The potential security risks of accessing a public WiFi hotspot are nothing new and yet a new F-Secure study of consumers in London has discovered that many users are continuing to connect themselves, without first checking the hotspots validity, to so-called “poisoned” wireless Internet access points (designed to steal your data).
On this occasion the poison hotspots were actually setup by anti-virus firm F-Secure, with help from SySS and the UK’s Cyber Security Research Institute, as part of an experiment to see how many unsuspecting users might expose their personal Internet traffic and emails to data thieves.
As part of the exercise SySS built a portable wifi access point from easily found components costing £150+ and these were then positioned in several “prominent business and political districts” of London. Comically one of the clauses that users of the poisoned hotspots needed to agree before they could get online was one that obligated them to “give up their firstborn child” in exchange for wifi use (seems like a fair trade) and apparently 6 people agreed to this before the page was disabled. As usual very few people ever read T&C’s, which are generally long, complex and often confusing hulks of text.
The hotspots then began to wait and over a period of 30 minutes some 250 devices connected (many were probably doing so automatically and perhaps without the owner realising), while 33 people actively made use of Internet traffic on the poisoned service (e.g. web searches, email etc.). Some 32MB (MegaBytes) of data was captured and later destroyed in the interests of consumer privacy.
The researchers also noted that the text of emails sent over their hotspot via POP3 networks could be read, including the addresses being used and surprisingly even the passwords! This is probably because the owners had not enabled encryption or were using an email server that didn’t support it (these are still quite common).
Sean Sullivan, Security Advisor at F-Secure, said:
“We all love to use free wi-fi to save on data or roaming charges. But as our exercise shows, it’s far too easy for anyone to set up a hotspot, give it a credible-looking name, and spy on users’ Internet activity.”
Sullivan notes that even hotspots provided by a legitimate source aren’t safe because criminals can still use “sniffer” tools to snoop on what others are doing. At this point F-Secure starts to promote its own products as the solution, although we have a few other tips that might help.
Firstly, never allow your device to “connect automatically to accessible hotspots within range“, this feature should always be disabled as otherwise you’re just asking for trouble. Always check the hotspot manually before you connect.
In addition, if you’re planning to do any work or exchange sensitive info. then do it from behind a Virtual Private Network (VPN) and make sure the data on your computer is secure (we always try to keep anything sensitive encrypted locally and there are lots of apps for doing that).
Ultimately a little paranoia goes a long way when considering your interactions with any form of open public network because the potential for abuse is significant. This is one of the reasons why we prefer Mobile Broadband links to public WiFi, wherever possible.
Comments are closed