When it comes to the highly unreliable security of public Wi-Fi hotspots, there is no better advice that even a moderately tech-minded person, let alone a full-blown nerd, could give than this: learn all the ways these highly convenient, yet potentially highly damaging, services can harm you online, and act accordingly to prevent that damage.
Knowledge, and security, however, come at some cost. This has been and remains true in an age of convenience that sometimes seems to rule everything else out and offers an easy way out by delegating the task, most often to a mobile app. And now, apparently proving that an informed approach to the complexities of the web, rather than expecting and trusting others to solve the puzzle for users, may be anyone’s best bet, comes a popular Android hotspot finder app. Nothing is more convenient than connecting a phone or a laptop to a public and free hotspot in a hotel, airport, or restaurant, but there might still be an unexpectedly high price tag attached to “free.”
TechCrunch is reporting that GDI Foundation’s Sanyam Jain drew their attention to the app in question, one “believed to be based in China,” which remains up on Google Play at press time. It has been downloaded by thousands of users and had in the meantime reportedly left “more than two million network passwords exposed and unprotected, allowing anyone to access and download the contents in bulk.”
TechCrunch said that an attacker with access to a network could change router settings to direct users to “malicious websites by changing the DNS server (…) When on a network, an attacker also can read the unencrypted traffic that goes across the wireless network, allowing them to steal passwords and secrets.”
The website said that it received no reaction from the app’s creators, but that DigitalOcean, the US cloud storage provider hosting the app, “took down the database within a day of reaching out,” and “notified the user, and have taken the (server) hosting the exposed database offline.”
TechCrunch said that “tens of thousands” of the exposed Wi-Fi passwords have been for US-based networks.
Meanwhile, users should keep in mind that the very advantage that draws them to public hotspots is also what makes these networks appealing to hackers: no authentication is needed to set up a network connection, which can give bad actors access to security credentials and other private information.
One way to mitigate the risk is to use a virtual private network (VPN) connection when connecting over inherently insecure channels such as public hotspots.