Are you an easy mark for an airport cyber attack? If your phone is set up to find and automatically connect to open Wi-Fi networks, cyber experts say you are putting your data security at risk.
In its latest tech column, the FBI’s Oregon field office warns consumers, “Don’t allow your phone, computer, tablet, or other devices to auto-connect to a free wireless network while you are away from home. This is an open invitation for bad actors to access your device.”
Free Wi-Fi networks like those found in airports are not secure. “Connecting to any available Wi-Fi is kind of like eating gas station sushi,” says Caleb Barlow, president and CEO of CynergisTek, a cybersecurity consulting firm. “It’s not a good idea because you never know what the source is.”
In addition, it’s becoming increasingly difficult to tell a legitimate network from a rogue network. For hackers, a favorite gambit is to create an “evil twin” network that masquerades as the official airport Wi-Fi network.
Tricking distracted travelers into connecting to a rogue network is alarmingly easy. “If you’ve ever been to an airport, you’ll notice that a lot of the Wi-Fi networks have very similar SSIDs,” explains Max Eddy, a senior cybersecurity analyst for PCMag. An SSID — or service set identifier – is simply the name assigned to a Wi-Fi network.
“If I were a hacker, all I would need to do is note the name of the official Wi-Fi network, and then set up another one with a very similar name,” says Eddy. For example, Denver International Airport’s official public Wi-Fi network is “- DEN Airport Free WiFi,” so an evil twin might be called “DEN Airport Free WiFi-5G” or “Free DEN Airport WiFi.”
“No matter which airport I’m in, without having to do anything special, I could just set up a router that has a very similar name and I know a bunch of phones are going to connect to it,” says Eddy.
Once your phone connects to a rogue network, hackers can do all sorts of damage. “They then can load malware, steal your passwords and PINs, or even take remote control of your contacts and camera,” warns the FBI.
Worse yet, your phone can be an open door to your life. “You know how you can go into your settings and see all your frequently connected networks?” asks Barlow. “That’s a trail of every place you’ve been, and you’re basically broadcasting out to the world, everywhere you go, a record of all of your past destinations.”
“Anyone can buy a sniffing device for about $200 that will capture all of the network requests that your phone is broadcasting and then figure out a lot about you,” says Barlow. “All I’ve got to do is listen for what your phone is broadcasting. I don’t even need to be near you. I just need to listen in.”
Let’s say your home Wi-Fi network is called “JacksonFamilyWiFi.” “If I can see that listed in your phone’s known networks, then I can set up a network with the exact same name,” says Barlow. You may not be anywhere near your home, but your phone is still constantly looking for that specific SSID. “So your phone says, ‘Oh, that’s a trusted network,’ and will immediately connect to the network I just created. Now your internet traffic is going through me.”
The more a hacker knows about you, the more harm he can do. “Not only might I see that this person’s device is trying to connect to a bunch of airport hotspots, but I can see exactly which airports. And maybe I see hotel Wi-Fi networks,” says Eddy. The hacker can then make educated assumptions about companies you hear from regularly. “I now know something about that person: where they go, what they do. That’s information I can use in a targeted phishing attack.”
Perhaps the scariest scenario of all is that your phone can be hacked when you’re not even using it. “Even if your phone is in your pocket, it’s still looking for networks to connect to,” says Eddy. “It is still broadcasting information and doing all sorts of stuff in the background,” says Eddy. “So, it could be in your pocket, screen turned off, but connected to a malicious network.”
4 Easy Ways to Thwart An Airport Hacker
There are simple ways to protect yourself from hackers, sniffers and evil twins.
1. Invest in a VPN. A virtual privacy network will encrypt all of your activity. Use it when you connect to public networks and any network that you don’t manage yourself. Notably, Eddy’s top picks for the best VPNs generally run $10 a month or less.
2. Shun free Wi-Fi. If you don’t have a VPN, don’t connect to public Wi-Fi at the airport. Just stay on the regular 5G, LTE or 4G service provided by your wireless carrier.
3. Turn off auto pilot. Before heading to your flight, adjust your phone’s Wi-Fi settings to turn off the auto-connect feature.
iPhone: The Auto-Join feature, when enabled, will automatically connect your phone to designated networks when within range. Before going to the airport, turn off Auto-Join. Go to Settings > Wi-Fi, then tap the small (i) next to the network name. Turn off the Auto-Join toggle switch to disable the feature.
Android: To stop your phone to automatically connecting to open networks, go to settings and then to Network & Internet > Wi-Fi > Wi-Fi preferences. Next, toggle off the “Connect to open networks” switch to disable it.
4. Give your phone amnesia. “People are always shocked by number of networks that they’ve connected to over the years,” says Eddy. Before you travel, do some housekeeping and remove any saved networks that you don’t need.
iPhone: Go to Settings > Wi-Fi. Look under “My Networks” and tap the small (i) next to the network name. Tap “Forget network.”
Android: Go to settings and then to Network & Internet > Wi-Fi > Wi-Fi preferences. Touch and hold on the network you want to forget, then tap “Forget network.”