Why Public WiFi Is a Public Health Hazard1
2015-12-10ByMauritsMartijn
By Maurits Martijn
本文作者和一位黑客随意走进一家咖啡馆,在20分钟内,他们就利用咖啡馆里公共WiFi的漏洞窃取了周围顾客的各种信息,包括他们的出生地、学校、兴趣爱好、去过的地方、网络浏览记录,甚至是登录网页的用户名和密码等等。无线网络无处不在的世界里充满了陷阱,阅读此文后,你还敢随意连接未经安全认证的公共WiFi吗?
In his backpack, Wouter Slotboom, 34, carries around a small black device,slightly larger than a pack of cigarettes, with an antenna2. antenna: 天线。on it. I meet Wouter by chance at a random cafe in the center of Amsterdam.3. by chance: 偶然,意外地;random: 随便的,随意的。It is a sunny day and almost all the tables are occupied. Some people talk, others are working on their laptops or playing with their smartphones.
Wouter removes his laptop from his backpack, puts the black device on the table, and hides it under a menu. A waitress passes by and we ask for two coffees and the password for the WiFi network. Meanwhile, Wouter switches on his laptop and device, launches some programs, and soon the screen starts to fill with green text lines.4It gradually becomes clear that Wouter’s device is connecting to the laptops, smartphones, and tablets5. tablet: 平板电脑。of cafe visitors.
On his screen, phrases like “iPhone Joris” and “Simone’s MacBook” start to appear. The device’s antenna is intercepting6. intercept: 拦截,截住。the signals that are being sent from the laptops, smartphones, and tablets around us.
More text starts to appear on the screen. We are able to see which WiFi networks the devices were previously connected to. Sometimes the names of the networks are composed of mostly numbers and random letters, making it hard to trace them to a definite location, but more often than not, these WiFi networks give away the place they belong to.7. trace: 追踪;definite: 确切的,确定的;more often than not:通常,多半;give away: 泄露。
We learn that Joris had previously visited McDonald’s, probably spent his vacation in Spain (lots of Spanish-language network names), and had been kart-racing8. kart-racing: 卡丁车比赛。(he had connected to a network belonging to a well-known local kart-racing center).Martin, another cafe visitor, had been logged on to the network of Heathrow airport and the American airline Southwest.9. Heathrow airport: 希思罗机场,位于英国伦敦;American airline Southwest: 美国西南航空公司。In Amsterdam, he’s probably staying at the White Tulip Hostel. He had also paid a visit to a coffee shop called The Bulldog.
Let everyone connect to our fake network
The waitress serves us our coffee and hands us the WiFi password. After Slotboom is connected, he is able to provide all the visitors with an internet connection and to redirect all internet traffic through his little device.
Most smartphones, laptops, and tablets automatically search and connect to WiFi networks. They usually prefer a network with a previously established connection. If you have ever logged on to the T-Mobile network on the train, for example, your device will search for a T-Mobile network in the area.
Slotboom’s device is capable of registering these searches and appearing as that trusted WiFi network.10.史劳博的装置可记录下(设备对无线网络的)这些搜索并伪装成可信赖的WiFi网络。register: 记录。I suddenly see the name of my home network appear on my iPhone’s list of available networks, as well as my workplace, and a list of cafes, hotel lobbies, trains, and other public places I’ve visited. My phone automatically connects itself to one of these networks, which all belong to the black device.
We see more and more visitors log on to our fictitious11. fictitious: 虚构的。network. Already 20 smartphones and laptops are ours. If he wanted to, Slotboom could now completely ruin the lives of the people connected: He can retrieve their passwords,steal their identity, and plunder their bank accounts.12. 假如史劳博想要的话,他能分分钟完全毁掉这些人的生活,比如盗取密码,窃用身份信息,侵吞银行账户等。retrieve:检索;identity: 身份;plunder:盗窃。Later today, he will show me how. I have given him permission to hack me in order to demonstrate what he is capable of,13. hack: (网络黑客)攻击;demonstrate: 示范,演示。though it could be done to anyone with a smartphone in search of a network, or a laptop connecting to a WiFi network.Everything, with very few exceptions, can be cracked14. crack: 破解,破译。.
The idea that public WiFi networks are not secure is not exactly news. It is, however, news that can’t be repeated often enough.Each year the worldwide demand for more laptops and tablets increases. Probably everyone with a portable device15. portable device: 便携设备。has once been connected to a public WiFi network: while having a coffee, on the train, or at a hotel.
The good news is that some networks are better protected than others; some email and social media services use encryption16. encryption: 加密。methods that are more secure than their competitors. A study from threat intelligence consultancy Risk Based Security estimates that more than 822 million records were exposed worldwide in 2013,17. 网络安全顾问公司Risk Based Security的一项研究显示2013年全球有8.22亿个人信息被泄露。consultancy: 咨询公司。including credit card numbers, birth dates, medical information, phone numbers, social security numbers, addresses, user names, emails,names, and passwords.
Report after report shows that digital identity fraud18. identity fraud: 身份欺诈。is an increasingly common problem. Hackers and cybercriminals currently have many different tricks at their disposal.19. 网络黑客和罪犯们的手法花样百出。cybercriminal: 网络罪犯;at one’s disposal:供……使用,任由……支配。But the prevalence of open, unprotected WiFi networks does make it extremely easy for them.
Scanning for name and passwords
Armed with Slotboom’s backpack, we move to a coffeehouse that is a popular spot for freelancers20. freelancer: 自由职业者。working on laptops. This place is now packed with people concentrating on their screens.
Slotboom switches on his equipment. He takes us through the same steps,and within a couple of minutes, 20 or so devices are connected to ours. Slotboom launches another program, which allows him to extract even more information from the connected smartphones and laptops. We are able to see the specifications of the mobile phone models, the language settings for the different devices, and the version of the operating system used. If a device has an outdated operating system,for example, there are always known “bugs,” or holes in the security system that can be easily exploited.21. 例如,如果一台设备的操作系统已经过时,其安全系统通常就会存在漏洞,可以轻易地被(黑客们)利用。With this kind of information, you have what you need to break into the operating system and take over the device. A sampling of the coffeehouse customers reveals that none of the connected devices have the latest version of the operating system installed.
Obtaining information on occupation, hobbies, and relational problems
To our shared surprise, we see an app sending personal information to a company that sells online advertising. Among other things, we see the location data, technical information of the phone, and information of the WiFi network. We can also see the name of a woman using the social bookmarking website Delicious. Delicious allows users to share websites—bookmarks—they are interested in. In principle, the pages that users of Delicious share are available publicly, yet we can’t help feeling like voyeurs22. voyeur: 偷窥狂。when we realize just how much we are able to learn about this woman on the basis of this information.
First we google her name, which immediately allows us to determine what she looks like and where in the coffeehouse she is sitting. We learn that she was born in a different European country and only recently moved to the Netherlands. Through Delicious we discover that she’s been visiting the website of a Dutch language course and she has bookmarked a website with information on the Dutch integration course.
In less than 20 minutes, here’s what we’ve learned about the woman sitting 10 feet from us: where she was born, where she studied, that she has an interest in yoga, that she’s bookmarked an online offer for a anti-snore mantras, recently visited Thailand and Laos, and shows a remarkable interest in sites that offer tips on how to save a relationship.23. anti-snore: 防治打鼾的; mantra: 祷文,咒语;Laos: 老挝;save a relationship: 挽救恋情。
Password intercepted
We visit yet another cafe. My last request to Slotboom is to show me what he would do if he wanted to really harm me. He asks me to go to Live.com (the Microsoft email site) and enter a random username and password. A few seconds later, the information I just typed appears on his screen. “Now I have the login details of your email account,”Slotboom says. “The first thing I would do is change the password of your account and indicate to other services you use that I have forgotten my password. Most people use the same email account for all services. And those new passwords will then be sent to your mailbox, which means I will have them at my disposal as well.” We do the same for Facebook: Slotboom is able to intercept the login name and password I entered with relative ease.
Another trick that Slotboom uses is to divert my internet traffic.24. divert: 转移;internet traffic: 网络传输。For example, whenever I try to access the webpage of my bank, he has instructed his program to re-direct me to a page he owns: a cloned site that appears to be identical to the trusted site, but is in fact completely controlled by Slotboom.25. 例如,每当我试图访问我的网上银行页面时,史劳博便通过特定的黑客应用程序将我所访问的页面自动跳转到他自制的页面上来。乍一看他克隆的页面和真正的网银页面几乎一模一样,但实际上完全由他操控。be identical to:与……相同的。The information I entered on the site is stored on the server owned by Slotboom. Within 20 minutes he’s obtained the login details.
I will never again be connecting to an insecure public WiFi network without taking security measures.