Kevin MacArthur of Secure Networks came to scare the daylights out of us at the August First Friday – and he succeeded. With the help of a WiFi Pineapple, Kevin demonstrated the dangers of using public WiFi, showing us firsthand what can happen to our mobile devices, whether we connect knowingly or not.
Over the course of his talk, Kevin demonstrated how a hacker can capture traffic, steal usernames and passwords, and launch brute-force and denial-of-service attacks. To prove that we don’t always know what our devices are connecting to, he ran a demo that showed how many mobile devices in the room had signed onto his fake xfinitywifi network (11 devices).
There are several networks that our mobile devices connect to automatically – including hotel and courtesy networks. Once those devices connect, a hacker can monitor web traffic and look for tendencies. From there it’s easy to put up a false web page, capture credentials, and steal information. For instance, if you’re at Starbucks and a window pops up to log on for free Starbucks WiFi, are you sure you’re connected to Starbucks?
We watched as he put up a Starbucks portal with an “Internet access is on us today!” splash page. Without thinking, people enter a username and password to access WiFi. From there, Kevin (or a hacker) puts you on their own wireless network and redirects your traffic. Log in with your Gmail credentials, and he can do anything he wants.
“People don’t know what they don’t know,” Kevin says. “They don’t know if they’re getting hacked, or monitored. There’s a reason phishing works. There is not a bank on the planet that will send you an email telling you to change your password. Everyone who clicks on a bad link knows the second they click that they’ve done the wrong thing.”
So what happens if you get hacked? It’s not just the hacker who has your stolen information. Kevin says it goes on the dark web, along with millions of usernames and passwords. Asking for volunteers, Kevin did a live scan of company accounts with the device he brought, listing which email accounts had been compromised, and where those hacks had happened (LinkedIn and Dropbox, for example). Many people use the same usernames and passwords across the board (which we already knew not to do). Some of the passwords that were compromised were encrypted, which can be hacked but not as easily.
He showed us how easy it was to monitor someone’s traffic once they inadvertently signed on to his network by selecting one of the devices that had connected automatically (his own), and showing a projection of the live feed. We could see what he was looking at on his phone – which fortunately was only ESPN. It’s safe to say everyone in the room will now refrain from doing their banking on anything but a known, secure network.
He also scanned the area for access points. The device looks for open networks, secure networks, and people who are broadcasting. He can then send a request to an unsecured wireless access point and transfer the traffic to his own wireless network. He can also launch a kind of denial-of-service attack, broadcasting a flood of access points so no one can connect.
The product he brought was one of many available on the internet, described as “an advanced suite of wireless penetration testing tools for reconnaissance, man-in-the-middle, tracking, logging and reporting.” He says they are very easy to come by, and simple to set up. (He said he had a 1.8 GPA at Dennis-Yarmouth High School, and if he can do it, anyone can.) The devices are marketed for “ethical hacking,” used for education and demo purposes.
So how do you avoid being hacked?
- Don’t allow your WiFi to auto-connect to networks.
- Don’t log into any account that contains sensitive information via an app. Go to the website instead and verify it uses https before logging in.
- Don’t leave your WiFi or Bluetooth* on if you are not using them.
- Don’t access websites that hold your sensitive information.
- Don’t log onto a network that isn’t password protected.
- Do disable file sharing.
- Only visit sites using https (not http:)
- Log out of accounts when you’re done using them.
- Use a simple VPN, which encrypts your traffic.
- Use your phone as a hot spot, rather than connecting to public WiFi.
- If you look at the browser bar, you can often tell that you’re not where you think you are.
*Kevin said Bluetooth is not as easy to hack as others, but if you want to be really secure, there’s a potential security gap there.
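One way to check the first and fifth tips on a Linux laptop, as an added example that is not from Kevin’s talk: it flags saved WiFi profiles that are both passwordless and set to auto-connect, the combination that lets a device join a look-alike network unprompted. It assumes NetworkManager keyfile profiles; the sample profiles and function names are constructed for illustration.

```python
import configparser

# Constructed sample profiles (not from the talk), in NetworkManager keyfile
# format as stored under /etc/NetworkManager/system-connections/.
SAMPLE_PROFILES = {
    "xfinitywifi.nmconnection":
        "[connection]\nid=xfinitywifi\ntype=wifi\n\n[wifi]\nssid=xfinitywifi\n",
    "home.nmconnection":
        "[connection]\nid=HomeNet\ntype=wifi\n\n[wifi]\nssid=HomeNet\n\n"
        "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "hotel.nmconnection":
        "[connection]\nid=HotelGuest\ntype=wifi\nautoconnect=false\n\n"
        "[wifi]\nssid=HotelGuest\n",
}

# key-mgmt values that need no password: no [wifi-security] section at all,
# or OWE (encrypted, but anyone can stand up the same network name).
PASSWORDLESS = {"", "owe"}

def audit_profile(text):
    """Return a finding dict for a WiFi profile, or None for other types."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return None
    ssid = cp.get("wifi", "ssid", fallback="?")
    key_mgmt = cp.get("wifi-security", "key-mgmt", fallback="")
    # NetworkManager auto-connects unless the profile says otherwise.
    autoconnect = cp.getboolean("connection", "autoconnect", fallback=True)
    is_open = key_mgmt in PASSWORDLESS
    return {"ssid": ssid, "open": is_open, "autoconnect": autoconnect,
            "risky": is_open and autoconnect}

def risky_ssids(profiles):
    """SSIDs of saved profiles that are passwordless and auto-connect."""
    findings = [audit_profile(t) for t in profiles.values()]
    return sorted(f["ssid"] for f in findings if f and f["risky"])

if __name__ == "__main__":
    for ssid in risky_ssids(SAMPLE_PROFILES):
        print(f"{ssid}: open network with auto-connect enabled")
```

On a real machine, feed it the contents of each file in that directory (readable by root) instead of the samples, then forget or disable auto-connect on anything it lists.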
For corporate use, your firewall can provide a VPN. It’s reliant on the speed of your connection at home, so accessing large databases doesn’t work as well, but it’s a secure, encrypted tunnel. A personal VPN will double your data usage.
Kevin MacArthur is the Owner/President of Secure Networks, a Managed Service Provider on Cape Cod. He brings over 20 years of corporate level IT experience to small and medium-sized businesses. The Secure Networks’ business model is designed around partnering with clients to help them get the most out of their technology.