Hacking into email over Wi-Fi 'easy'
5th Aug 2007 | 23:00
Expert accesses Gmail accounts in demo at hacking convention
A hacking expert has demonstrated just how easy it is to intercept email over a Wi-Fi connection. The demo happened at the Black Hat security convention taking place at Caesars Palace in Las Vegas.
Robert Graham, CEO of Errata Security, accessed the Gmail of a 'victim' in front of the press. According to TGDaily, Graham even took over another reporter's Gmail and sent messages between the accounts.
What's worrying is that the methodology really is very simple. First, Graham ran Ferret to sniff out the packets of data on the open Wi-Fi network set up for the expo. This software copies the cookies being sent across the access point. Graham then copied these into his browser with a tool called Hamster.
And, because he had the cookie, he could then gain password-less access to mail accounts. Graham demonstrated the methodology against different webmail providers. Using any type of encryption will disrupt the attack. So what's the advice here? If you're on a public, open network, you should use a VPN or some other type of encryption (SSL-encrypted sites will stop the sniffing).
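A defensive check that follows from this advice, as an added example that is not part of the original article: it audits a site's Set-Cookie headers and reports cookies a browser would transmit unencrypted, which is what leaves them readable on an open Wi-Fi network. The URLs and cookie values are constructed samples, and the function names are hypothetical.

```python
# Added example: flag cookies that a browser would send in cleartext.
from http.cookies import SimpleCookie

# Constructed sample responses (hypothetical sites), not captured traffic.
SAMPLE_RESPONSES = {
    "http://mail.example.test/login": [
        "SID=abc123; Path=/; HttpOnly",
        "PREF=lang-en; Path=/",
    ],
    "https://secure.example.test/login": [
        "SID=def456; Path=/; Secure; HttpOnly",
        "TRACK=xyz; Path=/",
    ],
}


def audit_set_cookie(url, set_cookie_headers):
    """Return (cookie_name, problem) findings for one HTTP response."""
    findings = []
    over_tls = url.lower().startswith("https://")
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not over_tls:
                # The cookie is issued in cleartext, so it is already exposed.
                findings.append((name, "set over plain HTTP"))
            elif not morsel["secure"]:
                # Issued over TLS, but the browser will also attach it
                # to any later http:// request to the same host.
                findings.append((name, "missing Secure attribute"))
    return findings


def audit_all(responses):
    """Audit every response; keys are URLs, values are finding lists."""
    return {url: audit_set_cookie(url, hdrs) for url, hdrs in responses.items()}


if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_RESPONSES).items():
        for name, problem in findings:
            print(f"{url}: cookie {name}: {problem}")
```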
"You're an idiot if you use T-Mobile hotspot," Graham told TGDaily. "I see ten people's cookies on my screen, I just need to click on the guy's IP address and I'm in. Once you get someone's Google account, you'd be surprised at the stuff you'd find."