RENEE MONTAGNE, HOST:
For a week this spring, NPR's Steve Henn allowed a small team of computer experts to plant a bug in his home office and monitor his Internet traffic. It was an eye-opening experiment, which he described earlier to David Greene.
DAVID GREENE, BYLINE: Yeah, the idea was for Steve to act as a stand-in for all of us and see just how much the NSA, or anyone else who intercepted his Internet connections, could actually find out just by watching unencrypted traffic from his phone and laptop flow by. And Steve's team learned a lot.
Despite the fact that every major Internet provider has added some kind of encryption to its services over the past year, Steve's life online was really easy to track. The team also realized that you don't have to be the target of the NSA or a hacker for your traffic to be intercepted in this way. There is this hole in mobile security that could make tens of millions of Americans vulnerable. It's been well-known in the industry for years, and it could let even unsophisticated hackers capture your traffic, monitor your connections, even maybe steal your identity. Here again is Steve.
STEVE HENN, BYLINE: When I tapped my own Internet traffic, Sean Gallagher, a reporter from the tech news site Ars Technica came to my house, and we took this little device. It's called a PWN Plug. And it was invented by Dave Porcello, a computer security expert. And we took this thing, and we physically attached it to my computer network.
DAVE PORCELLO: And now I'm going to turn on the Wi-Fi.
HENN: Dave was on a speakerphone, watching my Internet traffic from his office in Vermont.
PORCELLO: Oh, yep. Geez.
HENN: Seeing how much data streamed out of my phone the second I connected kind of blew everyone away. My phone pinged Apple, Google, Yahoo, and apps like Twitter and Facebook connected to the net. This all happened in just seconds. And I didn't touch the phone. If Dave was a hacker, those few seconds could have been a gold mine.
PORCELLO: And anything that you're logged into, basically when you re-connect, it basically re-logs in. So there's an opportunity for an attacker to capture either the cookie or maybe just the password.
HENN: It turns out the device in your pocket, your beloved smartphone, chances are really good that it is constantly out there, relentlessly looking for networks like this to connect to.
OLIVER WIES: Pretty much. Basically, yeah.
HENN: Oliver Wies works with Dave Porcello at their company, PWNIE Express.
WIES: So when you have wireless turned on, your phone or your laptop is sending out what are called probe requests out to the world saying, hey, where's my network? Hey, where's my network? Is this network around? Where's this network?
HENN: There's this book I read to my kids by P.D. Eastman. It's called, "Are You My Mother?". And it's about this tiny baby bird that falls out of its nest and goes wondering around the world asking whatever it meets, are you my mother? First, it asks the cow and then a dog and then it asks a cat. Wies says there are actually evil Wi-Fi networks out there in the world that are programmed to act like a hungry cat that, when approached by your little, baby telephone, will say, yes, I am your mother. Yes, I'm your network. And if your phone believes that cat...
WIES: At that point, it's in the middle, and it can basically intercept all traffic going through it.
HENN: The cat has captured all of your traffic. That open Wi-Fi connection opens doors for hackers. They can get in the middle of transactions between, say, you and your bank. And Oliver Wies used this kind of man-in-the-middle attack to capture an email password.
WIES: I don't know if you can read that.
HENN: Password equals ponies1 or ponies! So it just captured your username and password.
HENN: Now, if you set up your phone correctly and only sign onto Wi-Fi networks you know, you could make these attacks more difficult. But some of America's biggest companies, like AT&T and Comcast, are aggressively rolling out nationwide, open, public Wi-Fi networks - networks that are insecure.
(SOUNDBITE OF COMCAST COMMERCIAL)
UNIDENTIFIED WOMAN: Imagine taking your home Internet with you when you leave the house and connecting to the fastest hotspot with the most coverage on-the-go. Introducing...
HENN: Now, these guys aren't the only company doing this, but they're the biggest. Comcast is turning customers' cable boxes into public Wi-Fi hotspots and has a million hotspots across the country. AT&T offers open Wi-Fi connections at most Starbucks.
WIES: A big problem with AT&T phones is that they all have a preferred network on their list by default that's open and that's AT&T Wi-Fi.
HENN: And Oliver Wies says there's no password.
WIES: So when, you know, your AT&T phone is near an open AT&T Wi-Fi network, it will automatically connect.
HENN: It will connect to a legit AT&T Wi-Fi hotspot or hotspots called AT&T Wi-Fi that are set up by hackers 'r us. And Awk says, if folks are just walking by one of these evil hotspots and their phone connects, they will probably never know.
WIES: There's all this stuff going on behind the scenes. I mean, literally invisible packets in the air coming out of their pocket saying things about who they are and where they've been and what they do.
HENN: In the past year, the number of people using Xfinity Wi-Fi has almost tripled. Comcast told me that the number of out-of-home Wi-Fi sessions shot up 750 percent. Don Bailey, a security expert at Lab Mouse, says these public Wi-Fi connections don't have to be insecure.
DON BAILEY: There should be a way to identify whether or not you've attached to a public Wi-Fi.
HENN: He says that should happen automatically. He says when you connect to a Wi-Fi network like this, all your traffic should be encrypted without you having to do anything. And in fact, both Comcast and AT&T already offer consumers apps that will do this. But you have to buy them, install them and opt in. So most people don't. I asked both companies if these open Wi-Fi networks were opening up millions of their consumers to potential attacks. AT&T said it took extraordinary measures to keep its consumer safe. Comcast said it was planning to roll out a more secure Wi-Fi network sometime in the future. But it didn't say when.
GREENE: That reporting coming from Steve Henn. And Steve joins us on the line right now to talk about the series. And, Steve, one interesting lesson from this experiment - I mean, we are all really vulnerable in those moments when our mobile device or computer is trying to connect to a public Wi-Fi network. If Comcast can make networks like this more secure, I mean, what's the holdup?
HENN: Well, part of the problem is that, for Comcast to roll out a more secure system, it needs the cooperation of everyone who uses it - so Apple, Android device manufacturers - they all have to agree to use this same system. So that takes time. And it's one of the issues we've seen again and again throughout the series.
The other problem that we've noticed is that even when companies roll out encryption, there are often bugs. So we found a bug in Google's location data that they've now patched. We found that Snapchat was showing when kids signed up for their service in the clear. And they fixed that as well. And we've seen lots of examples. And unless you really dig through the packets in the traffic, you don't see when encryption is breaking down.
GREENE: And that's probably difficult for people like me who don't do this kind of stuff - to dig through things like that and find out when things are breaking down. Anything that I can do, given all the leaks that you found, to make myself more secure?
HENN: Well, there are lots of little things you can do, like you can mess with your settings on your phone, turn off Wi-Fi or turn off location services. But I think for most people, that really doesn't work. For encryption to keep us all safe, I think it has to be built into the background and so simple to use that it's happening without us even knowing it. I mean, the one positive thing that has come out of this reporting for me is that we're seeing companies begin to move to that. And that was just unheard of a year ago.
GREENE: Interesting week of reporting. NPR technology correspondent, Steve Henn. Steven, thanks a lot.
HENN: My pleasure.
MONTAGNE: This is NPR News.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.