Sign up for Boston 25 News emails!

Delivered To Your Inbox

FOX25 Investigates: Hackers can access your phone via Wi-Fi – even when it's not connected

by: Eric Rasmussen, Erin Smith Updated:

BOSTON - A notorious hacker revealed to FOX25 Investigates just how easy it is to break into the backdoor of our smart phones and other devices.

Even people who are careful to avoid free internet at their local coffee shop leave themselves vulnerable to attack. And the rise in the number of devices using Wi-Fi and Bluetooth is only making it easier for hackers.

Watch the video above to see a hacker – one of the good guys – expose commuters’ vulnerable smartphones, laptops and tablets at South Station.

Hacker Jayson Street is one of the good guys. He and Boston-based Pwnie Express are paid by banks and big corporations to expose security gaps.

Street showed FOX25 viewers what many criminals already know – how to tap into people’s phones and computers using a piece of hardware that’s easy for anyone to buy online.

Investigative Reporter Eric Rasmussen got hacked by Street as he showed how the device works at busy South Station.

Rasmussen had connected to Wi-Fi at a hotel in Alabama two months earlier. But because he didn’t “forget” the network before leaving the hotel, and Street’s device was able to mimic that previous Wi-Fi connection to gain access to his phone.

“You're not even knowing what I'm doing is malicious,” said Street. “You're unaware that all of your data is going through my device.”

Check out the tips below to find out how to protect yourself from hackers.

Open to Attack

At South Station, Street found more than 50 phones, laptops and tablets that would be easily hackable.

Street told FOX25 Investigates he can pick up on any devices nearby as long as the Wi-Fi is turned on – even if the owners aren’t connected or trying to connect to Wi-Fi.

“Once you've connected to it before, it's always asking,” said Street. “Every open access point that you've ever connected to – your device remembers that and it's constantly asking for it again.”

Sean Fagan, who happened to have his Wi-Fi turned on, was among dozens FOX25 Investigates found at South Station vulnerable to hacking.

“They could steal my credit card information?,” Fagan asked Street.

“Your credit card, your banking information, your log-ins to your Gmail, your Facebook,” Street told him.

A bank in Beirut recently hired Street to try to break in to test the security. In a matter of minutes, he was given access behind the counter with the teller and plugging into the bank’s computers by posing as a technician from IT.   

“From walking in the door the first time, to being behind the teller line and installing malware and controlling the whole bank for over 30 minutes -- two minutes and 22 seconds,” Street told FOX25 Investigates.

Bluetooth hacking threat

But Street said hackers can also remotely gain access to your private information with new products, including toys, lamps and even a globe outfitted with a Bluetooth recorder pin.

“Whenever they advertise something saying, ‘connect to your device from anywhere around the world,’ that means anybody from around the world can connect to your device,” said Street.

Even farm animals aren’t immune, according to Street.

“Cows are now embedded with RFID chips,” said Street. “For someone that's like trying to do cattle rustling, it's like, why not steal some and not have them broadcast?”

Street said consumers can protect themselves by keeping their Wi-Fi and Bluetooth turned off whenever they’re not using them. Consumers should also change the default password on Bluetooth devices, Street said.

At South Station, Street stopped short of stealing anyone’s information, but Sean Fagan told FOX25 he was turning off his Wi-Fi while at the busy train station.

“I just did,” said Fagan. “It's staying off!”

Top 5 tips to be more secure online

By Jayson E. Street/Pwnie Express

1. Don’t reuse passwords.

Passwords can be difficult to manage, so an easy shortcut is to find your favorite password and use it everywhere. Unfortunately, that means if one website has been breached and your password is compromised, attackers will try other common web services using that same user id and password and usually find success.

2.  Don’t use passwords. Instead, try pass phrases.

The biggest difficulty in passwords is that you’re constantly being told to use a mix of letters, numbers and characters that are meaningless and make them difficult to remember. Most web services and operating systems will allow you to use the space bar in your passwords.

Instead of struggling to remember a password like “*!7Sq9>W” – which looks complicated but can be easy to crack – try using a pass phrase like, “I'm tired of remembering passw0rds!”

This pass phrase is significantly more difficult to crack. The best part about pass phrases is you can use your favorite song lyrics or movie quotes. If you need help remembering which passphrase you use for a service, you can write down just the title of the movie or song without giving away what the pass phrase is.

3.  You’re not paranoid. They really are out to get you.

Whenever you receive an email with a link or attachment be extremely suspicious – even if the email appears to be from a good friend, the college you attended or service that you use.  If you can’t confirm who sent the email, you can upload the link or attachment to virustotal.com, an analysis service provided by Google using the top 50 web antivirus engines. Note: This does not offer complete protection, but it is a better alternative to randomly clicking emailed links.

4.  With great Wi-Fi accessibility comes great responsibility.

More and more locations are offering free and open Wi-Fi access, which is great for productivity and connectivity to the internet. But this also increases your risk of being compromised.
When using an open Wi-Fi access point, make sure to sign up for a VPN, or Virtual Private Network. A VPN service can better secure your connection and protect your browsing activity while using public Wi-Fi.

5.  The best antivirus or security system is you.

When an email, website or even an event at your workplace, raises concern or suspicions, act accordingly. If you get that nagging feeling in the back of your mind that something is just not quite right, report it. Take the time to investigate and be more cautious because at the end of the day, personal security relies on your judgment.

BONUS TIP: You can use your Bluetooth in public – just make sure it’s not in “discovery mode.” When pairing a new device with your Bluetooth, make sure you do it in a more private setting.