Consumers carelessly use public wi-fi without regard for their personal privacy. That is according to an IT security firm’s wi-fi check on the streets of London. In the experiment, which involved setting up a ‘poisoned’ wi-fi hotspot, unsuspecting users exposed their internet traffic, their personal data, the contents of their email, and even agreed to an outrageous clause obligating them to give up their first-born child in exchange for wi-fi use.
The investigation, supported by Europol, was carried out on behalf of F-Secure by the UK’s Cyber Security Research Institute and SySS, a German penetration testing company. SySS built a portable wi-fi access point from components costing around 200 euros and requiring little technical know-how, according to the firms. Researchers set the device up in prominent business and political districts of London. They then watched as people connected, unaware their internet activity was being spied on.
In a 30 minute period, 250 devices connected to the hotspot, most of them probably automatically without their owner realising it, the researchers add. Some 33 people actively sent internet traffic by carrying out web searches and sending data and email. Some 32 MB of traffic were captured (and destroyed in the interest of consumer privacy). And the researchers found that the text of emails sent over a POP3 network could be read, as could the addresses of the sender and recipient, and even the password of the sender.
For a short period, the researchers introduced a Terms & Conditions (T&C) page that needed to be accepted for use of the hotspot. The T&C included an outlandish clause that obligated the user to give up their firstborn child or most beloved pet in exchange for wi-fi use. In total, six people agreed to the T&C before the page was disabled. The clause illustrated the lack of attention people typically pay to T&C pages, which are often too long to read and difficult to understand.
Sean Sullivan, Security Advisor at F-Secure, took part in the experiment. He says: “We all love to use free wi-fi to save on data or roaming charges. But as our exercise shows, it’s far too easy for anyone to set up a hotspot, give it a credible-looking name, and spy on users’ Internet activity.” When it comes to hotspots provided by a legitimate source, even those aren’t safe, he says. Even if they aren’t in charge of the hotspot, criminals can still use ‘sniffer’ tools to snoop on what others are doing.
“The issue of wi-fi security is one that we at the European Cybercrime Centre (EC3) at Europol are very concerned about,” says Troels Oerting, Head of Europol’s EC3. “We wholeheartedly support activities which shine light on this everyday risk consumers face.”
The solution? Stay away from public wi-fi – or use wi-Fi security, says F-Secure Freedome.
Still don’t believe that public wi-fi poses risks? Take a closer look next time you’re faced with a Terms & Conditions page for public wi-fi hotspot. “A good number of open wi-fi providers take the time to tell you in their T&C that there are inherent risks with wireless communications and suggest using a VPN,” Sullivan says. “So if you don’t take it from me, take it from them.”
For details and stats of the investigation, visit http://safeandsavvy.f-secure.com/2014/09/29/danger-of-public-wifi/.