Security firms F-Secure and Mandalorian Security Services have teamed up to show how risky public WiFi hotspots can be, which they did by hacking into the Internet surfing activities of three politicians (David Davis MP, Mary Honeyball MEP and Lord Strasburger) while they were connected in London.
Now before anybody shouts “Hey, that’s illegal!”, it should be stressed that the hacking was done with the full permission of all three politicians. Nevertheless, all three admitted that they make regular use of public WiFi and have received no formal training or information about the relative ease with which computers can be breached while on such networks.
The stage was set and so the ethical hackers dutifully went about their business by breaking into and manipulating emails, as well as manipulating and extracting financial and social networking details. Here’s a summary of some of the things they did.
Highlights from the Public Wi-Fi Hacking
* The hackers drafted an email, destined for the national press and comically announcing his defection to UKIP, and left it in David Davis’s drafts folder.
* David Davis’s PayPal account was compromised, as it used the same username and password as his Gmail – a common habit.
* Mary Honeyball MEP, who ironically sits on the EU committee responsible for the “We Love Wi-Fi” campaign, was browsing the Internet in a café when the ethical hacker sent her a message seemingly from Facebook which invited her to log back into her account, as it had timed out. This was how she unwittingly gave her login credentials to the hacker, who then accessed her Facebook account. Honeyball was using a tablet that had been issued to her only days before by the European Parliament’s technology officers.
Suffice to say that all of the politicians were surprised by the fact that simply setting a password isn’t always enough, with Mary Honeyball saying, “I think something should be done because we all think that passwords make the whole thing secure.”
In fact, anybody with some proper IT knowledge will already know that hackers can often get around passwords (i.e. there can be other ways of breaking into networks, particularly open public WiFi), and this perhaps also demonstrates the general lack of basic IT understanding that some politicians have.
Steve Lord, Director at Mandalorian, said:
“The average person will think that a hacker knowing which sports team I follow is a pretty useless piece of information. But once he knows that, he can craft a phishing email specifically for you and your likes, knowing that you will be more likely to open it.
Once you click on a link within that email or open an attachment, they have you – they will load malware onto your devices and then you will end up giving away all of your information. Not only that, but your company information too, if you use your devices to access the company network.”
Sean Sullivan, Security Advisor at F-Secure, added:
“People shouldn’t be afraid to use public Wi-Fi – it’s a fantastic service. But they must understand that there are risks and it is their responsibility to protect themselves. This is simply done using a piece of software called a Virtual Private Network (or VPN). For phones and tablets, these are available as an app.
Our Freedome VPN will encrypt all data travelling from the device to the network, meaning that the hacker will steal nothing of use. Simply turning it on gives you the best protection you can possibly have to stay safe over public Wi-Fi, so you can focus on what you’re doing instead of worrying about staying safe.”
It’s worth pointing out, of course, that a VPN might help to provide some protection, but this doesn’t mean that an advanced hacker won’t still be able to use the WiFi network in order to access your computer. Ultimately it’s safest to simply avoid public WiFi, particularly open networks that don’t ask for a password.
Another common trick in the hacking toolkit is to simply set up a fake SSID (network name) that mirrors a legitimate hotspot, for example by calling it “McDonalds Official Wi-Fi” (i.e. tricking some end-users into connecting to the wrong network). Never underestimate the power of simple social engineering attacks.
But if you do wish to use public WiFi, then try to avoid open hotspots unless necessary and always make use of a trusted VPN provider, as that’s one of the safest ways to keep your activity secure and private.