If you’ve ever wondered when, where or how a digital hack originates, look no further than our team’s latest Wi-Fi hack demo. In the video below, we simulate an unfortunate case that could happen to anyone when surfing on public Wi-Fi without using protection, such as an encrypted connection or VPN app. In the demo, F-Secure Partner Sales Manager, Olli, plays the role of a malicious hacker who hacks a “victim” named Timo while the two of them are sitting in their local coffee shop.
The hacking process begins with Timo switching on his iPad with the intent of checking his email. An open hotspot named “Hot Free Internet” appears on his tablet’s list of available networks, and he connects to it without needing to provide a password. What the victim doesn’t know is this: the Wi-Fi network to which he has connected is a hoax, and there’s a hacker sitting in a nearby corner of the coffee shop who has set it up using his own router. Using this fake hotspot, the hacker is on a mission to “sniff”, or steal, some of the victim’s most vital personal data.
We watch as Timo opens Safari and signs into Gmail on his device. Simultaneously, the hacker uses software that follows all of Timo’s online traffic starting from the moment that he connects to the hacker’s Wi-Fi hotspot. Timo enters his login credentials and immediately encounters a screen saying that Google’s server is down. Although this message could already be recognized as suspicious, our victim thinks nothing of it and decides to wait until the server returns online while sipping his cup of coffee. Little does he know that his data is being sent directly to the hacker’s software.
Having effortlessly obtained the victim’s Gmail credentials, as well as his full name, our hacker is now busy hacking into Timo’s Gmail account to collect the personal data that he needs to monetize his efforts. Remember, this has all been made possible by the fact that the victim submitted his personal information over an open, unprotected Wi-Fi network. The hacker accesses the victim’s Gmail account with ease, while the victim remains oblivious to what’s happening online. Timo’s emails reveal that he’s a frequent Amazon customer, so the hacker tries to use Timo’s email address and full name to reset his Amazon password and access his account, and he succeeds! In the span of a few minutes, the hacker has obtained access to the victim’s credit card information, which is stored in his Amazon account, and he’s now able to purchase anything he’d like. The hacker decides to go for a Samsung 4K Smart TV, and with a click of a button, he adds it to the shopping cart and makes his purchase.
This is how easy it is to steal login credentials over an open, public Wi-Fi network. This demo provides just one example of the bad things that can happen when your data is sniffed – in real life, this could be your Facebook or LinkedIn account, both of which are tied to many of your other digital accounts and services. When you fail to encrypt your Internet connection, this information becomes easy pickings for hackers.
In this demo’s scenario, had the victim been using a virtual private network (VPN), many of which are free, all of his personal data would have been encrypted, making it completely protected against the prying eyes of hackers.
Note: For the purpose of this demo, we built a webpage designed to look like Gmail. Authentic Google webpages were not used within our simulation.