All Tech Considered
Fri June 13, 2014
Here's One Big Way Your Mobile Phone Could Be Open To Hackers
Originally published on Fri August 1, 2014 9:46 am
Despite the fact that every major Internet provider has added some kind of encryption to its services over the past year, tracking your online traffic is easier than you think.
And you don't have to be the target of a hacker or the NSA for your traffic to be intercepted. There is a hole in mobile security that could make tens of millions of Americans vulnerable.
Unsecured Wi-Fi networks have been a well-known vulnerability in the tech industry for years. They can let even the most unsophisticated hacker capture your traffic and possibly steal your identity.
Opening The Door To Hackers
Earlier this spring, when I conducted an experiment tapping my own Internet traffic, Sean Gallagher, a reporter from the tech news site Ars Technica, came to my house, and we connected a little device called a Pwn Plug — invented by computer security expert Dave Porcello — to my network.
Seeing just how much data streamed out of my phone the second I connected was a big surprise. My phone pinged Apple, Google and Yahoo. Then apps like Twitter and Facebook connected to the Internet. This all happened in just seconds of it simply sitting on my desk. I hadn't touched the phone.
If Porcello had been a hacker, those few seconds could have been a gold mine.
"Anything you are logged into when you reconnect, it basically relogs in, so there is an opportunity for an attacker to capture the cookie or maybe even the password," he said.
And chances are good that your beloved smartphone is constantly — relentlessly — looking for networks to connect to.
"When you have wireless turned on," says Oliver Weis, who works with Porcello at their company, Pwnie Express, "your phone or your laptop is sending out what are called probe requests out to the world — saying, 'Hey, where is my network? Where is my network? Is this network around? Where is this network?' "
I read this book to my kids called Are You My Mother? by P.D. Eastman. It's about this tiny baby bird that goes wandering around the world asking whatever it meets, "Are you my mother?" It asks a cow, then a dog and then a cat. Weis says there are evil Wi-Fi networks out there in the world programmed to act like a hungry cat that say, "Yes, I am your mother; yes, I am your network."
If your phone believes the cat, Weis says, the cat can intercept all traffic going through your phone.
That open Wi-Fi connection opens the door for hackers. They can get in the middle of transactions between, say, you and your bank.
Now, if you set up your phone correctly and only sign on to Wi-Fi networks you know, you can make these attacks more difficult. But some of America's biggest companies, like AT&T and Comcast, are aggressively rolling out nationwide open public Wi-Fi networks. These networks are insecure.
They aren't the only companies doing this, but they are the biggest. Comcast is turning its customers' cable boxes into public Wi-Fi hot spots, and it has a million hot spots across the country. AT&T offers open Wi-Fi connections at most Starbucks locations.
"A big problem with AT&T phones is that they all have a preferred network on their list that is open, and that is AT&T Wi-Fi," Weis says.
There is no password, "so when your AT&T phone is near an AT&T Wi-Fi network, it will automatically connect," he says.
You could turn off your Wi-Fi connections or shut off AT&T's auto-connect setting. But if you don't, your phone will connect to legitimate AT&T Wi-Fi hot spots — or hot spots called AT&T Wi-Fi set up by hackers.
The same is true for any open public Wi-Fi network. Spoofing them is as easy as changing the name on a Wi-Fi router. And Weis says if folks are just walking by one of the evil hot spots and their phone connects to it, they may never know.
"There is all this stuff going on behind the scenes — literally invisible packets in the air coming out of their pocket, saying things about who they are and where they have been and what they do," Weis says.
In the past year, the number of people using Xfinity Wi-Fi has almost tripled. Comcast told me that the number of out-of-home Wi-Fi sessions shot up 750 percent.
Don Bailey, a security expert at Lab Mouse, says these public Wi-Fi connections don't have to be insecure.
"There should be a way to identify whether or not you have attached to a public Wi-Fi," Bailey says.
That should happen automatically, he says, so when you connect to a network like this, all your traffic should be encrypted without you having to do anything. In fact, both Comcast and AT&T already offer consumers apps that will do this — but you have to buy them, install them and opt in. So most people don't.
I asked both companies if these open Wi-Fi networks were opening up millions of their customers to potential attacks.
AT&T spokesman Mark Siegel said the company takes "extraordinary measures" to keep its customers safe. Comcast said it was planning to roll out a more secure Wi-Fi network sometime in the future, but it didn't say when.
Comcast pointed out that for a more secure system to work, it will need the cooperation of every company that makes a device that connects with the network. That takes time.
RENEE MONTAGNE, HOST:
For a week this spring, NPR's Steve Henn allowed a small team of computer experts to plant a bug in his home office and monitor his Internet traffic. It was an eye-opening experiment, which he described earlier to David Greene.
DAVID GREENE, HOST:
Yeah, the idea was for Steve to act as a stand-in for all of us and see just how much the NSA, or anyone else who intercepted his Internet connections, could actually find out just by watching unencrypted traffic from his phone and laptop flow by. And Steve's team learned a lot.
Despite the fact that every major Internet provider has added some kind of encryption to its services over the past year, Steve's life online was really easy to track. The team also realized that you don't have to be the target of the NSA or a hacker for your traffic to be intercepted in this way. There is this hole in mobile security that could make tens of millions of Americans vulnerable. It's been well-known in the industry for years, and it could let even unsophisticated hackers capture your traffic, monitor your connections, even maybe steal your identity. Here again is Steve.
STEVE HENN, BYLINE: When I tapped my own Internet traffic, Sean Gallagher, a reporter from the tech news site Ars Technica, came to my house, and we took this little device. It's called a PWN Plug. And it was invented by Dave Porcello, a computer security expert. And we took this thing, and we physically attached it to my computer network.
DAVE PORCELLO: And now I'm going to turn on the Wi-Fi.
HENN: Dave was on a speakerphone, watching my Internet traffic from his office in Vermont.
PORCELLO: Oh, yep. Geez.
HENN: Seeing how much data streamed out of my phone the second I connected kind of blew everyone away. My phone pinged Apple, Google, Yahoo, and apps like Twitter and Facebook connected to the net. This all happened in just seconds. And I didn't touch the phone. If Dave was a hacker, those few seconds could have been a gold mine.
PORCELLO: And anything that you're logged into, basically when you re-connect, it basically re-logs in. So there's an opportunity for an attacker to capture either the cookie or maybe just the password.
HENN: It turns out the device in your pocket, your beloved smartphone, chances are really good that it is constantly out there, relentlessly looking for networks like this to connect to.
OLIVER WIES: Pretty much. Basically, yeah.
HENN: Oliver Wies works with Dave Porcello at their company, PWNIE Express.
WIES: So when you have wireless turned on, your phone or your laptop is sending out what are called probe requests out to the world saying, hey, where's my network? Hey, where's my network? Is this network around? Where's this network?
HENN: There's this book I read to my kids by P.D. Eastman. It's called "Are You My Mother?" And it's about this tiny baby bird that falls out of its nest and goes wandering around the world asking whatever it meets, are you my mother? First, it asks the cow and then a dog and then it asks a cat. Wies says there are actually evil Wi-Fi networks out there in the world that are programmed to act like a hungry cat that, when approached by your little, baby telephone, will say, yes, I am your mother. Yes, I'm your network. And if your phone believes that cat...
WIES: At that point, it's in the middle, and it can basically intercept all traffic going through it.
HENN: The cat has captured all of your traffic. That open Wi-Fi connection opens doors for hackers. They can get in the middle of transactions between, say, you and your bank. And Oliver Wies used this kind of man-in-the-middle attack to capture an email password.
WIES: I don't know if you can read that.
HENN: Password equals ponies1 or ponies! So it just captured your username and password.
HENN: Now, if you set up your phone correctly and only sign onto Wi-Fi networks you know, you could make these attacks more difficult. But some of America's biggest companies, like AT&T and Comcast, are aggressively rolling out nationwide, open, public Wi-Fi networks - networks that are insecure.
(SOUNDBITE OF COMCAST COMMERCIAL)
UNIDENTIFIED WOMAN: Imagine taking your home Internet with you when you leave the house and connecting to the fastest hotspot with the most coverage on-the-go. Introducing...
HENN: Now, these guys aren't the only company doing this, but they're the biggest. Comcast is turning customers' cable boxes into public Wi-Fi hotspots and has a million hotspots across the country. AT&T offers open Wi-Fi connections at most Starbucks.
WIES: A big problem with AT&T phones is that they all have a preferred network on their list by default that's open and that's AT&T Wi-Fi.
HENN: And Oliver Wies says there's no password.
WIES: So when, you know, your AT&T phone is near an open AT&T Wi-Fi network, it will automatically connect.
HENN: It will connect to a legit AT&T Wi-Fi hotspot or hotspots called AT&T Wi-Fi that are set up by hackers 'r us. And Wies says, if folks are just walking by one of these evil hotspots and their phone connects, they will probably never know.
WIES: There's all this stuff going on behind the scenes. I mean, literally invisible packets in the air coming out of their pocket saying things about who they are and where they've been and what they do.
HENN: In the past year, the number of people using Xfinity Wi-Fi has almost tripled. Comcast told me that the number of out-of-home Wi-Fi sessions shot up 750 percent. Don Bailey, a security expert at Lab Mouse, says these public Wi-Fi connections don't have to be insecure.
DON BAILEY: There should be a way to identify whether or not you've attached to a public Wi-Fi.
HENN: He says that should happen automatically. He says when you connect to a Wi-Fi network like this, all your traffic should be encrypted without you having to do anything. And in fact, both Comcast and AT&T already offer consumers apps that will do this. But you have to buy them, install them and opt in. So most people don't. I asked both companies if these open Wi-Fi networks were opening up millions of their consumers to potential attacks. AT&T said it took extraordinary measures to keep its consumers safe. Comcast said it was planning to roll out a more secure Wi-Fi network sometime in the future. But it didn't say when.
GREENE: That reporting coming from Steve Henn. And Steve joins us on the line right now to talk about the series. And, Steve, one interesting lesson from this experiment - I mean, we are all really vulnerable in those moments when our mobile device or computer is trying to connect to a public Wi-Fi network. If Comcast can make networks like this more secure, I mean, what's the holdup?
HENN: Well, part of the problem is that, for Comcast to roll out a more secure system, it needs the cooperation of everyone who uses it - so Apple, Android device manufacturers - they all have to agree to use this same system. So that takes time. And it's one of the issues we've seen again and again throughout the series.
The other problem that we've noticed is that even when companies roll out encryption, there are often bugs. So we found a bug in Google's location data that they've now patched. We found that Snapchat was showing when kids signed up for their service in the clear. And they fixed that as well. And we've seen lots of examples. And unless you really dig through the packets in the traffic, you don't see when encryption is breaking down.
GREENE: And that's probably difficult for people like me who don't do this kind of stuff - to dig through things like that and find out when things are breaking down. Anything that I can do, given all the leaks that you found, to make myself more secure?
HENN: Well, there are lots of little things you can do, like you can mess with your settings on your phone, turn off Wi-Fi or turn off location services. But I think for most people, that really doesn't work. For encryption to keep us all safe, I think it has to be built into the background and so simple to use that it's happening without us even knowing it. I mean, the one positive thing that has come out of this reporting for me is that we're seeing companies begin to move to that. And that was just unheard of a year ago.
GREENE: Interesting week of reporting. NPR technology correspondent, Steve Henn. Steven, thanks a lot.
HENN: My pleasure.
MONTAGNE: This is NPR News. Transcript provided by NPR, Copyright NPR.