Full access to Entrepreneur for $5

Starbuck's Free Wi-Fi Opens the Door for Hackers and Crackers

Opinions expressed by Entrepreneur contributors are their own.
When Starbucks said it would be offering free Wi-Fi in all of its U.S. stores by the end of June, the buzz among the entrepreneurial set was enthusiastic.

Entrepreneurs and those working on startup businesses love to work remotely -- especially in hip environments like the ones found within a Starbucks' cozy/homey atmosphere. For many, the news of free Wi-Fi was akin to a complimentary offering of Reduced-Fat Very Berry Coffee Cake.

But what wasn't discussed -- at least not among the entrepreneurs and startups I work with -- is that coffee shops and public Wi-Fi spots are breeding grounds for hackers and crackers to steal business-related information from web surfers. And no matter how tech-savvy you might think you are, free Wi-Fi has opened a gateway for these PC (and Mac) predators. (Oh, and for those who don't know the difference, hackers break into computers simply for the joy of doing so -- without causing harm -- while crackers have malicious intent.)

Hackers and crackers are everywhere, looking for easy marks. Believe me when I say they're just as likely to hang out at your favorite Starbucks as you are, Ms. Entrepreneur. They could be sitting with a latte and a laptop on the sofa right next to you. And don't look for Boris- and Natasha-style cartoon characters here. ("Fearless Leader say we steal computer access from moose and squirrel!") They are far more subtle than that.

So for an entrepreneur who considers Starbucks -- or any other coffee shop for that matter -- his home office, what options are available to ensure the privacy and security of his or her data when accessing the internet on a free Wi-Fi connection?

One of the best ways is to use a Virtual Private Network to connect to the net. Until very recently, VPN was the stuff of corporations and large businesses. Small businesses, startups and independent entrepreneurs avoided VPN because it's highly technical to set up and administer.

Today, anyone can access the internet from a PC or Mac using what I call a "consumer grade" VPN. But don't let "consumer grade" fool you -- this is the same exact thing large corporations use. Think of a VPN as a secure tunnel that you use to connect to the internet -- a tunnel that's impervious to a hacker or cracker's attempt to see what you're doing and gain access to your data.

One provider of affordable and turnkey VPN is Connect In Private, which offers a secure offshore backchannel for internet surfing, e-mails and more on computers and mobile devices. CIP protects you from identity theft and fraud by providing a fully encrypted network that is impenetrable to hackers.

For about $15 a month (based on an annual contract), CIP provides a secure line for accessing the internet from anywhere you choose. This week, the company began offering a one-week account for $10, which gives you a chance to test-drive the service.

If you're accessing the net via a free and unsecured Wi-Fi spot, and you're working on something critical to the success of your startup, $10-$15 is a small price to pay to guarantee your data is secure!

Maybe we're all overreacting to this hacker/cracker business, you say. This is Starbucks in the U.S., not a Jason Bourne hideaway in eastern Europe.

But here's the reality. If you Google "Wi-Fi hacking tools," you'll come up with about 500,000 results, most of which offer you access to incredibly easy hacking tools using a Mac or a PC.

A good friend of mine working in network security outlined how easy it is to gain access to my information while I'm sitting in Starbucks using free Wi-Fi.

He says a hacker can use "wardriving" products such as NetStumbler or Kismet to find my network -- even if I've disabled my Service Set Identifier, which is a unique identifier on a Wi-FI access point to differentiate networks. 

Next, the hacker will "attach" to the network by deciphering the network keys that are floating about via the 802.11 wireless radio waves. 

Most hackers will use a tool called AirSnort, or something similar. If your network is using WEP security, then that password cracking process will take mere seconds.

James MacDonald, the network architect for Connect In Private Corp., says using a VPN from a laptop or mobile device will encrypt the data from the device -- through the access point -- to a centralized server on the internet. He says this protects the data going through the Wi-Fi access so that even if someone is using a rogue access point or sniffing traffic locally, they can't gain access to unencrypted data.

And what are rogue access points? In this case, a hacker learns the SSID of a Wi-Fi hotspot and then determines a means of access.

"For example," MacDonald says, "if a Starbucks coffee shop has free public Wi-Fi, the hacker could ask an attendant how to access the network. Once the hacker has this information, they can configure an iPhone or other device to emulate a Wi-Fi access point with the exact same SSID and encryption configurations."

MacDonald says users in the general vicinity of the rogue access point could connect unknowingly to that access point because the credentials would be the same. The hacker can assume the identity of the access point and become a "man in the middle," accessing all the user's information as it goes to the internet.

"Since the encryption is between the user and the rogue access point, the hacker has access to the decrypted version of the traffic," MacDonald says.

As for sniffing traffic, MacDonald explaines that Wi-Fi access points are simply network switches, and as such, users on the same "broadcast network" can technically sniff any traffic from the access point on the same network.

Protection of that traffic is provided by Wi-Fi encryption such as WEP (Wireless Encryption Protocol) and WPA (Wi-Fi Protected Access) so that users don't have visibility to other users' traffic. MacDonald says hackers have been known to use tools such as Aircrack and now Aircrack-ng (open-source ethical hacking software) to decrypt the WEP/WPA traffic and dump the data to their laptops.

"These tools are well known, and other tools exist as well, providing similar functionality," says MacDonald. "In this case a hacker would simply sit at a coffee shop or other location with free public Wi-Fi and act like they're surfing the internet. All the time they are cracking and downloading data they are privy to on the access point for later analysis."

Based on the infomation from these two experts, it appears anyone planning to catch up on their work by accessing the internet for free at Starbucks should buy some protection. It's what Jason Bourne would do.

Mikal E. Belicove

Written By

Mikal E. Belicove is a market positioning, social media, and management consultant specializing in website usability and business blogging. His latest book, The Complete Idiot’s Guide to Facebook, is now available at bookstores.