted data can be snooped on at any point along the internet journey.
Internet service providers, hosting companies and the like control and secure most of these points, Williams said.
Yet when a user is online at a wireless hotspot, particularly an unencrypted, public wireless hotspot, the first part of the journey their data must undertake is the least secure.
“Because of the nature of wireless communication, it’s not so much ‘pass the parcel’ as ‘shout the message’ – and an attacker need only be within range of the same wireless hotspot to have easy access to the endless stream of data packets generated by the user’s internet activities,” Williams said.
“Any of those data packets which are not encrypted are wide open to being captured – exposing any valuable data they contain, including session cookies.”
Williams said most public wireless networks transmit their wireless data without encrypting it, making it easy prey for hackers to ‘sniff’.
“This can include paid-for wireless networks which display a welcome page in your browser requesting a password or payment before providing you with internet access – that password is protecting their income, not your browsing.”
Hugh Callaghan, director at Ernst & Young’s Financial Services Advisory, said there are steps venues like hotels, coffee shops and conference centres can take to protect ordinary people using their internet services.
“Generally, people in public areas looking for an easy internet connection are typically interested in instant connectivity rather than the risks associated with wireless networks and how they work,” Callaghan said.
“So Man in the Middle is a realistic threat, particularly with the proliferation of Wi-Fi hotspots and the heavy use of consumer mobile devices.”
Venues can protect their Wi-Fi networks by using a security protocol known as WPA2, Callaghan said. Yet this is often cumbersome, as it means having to give each user the key before they can connect.
For this reason, some hotspots do not enforce WPA2 security and therefore allow network traffic to be easily monitored by any wireless device within range.
“It is easy to forget that by their very nature, wireless networks are a shared medium where the access point is trusted, so a good assumption is that anybody within the vicinity can view wireless network traffic.”
Callaghan said that even if the user’s network traffic is encrypted using secure socket layer (SSL) tools, an attacker can still perform a MITM attack by creating a rogue access point with the same name as a legitimate point.
“The user has no way of telling a valid access point from a malicious one,” said Callaghan. “If the attacker can ensure a stronger wireless signal, the user’s device will preferentially connect to the attacker’s Wi-Fi network. This means that all of the user’s internet traffic will be routed through the attacker.”
Furthermore, if the user ignores security warnings relating to digital certificates, this could allow an attacker to view and alter the user’s network traffic in real-time, Callaghan added.
Users should ensure their laptops are patched with the most up-to-date security software and configure online accounts to only permit access over SSL. For example, Gmail and Facebook have this option and other online services will likely follow suit, said Callaghan.
Brian Honan, one of Europe’s foremost experts on IT security who was recently appointed special adviser on internet security to Europol’s European Cybercrime Centre (EC3), agrees with Callaghan that secure versions of popular websites significantly reduce the likelihood of falling victim to a wireless hack.
“It should be noted that there are some additional attacks that can even undermine the security of these SSL connections, so people should pay constant attention to how they connect to the internet when using publicly available networks,” said Honan.
“Ideally, they should use a VPN (Virtual Private Network) to provide a secure connection to the internet. If a company has a number of workers that regularly work from public networks, then they should ensure those employees use a company VPN to do so.”
Cyber security on the job
Companies should make it their business to ensure employees are trained in how to securely connect to the internet using their laptops, phones or tablets, he said.
Honan added that criminals are more likely to target companies, from which they can obtain large quantities of data, rather than individuals.
“I am not aware of any high-profile Man in the Middle attacks which resulted in sensitive data, such as credit-card details, becoming exposed,” Honan said. “This is mainly due to the potential small number of victims such attacks would typically target and as a result would not make any major headlines. However, insecure wireless networks have resulted in a number of major security breaches, most notably the TJX hack from 2007 which exposed over 45m credit card details.”
This attack resulted from criminals gaining access to the TJX network from poorly secured wireless networks in two of their stores in Miami. In this case, TJX had been using the WEP protocol to secure those wireless networks. WEP has long been recognised, even before 2007, as not providing adequate security to wireless networks, Honan said.
The most recent high-profile MITM attack Murphy can recall is an attack on the public Wi-Fi at the European Parliament.
The Parliament was ordered to shut down after the French journal Mediapart reportedly hired a private consultant to hack into the personal and confidential emails of 14 randomly selected MEPs, parliamentary assistants and employees, he said.
“When people’s credit cards are compromised in MITM attacks it’s generally due to inputting the details into a http site or a https site without a valid security certificate,” Murphy said.
“It is difficult to trace back the hacking to that point in time because the user will only be aware their details were compromised when the card is used.”
A version of this article appeared in The Sunday Times on 2 February