TSA warning comes to life as man jailed for attack.
AFP via Getty Images
Updated on Dec. 5 with expert security guidance for smartphone users when traveling, including how to avoid connecting to dangerous networks.
Almost all smartphone users are at risk, Google says, flagging messaging attacks and “unencrypted” networks that are “easily exploited” by hackers. This stark alert echoes a warning from America’s Transportation Security Administration (TSA).
TSA tells the traveling public: “Don’t use free public WiFi.” And now, with the holiday season underway, this will be front of mind. TSA has faced some criticism for its alert, not least indirectly from the FTC, but Google has now said exactly the same.
BeyondTrust’s James Maude suggests “the hacklore around public Wi-Fi has almost taken on a life of its own. Tell someone you work in cyber security and they may well gleefully tell you how they know not to connect to free Wi-Fi or use a VPN at all times.”
But there may be some wry smiles within TSA’s cyber team this week, given the news that a man “who created ‘evil twin’ Wi-Fi networks to capture personal data and hacked into women’s online accounts to steal intimate material” has been jailed.
That update comes from the Australian Federal Police (AFP). The attacks took place onboard a flight — in midair. Airline employees “identified a suspicious WiFi network – which mimicked a legitimate access point – during a domestic flight.”
Public Wi-Fi warnings rile cyber experts because most data traffic to and from devices is now encrypted. But that focuses on interception of the data itself. An evil-twin attack is different. This fakes an access point, using a similar Wi-Fi name to a real service, “hoping that users will connect to it instead of a legitimate one.”
Responding to this latest story, Black Duck’s Nivedita Murthy told me “evil twin attacks are common where Public Wi-Fi is offered. While users might look for Wi-Fi that does not have the secure option enabled, they may also accidentally connect to Wi-Fi having similar names as the one offered by the location if they are in a hurry.”
Per Kaspersky, “when users connect to this access point, all the data they share with the network passes through a server controlled by the attacker. An attacker can create an evil twin with a smartphone or other internet-capable device and some readily available software. Evil twin attacks are more common on public Wi-Fi networks.”
“Users should scrutinize which network are they connecting to by ensuring the Wi-Fi names match exactly and they have the secure padlock at the least,” Murthy advises. “They can also use VPN apps (ensure that those are installed from a trusted play store and verified before) to connect and ensure their traffic is protected even from someone snooping on the network.” That assumes VPNs aren’t set for restrictions, of course.
None of this is new. I reported on the in-flight Wi-Fi threat in 2020. “Public Wi-fi will always have risk,” Cyjax CISO Ian Thornton-Trump told me. “I once saw a Starbucks and a Subway Wi-Fi access point, flying from Newark to Vegas at 35,000 feet.”
At an airport or a mall or a resort, it’s all too easy to scroll through the countless Wi-Fi networks looking for one absent a private padlock and with an option to connect. “Free Airport Wi-Fi” or “Free Flight Wi-Fi” are easy to create and hard to police.
Zimperium says “during travel, these risks multiply. Airports, hotels, rideshare hubs, and cafés all offer rich hunting grounds for attackers leveraging man-in-the-middle attacks or malicious public Wi-Fi. And employees, often multitasking or in a hurry, are far more likely to click, install, or connect without thinking twice.”
According to BeyondTrust’s James Maude, “the real danger here is not connecting to Wi-Fi it is falling for a fake login page, just as you might do through a phishing email, a link on social media or a compromised website.”
“As travel increases,” says Zimperium’s Kern Smith, “users should be cautious of what networks they connect to, and be very wary of installing apps or configurations if prompted to do so when connected to unknown and potentially malicious networks.”
Maude says “this is part of the wider identity security landscape where attackers know it is easier to log in than hack in so will use a variety of means to compromise your identity. So this holiday season no matter what Wi-Fi or network connection you use make sure you keep your credentials off the attackers naughty list.”
“Cyber criminals are hard at work,” Optiv’s Nathan Wenzler tells me, “taking advantage of the distractions of the season to steal data and compromise your financial information. One of the most common ways they do this is to set up fake Wi-Fi access points that look like a real, public wireless access point and lurk in public areas waiting for an unsuspecting user to connect and start shopping.”
Wenzler’s watchlist for traveling smartphone users is simple: “Make sure the name of the Wi-Fi service is correct. There could be extra letters, underscore characters or other clues that the access point isn’t the correct one being provided by a business.”
You can also “check for the lock icon next to the Wi-Fi name. This means the access point is encrypted or requires a password to access, and is more secure to use. And don’t be afraid to ask someone for the password and if it’s the correct access point! It’s an easy way to make sure you’re on the correct Wi-Fi network with the correct password.”
Just be careful before you click to connect.
“Evil twin attacks are dangerous because, when successful, they allow hackers to access your device,” Kaspersky warns. “This means they can potentially steal login credentials and other private information, including financial data (if the user carries out financial transactions when connected to the evil twin Wi-Fi).”
In addition, the security firm says, “hackers could also insert malware into your device. Evil twin Wi-Fi attacks often don’t leave tell-tale signs which could expose their true nature. They perform their primary task of providing access to the internet, and many victims won’t question it. Users may only realize they’ve been victimized by an evil twin attack afterward when they notice unauthorized actions performed on their behalf.”
“If you’re on a flight heading home for the holidays,” Wenzler says, “and while in the air you see a Wi-Fi network from your favorite coffee shop or fast food restaurant, chances are, it’s a fake access point and you should not connect to it. Criminal actors will commonly try this to see if someone will connect out of curiosity, but, if that business isn’t the airline and their legitimate Wi-Fi name, then chances are, it’s a trap.”
