Hacker demonstrates risks of using public Wi-Fi

ORLANDO, Fla. – Computer hacker Jonathan Singer wants to remind everyone that not all hackers are of the so-called "black hat" variety who have sinister intent.

"'White hat' is what I do in my industry and profession, to help secure networks and bring awareness to make it safer," said Singer.

The longtime computer enthusiast tells News 6 that one way "black hat" hackers can steal information from smart phones and other mobile devices is through free public Wi-Fi hotspots, like the kind found in coffee shops, gyms, and airports.

A skilled hacker with a laptop and some free software can intercept data being shared on a Wi-Fi network, similar to someone eavesdropping on conversations at a cocktail party.

"It's called 'sniffing,'" said Singer. "Your computer determines whether information (shared on a Wi-Fi network) is meant for you or is meant for somebody else. For the most part, your computer is going to say 'this isn't meant for me' and discard it. What we're saying is, 'everything is meant for me.'"

To demonstrate how a hacker can view data on a mobile device, realtor Charlene Larney accessed a free public Wi-Fi hotspot along the Sanford Riverwalk using her iPhone. It did not require her to enter a password.

Larney then navigated her phone's web browser to Realtor.com, a website she visits several times a day. She pulled up a map showing home listings in East Orange County. Within seconds, Singer was able to view that exact same map on his laptop, along with other data Larney's phone was sharing on the public Wi-Fi.

"We can basically reconstruct what her web page looks like," said Singer. "Anything that is appearing on her phone screen when she visits the website, I get a copy of that information, too."

Larney then navigated to another website with her iPhone, where she typed a secret message in a text box. Almost instantaneously, Singer's laptop displayed the phrase, "Hi, how are you?"

"I couldn't believe he could pull it up in just seconds and see everything I'm looking at," said Larney, who had never given much thought to security using public Wi-Fi. "They can see where you're going, where you're traveling to, where you live, your bank information."

To demonstrate how a hacker can create a phony Wi-Fi hotspot, Singer attached a small device with antennas, called a Wi-Fi Pineapple, to his laptop. With it, he is able to broadcast his own Wi-Fi signal. By naming it something enticing like "Free Wi-Fi," a mobile device user might be tricked into logging onto it.

"It's what we call 'man-in-the-middle'," said Singer. "You can provide that free internet service, but you're monitoring all of the traffic."

With the Wi-Fi Pineapple, Singer can also mimic a legitimate Wi-Fi hotspot and force the mobile device to log on without the user's knowledge.

After a mobile device accesses a Wi-Fi network, such as one at Orlando International Airport, it constantly sends out signals trying to automatically establish contact with that Wi-Fi network again. Using the Wi-Fi Pineapple, Singer is able to see all of the places a mobile device has accessed Wi-Fi previously. He can then create his own Wi-Fi signal using one of the legitimate Wi-Fi hotspot names, tricking the mobile device into logging on to his network.

"Because I'm in control of the wireless access point, and you're connected to my device, I rule that thing," said Singer.

Once a mobile device is connected to a hacker's Wi-Fi network, a phony software update can be sent to the phone, giving the hacker access to text messages, photos, and other private information, according to Singer.

So how can mobile device users protect their data?

“I don't want people feeling hopeless,” said Singer. “With a little bit of awareness they can surf safely online and they can transmit information they consider sensitive, as long as they know what to look for.”

He recommends avoiding free public Wi-Fi that does not require a password. By requiring a password to access the internet, the Wi-Fi provider has also likely enabled encryption on the network, making it more difficult for hackers to view the data being shared.

Big-name companies that provide free Wi-Fi without passwords, such as Starbucks and McDonald's, probably have additional security features in place to protect their customers, according to Singer.

“They're going to invest in the hardware to prevent these kinds of attacks,” he said.

When transmitting sensitive data on a mobile device, Singer makes sure the website uses encryption, usually noted by a padlock icon and green text in the address bar.

“Everybody in the social media game these days has enabled encryption,” said Singer, suggesting sites like Facebook and Instagram have additional security measures in place.

And Singer urges mobile device users to be selective about their online activity while connected to a public Wi-Fi network.

“If it's sensitive information, such as banking, personal notes, even medical information, that's generally something you don't want to share in public,” said Singer. “You wouldn't have that conversation in public, so you wouldn't transmit it in public either.”