By Maurits Martijn, Matter, Oct. 15, 2014
Translated from Dutch by Jona Meijers
In his backpack, Wouter Slotboom, 34, carries around a small black device, slightly larger than a pack of cigarettes, with an antenna on it. I meet Wouter by chance at a random café in the center of Amsterdam. It is a sunny day and almost all the tables are occupied. Some people talk, others are working on their laptops or playing with their smartphones.
Wouter removes his laptop from his backpack, puts the black device on the table, and hides it under a menu. A waitress passes by and we ask for two coffees and the password for the WiFi network. Meanwhile, Wouter switches on his laptop and device, launches some programs, and soon the screen starts to fill with green text lines. It gradually becomes clear that Wouter’s device is connecting to the laptops, smartphones, and tablets of local cafe visitors.
On his screen, phrases like “iPhone Joris” and “Simone’s MacBook” start to appear. The device’s antenna is intercepting the signals that are being sent from the laptops, smartphones, and tablets around us.
More text starts to appear on the screen. We are able to see which WiFi networks the devices were previously connected to. Sometimes the names of the networks are composed of mostly numbers and random letters, making it hard to trace them to a definite location, but more often than not, these WiFi networks give away the place they belong to.
We learn that Joris had previously visited McDonald’s, probably spent his vacation in Spain (lots of Spanish-language network names), and had been kart-racing (he had connected to a network belonging to a well-known local kart-racing center). Martin, another café visitor, had been logged on to the network of Heathrow airport and the American airline Southwest. In Amsterdam, he’s probably staying at the White Tulip Hostel. He had also paid a visit to coffee shop called The Bulldog.
Session 1: Let everyone connect to our fake network.
The waitress serves us our coffee and hands us the WiFi password. After Slotboom is connected, he is able to provide all the visitors with an internet connection and to redirect all internet traffic through his little device.
Most smartphones, laptops, and tablets automatically search and connect to WiFi networks. They usually prefer a network with a previously established connection. If you have ever logged on to the T-Mobile network on the train, for example, your device will search for a T-Mobile network in the area.
Slotboom’s device is capable of registering these searches and appearing as that trusted WiFi network. To demonstrate, I suddenly see the name of my home network appear on my iPhone’s list of available networks, as well as my workplace, and a list of cafes, hotel lobbies, trains, and other public places I’ve visited. My phone automatically connects itself to one of these networks, which all belong to the black device.
Slotboom can also broadcast a fictitious network name, making users believe they are actually connecting to the network of the place they’re visiting. For example, if a place has a WiFi network consisting of random letters and numbers (Fritzbox xyz123), Slotboom is able to provide the network name (Starbucks). People, he says, are much more willing to connect to these.
We see more and more visitors log on to our fictitious network. The siren song of the little black device appears to be irresistible. Already 20 smartphones and laptops are ours. If he wanted to, Slotboom is now able to completely ruin the lives of the people connected: He can retrieve their passwords, steal their identity, and plunder their bank accounts. Later today, he will show me how. I have given him permission to hack me in order to demonstrate what he is capable of, though it could be done to anyone with a smartphone in search of a network, or a laptop connecting to a WiFi network.
Everything, with very few exceptions, can be cracked.
The idea that public WiFi networks are not secure is not exactly news. It is, however, news that can’t be repeated often enough. There are currently more than 1.43 billion smartphone users worldwide and more than 150 million smartphone owners in the U.S. In the U.S., more than 92 million American adults own a tablet and more than 155 million own a laptop. Each year the worldwide demand for more laptops and tablets increases. In 2013, an estimated 206 million tablets and 180 million laptops were sold worldwide. Probably everyone with a portable device has once been connected to a public WiFi network: while having a coffee, on the train, or at a hotel.
The good news is that some networks are better protected than others; some email and social media services use encryption methods that are more secure than their competitors. But spend a day walking in the city with Wouter Slotboom, and you’ll find that almost everything and everyone connected to a WiFi network can be hacked. A study from threat intelligence consultancy, Risk Based Security, estimates that more than 822 million records were exposed worldwide in 2013, including credit card numbers, birth dates, medical information, phone numbers, social security numbers, addresses, user names, emails, names, and passwords. Sixty-five percent of those records came from the U.S. According to IT security firm Kaspersky Lab, in 2013 an estimated 37.3 million users worldwide and 4.5 million Americans were the victim of phishing—or pharming—attempts, meaning payment details were stolen from hacked computers, smartphones, or website users.
Report after report shows that digital identity fraud is an increasingly common problem. Hackers and cybercriminals currently have many different tricks at their disposal. But the prevalence of open, unprotected WiFi networks does make it extremely easy for them. The National Cyber Security Center, a division of the Ministry of Security and Justice, did not issue the following advice in vain: “It is not advisable to use open WiFi networks in public places. If these networks are used, work or financial related activities should better be avoided.”
Slotboom calls himself an “ethical hacker,” or one of the good guys; a technology buff who wants to reveal the potential dangers of internet and technology. He advises individuals and companies on how to better protect themselves and their information. He does this, as he did today, usually by demonstrating how easy it is to inflict damage. Because really, it’s child’s play: The device is cheap, the software for intercepting traffic is very easy to use, and readily available for downloaded. “All you need is 70 Euros, an average IQ, and a little patience,” he says. I will refrain from elaborating on some of the more technical aspects, such as equipment, software, and apps needed to go about hacking people.
Session 2: Scanning for name, passwords, and sexual orientation.
Armed with Slotboom’s backpack, we move to a coffeehouse that is known for the beautiful flowers drawn in the foam of the lattes, and as a popular spot for freelancers working on laptops. This place is now packed with people concentrating on their screens.
Slotboom switches on his equipment. He takes us through the same steps, and within a couple of minutes, 20 or so devices are connected to ours. Again we see their Mac-addresses and login history, and in some cases their owners names. At my request, we now go a step further.
Slotboom launches another program (also readily available for download), which allows him to extract even more information from the connected smartphones and laptops. We are able to see the specifications of the mobile phone models (Samsung Galaxy S4), the language settings for the different devices, and the version of the operating system used iOS 7.0.5).
The latter can be extremely valuable information for a malicious hacker. If a device has an outdated operating system, for example, there are always known “bugs,” or holes in the security system that can be easily exploited. With this kind of information, you have what you need to break into the operating system and take over the device. A sampling of the coffeehouse customers reveals that none of the connected devices have the latest version of the operating system installed. For all these legacy systems, a known bug is listed online.
We can now see some of the actual internet traffic of those around us. We see that someone with a MacBook is browsing the site Nu.nl. We can see that many devices are sending documents using WeTransfer, some are connecting to Dropbox, and some show activity on Tumblr. We see that someone has just logged on to FourSquare. The name of this person is also shown, and, after googling his name, we recognize him as the person sitting just a few feet away from us.
Information comes flooding in, even from visitors who are not actively working or surfing. Many email programs and apps constantly make contact with their servers—a necessary step for a device to retrieve new emails. For some devices and programs, we are able to see what information is being sent, and to which server.
And now it’s getting really personal. We see that one visitor has the gay dating app Grindr installed on his smartphone. We also see the name and type of the smartphone he’s using (iPhone 5s). We stop here, but it would be a breeze to find out to who the phone belongs to. We also see that someone’s phone is attempting to connect to a server in Russia, sending the password along with it, which we are able to intercept.
Session 3: Obtaining information on occupation, hobbies, and relational problems.
Many apps, programs, websites, and types of software make use of encryption technologies. These are there to ensure that the information sent and received from a device is not accessible to unauthorized eyes. But once the user is connected to Slotboom’s WiFi network, these security measures can be circumvented relatively easily, with the help of decryption software.
To our shared surprise, we see an app sending personal information to a company that sells online advertising. Among other things, we see the location data, technical information of the phone, and information of the WiFi network. We can also see the name (first and last) of a woman using the social bookmarking website, Delicious. Delicious allows users to share websites—bookmarks—they are interested in. In principle, the pages that users of Delicious share are available publicly, yet we can’t help feeling like voyeurs when we realize just how much we are able to learn about this woman on the basis of this information.
First we google her name, which immediately allows us to determine what she looks like and where in the coffeehouse she is sitting. We learn that she was born in a different European country and only recently moved to the Netherlands. Through Delicious we discover that she’s been visiting the website of a Dutch language course and she has bookmarked a website with information on the Dutch integration course.
In less than 20 minutes, here’s what we’ve learned about the woman sitting 10 feet from us: where she was born, where she studied, that she has an interest in yoga, that she’s bookmarked an online offer for an anti-snore mantras, recently visited Thailand and Laos, and shows a remarkable interest in sites that offer tips on how to save a relationship.
Slotboom shows me some more hacker tricks. Using an app on his phone, he is able to change specific words on any website. For example, whenever the word “Opstelten” (the name of a Dutch politician) is mentioned, people see the word “Dutroux” (the name of a convicted serial killer) rendered on the page instead. We tested it and it works. We try another trick: Anyone loading a website that includes pictures gets to see a picture selected by Slotboom. This all sounds funny if you’re looking for some mischief, but it also makes it possible to load images of child pornography on someone’s smartphone, the possession of which is a criminal offense.
We visit yet another cafe. My last request to Slotboom is to show me what he would do if he wanted to really harm me. He asks me to go to Live.com (the Microsoft email site) and enter a random username and password. A few seconds later, the information I just typed appears on his screen. “Now I have the login details of your email account,” Slotboom says. “The first thing I would do is change the password of your account and to indicate to other services you use that I have forgotten my password. Most people use the same email account for all services. And those new passwords will then be sent to your mailbox, which means I will have them at my disposal as well.” We do the same for Facebook: Slotboom is able to intercept the login name and password I entered with relative ease.
Another trick that Slotboom uses is to divert my internet traffic. For example, whenever I try to access the webpage of my bank, he has instructed his program to re-direct me to a page he owns: a cloned site that appears to be identical to the trusted site, but is in fact completely controlled by Slotboom. Hackers call this DNS spoofing. The information I entered on the site is stored on the server owned by Slotboom. Within 20 minutes he’s obtained the login details, including passwords for my Live.com, SNS Bank, Facebook, and DigiD accounts.
I will never again be connecting to an insecure public WiFi network without taking security measures.