Hackers are intercepting public Wi-Fi networks, such as those in coffee shops and airports, to "poison" users' browser caches in order to present fake web pages or steal data at a later time, says a security researcher.
"Open networks have no client protection," said Kershaw, who also uses the handle Dragorn.
"Nothing stops us from spoofing the [wireless access point] and talking directly to the client [the user's Wi-Fi-enabled device]."
Knowledge gained from researchers over the past year, he said, is showing that browser-cache poisoning over Wi-Fi can be kept in a persistent state unless the user knows how to effectively empty the cache.
"Once the cache is poisoned, it's going to stay there," Kershaw said.
This means that an attacker can intercede to "poison the URL" of the victim so that he will see a fake web page when they try to visit a specific website or try to insert a 'shim' that could "ship your internal pages off to a remote server once you're in a VPN".
The few defences Kershaw suggested were continuously manually clearing the cache, or using private-browser mode. "Who knows how to clear the browser cache in an iPhone?" he asked.
Kershaw acknowledged he doesn't know how widely attacks based on poisoning the browser cache via 802.11 actually are.
But the potential for trouble is so evident he said he'd advise corporate security professionals to try to "forbid users from taking laptops onto open networks", though he admitted, "your users may lynch you".
He said some vendors, including Verizon, are looking at solving this problem with a custom client that is tied to specific operating systems.
See also: Wi-Fi boom fueled by Apple iPhone