Shaun Murphy was at 35,000 feet when he realized his online activity was being monitored.
An in-flight Wi-Fi service was collecting and decrypting his information as he browsed, compromising passwords and other private information on his computer.
“I had no idea that was going to happen when I logged in,” said Murphy, chief executive of Private Giant, an online security and research start-up. “I basically just resolved never to use in-flight Wi-Fi again.”
None of Murphy’s information was stolen, but he had only recognized the vulnerability because of his security background. He quickly changed his passwords after he landed.
Countless other passengers have not been so lucky. Wi-Fi security breaches and malicious attacks by hackers have emerged as potent threats facing travelers who log in to unsecured networks to check e-mail and other personal accounts while in transit.
A five-minute session on the the wrong network can compromise e-mail credentials, bank accounts, credit card information, and other private accounts.
Attacks using a laptop and easily accessible software can occur inside airport terminals, at cafes, on a plane, and even in your hotel room.
One of the most common attacks is for a hacker to set up a Wi-Fi network named after an airport restaurant or other business, then steal a traveler’s information when they log in and start browsing. +
“When you’re on an open network, you don’t know when someone else is watching and picking up your keystrokes,” said Michael Kaiser, executive director of the National Cyber Security Alliance, a nonprofit that educates consumers about online protections. “You might find a connection labeled ‘Welcome to the Airport,’ but how do you know that’s not being spoofed?”
Kaiser said he advises people to avoid open networks as much as possible. Safer options are to set up a VPN connection or a personal Wi-Fi hotspot, or use data provided by your cellular carrier.
“People always want to save on their data plans, but you have to consider the costs and benefits” Kaiser said. “It’s probably worth it just to have the peace of mind.”
There is little reliable data on the number of Wi-Fi-related thefts each year, in part because they are seldom discovered right away or reported publicly. But the threat is gaining increasing attention, as federal officials continually issue warnings to businesses and consumers about the dangers.
In addition to property theft, the General Accountabilty Office issued a report in April finding that hackers could use passenger Wi-Fi to access on-board computers of commercial airliners. If the Wi-Fi shares the same router as the navigation system, someone in the cabin or on the ground could gain access to an airplane’s controls.
The FBI and Transportation Security Administration followed up with a joint alert advising airlines to watch out for data intrusions or tampering with network ports under passenger seats.
The alert noted that the agencies have no information to support claims that a hacker could use Wi-Fi to commandeer a plane midflight. But it underscored the extent of the vulnerabilities posed by unsecured networks that can provide access to everything from retail databases to critical transportation infrastructure.
“It’s one thing if my computer gets hacked,” said Kaiser. “It’s another thing if someone can change all the street lights in Boston from green to red.”
The good news is that an increasing array of online security companies are making it their business to discover and publicly report vulnerabilities in Wi-Fi services before they are exploited by hackers.
The antivirus firm Cylance Inc. recently uncovered a major weakness in Wi-Fi security at hotels. Researchers at the Irvine, Calif.-based company found that a Wi-Fi router used by 277 hotels across the world, including more than 100 in the United States, was leaving hotel guests vulnerable to hackers.
The router, manufactured by the Singapore firm ANTlabs, allowed direct access to the entire file system kept on the devices, meaning a hacker could distribute malware to hotel guests or monitor and record data sent over the network.
In some instances, it also found that the devices were linked to hotel property management systems that typically contain guests’ check in dates, e-mail addresses, and financial information.
“The bottom line is an attacker could do anything they want with this device,” said Justin Clarke, a senior researcher at Cylance. “They can read any data they want or they could modify it in real time to cause a person’s browser to download malware.”
Clarke said travelers don’t need to avoid using hotel Wi-Fi altogether. But he advises them to keep antivirus software on their computers and avoid financial transactions as much as possible.
“You have to remain aware and vigilant about what you’re doing,” he said. “You can always browse the news, but do you really need to check your brokerage account? Don’t do it if you don’t need to.”
Source – http://www.bostonglobe.com/lifestyle/travel/2015/05/16/travelers-wary-all-that-free/uPt2viRE3PhQTykpaDOJvL/story.html