What eavesdroppers see when you use unsecured Wi-Fi hotspots
You've probably read at least one story with warnings about using unsecure public Wi-Fi hotspots, so you know that eavesdroppers can capture information traveling over those networks. But nothing gets the point across as effectively as seeing the snooping in action. So I parked myself at my local coffee shop the other day to soak up the airwaves and see what I could see.
My intent wasn't to hack anyone's computer or device--that's illegal--but just to listen. It's similar to listening in on someone's CB or walkie-talkie radio conversation. Like CBs and walkie-talkies, Wi-Fi networks operate on public airwaves that anyone nearby can tune into.
As you'll see, it's relatively easy to capture sensitive communication at the vast majority of public hotspots--locations like cafes, restaurants, airports, hotels, and other public places. You can snag emails, passwords, and unencrypted instant messages, and you can hijack unsecured logins to popular websites. Fortunately, ways exist to protect your online activity while you're out-and-about with your laptop, tablet, and other Wi-Fi gadgets. I'll touch on those, too.
You've probably read at least one story with warnings about using unsecure public Wi-Fi hotspots, so you know that eavesdroppers can capture information traveling over those networks. But nothing gets the point across as effectively as seeing the snooping in action. So I parked myself at my local coffee shop the other day to soak up the airwaves and see what I could see.
My intent wasn't to hack anyone's computer or device--that's illegal--but just to listen. It's similar to listening in on someone's CB or walkie-talkie radio conversation. Like CBs and walkie-talkies, Wi-Fi networks operate on public airwaves that anyone nearby can tune into.
As you'll see, it's relatively easy to capture sensitive communication at the vast majority of public hotspots--locations like cafes, restaurants, airports, hotels, and other public places. You can snag emails, passwords, and unencrypted instant messages, and you can hijack unsecured logins to popular websites. Fortunately, ways exist to protect your online activity while you're out-and-about with your laptop, tablet, and other Wi-Fi gadgets. I'll touch on those, too.
Capturing webpages
I opened my laptop at the coffee shop and began capturing Wi-Fi signals, technically called 802.11 packets, with the help of a free trial of a wireless network analyzer. The packets appeared on screen in real time as they were captured--much more quickly than I could read them--so I stopped capturing after a few minutes to analyze what I had vacuumed up. Note: You can click on any of these screenshots to view larger versions that are easier to read.
![]()
My own website, captured via the hotspot packets and reassembled for viewing.
Image credit: PC World
I first searched for packets containing HTML code, to see which websites other hotspot users were browsing. While I did see activity from other patrons, I didn't capture anything interesting, so I visited my own website--www.egeier.com--on my smartphone.
![]()
This is a copy of the email I sent (and subsequently received) using my smartphone connected to the hotspot.
Image credit: PC World
The raw packets with HTML code looked like gibberish, but as you can see above, the trial network analyzer I used reassembled the packets and displayed them as a regular webpage view. The formatting was slightly off and some of the images were missing, but plenty of information still came through.
I didn't find anyone else sending or receiving emails during my visit, but I did discover the test messages I sent and received via my smartphone while it was connected to the hotspot. Since I use an app to connect to my email service via POP3 without encryption, you could have seen my login credentials along with the message (I've blurred the username and password in the screenshot).
This is all the information someone would need to configure their email client to use my account and start receiving my emails. They might also be able to send emails from my account.
![]()
And these are the packets that went over the network when I sent an instant message using Yahoo Instant Messenger.
Image credit: PC World
I also used Yahoo Messenger to send a message while I was capturing Wi-Fi signals. Sure enough, the tool plucked that information out of the air, too. You should never use an unencrypted instant-messaging service with any expectation of privacy.
I opened my laptop at the coffee shop and began capturing Wi-Fi signals, technically called 802.11 packets, with the help of a free trial of a wireless network analyzer. The packets appeared on screen in real time as they were captured--much more quickly than I could read them--so I stopped capturing after a few minutes to analyze what I had vacuumed up. Note: You can click on any of these screenshots to view larger versions that are easier to read.
My own website, captured via the hotspot packets and reassembled for viewing.
Image credit: PC World
I first searched for packets containing HTML code, to see which websites other hotspot users were browsing. While I did see activity from other patrons, I didn't capture anything interesting, so I visited my own website--www.egeier.com--on my smartphone.
This is a copy of the email I sent (and subsequently received) using my smartphone connected to the hotspot.
Image credit: PC World
The raw packets with HTML code looked like gibberish, but as you can see above, the trial network analyzer I used reassembled the packets and displayed them as a regular webpage view. The formatting was slightly off and some of the images were missing, but plenty of information still came through.
I didn't find anyone else sending or receiving emails during my visit, but I did discover the test messages I sent and received via my smartphone while it was connected to the hotspot. Since I use an app to connect to my email service via POP3 without encryption, you could have seen my login credentials along with the message (I've blurred the username and password in the screenshot).
This is all the information someone would need to configure their email client to use my account and start receiving my emails. They might also be able to send emails from my account.
And these are the packets that went over the network when I sent an instant message using Yahoo Instant Messenger.
Image credit: PC World
I also used Yahoo Messenger to send a message while I was capturing Wi-Fi signals. Sure enough, the tool plucked that information out of the air, too. You should never use an unencrypted instant-messaging service with any expectation of privacy.
Capturing FTP login credentials
If you still use FTP (File Transfer Protocol) to download, upload, or share files, you should avoid connecting to them over unsecured hotspots. Most FTP servers use unencrypted connections, so both login credentials and content are sent in plain text, where any eavesdropper can easily capture them.
![]()
These captured packets reveal the username and password securing my FTP server (I've blurred them in this screenshot).
Image credit: PC World
While using my laptop to connect to my own Web server's FTP server, I was able to capture the packets containing my login ID and password--details that would have enabled any nearby eavesdropper to to gain unfettered access to my websites.
If you still use FTP (File Transfer Protocol) to download, upload, or share files, you should avoid connecting to them over unsecured hotspots. Most FTP servers use unencrypted connections, so both login credentials and content are sent in plain text, where any eavesdropper can easily capture them.
These captured packets reveal the username and password securing my FTP server (I've blurred them in this screenshot).
Image credit: PC World
While using my laptop to connect to my own Web server's FTP server, I was able to capture the packets containing my login ID and password--details that would have enabled any nearby eavesdropper to to gain unfettered access to my websites.
Hijacking accounts
Computers aren't the only devices susceptible to eavesdropping. I also ran an app called DroidSheep on my spare rooted Android smartphone. This app can be used to gain access to private accounts on popular Web services, such as Gmail, LinkedIn, Yahoo, and Facebook.
DroidSheep looks for and lists any unsecure logins to popular websites. While it doesn't capture the passwords to those sites, it can exploit a vulnerability that allows you to open the site using another person's current session, giving you full access to their account in the process.
As you can see from the screenshot below, DroidSheep detected Google, LinkedIn, and Yahoo logins from other people who were connected to the hotspot, as well as the Facebook login I made on my other smartphone.
![]()
DroidSheep detected other users' log-ins, which means those accounts were vulnerable to hijacking.
Image credit: PC World
DroidSheep detected other users' log-ins, which means those accounts were vulnerable to hijacking.
I couldn't legally access other people's logins, of course, but I did open my own Facebook login.
![]()
Using DroidSheep, I was able to access my own Facebook page without providing a user ID or password. I could have done the same with any other patron's accounts if they were logged in.
Image credit: PC World
Once I'd done that, I could magically access my Facebook account on that rooted Android phone (see the screen at lower right) without ever providing my username or password from that device.
Computers aren't the only devices susceptible to eavesdropping. I also ran an app called DroidSheep on my spare rooted Android smartphone. This app can be used to gain access to private accounts on popular Web services, such as Gmail, LinkedIn, Yahoo, and Facebook.
DroidSheep looks for and lists any unsecure logins to popular websites. While it doesn't capture the passwords to those sites, it can exploit a vulnerability that allows you to open the site using another person's current session, giving you full access to their account in the process.
As you can see from the screenshot below, DroidSheep detected Google, LinkedIn, and Yahoo logins from other people who were connected to the hotspot, as well as the Facebook login I made on my other smartphone.
DroidSheep detected other users' log-ins, which means those accounts were vulnerable to hijacking.
Image credit: PC World
DroidSheep detected other users' log-ins, which means those accounts were vulnerable to hijacking.
I couldn't legally access other people's logins, of course, but I did open my own Facebook login.
Using DroidSheep, I was able to access my own Facebook page without providing a user ID or password. I could have done the same with any other patron's accounts if they were logged in.
Image credit: PC World
Once I'd done that, I could magically access my Facebook account on that rooted Android phone (see the screen at lower right) without ever providing my username or password from that device.
No comments:
Post a Comment