“Hacking”, WiFi, and Journalism

I’ve seen several variations of this story over the past couple days:

Steven Petrow, the journalist who had his computer hacked while on a flight, recounts his experience and what he learned.

Each version of the story I’ve seen has emphasized that the guy had his laptop hacked on a flight. He was using GoGo In Flight for in-flight WiFi.

For the record, the guy, or rather his computer, was not hacked.  He was sorta personally hacked in that he was given misinformation, but his machine was not compromised.  Some of his data was.

Let me explain the difference.  Mr. Petrow was on an airline flight, using his laptop, connected to the inflight WiFi.  The GoGo In Flight is an open WiFi access point.  This means there is no encryption.  Now, when you pay money (via a credit card transaction) to use GoGo, the transaction is encrypted using SSL between your computer and the GoGo server.  Once that’s done, the connection reverts to nonsecured, and you are connected to the Internet.

Mr. Petrow was using his computer to write an article, and submitted that article to his employer.  I’ve seen references to his sending it via email, but the mechanism is not clear.  Near him (and it doesn’t matter if near means the next seat over, or the back of the airplane), a guy was using a WiFi sniffer tool to watch the WiFi traffic.  Since the access point was open (no encryption), the “hacker” (although a better term might be “sniffer”) could see (and capture, if he wanted) every packet of traffic sent to and from the access point.

Now, a point that has to be made here is that anyone who was doing anything sensitive using a server that had even the least security on it would be using SSL encryption, which is between your device all the way to the server.  That traffic can be seen and captured, but it is encrypted, and would take a significant effort to decrypt (by significant, I’m talking years of computation).

So for the hacker/sniffer to see Mr. Petrow’s traffic, the traffic would have to have been unencrypted.  It could have been an unencrypted email (SMTP/POP3 protocol), or an unencrypted webmail.  Regardless, both email servers and clients, and web servers and web browsers, have had basic encryption built into them since the early 2000s.

So the hacker/sniffer saw the email with the article that was sent unencrypted.  The hacker/sniffer did not attack or tamper with the computer Mr. Petrow was using.  That is not being hacked, it is being eavesdropped on.

Whoever Mr. Petrow works for, their IT department should secure the server that the company uses to implement an encrypted link.  All major email servers and clients support encrypted connections.  All major webservers and browsers support encrypted connections.

So as to the sniffer/hacker, what he did is trivial from a technology standpoint.  I’ve used similar tools to look at WiFi traffic, on airplanes and elsewhere.  You might not be surprised, but while in hotels, I have seen examples of half of the connections being to porn sites.  Using sniffer tools, you get an idea as to why hotel WiFi is often so slow, when most of the connections are to streaming video sites (think porn, and Netflix, and Hulu).

The above might sound frightening, but I think most businesses that have an interest in keeping customer information safe (think banks) implement end-to-end encryption as a matter of course.  A news site like CNN might not care to encrypt the connection a site visitor is checking out, though.

The real issue here is that the story being reported is wrong.  It’s not a case of hacking, it’s really an example of not implementing best practice for securing data.  And that is something that is easily fixable, once you realize what the real problem is.


Tags: , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: