Wi-Fi hacking explained: How to protect yourself from password theft


Hi, I’m Natalie, and I’m about to get my email account hacked.

Ethically!

Yes, ethically hacked. For science!

So, what I’m going to show you today is a type of man-in-the-middle attack called “SSL stripping.” SSL is a layer of encryption used between the client and major websites.

That’s the “S” in HTTPS, right?

Correct. But actually I’m going to trick your computer into using HTTP instead, which is unencrypted, so when you log into your email, you’re actually sending the password in clear text, and I’m picking it up with this.

But won’t the website know that there’s something wrong if I’m sending my password in plain text instead of encrypted?

Well that’s the fun part, you’re actually sending it to me in plain text, and I’m sending it to the website encrypted. Neither of you will know there’s a man in the middle.

So, show me how it works then.

Sure. Is your VPN off?

Yup, VPN is off.

Because this attack only works when VPN is off. So firstly, I’m going to search for your computer on the wireless network, which you are connected to. And as you see, this is your computer right here.

Wow.

Now I run the attack. So now please log in to your email account.

Okay.

So as you can see, when you typed in your credentials and pressed enter, you can see that the device picked up the credentials and here is your password.

Oh my! Not a great password I guess.

Well it doesn’t matter how good it was because I have it now. And if you’re the kind of person who tends to reuse their passwords…

Oh boy. I’m definitely going to have to change my password. So does this same attack work on other sites?

Yeah. Shopping websites, cloud storage, online banking, you name it!

Wow. Was this equipment expensive? Was it hard to figure out how to use it?

Well that’s the scary part. This bit cost maybe twenty bucks, and the software is free and open source. Even a smart kid can do it.

Yikes! Okay, can you unhack it now? Now earlier you said the VPN had to be turned off. What would happen if my VPN was turned on?

Great question! Just turn it on and let’s find out.

OK.

So I can still see your computer here. As you can see, this is your computer right here. But when I run the attack, I’m just stuck at the listening screen.

So you can’t see any traffic at all, even when I try to log in.

None. Because your online activity is being sent through the secure VPN servers instead of to me, so there’s just nothing for me to read here.

Amazing! So, Samet, would you say that it’s always a good idea to have your VPN turned on?

Pretty much, especially when you’re on public Wi-Fi, you’d be crazy not to protect yourself.

Alright, well thank you so much, Samet.

Thank you, thanks for having me.

30 Replies to “Wi-Fi hacking explained: How to protect yourself from password theft”

  1. I like Express VPN, it's cheap and it works,
    but the only problem is it has some issues on my phone. I have Sprint and it keeps kicking the connection off.

  2. It must be stressed that logging in to the "webmail" has to be possible over HTTP. Which is not really true anymore these days… but a VPN remains a good way to protect yourself against the MITM attack.

  3. ummmm…. if she is connected to his laptop pretending to be a wireless access point… she would be connected and with a sniffer, he would have at least seen the public key go out for a request, right, before the client connects to the VPN using a secure tunnel. If he wanted to he could even redirect traffic to his own VPN keys to hand out. So… I'm not sure how smart you need to be to figure that out. I think any smart kid could do that and still see all the passwords once decrypted. It's just an extra step. Probably automated at this point.

  4. Thanks for the advert (which was too long). I'm interested as to why your "VPN" is more secure than anyone else's is? I've nothing to hide and don't use one, but I appreciate why some might. Scare tactics aside? At the end of the day all cloud stuff is someone else's shitty computer.

  5. Excellent demonstration. However, some of the stated facts are now incorrect. After the invention of HSTS, passwords and logins cannot be sent in plain text. HSTS also negates the effects of an SSL stripper.

  6. How hard are you trying to sound like a hapless computer user who thinks its insides are made from unicorn rainbow farts and other such magic things? Good info, but my gosh!
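
Comments 2 and 5 above both turn on whether the browser will ever send the login over plain HTTP. The following is an added example, not part of the original page or its comments: a minimal model of a browser's HSTS cache following the rules of RFC 6797, showing which requests get upgraded to HTTPS locally and which (such as a first visit) do not. The class name `HstsStore`, the `example.test` hostnames and the lowercase header keys are assumptions made for the illustration.

```python
class HstsStore:
    """Minimal model of a browser's HSTS cache (rules from RFC 6797)."""

    def __init__(self):
        self._hosts = {}  # host -> (expiry time in seconds, include_subdomains)

    def observe(self, scheme, host, headers, now):
        """Record one response; a policy only counts if it arrived over HTTPS."""
        value = headers.get("strict-transport-security")  # assumes lowercase keys
        if scheme != "https" or value is None:
            return  # a header injected over plain HTTP must be ignored
        max_age, include_sub = None, False
        for part in value.split(";"):
            name, _, arg = part.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                arg = arg.strip().strip('"')
                if not arg.isdecimal():
                    return  # malformed policy: ignore the whole header
                max_age = int(arg)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory
        if max_age == 0:
            self._hosts.pop(host.lower(), None)  # max-age=0 deletes the entry
        else:
            self._hosts[host.lower()] = (now + max_age, include_sub)

    def upgrades(self, host, now):
        """True if a request to http://host is rewritten to https:// locally."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            # i == 0 is an exact match; parent domains need includeSubDomains
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


if __name__ == "__main__":
    store = HstsStore()  # constructed sample traffic below
    print(store.upgrades("mail.example.test", now=0))    # first visit: no policy yet
    store.observe("https", "example.test",
                  {"strict-transport-security": "max-age=600; includeSubDomains"}, now=0)
    print(store.upgrades("mail.example.test", now=100))  # policy cached
    print(store.upgrades("mail.example.test", now=601))  # policy expired
```

The first-visit and expired cases are the windows in which a downgrade to HTTP can still go unnoticed by the browser.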
