Use of public Wi-Fi is becoming a way of life for American business travelers and coffee-shop habitu´es. And new attacks emerge along with the growing popularity.
Wi-Fi hardware now comes standard on most laptops and 30 percent of adult Americans say they have connected to the Internet wirelessly when away from home and the office, according to a March report from the Pew Internet & American Life Project. Rick Farina, a “white hat” hacker for AirTight Networks, a Mountain View, Calif., company that helps corporate clients secure wireless networks, says a big jump in vulnerable Wi-Fi devices came with last year’s release of Apple’s iPhone. “You can see iPhones all over the place. Laptop users are only vulnerable when they turn them on. iPhone owners leave the Wi-Fi on all the time. It’s a bigger target,” he says.
A new vulnerability discovered by AirTight can crack older Wi-Fi security in as little as six minutes, the company says. And its airport study shows that unsecured computing is still common, along with the use of the older, ineffective Wired Equivalency Privacy technology. WEP is the original system to password protect Wi-Fi networks. An insecure iPhone or laptop makes it easier for a hacker to intercept information to and from the Web, including passwords and credit-card numbers. It is also vulnerable to infection with viruses and spyware, or to having its contents stolen or destroyed. A hacked laptop or iPhone can create a security risk for the user’s workplace if it contains a password to the corporate network, or if it is infected with spyware that captures information and then phones home to the hacker, Farina says. “The bad guys don’t have to sit outside your building anymore. They don’t even have to be in the same city,” he says.
Today, most Wi-Fi-capable laptops, PDAs and smart phones such as the iPhone include either a hardware switch or software to turn the Wi-Fi off. Turning it off when it isn’t being used stops the risk, but the basic security step is often overlooked. “People think ‘I’m not using the network, I’m not at risk,’ but you don’t need to log on to the public network to be vulnerable. If they leave their Wi-Fi card turned on, it sits there broadcasting your SSID, looking for all the networks it’s previously connected to,” Farina says. The SSID, or service set identifier, and other information broadcast by the computer’s Wi-Fi — whether or not the device is connected to the network — can be used by hackers to figure out the key that unscrambles the network password.
Attacks such as “man in the middle” can make it appear that a user has a secure “SSL” connection — the type of security known for adding a little padlock icon next to the name of the site address in the browser. SSL uses strong encryption to protect information. But in the man-in-the-middle attack, the hacker sets up one secure SSL connection with the Web surfer and a second secure connection with the bank or other destination site. Information looks encrypted at either end, but it is decoded and viewed by the hacker in the middle.
Steve Morley, who was a member of the task force that developed the standard for the next higher-speed version of the wireless technology, Wi-Fi N, says mobile Internet users should take precautions, but not be scared away from Wi-Fi. “Even WEP, with its known vulnerabilities, is not something the average hacker can crack,” says Morley, a former Qualcomm technology vice president. Given a known Wi-Fi provider and a VPN (virtual private network), he would have no concerns about logging in to any site, Morley says. “People are at greater risk of losing their laptop than of facing a brute-force attack that cracks their password,” he says.
Wireless security experts don’t agree on all points, but most say there are steps users should take to reduce the risk:
• Use a known service such as those provided by T-Mobile and AT&T instead of the alluring “Free Public Wi-Fi” or similar risky, unknown networks.
• Install the T-Mobile or AT&T network software on your computer to ensure it’s the known network, not an “evil twin” hacker site pretending to be the legitimate one.
• Pay attention to warnings that an “SSL certificate is not valid.” Never accept an invalid certificate on a public wireless network. It could be a sign of an “evil twin” or “man-in-the-middle” attack. Log off and look for a trustworthy network.
• Find out if your company offers a VPN (virtual private network) and learn how to use it. Encrypted VPN sessions offer the highest security for public wireless computing.
• Upgrade Wi-Fi cards. Older WEP security is easily hacked. New WPA and WPA2 — Wi-Fi Protected Access — are much more resistant to attack.
• Learn to connect securely. Even the vulnerable WEP offers more privacy and protection than an unsecured public connection.