ITEAM: Hotspot Hacking

BATON ROUGE, LA (WAFB) - Many of us connect to free Wi-Fi networks every day. They're convenient when you're away from the home or office, but they can also be dangerous if you're not careful.

"We have a total of 134 that we picked up in about a minute," computer expert Josh Henderson said. "Some of them are Windows 7, some of them are Windows 8, some of them are Macintosh, but the majority of them are phones."

During the lunch rush inside the crowded LSU Union we asked Henderson to see how many IP addresses he could collect. An IP address is the unique digital fingerprint for every device connected to the internet.

It's all part of an experiment we're doing to show just how vulnerable those personal devices can be. Henderson is a consultant who's paid by large companies to review the security of their computer networks. To know how to keep them safe he also must know how to hack them. He's using a program called Look@Lan. It scans open Wi-Fi networks for those IP addresses. Once they're found a second program called WireShark comes into play.

"Once we put it into this program it begins to capture all of the information that's sent from that device so we can check and see what are they doing. Are they just checking Facebook, are they logging into their bank, what are they doing with their phone?" he said.

A third program called Cain & Able does the real dirty work. It's a valuable tool for network administrators, but on its website it warns of using it for illegal activities.

"What that would do is called ARP poisoning, and it would hijack the device and tell the device that it was the internet. So if I did that to your phone and you went to go log in to your Facebook account, your username and password would pass through my computer and get saved on my computer," he said.

While LSU's wireless network is secure, there are other open Wi-Fi networks in the Union, and we found two people connected to one of them. Like Anne Pizzini. With the help of Henderson's programs we figured out her name before she told us.

"If you're checking your bank account, it'll show me that you're checking your bank account," Henderson explained to Pizzini. "Now I can't do anything with that because it's all encrypted, but if somebody wanted to, they could capture all those encrypted passwords and take them back later to a data center and run an encryption program on them and if it's not a strong password, it can encrypt it usually within a couple of hours."

Pizzini told us she wasn't surprised at how quickly Henderson hacked into her computer.

"It's more freaky than surprising. It's just scary," she said.

Lydia Bays was caught off guard too.

"Usually I'm on LSU secure, but if I'm not I just connect to whichever [network] is open," Bays told us.

And that's where most people make their mistake. An open Wi-Fi network is a hacker's dream.

"If you're not using your wireless, turn it off, turn your Wi-Fi off. That's what I tell everybody, because you're walking around with it in your pocket and you're not thinking about that it's active," Henderson said.

Many phones automatically connect to open networks, and a determined hacker can quickly pull personal information. They often gather hundreds of passwords and then sell the lists to the highest bidder.

"They'll log into the people's Facebook account and say something like 'Hey, check out this cool app I found,' or whatever and post it and they're trying to infect all those people's friends," Henderson said.

Mi-Fi is a safe and secure wireless hotspot available through wireless companies, but there is a fee. Freedom Pop is a lower cost, no-contract alternative to that. And Private Wi-Fi is a subscription service that offers you safe browsing within an insecure Wi-Fi hotspot.

For iPhone and iPad users, Apple recently released a software update called iOS 7.0.6. It patches a serious security flaw that makes your device vulnerable to a similar "Man in the Middle Attack." It's called that because a third party "middle man" intercepts data sent between your device and the websites you visit. To install the update, tap Settings  General  Software Update. Be sure to back up your device before you attempt the update.

Copyright 2014 WAFB. All rights reserved.