Log In

Reset Password
BERMUDA | RSS PODCAST

Laptop users beware of Wi-Fi hot spot hackers at large

Next time you are sitting in a hotel lobby checking email on your laptop, be careful: The "businessman" in the next lounge chair may be tracking your every move.

Many Wi-Fi users do not know that hackers posted at hot spots can steal personal information out of the air relatively easily. And savvy criminal hackers are not settling for just access to credit cards, bank accounts and other personal financial information; they love to sneak into your company's network, too.

Whether you're using a Wi-Fi hot spot at a hotel, airport or cafe, "you've got to assume that anything you are doing is being monitored," says Shawn Henry, deputy assistant director of the Federal Bureau of Investigation's cybercrimes division.

Home Wi-Fi networks are vulnerable, too, but it is far more fruitful for a hacker to pitch his tent in a busy hotel lobby or convention-center lounge where he can collect data from dozens of users. And Wi-Fi hot spots have proliferated, multiplying the potential targets for hackers. There were 66,921 hot spots in the US last year, up 56 percent from 2006, according to advertising firm JiWire Inc. T-Mobile USA Inc. has 8,700 hot spots across the nations in such places as Starbucks and Borders Books & Music. AT&T Inc. has 10,000 hot spots in places like McDonald's, Barnes & Noble and Coffee Bean & Tea Leaf.

Mr. Henry says businesses that offer Wi-Fi, like hotels, often do not know that their networks have been breached and many times do not report incidents they know about for fear of bad publicity. Users are frequently unaware they have been hacked. As a result, there are not solid figures on the number of wireless-hacking incidents. But the FBI for several years has received reports from educational institutions, private security companies and other federal and local law-enforcement agencies about such attacks.

While the chances any one person will be hacked aren't high, the pay-off for criminals can be great, says Tom Brennan, a manager for AccessIT Group, which assesses companies' security vulnerabilities.

In early 2006, when he was working for a different firm, Mr. Brennan helped a financial institution determine how its data network had been breached. An employee working on a laptop in Midtown Manhattan's Bryant Park used what he thought was a publicly available Wi-Fi signal to get Internet access. In fact, the signal he used had been set up by a hacker. When the employee reached his company's network, the hacker nabbed the employee's corporate user name and password.

Prosecutions involving wireless hacking have been few, though there have been some high-profile cases. In September, Max Butler, known on the Internet as "Iceman," was indicted on charges of wire fraud and identity theft. Mr. Butler allegedly went "war driving" - searching for unprotected Wi-Fi networks - and stole user names and passwords that gave him access to several banks' networks, according to the US Department of Justice. Mr. Butler has not entered a plea yet, and his lawyer declined to comment.

Hackers have an assortment of tools in their bags to filch your personal information.

Two popular methods are the "evil twin" and "man in the middle." Using either one, the hacker can monitor and record everything you do on the Web, including the input of credit-card numbers, user names and passwords. The hackers often sit or leave their equipment near other users but also can set up shop, say, out at the curb in a van.

A hacker might be able to completely take over the laptop, says Rick Farina, an engineer with AirTight Networks Inc., a wireless-security firm. The hacker can mine for vulnerabilities on your machine and search for user names and passwords. With access to your corporate user name and password, the hacker might be able to access your company's network to steal sensitive data.

The Bryant Park incident was an evil-twin attack; the hacker offered a wireless network posing as a legitimate signal. Once you are connected to the bogus network, everything you do on the Internet can be tracked.

In an evil-twin attack, the hacker might also direct users to a sham website, for example, one made to look like T-Mobile's. At that point, you're told to input credit-card information to purchase Wi-Fi access.

A man-in-the-middle attack is similar in that the hacker sets up a deceptive Wi-Fi signal. But once you connect to that, the hacker funnels you to the legitimate wireless network.

All of this happens behind the scenes undetected by the user. As a hacker, "the fact that you have come to me is 'Game over,' in most cases," says Amit Sinha, chief technology officer at AirDefense Inc, a Wi-Fi-security firm.

Some of the big Wi-Fi providers offer software that users can employ to protect themselves. T-Mobile offers a free download called hotspot connection manager, which confirms that the user has connected to a genuine T-Mobile hot spot and not an evil twin. This extra layer of protection is not mandatory to use T-Mobile's networks, and the company does not offer the software for Macs. Even with the added security, the company warns on its Web site, hot spots "may be subject to unauthorised interception and are not inherently secure."

AT&T also offers a free download, called Connection Software, which offers authentication and encryption. It also has a feature that will automatically launch a virtual private network, or VPN, which is an encrypted means of sending data over the Internet that protects the data from interception. Many companies require use of a VPN for connection to the company network from a laptop. AT&T does not offer Connection Software for Macs.

Even with additional security, users shouldn't pass sensitive information over the web at public hot spots. "It the same thing as talking on a phone on a crowded bus, you probably don't want to give out your Social Security number," says Dennis Whiteside, vice president for broadband consumer marketing at AT&T.

Protecting Yourself

- Stay current. Make sure your laptop is up to date. Do not use old versions of your operating system and Web browsers, says Mr. Sinha, of AirDefense. Keep your firewall, antivirus and antispyware software current, too.

- Use a VPN. Virtual private networks can be set up for personal, as well as corporate, use. Do a web search for "personal VPN" or try a software retailer. Karen Hanley, senior director of the Wi-Fi Alliance, a nonprofit industry trade group, says the chances of getting hacked using a wireless hot spot are slim. But "we need to remind people to practice safe computing."

- Bank at home. Avoid conducting financial transactions at a hot spot. "Don't go sell your stocks or do any online banking," says David King, chief executive of AirTight Networks. Do all of your financial transactions at home, he says.

- Name your home network. For your home network, do not use the generic name, called the SSID, that came with the wireless router, says Robert Richardson, director of the Computer Security Institute, an association of computer-security professionals. Hackers will often create Wi-Fi networks with names like "default" or "linksys" (named after a router manufacturer) because most laptops are configured to automatically connect to networks that they've used in the past.

- Give Wi-Fi a rest. Turn off your laptop's Wi-Fi capabilities when you don't need to connect to the Internet. Most laptops search for Wi-Fi signals automatically and the connection stays open even if you do not boot up your Web or email application. If your laptop automatically connects to a Wi-Fi network run by a hacker, she might be able to search your computer for sensitive data, even information that would allow access to your company's network.

- Wire up. John King, a 46-year-old engineer from Livermore, California, works for a company that mines computers for evidence in legal cases. He travels a lot for business and avoids Wi-Fi at hotels in favor of high-speed connections that plug into his laptop. He says he uses Wi-Fi to check email and stock listings if that is the only means available, but only if he is sure of the signal.

"I won't go on a wireless access point that I'm not confident in," he says.