As public Wi-Fi service expands, so do security risks for users

Posted at 11:09 AM, May 16, 2013
and last updated 2013-05-16 11:09:16-04

TIMES SQUARE, Manhattan (PIX11) – Public WiFi is growing in the Tri State area, and so is the risk of people’s privacy being violated on it unless they take protective measures.

Underscoring the extent of the risk were two young men spotted on a recent afternoon in Times Square.  While they appeared to just be hanging out, what they were actually doing is very dangerous indeed.

“All these people are on Facebook,” said one of them, as he looked onto a busy screen on the laptop he was cradling.  “And Chase,” he added, as he described what he was viewing on the screen in front of him.

Specifically, he could see that somebody near his position at Father Duffy Square, next to the TKTS ticket booth at the north end of Times Square, was accessing a Chase bank account.  It was among thousands of computer transactions that the web spy, Raj Devjani, and his fellow spy Lane Liston, were able to monitor on software they’d downloaded from the web for free.

“Somebody’s on the ticket company’s website trying to buy tickets,” Devjani said as he monitored thousands of Times Square public WiFi transmissions every few minutes.  Most of the activity he was able to monitor was happening on iPhones or Android phones, which need not even be in active use for the online snoops to be able to monitor the smartphone’s activity.

“Your phone updates automatically every second,” Devjani said.  “You get updates every second.  It notifies you.  That’s data, that’s usage, and I can see that data.”

And he pointed out that he can snoop on electronics users at virtually any place they’re likely to be online, like a favorite coffee place, or waiting at the airport, staying at a hotel, and now that the MTA is expanding internet connectivity, spying can take place on the subway and commuter trains as well — anywhere where there’s public WiFi.

“So you have to be sure that when you’re logging on that you’re logging onto a public WiFi system,” said Don Aviv, “and not [logging onto ]that person next to you pretending to be that WiFi.”  Aviv is the managing partner of Interfor Investigations, a Manhattan security consulting firm which specializes in fighting electronic threats.

Aviv described another trick up the sleeves of potential hackers like Devjani and Liston.  Using nothing more than one of their smartphones, they set up a free WiFi in Times Square with a similar name to the official Times Square free WiFi.  It took them only a minute to create the bogus hotspot, and it took even less time than that for more than a dozen people to log onto it.  Immediately they were able to spy on those smartphone, tablet and laptop users who were accessing free WiFi.

“I’m getting all the information on you,” Devjani said about what he was able to see through his fake hotspot, “Your photos, your personal information, everything.”

“The only way to stop such high-tech but widespread snooping when a person is online,” said i-security expert Aviv, is to “do it at home, or use an encrypted system.”

Encryption is the transmission of WiFi using signals that are scrambled and indecipherable.  Typically, public WiFi does not use encryption.

“It’s your responsibility to protect yourself,” said Kent Lawson.  “The only way to protect yourself on any device is a VPN.”  That stands for a virtual private network, and he not only knows what one is, he knows how they work, since he’s created one, called PrivateWiFi.

WiFi transmits information through radio waves.  Just as a car stereo can pick up those waves and transmit music, a WiFi transmits a computer’s data.  In public WiFi, that information flows freely, with little or no security.  A VPN encrypts users’ data as it passes through WiFi radio transmissions.

“[Hackers] may be able to listen in on it,” Lawson told PIX11 News, “but all they’ll get is gibberish.”

A test of the PrivateWiFi VPN showed that a signal sent out on public WiFi with the Private WiFi app enabled was indecipherable on the spy software Raj Devjani and Lane Liston were using.

“It makes no sense!” Devjani said as he tried to read the transmissions of a smartphone user whose VPN was enabled.  In full disclosure, he and Liston are both employees of PrivateWiFi, but both are very knowledgable about computer spying, and how to prevent it.

One smartphone user who was randomly approached by PIX11 News near the place where the web spies were hard at work said, regarding a VPN for devices like his, “If that technology exists, and if something as simple as an app can do that, I’d be all for that.”

It should come as no surprise that a PrivateWiFi app for smartphones now exists.  It does seem to deliver exactly what it claims — to scramble a user’s WiFi signal on public WiFi, and then decode it on the company’s remote server so that the information is delivered to its intended source unscrambled.

However, unlike public WiFi, PrivateWiFi is not free.  A year’s subscription costs about $7.00 per month.