| As Los Angeles and hundreds of other | | | | no longer in place. That means the computer |
| communities push to turn themselves into | | | | is unprotected. Once hackers have "got a |
| massive wireless hotspots, unsuspecting | | | | toehold in a network, it's pretty much game |
| Internet users are stumbling onto hacker | | | | over," Bickers said. |
| turf, giving computer thieves nearly | | | | |
| effortless access to their laptops and | | | | Most laptops are configured to search for |
| private information, authorities and | | | | open wireless points and common wireless |
| high-tech security experts say. | | | | names, whether or not the user is trying to |
| | | | get online. That leaves people open to |
| It's an invasion with a twist: People who | | | | hacking. |
| think they are signing on to the Internet | | | | |
| through a wireless hotspot might actually be | | | | In two new attacks, called "evil twin" and |
| connecting to a look-alike network, created | | | | "man in the middle," hackers create Wi-Fi |
| by a malicious user who can steal sensitive | | | | access points titled whatever they like, such |
| information, said Geoff Bickers, a special | | | | as "Free Airport Wireless" or an established, |
| agent for the FBI's Los Angeles cyber squad. | | | | commercial name. |
| | | | |
| It is not clear how many people have been | | | | In the "evil twin" attack, the user turns on |
| victimized, and few suspects have been | | | | a laptop, which may automatically try to |
| charged with Wi-Fi hacking. But Bickers said | | | | connect. When it does, it is connecting to a |
| that over the last couple of years, these | | | | fake access point, or "evil twin," and the |
| hacking techniques have become increasingly | | | | hacker gets into personal files, steals |
| common, and are often undetectable. The risk | | | | passwords or plants a virus. |
| is especially high at cafes, hotels and | | | | |
| airports, busy places with heavy turnover of | | | | The hacker can become a "man in the middle" |
| laptop users, authorities said. | | | | when he funnels the user's Internet |
| | | | connection through this false access point to |
| "Wireless is a convenience, that's why people | | | | a true wireless connection. The unsuspecting |
| use it," Bickers said. "There's an axiom in | | | | Wi-Fi surfer may then proceed to enter credit |
| the computer world that convenience is the | | | | card information, access e-mail or reveal |
| enemy of security. People don't use wireless | | | | other sensitive data that can be tracked by |
| because they want to be secure. They use | | | | the hacker. Meanwhile, the session appears |
| wireless because it's easy." | | | | ordinary to the user. |
| | | | |
| For Mark Loveless, just one letter separated | | | | Although the FBI has been aware of this kind |
| security from scam. | | | | of attack for about five years, its use has |
| | | | increased in the last couple of years and is |
| Logging on to his hotel's free wireless | | | | being seen as a "huge threat," Bickers said. |
| Internet in San Francisco last month, | | | | |
| Loveless had two networks to choose between | | | | "The actual tools you need, the software, the |
| on his laptop screen - same name, one | | | | hardware, etc., to mount this sort of attack |
| beginning with a lowercase letter, one with a | | | | has become insanely easy to acquire," Bickers |
| capital. He chose the latter and, as he had | | | | said. "You need a laptop, wireless radio and |
| done earlier that day, connected. But this | | | | the ability to download a free tool and run |
| time, a screen popped up asking for his | | | | it. It literally is child's play." |
| log-in and password. | | | | |
| | | | The creation of the access point itself is |
| Loveless, a 46-year-old security analyst from | | | | not generally considered criminal; it's what |
| Texas, immediately disconnected. A former | | | | happens next - tracking people's Internet use |
| hacker, he knew an attack when he saw one, he | | | | - that can cross the line. |
| said. | | | | |
| | | | These hacking techniques are considered to be |
| Most Internet users do not. | | | | "tantamount to a computer intrusion and |
| | | | illegal interception of wireless |
| About 14.3 million American households use | | | | communication that can be prosecuted under |
| wireless Internet, and this figure is | | | | federal law," Bickers said. |
| projected to grow to nearly 49 million | | | | |
| households by 2010, according to | | | | But computer evidence and statistics are hard |
| JupiterResearch, which specializes in | | | | to come by, said Arif Alikhan, a former |
| business and technology market research. | | | | federal prosecutor and former chief of the |
| | | | cyber and intellectual property crimes |
| "There's literally probably millions of | | | | section for the U.S. attorney's office in Los |
| laptops in the U.S. that are configured to | | | | Angeles. People can unwittingly compromise |
| join networks named Linksys or D-Link when | | | | their computers in a multitude of ways, and |
| they are available," said Corey O'Donnell, | | | | often there's no trace. |
| vice president of marketing for Authentium, a | | | | |
| company that provides security software. "So | | | | "You can tell how many burglaries occur |
| if I'm a hacker, it's as easy as setting up a | | | | because you're victimized, and someone knows |
| network with one of those names and waiting | | | | they're victimized," Alikhan said. "People |
| for the fish to come." | | | | don't always know if someone is using their |
| | | | wireless network, and it's very difficult to |
| Linksys and D-Link are two of the many | | | | tell unless you trace back every single |
| commercial brands of wireless routers, | | | | connection.... It happens more than I think |
| products that allow a user to connect to the | | | | we all realize." |
| Internet using radio frequency. | | | | |
| | | | The U.S. attorney's office will not comment |
| As the field of wireless connectivity | | | | on pending investigations; however, wireless |
| expands, so too does a hacker's playground. | | | | hacking cases are relatively new, and few if |
| More than 300 municipalities across the | | | | any current cases involve "evil twin" or "man |
| country are planning or already operating | | | | in the middle" attacks, law enforcement |
| Wi-Fi service. | | | | authorities said. |
| | | | |
| Los Angeles Mayor Antonio Villaraigosa last | | | | "This is a classic case of law and law |
| month announced plans for citywide Wi-Fi in | | | | enforcement being a little behind the |
| 2009. USC already offers free wireless, and | | | | technological curve," Bickers said. |
| by the end of March, Los Angeles | | | | |
| International Airport will officially offer | | | | Other types of wireless-related Internet |
| wireless at all its terminals under a new | | | | hacking cases have recently popped up across |
| contract with T-Mobile. | | | | the country. |
| | | | |
| Some airlines already offer Wi-Fi at LAX. | | | | Nicholas Tombros was found guilty in 2004, |
| "There are no signs for any service at all, | | | | under the federal Can-Spam Act, of |
| so if any passenger is accessing a free | | | | "war-spamming." He drove around the Venice |
| wireless service ... they should be | | | | Beach area with his laptop and used |
| cautious," said Nancy Castles, an airport | | | | unprotected wireless access points to send |
| spokeswoman. | | | | spam. He could receive up to three years in |
| | | | federal prison at his sentencing next month. |
| A survey at Chicago's O'Hare Airport by | | | | |
| Authentium revealed 76 peer-to-peer networks, | | | | He is the only defendant who has been charged |
| or access points that are connected to via | | | | in a case involving wireless hacking by the |
| another user's computer, with 27 of them | | | | Greater Los Angeles section of the U.S. |
| advertising access to free Wi-Fi - a | | | | Department of Justice's cyber and |
| trademarked term for the technical | | | | intellectual property crimes division since |
| specifications of wireless local area network | | | | it was established in October 2001, according |
| operation. The company also found that three | | | | to Assistant U.S. Atty. Wesley L. Hsu, deputy |
| of the networks had fake or misleading | | | | chief of the section. |
| addresses, one sign the hotspots could be | | | | |
| hackers. | | | | "They are technically difficult cases.... |
| | | | They're difficult cases to put together, so |
| "At a busy place like O'Hare, in one hour a | | | | law enforcement is having to sort of catch |
| bad guy could get 20 laptops to connect to | | | | up," Hsu said. |
| his network and steal the users' account | | | | |
| information," said Ray Dickenson, vice | | | | On Sept. 30, Gov. Arnold Schwarzenegger |
| president of product management at | | | | signed into law the Wi-Fi User Protection |
| Authentium, who conducted the survey last | | | | Bill, which aims to block unauthorized |
| September. | | | | sharing of open Wi-Fi networks and inform |
| | | | users of the dangers of unsecured networks. |
| Corporate networks are sometimes the most | | | | Starting in October, warnings and tips will |
| vulnerable, as employers push for a more | | | | be required on all wireless home-networking |
| mobile workforce without always educating its | | | | equipment sold in California. |
| users on the security risks of wireless | | | | |
| Internet. | | | | The law specifically addresses "piggybacking" |
| | | | - or the use of another person's wireless |
| Many workers rely on corporate firewalls in | | | | network to access the Internet - a problem |
| the office and an automatic default network | | | | that security experts say has been a concern |
| setting that links them to their corporate | | | | for years. |
| networks. Outside the office, the firewall is | | | | |