One man, one bike ride, and a lot of hacked networks


I was on the TODAY show this morning and didn’t even know it. Neat! It was taped months ago, but better late than never. The tips and topics are all still relevant, maybe more so in the post-Home Depot world.

Would you walk into a coffee shop wearing a sign with your name? Would you hand your email to complete strangers so they could send it along for you? A computer security expert spent three days riding his bike around San Francisco recently to prove that many of us do that every day.

Today, free Wi-Fi hotspots are more important than ever, as most of us worry that smartphone use will eat up our cell phone data plans, hitting us with expensive overages. So most smartphones are set to constantly scan the world, looking for a free Wi-Fi alternative to our pricey mobile network connections. This is just one way consumers continually invite harm from hackers, stalkers, and other criminals, says James Lyne, Global Head of Security Research at security firm Sophos.


In an attempt to measure this ever-expanding attack footprint, Lyne hopped on a specially-equipped bike and pedaled around tech-happy San Francisco recently for three days, with TODAY cameras following along. The bike had hacker tools designed to capture and intercept wireless traffic. At the end of his ride, Lyne had connected to 190,000 computers and 72,000 networks. Sophos called the experiment “war-biking,” similar to “war-driving,” a common hacker technique that involved driving through neighborhoods in cars looking for networks to attack. Here’s some of what Lyne found:

* 10 percent of networks use security tools that were hacked nearly a decade ago and are now considered completely insecure

* Only 13 percent used what is considered state-of-the-art security

* Thousands of mobile phones are labeled with obvious names like “BobSullivansPhone,” making it easy to learn strangers’ identities

* Plenty of Bluetooth devices, such as cars, make the same mistake.  And while connecting to them requires a PIN code, many PINs are simply 0000 or 1234

* Worst of all, some 1,500 people connected to a rogue Wi-Fi network Sophos set up, which allowed the firm to hijack every user’s Internet traffic, a so-called “man in the middle” attack. In other words, Sophos took all users’ email and web browsing and then passed the data along to the rest of the Internet. If it were a computer criminal gang, it could have read all the content and stolen anything that was useful.

“Users simply do not care what they are connecting to to get their latest Internet fix,” Lyne said. “(They) connect first, and worry about it later.”

Wi-Fi devices like phones and tablets are set to scan for networks, but in doing so they reveal the name of the device and a lot of data about the past. It might seem innocuous for your phone to reveal your name, but think about this: If you were alone in a strange coffee shop, would you really want everyone else in the shop to know your name? Worse yet, because the device is looking for other hotspots you have connected to in the past, it might also reveal where you’ve been. For example, a smartphone might announce it’s “BobSullivansPhone” and that it had connected recently to “MapleAveCoffeeShopWiFi.”

There is more reason to be concerned when considering the future of connected gadgets and the coming Internet of Things, Lyne says.

“Many of these new Internet of Things devices are in the same box. They … do not receive the same security concerns,” he said. They will all hungrily attach to wireless networks, and will almost certainly expand the attack surface for digital criminals.

So what should you do?

* When naming devices like smartphones and tablets, don’t use your real name or any label that’s identifiable (So, no “RedHeadsiPhone”).

* When you aren’t using Wi-Fi or Bluetooth with your phone or tablet, consider turning it off. You’ll save battery power and reveal less about yourself.

* Don’t connect to random hotspots, and don’t let your phone do that. Even if you trust the hotspot, leave the online banking and other sensitive Net surfing for your home or work network.

For many more wireless safety tips, visit http://sophos.com/tips


About Bob Sullivan
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck, in 2014. He has won the Society of Professional Journalists’ prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.