MIAMI (CBSMiami) – For the past few months CBS4 has been working with Hack Miami to reveal a side of hacking rarely seen. They showed us for less than $200 how they could hack practically any phone or laptop. What was most alarming though was you wouldn’t be aware they were doing it. To prove that, Florida International University agreed to do an experiment with Hack Miami and CBS4. We let our hackers work their magic on campus… and the results were eye opening. It may have you re-thinking how you use Wi-Fi.
It’s a Tuesday morning on the campus of FIU. 20,000 students rush between classes. Inside the student union, Rod Soto with HackMiami is setting up our test. “We’re almost done,” he says. Suddenly an alert on his screen goes off. Soto is surprised. “Somebody already connected already.” He’s not even fully up with his system but he’s already connecting to random devices in the union. We have challenged him to see how many phones, tablets, and computers he can connect to in seconds. As his program begins to run he leans over and asks “The thing is how aggressive do you want to be? I can go and attack them and de-authenticate them and bring them to me.” By de-authenticate Soto is suggesting to kick everyone in the building off the university’s Wi-Fi and have them log onto to a Wi-Fi network he just setup.
Soto fits in like the rest of the students. He’s sitting near a hallway working on a laptop. Using a free program and an antenna, he is beaming a Wi-Fi signal out. The signal can be seen throughout the building he’s in. He’s named the Wi-Fi network “FIU wifi” similar to what FIU uses. As the minutes roll by students are signing on to his Wi-Fi network. They would have no idea it’s not really FIU if not for a page he setup announcing we are doing a test. The page informs users they have connected to our test and that they could have exposed themselves to being hacked by doing so. Soto is not giving anyone access to the internet or hacking their device. He’s simply counting the number of devices that are connecting to his network. On his computer lines of code run by with a series of numbers. The numbers represent someone’s phone or computer. As classes let out the number of connections skyrocket.
While Soto connects we asked students what they thought. Most are not all that concerned. FIU student Camille Gayle thinks free Wi-Fi is a necessity. “I looked at it as a helpful thing. That it was helping me out,” she says. Luis Levias, another student explains “If you are in need you really have to use it you know. If it’s emergency and you don’t have internet access you have to use it.”
What Hackers can do over Wi-Fi
If you think using free Wi-Fi isn’t a big deal… we gave Soto free rein to hack a CBS4 employee’s phone using only free Wi-Fi. In a pizza shop he connected. On his laptop he pulled up her data. “Pictures. Contacts. I can do the same thing with videos as well. I can do the history of calls. I can download the content of the SMS. The text messages she sent and whatever is stored in the SD card,” Soto explained as he pulled it all over the Wi-Fi network. Essentially nothing is off limits. Soto explains he can even see what you are surfing and pull everything you write. “If you were to log into your bank, then I can go back into log into your bank. If you were to log into your Facebook, then.” In other words he’s grabbing usernames and passwords. Back at FIU… it’s not one phone that’s connecting to him… it’s dozens of devices. This Wi-Fi network has opened the front door for him to come in and do whatever he wants. Soto agrees. “Absolutely. There is a reason why people must be conscious when joining free Wi-Fi.”
Cloning Starbucks Wi-Fi
We decide to change the name of the WiFi network to the one Starbucks uses. What happened next we were not ready for. The number of connections goes haywire. “I didn’t think it was going to be so overwhelming for the setup, that I ran out of IP’s. That’s actually quite an impressive situation,” Soto says. He’s now connected to more than a 100 devices. Most people have no idea. He explains how it works “The main issue is you have your phone or your computer to automatically join a Wi-Fi. If we set up a similar Wi-Fi that you have joined before it will automatically join,” he says. “Since your phone has been connected to Starbucks before it will now automatically join.” And what Soto is doing is simply pretending to be the Starbucks Wi-Fi. And guess what? A lot of people have been connecting at Starbucks. “People are not really looking at what’s going on with your phone. Your phone might be on your belt, yet it has the wifi enabled and would actually join the rogue wifi,” Soto says.
Beaming the Hack
We step outside to a real Starbucks on campus. The Hack Miami team steps it up one more time, this time bringing out out a microwave dish. James Ball, a member of the Hack Miami team explains any dish will do. “A DirecTV satellite dish will do the trick, or any satellite dish will do the trick,” Ball says. As Ball positions the dish, Soto tells us what they are doing. “What the antenna does is amplifies the range that we can reach with our attack. So basically they don’t have to see me. Just sit here, place my antenna there.” He’s now beaming his Wi-Fi across campus. They point the dish at a group sitting around a table. They are probably a football field away. “As we have a lot of people over there, they start popping up here,” Soto says. We look down at the computer and sure enough dozens of devices start connecting. Sure the dish is large. It’s obvious. You would probably be suspicious if you saw it. But would you notice it from a 100 yards away? Soto laughs. “You could have it over a mile, almost 2 miles. Some others even farther than that. 7-8 [miles],” he says. Meaning you would never see it coming.
Two hours into our test it’s time for the results. Just how many devices did Soto connect to? “It’s about 850,” Soto says. 850 phones, tablets and computers that logged onto his network in just a couple of hours. A majority of the devices he connected to had the potential to be hacked… just like the CBS4 employee’s phone.
We share the results with FIU’s Chief Information Officer Robert Grillo. “That is alarming. It causes us to rethink how we educate our students,” he said. Grillo believes it is important for his students, everyone, to learn from this test. Grillo explains “For us it was an educational opportunity to show everyone what you can do and what you shouldn’t do when you actually access the internet.” Even with our experiment students were split if they would continue using free Wi-Fi. Luis Levias was shocked about what was possible. “That would actually change my mind a lot about using open wifi,” He said. But Stephanie Barrios, another FIU student wasn’t all that concerned. “It’s gotta happen to us first before we take it seriously,” Barrios said. Soto says it may have already happened… and you’ll never know.
How to protect yourself
According to Soto these types of hacks are happening in South Florida. “Absolutely. It doesn’t take that much to make them happen,” Soto says. He explained criminals will use his exact setup on hotels, airports, train stations… anywhere you find open Wi-Fi networks. So how do you protect yourself? “You can disable your Wi-Fi in your phone. I usually do it,” Soto said. Secure Wi-Fi networks offer another level of protection too. However they are not invincible to be hacked.
Interesting enough FIU has implemented some excellent technology to try to protect students. When Hack Miami tried to clone FIU’s Wi-Fi network exactly, FIU’s systems managed to kick Hack Miami out. It was impressive technology that more and more businesses may want to consider to better protect their customers.
At the end of the day though criminals are often moving faster than most companies are. For now, the best protection for your data is stay off of Wi-Fi networks.