MIAMI (CBSMiami) — If you have a smartphone or laptop, chances are you have used free Wi-Fi before. But what you may not know is that you are putting yourself at risk of being hacked.
CBS4’s David Sutta teamed up with a group called HackMiami to see exactly how it was done.
The group of hackers at Cyber Pizza in Dania Beach showed how they would need just seconds to steal your usernames and passwords, texts, even your photos all over Wi-Fi.
On a rainy Thursday night CBS employee Ezzy Castro used the free Wi-Fi in the restaurant.
Rod Soto with HackMiami set up across the room with his computer and a small antenna.
“Do you know her?” CBS4’s David Sutta asked Soto.
“No, I don’t,” he replied.
Sutta asked if he had ever held her phone in his hands. Soto shook his head and replied, “No. I have not.”
Soto then started running a program, showing a side of hacking never captured before.
“All I have to do is grep, or look for password and it will show up,” he said.
With the stroke of a few keys, a code flashed by and then suddenly he pulled up a list.
He pointed to a list of names and phone numbers on the screen.
“There’s David. There’s Alex.” It’s all the contacts we had put on Ezzy’s phone. Rod’s just hacked it all over Wi-Fi.
And he’s just getting started.
“Yes. Absolutely. I can grab the SMS (text messages). I can actually grab the contact of the actual text. And actually I can get pictures from the SD card.”
Sutta asked him to clarify. “So nothing is safe on the phone?”
“No, it’s not,” he said.
Soto told his computer to start pulling photos. A minute later he had one.
“This stuff is obviously dangerous. Now I have your contacts. Now I have your pictures. Now I have your private data. I can use this for identity theft,” he said.
Soto is what you call a “white hat” hacker. They are the good guys who search for vulnerabilities in the tech world then let people know about them before criminals do.
The experiment he ran with his team at HackMiami was at CBS4’s request.
With Ezzy across the room, Rod instructed her to go to Facebook and log in. As she entered her information, he saw every keystroke.
The HackMiami team showed how they did it. CBS4 agreed not to show you exactly what they did for security purposes; however, CBS4 found a quick Google search will give just about everything you need to know.
What was most frightening though was how he did it.
The entire hack occurred over those free Wi-Fi hot spots you find in coffee shops, stores, and public places.
James Ball with HackMiami explained “I could set it up and say this is a legit access point. A legit Wi-Fi network and people will log into me and not realize it.”
Essentially, the hacker can clone the login webpage to look like Starbucks or Publix or AT&T Wi-Fi. But it’s really the hacker’s site. And you would never know the difference.
In many cases your smartphone will automatically log into it. If your phone is familiar with, say, the Starbucks Wi-Fi, when you go in, it often will automatically log in.
The hackers can mimic the Starbucks Wi-Fi to the point where the phone would think it is Starbucks, but it really isn’t. Once you’re using the hackers’ Wi-Fi, they are grabbing everything you are sending over the internet. They essentially are tricking people.
Soto shook his head and said, “Precisely. That’s what attackers will do. It’s called social engineering. We’ll present you objects, or words, or pages that look legit. They will use something that you will trust and by that they will lead you to inputting your information.”
While Ezzy used her iPhone, usernames, passwords, and websites she visited were all being recorded. The information traveled over what was considered a secure network. Soto ran a program that took the jumbled lines of code and put them back together.
Once it was assembled, he could see websites along with all the data that was entered. When we switched Ezzy to an Android phone, Rod took it a step further. He required her to update her phone to view the internet. She clicked the update. He inserted an app onto her phone to run in the background. Now he could pull anything he wanted.
Soto explained, “There is no limit. With enough resources and enough skill level we can pretty much break into anything.”
The second hack was worse than a Wi-Fi hack. It stayed with the phone even after she logged off the Wi-Fi.
“It is there. And as long as I have my listener every time she opens it. It will come back,” Soto said, meaning he could pull data from her phone for weeks, months, even years if he wanted to.
Castro found the experience eye-opening. She frequently uses the free Wi-Fi in Target.
“It just makes you think twice. All the places that you use Wi-Fi at and you just can’t trust anyone,” Castro said.
In all, Soto spent very little to pull off the stunt.
“The software is actually open source. It’s free. So you can download it and install it,” he said.
He paid for a laptop and a cheap antenna.
For $250, he’s hacked phones. The number one question we had after witnessing the hacks was how to avoid being hacked on our phone. Soto had a few ideas, but his number one was pretty straightforward. “I personally would not browse or use free Wi-Fi,” he said.
Staying off the free Wi-Fi is hard though. Data plans can cost a bundle. The idea of surfing the web for free is tempting. Certainly there are legitimate Wi-Fi hotspots out there. But how do you know it’s really Starbucks, or Target, or whatever it says they are? Soto and the hackers at HackMiami agreed that you’ll never really know.
Sutta wondered if this is happening in South Florida. The hackers didn’t blink when they responded, “Absolutely.” Rod said he’s seen it personally at Miami International Airport. Others said they had seen it on the Metrorail, in area hospitals, and college campuses. Frankly, with it being so cheap to do and requiring little education, the belief is it’s really not a question of if it’s happening.
HackMiami.org also provided this list of tips for people worried about Wi-Fi hacking.
Mitigation measures against Wi-Fi attacks for users and businesses
1 – If you are a business, specify this attack in your Wi-Fi Acceptable Use Policy, making users aware of the possibility of these attacks.
2 – (User) Avoid using free internet; they are usually honeypots or attack setups like the ones shown in this program.
3 – (User) Use a VPN service. This service will encrypt your traffic end to end preventing sniffing.
4 – (Business) Use of 802.1X Access Control mechanisms recommended for companies.
5 – (User) Disable your wireless adapter in your phone and computer when not using it.
6 – (User) Never enter your credentials on these publicly available Wi-Fi spots. Do not conduct credit card transactions either.
7 – For businesses, use complex passwords for access point management. Change defaults and disable default and non-used ports/services. Do not have open access to your Wi-Fi service.
8 – (User) For services like email or Facebook or iCloud, enable two-factor authentication (TFA), where the user must receive an SMS with a code that must be input in addition to the password in order to access those services.
9 – For businesses. Make sure your Wi-Fi router or access point is using the latest WPA (Wi-Fi Protected Access) or WPA2. Do not use WEP (Wired Equivalent Privacy) as it is easy to break. It takes an average of 10 to 20 minutes to break into a WEP protected Wi-Fi network.
10 – (Business) It is recommended to disable Wi-Fi Protected Setup (WPS) and set up the router to WPA2 + AES (128-bit encryption). Filtering internal network by MAC addresses also mitigates possible man in the middle attacks.