For a few days, my mobile device has been able to catch Wi-Fi signals that are within its radius. It's not asking for a password to use the service. So, I'm using the Wi-Fi service whenever I need to.
Is there any chance to hack my email and other accounts which I'm opening using this service? Are there any other security issues with this type of access?
Unprotected Wifi networks, particularly in public places, are most certainly a threat. This is because you are connecting to a network without knowing who else could be on the network.
'Free Wifi' provided by cafes, restaurants, etc serve as excellent places for harvesting passwords.
The attacker will perform a Man in the Middle attack, typically by employing ARP Cache Poisoning. At that point, the attacker can read all plaintext passwords, including unsecured email (Email that does not use TLS), unencrypted ftp, websites without SSL, etc. Not to mention they can see all your google searches, all domains that you visit (encrypted or not) and so forth.
And they got to this point without putting in any real effort, ARP Cache Poisoning and Packet Sniffing are easy. A more advanced attacker might set up an active proxy on his machine to perform attacks such as SSL Stripping, which would give him access to all sites you visit, including HTTPS. This means he now has your PayPal, Facebook and Twitter passwords.
Moving on, an attacker might target your machine directly, if you have not updated your software in a while, is it likely that he can spawn a shell with Metasploit and download all your files for later analysis. This includes any saved browser passwords, authentication cookies, bank statements etc.
TL;DR: When connecting to a network, you are exposing your device and all your traffic to all other users of that network. In an open WiFi this includes the girl sat across the street in the back of a van with a Kali laptop and a GPU array. Update your software and don't log into anything sensitive without using a VPN.
Well you are sending everything over untrusted channel. All communication protocols you use on the internet which do not provide an SSL interface (or similar) which also checks for validity (attackers love to perform MITM on free wireless hot spots) can therefore be sniffed and captured. So the minimum what they would be able to see is what websites you are visiting at which periods in time.
If you are using an unencrypted protocol like plain HTTP, POP3 or IMAP, then yes they will be able to obtain your credentials. While this issue isn't restricted to open WiFi access and can be done on any network, it becomes a lot easier for other people to monitor the wireless network.
So yea it might not be the best idea if you aren't sure everything sent over the network is encrypted and that there is a strict authentication between you as a client and the endpoint when setting up the encryption tunnel.
Just to state it simply, a common way to hack people is to go to a public place (airport) with a wifi hotspot leave it open or simply impersonate a valid one and wait for people to connect. They can simply listen for any unencrypted data. This basically means you need to be super careful when using a public hotspot...SO careful that it is nearly impossible for the layman, if someone has malicious intent.
The best way is to setup a VPN and once you connect to the public network connect to your VPN, this is of course more complicated then most laymen want to do.
In addition to what other have said, I think it's worth making clear that if you connect to a WiFi with security other than WPA/WPA2-Enterprise, you are vulnerable to sniffing, because all users share the same key (or no key at all if it is unsecured).
That goes against a common misconception that I found many users to have, who believed that using WPA/WPA2 PSK prevented sniffing because it uses a different link key for each user. The problem here is that it's trivial to recover that link key from the handshake, and from then on you can sniff without any problem.
So if you connect to any WiFi with non Enterprise security to which untrusted users may connect (say a cafe, restaurant, etc.), then use a secure VPN.
Yes, it is a threat. Not just with open networks, any network owned by someone you don't trust (like mall networks which are secured but provide a password) There are many things they can do:
Anything you send over an http connection can be read by them. Passwords, usernames, credit card numbers, the works. All of these are sent in plaintext and can be easily logged.
Many apps run on unencrypted connections as well. There's a lot of important information that can be snooped from those.
Usually it's hard to spoof HTTPS because you need a valid certificate for that to work. However, many times you type in an HTTP URL in the address bar and it redirects you to the HTTPS equivalent. For example, when you type http://mail.google.com in the address bar, you get the following (it's a redirect):
<html>
<head>
<meta http-equiv="Refresh" content="0;URL=http://mail.google.com/mail/"/>
</head>
<body>
<script type="text/javascript" language="javascript">
<!--
location.replace("http://mail.google.com/mail/")
-->
</script>
</body>
What if this wasn't there? While apps which directly access GMail will still work (they know about https), anything you type in the address bar that is not explicitly https can be phished. They can redirect you to a fake GMail, where you will log in and they will steal your credentials. While two-factor authentication helps, it does not prevent them from stealing your cookies, which will give them access to your account until you log out.
The reverse is also possible. They can use a 301 Moved Permanently redirect to serve you HTTP when you ask for HTTPS, and they'll give you something which says http://mail.google.com in the URL but really points to a completely different server. Both mobile and desktop browsers seem to allow 301 redirects without a fuss.Desktop browsers make a fuss when there's an unauthorized HTTPS redirect, but mobile browsers don't.
On modern desktop browsers, it is easy to identify when this is happening, for example, Chrome shows this:
when on an https connection. If you are alert, you'll notice if the HTTPS is replaced with HTTP on a desktop browser(since the icon is no longer green), but most mobile browsers don't seem to have any way of indicating a secure connection.
This problem can be solved (on the site side) by using HSTS, and on your side by using bookmarks and keeping browser history.
Depending on your sharing settings (and what you set the network as -- always, always use "Public" for networks you don't trust), it may be possible to access your Windows filesystem. Unless you have ssh or telnet set up (and if you do, I assume you know how to keep it secure), Linux is generally safe from this. Most phones are as well.
Along with everything that's been mentioned, you're also vulnerable to attacks such as NIGHTSTAND:
An active 802.11 wireless exploitation and injection tool for payload /exploit delivery into otherwise denied target space. NIGHTSTAND is typically used in operations where wired access to the target is not possible.
Being on a wireless network removes the ability to secure physical access. In this context, anyone within range can intercept communications and send traffic to your device. That traffic could target a vulnerability in how your OS handles certain protocols or even how the driver for your wireless card handles protocols. For this reason many security professionals will completely forego WiFi and instead use the internet connection from their tethered cell phone which goes over GSM/CDMA.
As pointed out by @schroeder, this vulnerability exists in all WiFi implementations not just open WiFi. However secured WiFi will encapsulate traffic in a secure protocol such as SSL. This greatly minimizes the attack surface from the perspective of NIGHTSTAND as there are fewer protocols to target. With an open WiFi system the connections are usually not encapsulated. The attacker then has visibility to see traffic sent to all destinations. For example, misconfigured SSL, clear text protocols, and interesting alternative protocols. This level of access into the network communications provides a much larger attack surface since any one of those protocols can now be targeted. It also greatly aides the attacker when trying to fingerprint the host.
Anyone with a wireless card under the signal's radius can join your wireless network. There are many tools that they can use to sniff and even manipulate traffic in your network. Usinf tools like Ettercap, anyone can launch Man In The Middle (MITM) attack where all traffic goes through hacker's laptop/computer before it reaches your devices.
They can use keyloggers to log any keystroke on your keyboard. And they can use softwares like wireshark to see everything thats going on in your network.
In worst case scenario, a hacker can use your computer to launch attack on other computers and even on a government systems. Since all traffic is coming from your network, you will be on chopping block when FBI knocks on your door.
Did you known their is a fine for people who have open unsecured home network :)
Couple suggestions:
