Europol: Everything you do on a public Wi-Fi hotspot 'puts you at risk'

Summary: From the "we've been over this before" department, Europol wants users to avoid using public Wi-Fi hotspots to conduct personal transactions and sensitive data transfers.


"Everything that you send through the Wi-Fi is potentially at risk."

That's the message from Europol's cybercrime chief Troels Oerting, talking to BBC News over the weekend about public Internet hotspot security, and how a little common sense can go a long, long way.

Insecure and free public Wi-Fi hotspots are increasingly being used by hackers to steal data, according to Oerting, at a time when the European police force continues its work with a number of member states amid a growing number of attacks.

He told BBC's Click show that there has been an increase in the "misuse" of public Wi-Fi in order to steal information, identities, and passwords — and ultimately money — from unsuspecting users logging into their bank from their local Starbucks.

A sprinkling of common sense should be applied when dealing with the most sensitive of data, such as online bank and email accounts.

Most wireless routers provided to home users and business customers are secured with WPA/WPA2 or enterprise-grade encryption, making it nigh on impossible to steal data. But everything that flows across unsecured wireless waves in your local coffee shop can be "sniffed" and collected by hackers, which can aid unauthorized access to your private life.

The better-known techniques include hackers setting up fake wireless hotspots and tricking customers into connecting, allowing the hacker to conduct man-in-the-middle (MITM) attacks between websites and the user.

This was one of the "attacks" conducted by one security researcher who breached the European Parliament's public wireless network late last year, which led to some staff mailboxes being compromised. 
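
A defender-side illustration of the fake-hotspot technique described above, added here and not part of the original article: a heuristic that checks a list of scanned access points for signs of an impostor before you join. The scan tuples, network names and the `audit_scan` function are constructed for this example.

```python
from collections import defaultdict

# Constructed scan results, not real networks: (SSID, BSSID, security mode).
SAMPLE_SCAN = [
    ("CoffeeShop_WiFi", "aa:bb:cc:00:00:01", "WPA2"),
    ("CoffeeShop_WiFi", "aa:bb:cc:00:00:02", "WPA2"),
    ("CoffeeShop_WiFi", "de:ad:be:00:00:09", "OPEN"),
    ("Library-Guest", "11:22:33:00:00:01", "OPEN"),
    ("HomeNet", "44:55:66:00:00:01", "WPA2"),
]


def audit_scan(scan):
    """Map each suspicious SSID to the reasons it deserves a second look."""
    by_ssid = defaultdict(list)
    for ssid, bssid, security in scan:
        by_ssid[ssid].append((bssid.lower(), security.upper()))

    findings = {}
    for ssid, aps in by_ssid.items():
        modes = sorted({sec for _, sec in aps})
        prefixes = sorted({bssid[:8] for bssid, _ in aps})  # vendor (OUI) part
        reasons = []
        if "OPEN" in modes:
            reasons.append("open network: no encryption at the radio layer")
        if len(modes) > 1:
            reasons.append("mixed security modes for one SSID: " + ", ".join(modes))
        if len(prefixes) > 1:
            reasons.append("multiple vendor prefixes for one SSID: " + ", ".join(prefixes))
        if reasons:
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    for ssid, reasons in audit_scan(SAMPLE_SCAN).items():
        for reason in reasons:
            print(f"{ssid}: {reason}")
```

These are heuristics: a large venue can legitimately mix access-point vendors, and an impostor can copy a BSSID, so a clean result does not make a network trustworthy.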


Talkback

8 comments
  • My experience...

    Wi-Fi (Wireless Fidelity) is a very patchy system. At home, I have my own micro-network which is part of a bigger network, by connecting an RJ45 wire coming from the router into my laptop, which is then served as a Wi-Fi hotspot in Linux using the fantastic "ap-hotspot" terminal applet. I then connected all my devices up to extend internet across more devices such as my tablet, desktop, phone and iPod.

    Hacking Wi-Fi isn't particularly difficult - given the correct tools. Even WPA/WPA2 can be cracked using the right tools. By connecting your device up to the network, you are putting yourself at a severe risk of data theft or potential PC damage. Hackers sniff networks (scan the traffic using the bandwidth) to discover systems that are vulnerable. A hacker can easily discover a system's OS and then decide what exploit to use - often delivered from an exploit framework and executed via the terminal.

    My advice would be to understand the risks and protect yourself against the attacks. Like the article says - use common sense.

    DISCLAIMER: Hacking public Wi-Fi is illegal. I do not hack public Wi-Fi nor am I affiliated with Black hat hackers who exploit vulnerable end-users of said Wi-Fi hotspots.
    James Stevenson
    • Some attacks aren't very feasible.

      "Even WPA/WPA2 can be cracked using the right tools. "

      Theoretically, yes. However, with a properly set up router, and especially with open source firmware like DD-WRT, even the "right tools" are unlikely to crack it within your lifetime.
      CobraA1
      • True...

        ...but it is possible. In an article I read about "aircrack-ng", it explains that cracking a pre-shared WPA2 key can take multiple days depending on the speed of your CPU and the size of the dictionary.

        The other way, like the article suggests, is to set up a fake wireless hotspot and exploit through that. This can be done with tools like "ap-hotspot" (terminal applet) or Ubuntu's built-in hotspot tool (though I personally prefer using "ap-hotspot" just because it's easier to configure). By doing this, you can execute a number of exploits for the OS the end user may be running. Once you get the OS, you can pick an exploit and execute an attack.

        There are loads of tutorials all across the web for exploiting wireless hotspots but they all have disclaimers warning you that it is illegal to tap public communications for your own gain. However, it is perfectly legal to set up your own wireless network and exploit your own devices within it (*I think, but don't quote me on that one).

        DISCLAIMER: I do not condone unethical black hat hacking. Hacking public communication networks is done at your own risk. I do not nor have ever hacked a public Wi-Fi network. It is not in my interest to hack public communications for my own gain whether financial or otherwise.
        James Stevenson
        • what's up with all those disclaimers?

          you think it makes your posts look more sophisticated?
          vpupkin
        • Assuming the password isn't random . . .

          "depending on the speed of your CPU and the size of the dictionary."

          You're describing a dictionary attack, which is never a guaranteed crack: If the hotspot uses a random password rather than something in a dictionary, such a technique is useless.

          "By doing this, you can execute a number of exploits for the OS the end user may be running."

          Now you're describing something completely different: You're not hacking the protocols anymore, you're hacking the OS. Something to watch out for, yes, but not a description of any weakness in WPA/WPA2.
          CobraA1
  • Meh

    "Everything you do on a public Wi-Fi hotspot 'puts you at risk'"

    Meh, everything you do, period, when connected to the internet could be considered to "put you at risk." This is too vague a statement and doesn't take into account stuff like end-to-end encryption.

    "But everything that flows across unsecured wireless waves in your local coffee shop can be 'sniffed' and collected by hackers, which can aid the unauthorized access into your private lives."

    This particular attack is what encryption and VPNs are for.
    CobraA1
    • Balance

      I appreciate the balance you provide on this important subject in your above two Posts. Good on you.
      PreachJohn
  • Potential trouble

    Any transactions we do over the internet can be 'potentially' trouble. Ain't that true?
    VishNish