Last week's M2M post looking at the risks that have to be overcome for embedded defibrillators was pretty scary. Now, I have something M2M related that might be pretty scary even if you don’t have an implanted medical device. I have been pretty impressed with some advertisements about how users can connect with home DVRs and possibly other accessories from their mobile devices. In one advertisement I saw, a mother is able to view cameras, unlock the front door for her daughter, and turn off lights when the daughter forgets. The scary part is if she were doing this from a public Wi-Fi network like one you might find at a Starbucks. Here’s the problem: if the network is unsecured or only secured with WEP, anyone on the network might be able to hijack the session. The hacker can use the hijacked session to change passwords and/or start controlling those cameras and locks.
What may be even scarier is that you might use Facebook, LinkedIn or some other service while on a public Wi-Fi network. Those sessions can be hijacked too. How is this possible? These services use SSL encryption when you log in, but they drop it immediately afterwards to economize on the servers, because encryption takes extra processing power. The session cookie is then transmitted in the clear over the public network, and there are many programs available that allow people to hijack the session.
As a result, I installed some apps on my smartphone that detect whether someone is using one of those network sniffer apps and also a method to secure my connection whenever I am on such networks. The first day I did, I was in the parking lot of Whole Foods and my smartphone alerted me that at least one person using the co-located Starbucks Wi-Fi was, in fact, using a hijack app. Therefore, I recommend that you do the same whenever you intend to do anything M2M or otherwise on a public Wi-Fi.
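To make the cleartext session-cookie problem described above concrete, here is an added example (not part of the original post) that walks a recorded login flow and reports which cookies cross the network unencrypted. The host `social.example`, the cookie names and the trace itself are constructed, and the check assumes a single host with no Path, Domain or expiry matching.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed trace of one browser session:
# (request URL, Set-Cookie headers returned in the response).
SAMPLE_FLOW = [
    ("https://social.example/login", ["sid=abc123; Path=/; HttpOnly",
                                      "csrf=zz9; Path=/; Secure"]),
    ("http://social.example/home", []),  # site drops back to plain HTTP
    ("http://social.example/messages", ["prefs=dark; Path=/"]),
]

def exposed_cookies(flow):
    """Return {cookie name: first cleartext URL where it is visible}.

    Simplification (assumption): one host, no Path/Domain/expiry matching.
    """
    jar = {}      # cookie name -> True if set with the Secure attribute
    exposed = {}
    for url, set_cookie_headers in flow:
        cleartext = urlsplit(url).scheme == "http"
        if cleartext:
            # The browser attaches every non-Secure cookie to this request,
            # so anyone capturing traffic on the open network can read it.
            for name, secure in jar.items():
                if not secure:
                    exposed.setdefault(name, url)
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                jar[name] = bool(morsel["secure"])
                if cleartext:
                    # The Set-Cookie header itself travelled unencrypted.
                    exposed.setdefault(name, url)
    return exposed

if __name__ == "__main__":
    for name, url in exposed_cookies(SAMPLE_FLOW).items():
        print(f"{name}: visible in cleartext at {url}")
```

The session cookie `sid` is issued over HTTPS but lacks the `Secure` attribute, so it is flagged on the first plain-HTTP request; `csrf`, which carries `Secure`, is not.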