Hotspot paranoia: try to stay calm
No-one's actually interested in your data
Opinion OK, the fact that Professor Brian Collins is prepared to talk about public Wi-Fi hotspots with evil twins does mean it's worth taking seriously. I took it seriously enough to publish something about it myself - mainly, though, as a way of publicising the Science Museum's series of talks on crime. But out there, people are taking it VERY seriously.
A quick Google News search on "evil twin" produced 111 positive results - all mainly nonsense, written by people with little understanding of risk assessment.
As a result, everybody in the Wi-Fi access point business - and his uncle - has been on the phone all afternoon, offering to explain how they, with their software or systems management technology or location based services, can eliminate this hazard.
OK, confession time. I, too, have been hacked while connected to a Wi-Fi hotspot. The evil hacker was a colleague: Manek Dubash, much-respected editor of Network Weekly. The site: the excellent NetEvents seminar network, in Garmisch one winter, not long ago.
And the "exploit" was simple: I had file sharing turned on, and Dubash told me, in a clear voice that everybody could hear across the desk, what was on my hard disk. Nothing embarrassing, thank goodness! but a reminder of the fact that we weren't back at our Ziff-Davis offices any more (where we worked at the time on PC Mag UK).
Now, here's the important point: nothing.
Nobody did anything nasty to my disk, nobody installed a virus, or spyware, or changed my dialup connectoid to one which rings a premium number in Brazil, or stored twenty Gig of illegal images on my hard disk. Nobody was even interested.
Hacker exploits are, as Professor Collins rightly observes, possible. Yes, I could sit down at a public hotspot, give my PC the ability to act as a hotspot, and make its network ID code the same as the local hotspot's code. I could sit down at a hotspot called T-Mobile and give my PC the name T-Mobile. And I could use a simple Internet Connection Sharing link to mean that if you logged onto my PC, you'd get a share of my share of the T-Mobile internet connection.
Properly done (a little preparation for a skilled hacker) I could even make the logon screen look exactly like a Starbucks logon screen, which is where most T-Mobile hotspots are. And if you logged on with your credit card, I could get your details. And if you logged into your bank to do some financial work, I might get your password.
Now, why would I do all that?
"For the money, stupid!" is the obvious answer. Well, yeah, duh! and the question isn't answered. Because the question is not "why would I want your password?" - it's more profound. It is: "If I want your password, what's wrong with the internet?"
Internet-based exploits are safe, anonymous, quick, and harvest not just one or two card details, but thousands. Organised criminals sitting undetectably in unstable countries half way around the globe do this routinely, and nobody can find who they are, or where they are.
So, if this is possible, why would I pin-point myself for the network? The network will have my MAC address, and I'll have to make sure never to use the same one again. If I do, I can be easily found... I'll be really close - like, within 100 feet or so - to the hotspot I've logged on to. I'll be vulnerable - physically vulnerable, not just identifiable - to being seen, photographed, or even seized and attacked. And I'll get... a few credit card numbers. Maybe. Which I could perhaps use to get goods sent to the home address of the card-holder.
The risks are discouraging, the level of expertise needed is relatively high, and the rewards are not startling. Is this going to be a popular habit?
Well, no, it isn't, unless something changes radically. If you want credit card numbers, you need the PINs to go with them. An automatic teller machine with a "skin" that reads cash cards and stores the PIN is worth having, especially if you can duplicate the card. And you don't have to be there in person to operate it.
For the non-technical, the old methods are tried and trusted. "When he comes around the corner, hit his head with the rock." Take wallet, remove plastic and cash, and run.
So yes: there will be hackers setting up "evil twin" access points, but your chance of meeting one is pretty slim - they'll be students trying to prove they could do it. They'll have useful careers ahead of them, and middle-class aspirations, and after a couple of experiments, they'll either get caught, or get bored.
Everybody in the wireless LAN business knows this! They all talk a wonderful PowerPoint presentation on security, but if you say: "Look, this really isn't interesting - you know as well as I do that the actual risks are tiny" they say yes, of course they know that, but The Customers worry about it.
Anybody can make ignorant lay readers frightened. It's a normal trick of security consultants. And it's a good idea to know what the exploits can be - especially if you're a lawyer or a doctor and have seriously confidential information on your PC, which simply cannot be risked.
But in a world where most PC users still don't use spyware blockers and distributed denial-of-service attacks routinely use hundreds of thousands of compromised PCs to bring down major web servers, and where viruses and worms are distributed over ordinary dialup accounts, the risk of being hacked at a Wi-Fi hotspot is infinitesimal by comparison.
If you're going to get paranoid about hotspots, you're the sort of person who'd drive a $100,000 sports car into Times Square, and walk away leaving the windows and doors open, while fretting that perhaps someone may know the activation code for the radio.
- Turn off file sharing when in a public hotspot
- Password-protect your system
- Use secure connections before sending any financial information
- Turn on a software firewall
- Stop worrying! The information you're going to transmit at the hotspot is of no interest to anybody in the world except your Granny, to whom you're sending those photographs.
Sponsored: Network DDoS protection