
Watchdog Wednesdays Hacks a Wi-Fi Hotspot


Watchdog Wednesdays continues on BBC Three and in this week's film I investigate how easily a criminal can hack a public Wi-Fi hotspot and compromise its users' personal information.

Coffee shops, high streets and hotels increasingly offer free public Wi-Fi so visitors can sync up while they eat, shop or stay. However, as I've reported on before, Wi-Fi hotspots are easy to spoof, are frequently unsecured, and even when there is a password there is still no guarantee of safety.

Hacking the Hotspot

So, in a controlled experiment at a central London coffee shop, I set out to see what the hackers see. What I saw when the Watchdog cameras began rolling surprised even me:

With very little investment in time or equipment I learnt how to intercept traffic sent between users' devices (laptops, smartphones, tablets) and the internet.


Just to be clear - I am not a hacker, I’m a journalist, but picking up the basics was worryingly easy.

The Man in the Middle

My attack (known as a 'Man in the Middle' attack by ARP poisoning) targeted only a single device operated by a member of the BBC crew. It could equally have targeted a number of devices, perhaps all logged in to the Wi-Fi hotspot.

I found unencrypted traffic easily visible: plain text usernames and passwords flashed before my eyes in real time (gold dust for a hacker) and webpage images appeared on my hacktop just as they did on the victim's machine. I was even able to work around some (but not all) websites' attempts to enforce HTTPS security.


I was shocked that supposedly secure websites such as John Lewis, ebay and Amazon were vulnerable to this basic attack on an iPad, along with email accounts that didn't have SSL security enabled. Facebook and Twitter didn't fall for the hack.

Are we really aware of how easy it is for data we send over the airwaves to be intercepted by a silent criminal? I suspect not. This is a perfect crime where victims are unaware that their details have been compromised until the criminal executes his hack hours, days or weeks later when emails get intercepted, accounts get hijacked and funds go missing.

'Hacktop' Tech

There's nothing here that's difficult to get hold of:

I should add that none of the software used here was illegal; Kali Linux and its bundled utilities are open source, promoted as 'penetration testing and ethical hacking' software and are used by security professionals to ensure their corporate networks and public websites remain secure against hackers. Of course, the very same software may also be used by hackers for malicious means. And then, of course, there is YouTube - there are any number of tutorials here to help you get to grips with the tools and utilities mentioned above.

Stay Safe on Public Wi-Fi Hotspots

So there's the scare story. But what can you do to stay safe when on public Wi-Fi?

How secure are apps? How do you know whether they're secure if there's no green padlock or HTTPS visible in an address bar? In my testing I found some apps that are blatantly not secure, broadcasting personal details, but I'll be exploring this in more detail very soon.

Keep watching BBC Three Watchdog Wednesdays for more films like these, and do get in touch on here or on Twitter if there are any other hacks or scams you'd like me to investigate.
