He easily hacked into the computers of hundreds of users who had connected to the airport's complimentary WiFi. And while he was at it, he also accessed the users' WhatsApp conversations, credit card numbers and encrypted user names and passwords for good measure.
This casts a dark shadow over the government's plan to offer free WiFi in 2,500 cities and towns across the country.
Among other users, thousands of senior level executives including CEOs of companies may be sharing confidential information such as business plans without being aware of it. Some of them may even be the target of corporate espionage, cyber security experts said.
According to Shubho Halder, chief scientist at mobile security firm Appknox, who conducted the exercise at Bengaluru airport, most airports and free WiFi hotspots in India are a hacker's paradise owing to lack of proactive security.
Halder, who said he had also found security holes in products from Apple, Microsoft and Google, added that he found users accessing their corporate emails and banking applications at the free WiFi zones and he managed to get all such details in a jiffy.
"While these airports use a lot of security tools, they usually do not track what the users are doing with the WiFi connection which lets hackers use fake WiFi hotspots to gather tons of information from unsuspecting victims," Halder told ET.
Halder used WiFi Pineapple, a portable device which acts as a router and creates fake WiFi hotspots that appear to be authentic — such as Free_airport_WiFi, Free_cafe_WiFi, etc.
Once the user connects to this network, he or she is able to access the internet as usual without realising that somebody else is accessing all the information.
WiFi Pineapple can be carried by hackers around offices of large companies, coffee shops, malls, etc and create massive repositories of usernames, passwords, WhatsApp conversations, and credit card and banking data.
"Hackers are not just randomly collecting data at airports and cafes. We've seen cases where hackers are going after specific targets to steal business plans as part of corporate espionage and then sell it to competitors, which could be in India or overseas," said Jayaraman Kesavardhanan, founder and CEO of K7 Computing. According to American networking equipment maker Cisco Systems, which is working with the government on many public WiFi projects, the company has the tools to identify such fake WiFi hotspots and even locate the user who is trying to do this but smart hackers can get their way around it.
"If a hacker uses a 3G or 4G router to offer a fake WiFi hotspot, there is no way to detect or stop it. The only thing that can be done is to tell users not to use any WiFi hotspot that doesn't ask for SMS verification," said Pravin Srinivasan, lead-security architecture sales, Cisco India & Saarc.
In many cases, while the public hotspot providers have tools to prevent such misuse they often don't activate it, Srinivasan said, adding, "The tools can only tell you what's happening. It is ultimately up to the security teams of the public WiFi providers to monitor and take action."
While there are ways to fix security bugs, there is no way for users to tell if they are the target of snooping.
"We should consider public WiFi as raw internet," said Sajan Paul, directorsystems engineering, India & SAARC at Juniper Networks.
"At an average enduser level, it is very difficult to detect such scenarios. However, one must understand that anything that goes into the Internet is subject to snooping and other forms of attacks. The user should be vigilant while accessing and sending sensitive data over such mediums."
According to Symantec Corporation, deployment of security tools is not enough to deal with the menace of snooping in free WiFi zones. "Individual security products cannot help companies handle such a situation," said Tarun Kaura, directortechnology sales, India at Symantec.
Source: ET