Wireless connections can be a haven for hackers

As communities push to turn themselves into massive wireless hotspots, unsuspecting Internet users are stumbling directly onto hacker turf, giving computer thieves nearly effortless access to their laptops and private information, authorities and high-tech security experts say.

It’s an invasion with a twist: People who think they are signing on to the Internet through a wireless hotspot might actually be connecting to a look-alike network, created by a malicious user who can steal sensitive information, said Geoff Bickers, a special agent for the FBI’s Los Angeles cyber squad.

It is not clear how many people have been victimized, and few suspects have been charged with Wi-Fi hacking. But Bickers said that over the past couple of years, these hacking techniques have become increasingly common and are often undetectable. The risk is especially high at cafes, hotels and airports, busy places with heavy turnover of laptop users, authorities said.

“Wireless is a convenience, that’s why people use it,” Bickers said. “There’s an axiom in the computer world that convenience is the enemy of security. People don’t use wireless because they want to be secure. They use wireless because it’s easy.”

For Mark Loveless, it was just a letter that separated security from scam.

Logging on to his hotel’s free wireless Internet in San Francisco last month, Loveless had two networks to choose between on his laptop screen – same name, one beginning with a lowercase letter, one with a capital. He chose the latter and, as he had done earlier that day, connected. But this time, a screen popped up asking for his log-in and password.

Loveless, a 46-year-old security analyst from Texas, immediately disconnected. A former hacker, he knew an attack when he saw one, he said.

Most Internet users do not.

“There’s literally probably millions of laptops in the U.S. that are configured to join networks named Linksys or D-Link when they are available,” said Corey O’Donnell, vice president of marketing for Authentium, a security company that provides security software. “So if I’m a hacker, it’s as easy as setting up a network with one of those names and waiting for the fish to come.”

Linksys and D-Link are two of the many commercial brands of wireless routers, products that allow a user to connect to the Internet using radio frequency.

As the field of wireless connectivity expands, so too does a hacker’s playground. More than 300 municipalities across the United States are planning or already operating Wi-Fi service. Google and Earthlink are working to bring wireless access to all of San Francisco.

Corporate networks are sometimes the most vulnerable, as employers push for a more mobile work force without always educating its users on the security risks of wireless Internet. “Once they’ve got a toehold in a network, it’s pretty much game over,” Bickers said.

Many workers rely on corporate firewalls in the office and an automatic default network setting that links them to their corporate networks. Outside the office, the firewall is no longer in place. That means the computer is unprotected.

Most laptops are configured to search for open wireless points and common wireless names, whether or not the user is trying to get online. That leaves people open to hacking.

In two new attacks, called “evil twin” and “man in the middle,” hackers create Wi-Fi access points titled whatever they like, such as “Free Airport Wireless” or an established, commercial name.

In the “evil twin” attack, the user turns on a laptop, which might automatically be trying to connect behind the scenes. When it does connect, it is connecting to a fake access point, or “evil twin,” and the hacker gets into personal files, steals passwords or plants a virus.

The attacker can become a “man in the middle” when he funnels the user’s Internet connection through this false access point to a true wireless connection. The unsuspecting Wi-Fi surfer then might proceed to enter credit card information, access e-mail or reveal other sensitive data. Meanwhile, the session appears ordinary to the user.