Experiment Shows How Fast Hotspot Hackers Can Harvest Your Sensitive Information

Mar 24, 2014 6:30pm

Jan Legnitto 
 Private WiFi

By now, we hope you know that hackers can grab your sensitive information right out of thin air any time you use a public WiFi hotspot. But what you may not know is how fast they can do it.

That’s what WAFB 9 recently demonstrated in a hacking experiment conducted on a crowded university WiFi network in Baton Rouge, Louisiana. During the lunchtime rush, WAFB asked computer security expert Josh Henderson to find out how many IP addresses he could collect at the LSU Student Union. (An IP address is a unique digital identifier for every device connected to the Internet, and it allows the device to be pinpointed.)

WiFi Hotspot Hacking: It’s As Easy As 1-2-3

Using a program called Look@Lan, Henderson scanned the WiFi network and detected 134 IP addresses in about a minute. Not surprisingly, most of them belonged to phones, which make more connections to WiFi hotspots than any other device.

Next, Henderson used a program called Wireshark to capture information sent from devices so he could see what users might be doing online – activities like logging into email and bank accounts and checking Facebook.

Finally, Henderson used a tool for network administrators called Cain & Abel. Unfortunately, hackers also use Cain & Abel for ARP (Address Resolution Protocol) poisoning, which makes it possible to detect when your device is online and hijack it by tricking the device into thinking it’s on the Internet when it's actually connected to a hacker's computer. As a result, the intruder can capture people’s user names, passwords and other sensitive information without the device owner knowing it.
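ARP poisoning leaves a trace on the victim's own device: the router's IP address suddenly maps to a different hardware (MAC) address, usually one that already belongs to another machine on the network. The sketch below is an added example, not part of the original article or the WAFB experiment; it compares two constructed `arp -a` style snapshots, and the function names and all addresses are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample data in the style of `arp -a` output; addresses are made up.
BEFORE = """\
? (192.168.1.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.1.23) at a4:5e:60:aa:bb:01 on en0 ifscope [ethernet]
? (192.168.1.42) at 3c:22:fb:aa:bb:02 on en0 ifscope [ethernet]
? (192.168.1.77) at (incomplete) on en0 ifscope [ethernet]
"""
AFTER = """\
? (192.168.1.1) at 3c:22:fb:aa:bb:02 on en0 ifscope [ethernet]
? (192.168.1.23) at a4:5e:60:aa:bb:01 on en0 ifscope [ethernet]
? (192.168.1.42) at 3c:22:fb:aa:bb:02 on en0 ifscope [ethernet]
"""

# "(ip) at mac"; "(incomplete)" entries do not match and are skipped.
ENTRY = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-fA-F:]{11,17})")

def parse_arp(text):
    """Return {ip: mac} with MACs lower-cased and zero-padded per octet."""
    table = {}
    for ip, mac in ENTRY.findall(text):
        table[ip] = ":".join(octet.zfill(2) for octet in mac.lower().split(":"))
    return table

def find_anomalies(baseline, current, gateway):
    """Compare two ARP snapshots and return a list of findings (hypothetical helper)."""
    findings = []
    old, new = baseline.get(gateway), current.get(gateway)
    if old and new and old != new:
        findings.append(f"gateway {gateway} changed MAC {old} -> {new}")
    owners = defaultdict(list)  # mac -> every IP it currently answers for
    for ip, mac in current.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} answers for {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for line in find_anomalies(parse_arp(BEFORE), parse_arp(AFTER), "192.168.1.1"):
        print("ALERT:", line)
```

One MAC answering for several IPs can be legitimate (some routers do this), so the gateway change is the stronger signal of the two.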

While LSU’s wireless network is secure, there are other unsecured WiFi hotspots in the Student Union that were easy to exploit. Using the same hacking tools, Henderson found two people, both women, who were connected to one of them. He was able to figure out one woman’s name before she revealed it. The other woman admitted she connected to any available WiFi hotspot when she wasn’t on LSU’s secure network. That, said Henderson, is a hacker’s dream.

That kind of careless behavior on WiFi hotspots could quickly become anyone’s worst nightmare. According to Javelin Strategy & Research, smartphone and tablet users are far more likely to become victims of identity fraud than the general public. In 2013, one person became a victim of ID fraud every two seconds. Make sure this doesn’t happen to you.

Disconnect from Hotspot Hacking Risks

The Better Business Bureau offers this advice from STOP. THINK. CONNECT., the national cybersecurity education campaign, when you're connecting to public hotspots:

  • Get savvy about WiFi hotspots. If you’re online through an unsecured or unprotected network, be cautious about the sites you visit and the information you release.   
  • Disable auto-connect. Check your Wi-Fi and Bluetooth settings to be sure you connect manually to networks you trust. Automatically connecting to WiFi can leave you vulnerable to hackers and others. Also close your file-sharing capabilities before connecting to a hotspot.

For extra security, use a personal virtual private network (VPN) like PRIVATE WiFi to prevent hackers from intercepting your data at Wi-Fi hotspots.

A version of this blog first appeared on the Private Wifi Blog on March 21, 2014. View the original post at http://www.privatewifi.com/experiment-shows-how-fast-hotspot-hackers-can-harvest-your-sensitive-information.