Why Using Free Open WiFi is SO Dangerous

Attackers Love When You Use Open WiFi

- The #1 Rule for Accessing Open WiFi

I see it time and time again. People logging into their admin panel on their websites, social media and just about anything else with complete abandon on public, open WiFi in coffee shops, airports, hotel lobbies, and just about anywhere else. I attend between 5-10 web design conferences per year and EVEN with all those tech savvy people, they will still gladly hook into the free wi-fi at the conference and login.
I’ve performed security audits on countless small businesses that were previously hacked. Most of the time it’s weak passwords, but the #2 culprit is, “Oh, yeah - I did login to {that site} from a Starbucks just before the hack.”

Attackers Love When You Use Open WiFi

Hackers like to use sniffers to lift your data and credentials when you log in through open WiFi connections. A sniffer looks just like a router, and what it can do is not only act as a rogue wireless access point, but it can also spoof real, existing access points. Small sniffers can easily fit within somebody’s pants pocket, maybe even a shirt breast pocket.

Router

Let’s see what the bad guy sees when he logs into one of these guys. When the attacker logs in, he gets a dashboard letting him know how many clients have connected. It also shows the spoofed wireless access point.

Attackers Log

The attacker has the ability to name that wireless access point anything that he or she pleases. Obviously they’re going to use something that’s going to try to be as intriguing or as enticing as possible to get you to click on it. And of course it’s going to be an open SSID -- a Service Set Identifier. The SSID is the name given to a WiFi network.
After connecting to the attacker’s SSID, I can surf the internet however I see fit. The attacker could be anywhere within the building or outside in the parking lot and see pretty much exactly what you’re browsing. It goes way beyond that, though. It also records the cookies, which could be used to hijack sessions later on, long after the person is gone.
It’s not just people be able to see what you’re doing. It’s what you leave behind that’s important.

Attacker Access Point

It works just as easily on a phone or mobile device as it does on a laptop.

The #1 for Accessing Open WiFi

If you find yourself in a situation where you absolutely, positively have to use an open, public WiFi and you have to login to something, make sure that you’ve got the green lock in the address bar, and that it’s an HTTPS website.

Accessing Open Wifi

Be conscientious of the lock, it is very important. But the bad guys are gonna continue to try to push the envelope. There is a thing called SSL split, which is a way of stripping out the “S” in the HTTP.
Some of the world’s biggest websites, like Twitter, won’t have anything to do with it. It basically isn’t even fazed by it.
Other websites might be aware of the fact that something weird is going on and is going to give you a warning.

SSL

This example is a little bit different, but if you click on there you can see that the connection is not secure.

Connection Unsecure

The tools that the bad guys use get more and more sophisticated. You need to be more and more sophisticated in defending yourself. 50% of all websites will NOT give you a clear warning at all, so you still need to be very aware, even if you THINK you are visiting an HTTPS website.
After a scrubber sits for a couple minutes, this thing will actually start to replicate the other wireless access points in the area. What that means is that it will send out a beacon as if it were the wireless access point. If somebody accidentally attaches to one of these spoofed access points, everything from above still applies.

You could use a VPN, which is a virtual private network. There are some free ones out there but the better ones you pay for. Essentially what this does is it allows you to change your IP address to pretty much anywhere in the world. All the information that was pouring out earlier, the scrubber isn’t getting.
The other thing about using a VPN, it gives you a certain amount of anonymity on the internet.
That about wraps it up. Just remember if you’re on an open WiFi in a coffee shop or anywhere else like an airport or hotel -- you are a target. It is very, very, very easy to sniff out and steal credentials. If they can get credentials to one of your logins, there’s a very high likelihood that they’ll be able to run those credentials through a database and try to login to every bank and financial institution in the world and do more damage that way. This is essentially what a lot of them do.
So be smart, stay safe, check that lock for SSL and use a VPN if you can when accessing open WiFi.