Intro
Nowadays most of us use public Wi-Fi on a daily basis, whether at our local coffee shop, at school, or even at the airport.
Today people have become addicted to the internet, and it is not just the younger generations. Even my father, who five years ago didn't know what Facebook was, now wants to connect to Wi-Fi and check his Facebook account everywhere we go.
Certainly, the Internet has made our lives easier in many ways, allowing us to communicate easily, learn easily, make a living, and ... watch cat videos. But do we really need technology in everything? In my opinion, no, but either way that is not for me to discuss here. I am here to demonstrate the danger that technology brings with it and how we can protect ourselves.
I am not going to philosophize any more, as that's not why I wrote this article. Instead I am going to address the "elephant in the room": hackers, specifically the "black hat" ones.
Public Wi-Fi is one of the easiest places to attack someone. Most people are unaware of the danger of using public Wi-Fi and don't know how to protect themselves.
How do they steal your information?
“Wi-Fi is the name of a popular wireless networking technology that uses radio waves to provide wireless high-speed Internet and network connections” (webopedia)
Devices communicate with each other using the IEEE 802.11 family of standards, which transmit frames in several frequency bands (2.4, 5 and 60 GHz).
When you connect your laptop or phone to a coffee shop hotspot, your device becomes part of that WLAN (Wireless Local Area Network), and the other devices on that network can communicate with it. On an open hotspot every frame goes over the air unencrypted, so anyone in radio range can record it. On a password-protected hotspot the password is shared with every guest, so another guest who knows it can still decrypt your traffic after capturing your connection handshake, or can simply use ARP spoofing to route your packets through their own machine. Either way, an attacker who "happens" to be there can see your device's IP address and host name, single it out, and start capturing the packets going to and from it.
1. MITM ATTACK
One of the most common attacks is the Man-in-the-Middle attack (MITM), where the attacker secretly intercepts and relays messages between two parties, in this case you and the website you are visiting, who believe they are communicating directly with each other.
One of the techniques, which I recently used in a demo for ExpressVPN, is called SSLStrip.
In short, SSLStrip is a type of MITM attack which forces the victim's browser to communicate with a website in plain text over HTTP. If a website uses SSL/TLS (https://www.hotmail.com/), the "S" in https means the site is protecting your data by encrypting it between your device and the web server. The attacker puts himself in the middle as a transparent proxy and redirects all the traffic from your PC through his PC and on to the web server you are trying to reach. The trick works like this: you type the site name without https, the server replies with a redirect to the https version, and the attacker rewrites that redirect (and every https link in the pages that follow) to plain http, while keeping his own encrypted connection to the real server. The website sees a normal encrypted session and you see a working site; only the padlock is missing. The attack needs at least one plain HTTP request to hook into, so a site that sends a Strict-Transport-Security (HSTS) header, or is on the browsers' HSTS preload list, is opened over HTTPS directly and cannot be stripped.
Picture credit: computerhope.com
Not only does the attacker intercept and capture all the traffic, but he also forces your browser to load the website over plain HTTP, so everything you submit to the site (passwords, session cookies, form contents) is captured by the attacker in plain text.
One of the popular tools for performing this attack is bettercap.
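To make the two rewrites concrete, here is a small model of what an SSL-stripping proxy does to each upstream reply, together with the browser-side HSTS check that leaves it nothing to rewrite. This is an added example, not code from the original post and not bettercap's code; the host names, headers and HTML are constructed for the demo, and the browser check is a simplified model of real browser behaviour.

```python
# Added example: model of an SSL-stripping proxy's rewrites and of the HSTS
# check that defeats them. Not bettercap code; hosts/headers/HTML constructed.
import re
from typing import Dict, Set, Tuple

# any absolute https URL in a response body; group 1 is the host part
HTTPS_URL = re.compile(rb"https://([^/\"'\s>]+)", re.IGNORECASE)


def strip_response(headers: Dict[str, str], body: bytes) -> Tuple[Dict[str, str], bytes, Set[str]]:
    """Rewrite one upstream response the way sslstrip does.

    * a "Location: https://..." redirect becomes "http://..." so the victim's
      browser never upgrades the connection;
    * every https:// URL in the HTML becomes http://;
    * Strict-Transport-Security is dropped, since the proxy controls every
      byte the browser sees;
    * the hosts that were rewritten are recorded so the proxy knows which of
      the victim's later plain-HTTP requests must be forwarded over HTTPS to
      the real server.
    """
    stripped: Set[str] = set()
    new_headers: Dict[str, str] = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "strict-transport-security":
            continue
        if lname == "location" and value.lower().startswith("https://"):
            rest = value[len("https://"):]
            stripped.add(rest.split("/", 1)[0].lower())
            value = "http://" + rest
        new_headers[name] = value
    for m in HTTPS_URL.finditer(body):
        stripped.add(m.group(1).decode("ascii", "replace").lower())
    new_body = re.sub(rb"https://", b"http://", body, flags=re.IGNORECASE)
    return new_headers, new_body, stripped


def upstream_scheme(stripped: Set[str], host: str) -> str:
    """Scheme the proxy uses toward the real server for a victim request.
    Stripped hosts are contacted over HTTPS: the site sees a normal TLS
    session and cannot tell that the victim's half is cleartext."""
    return "https" if host.lower() in stripped else "http"


def browser_sends_plaintext(hsts_cache: Set[str], typed_url: str) -> bool:
    """Does the victim's browser ever emit a request the proxy can strip?

    The attack needs one plain-HTTP request to hook. A browser that already
    knows the host is HSTS (from an earlier visit or the preload list)
    upgrades internally and never sends cleartext, so there is nothing to
    rewrite. Simplified model of browser behaviour, not a real browser's code.
    """
    url = typed_url.lower()
    if url.startswith("https://"):
        return False
    host = url[len("http://"):] if url.startswith("http://") else url
    host = host.split("/", 1)[0]
    return host not in hsts_cache


if __name__ == "__main__":
    # constructed upstream reply: the site's redirect from http to https
    hdrs = {"Location": "https://login.example.com/account",
            "Strict-Transport-Security": "max-age=31536000",
            "Content-Type": "text/html"}
    html = b'<a href="https://login.example.com/login">Sign in</a><img src="https://cdn.example.com/l.png">'
    h, b, hosts = strip_response(hdrs, html)
    print(h)   # Location now http://, HSTS header gone
    print(b)   # every link now http://
    print(sorted(hosts), upstream_scheme(hosts, "login.example.com"))
    print(browser_sends_plaintext({"login.example.com"}, "login.example.com/account"))
```

Run it as-is to see the redirect and links downgraded; the last line prints False because a browser that already has the host in its HSTS cache never issues the cleartext request the proxy needs.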
Below is the demo I performed for ExpressVPN on a controlled public Wi-Fi:
2. Hijacking Session Cookies
Before explaining how a hacker can steal your session cookies, let me explain briefly what cookies are, what's in them and how a browser establishes a session with the web server.
What are cookies?
“Cookies are small files which are stored on a user’s computer. They are designed to hold a modest amount of data specific to a particular client and website, and can be accessed either by the web server or the client computer. This allows the server to deliver a page tailored to a particular user, or the page itself can contain some script which is aware of the data in the cookie and so is able to carry information from one visit to the website (or related site) to the next.” (Whatarecookies.com)
Picture credit: 0x00sec.org
What’s in a Cookie?
Each cookie is effectively a small lookup table containing (key, value) pairs, for example (firstname, John), (lastname, Smith). Once the cookie has been read by code on the server or on the client, the data can be retrieved and used to customise the web page appropriately.
How does a browser create a session with the web server?
Because HTTP communication uses many different TCP connections, the web server needs a method to recognise every user's connections. The most common method relies on a token that the web server sends to the client browser after a successful authentication. A session token is normally a string of variable width, and it can be carried in different ways: in the URL, in an HTTP request header as a cookie, in other parts of the HTTP request header, or in the body of the HTTP request.
The session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorised access to the web server. (OWASP)
Picture credit: owasp.org
After they steal the cookie, they can inject it into their own browser and are authenticated to the websites you were visiting. Now "they're" you. The first thing they might do is change the password and the recovery email, and from that point there is no way you are getting your account back. It could be an online banking account, a shopping account, or social media (Facebook, Twitter, Instagram etc.). Two details decide whether a cookie leaks this way: a cookie marked Secure is only ever sent over HTTPS, so a stripped plain-HTTP request does not carry it, while the HttpOnly flag only stops scripts from reading a cookie and does nothing against someone sniffing it off the wire. Sites that set their session cookie without the Secure flag are the ones that hand it to the attacker.
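The whole sequence, from login to replayed cookie, modelled end to end, including the Secure-flag difference. This is an added example and not code from the original post; the site, the user, the tokens and the sniffed request are all constructed for the demo, and the Site and Browser classes are toy stand-ins for a real web application and a real cookie jar.

```python
# Added example: session hijacking over a cleartext hop, modelled end to end.
# Not code from the post. Site, user, tokens and sniffed request constructed.
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional


class Site:
    """Minimal web application: login issues a random session token in a
    Set-Cookie header; every later request is identified by that token alone."""

    def __init__(self, secure_cookie: bool):
        self.users = {"alice": "correct horse battery staple"}   # constructed user
        self.sessions: Dict[str, str] = {}                       # token -> user
        self.secure_cookie = secure_cookie

    def login(self, user: str, password: str) -> Optional[str]:
        """Returns the Set-Cookie header value, or None on bad credentials."""
        if self.users.get(user) != password:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        flags = "; Secure" if self.secure_cookie else ""
        return f"session={token}; Path=/; HttpOnly{flags}"

    def whoami(self, cookie_header: str) -> Optional[str]:
        """The server's only notion of identity is the token in the Cookie header."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        if "session" not in jar:
            return None
        return self.sessions.get(jar["session"].value)


class Browser:
    """Cookie jar that honours the Secure attribute the way browsers do."""

    def __init__(self):
        self.jar = SimpleCookie()

    def store(self, set_cookie: str) -> None:
        self.jar.load(set_cookie)

    def cookie_header(self, scheme: str) -> str:
        parts = []
        for name, morsel in self.jar.items():
            if morsel["secure"] and scheme != "https":
                continue          # Secure cookies are never sent in cleartext
            parts.append(f"{name}={morsel.value}")
        return "; ".join(parts)


def sniff_cookie(raw_request: str) -> str:
    """What the attacker reads off a captured plain-HTTP request."""
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            return line.split(":", 1)[1].strip()
    return ""


def hijack(secure_cookie: bool) -> Optional[str]:
    """Victim logs in, then makes one request over plain HTTP (the situation
    sslstrip creates). The attacker copies the Cookie header and replays it
    from their own browser. Returns who the site believes the attacker is."""
    site = Site(secure_cookie)
    victim = Browser()
    victim.store(site.login("alice", "correct horse battery staple"))
    # constructed capture of the victim's next request on the stripped hop
    sniffed = ("GET /account HTTP/1.1\r\nHost: www.example.com\r\n"
               f"Cookie: {victim.cookie_header('http')}\r\n\r\n")
    stolen = sniff_cookie(sniffed)
    if not stolen:
        return None               # nothing on the wire to replay
    attacker = Browser()
    attacker.store(stolen)        # inject the stolen cookie into the attacker's browser
    return site.whoami(attacker.cookie_header("https"))


if __name__ == "__main__":
    print("cookie without Secure flag ->", hijack(secure_cookie=False))  # alice
    print("cookie with Secure flag    ->", hijack(secure_cookie=True))   # None
```

With the Secure flag off the attacker's replay is accepted as alice; with it on, the victim's browser never puts the cookie on the cleartext request, so there is nothing to steal on this hop. HttpOnly is set in both cases and makes no difference here, which is the point of the caveat above.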
Are there other attacks that might be performed on public Wi-Fi?
Absolutely. These were just two demos I wanted to show for security awareness; if they succeed, the amount of information an attacker could steal from people using public Wi-Fi could do someone a lot of damage.
How to protect yourself?
One of the easiest ways is to use a VPN, which encrypts all of your traffic.
Even though a website might use SSL/TLS as a security layer to encrypt your data over the network, you are still not safe, as we have demonstrated that the connection can be stripped down to plain HTTP (strictly, this only works against sites that still let you reach them over HTTP; a site protected by HSTS cannot be stripped, but you usually cannot tell in advance which sites are protected). With a VPN, all your traffic is encrypted from your device to the VPN server before it ever reaches the hotspot, so nothing on the Wi-Fi, neither a rogue hotspot nor another guest running an ARP spoofing attack, can read or rewrite it.
Make sure the VPN provider you choose has fast servers and does not log your activity (browsing history, traffic data, DNS queries etc.), as a lot of them do. A logging VPN still protects you from attacks on the Wi-Fi, but it will not keep your online activity private from the provider itself, which can now see everything the hotspot could have seen.