Researchers have exposed the public's “reckless” attitude to WiFi security by trapping hundreds of people in a free Trojanised hotspot in London that harvested their account details - and even got people to sign away their first-born child in its terms and conditions agreement.
The hotspot was set up as part of an investigation by Peter Warren from the UK's Cyber Security Research Institute and Finn Steglich of German pen test firm SySS for security firm F-Secure, and backed by the European police agency Europol and the UK's privacy watchdog, the ICO.
The researchers offered a free hotspot – built for less than £160 from an easily hidden Raspberry Pi, battery pack and a WiFi and UTMS cable – in two locations, Cafe Brera in Canary Wharf and outside the Queen Elizabeth Centre near the Houses of Parliament.
More than 250 people logged on to the Trojan hotspot in a 30-minute test period. Each could be identified by the details they left behind on their previous access points, the researchers say.
In that time, 33 devices actively used the hotspot to carry out web searches and send data and email, and the widely used POP3 email systems involved revealed the user's name and password.
The researchers say this weakness “has profound implications”, explaining: “It would allow any criminal operating a WiFi hotspot to harvest account information that would allow them to masquerade as that person via their email account.
“It can effectively mean that all of an individual's data can be stolen as many people use the same details for multiple accounts, such as online banking, and an email address is often used as a user name.”
More worryingly, they say that the hotspot in Canada Square briefly carried a T&Cs page with a deliberately ridiculous term – dubbed ‘the Herod clause'– that said, in return for free WiFi, the individual agreed to “render up their eldest child for the duration of eternity” or their most beloved pet.
“Six people decided that it was a fair exchange and signed up,” they say.
The investigation had a serious purpose. A recent Ofcom survey found more than 77 percent of people were not concerned about the security of public WiFi, and the experiment exposed a “reckless attitude to security”, the report says.
Their findings are backed by Troels Oerting, head of Europol's European Cybercrime Centre (EC3), who says in the report: “The problem is that WiFi is much more insecure than 99 percent of our population know. With public WiFi, you could just as easily put it up on a big white screen wherever you are.”
Oerting said Europol has already seen criminals exploiting the public's weakness for free access: “We have got reports from member states that criminals have provided free WiFi in areas where they want to steal people's information. So we have already seen this in operation. “
The report is also backed by the ICO, which, with Europol, advises people: “Use a Virtual Private Network (VPN), turn off the WiFi on hand-held devices when on the move and only use trusted WiFi access points secured with a password.”
F-Secure security advisor Sean Sullivan told SCMagazineUK.com that the hotspot involved was called ‘Free WiFi' and a lot more people could have been trapped if the researchers had used a more devious, legitimate-sounding name.
He said the experiment showed “some people would just use it regardless”.
Sullivan said mobile phone operators are expanding their networks with WiFi as they evolve to 4G, but it is “an inferior technology. It was never really something that was made to be used across a cityscape, but this is the technology the operators have used to fill in the cracks, and anybody can easily doppelganger that.”
He warned: “If businesses were thinking, ‘What do we need to be worried about in the future?' – if you've got a BYOD employee and they're not using a VPN with their device and they're operating on these network spaces, it's going to be a disaster in the not too distant future.”
F-Secure's findings have been backed by security firm SensePost, whose well-publicised experiment using the ‘Snoopy' drone flying over London to steal user data from WiFi hotspots featured at this year's SC Congress.
Daniel Herbert, COO of SensePost, told SC: “It's nothing new but I think it's good that there's more media focus on the fact that WiFi today is still not as secure as it should be.
“The proliferation of WiFi is so huge, it's pretty much everywhere. It's now the way most people connect to the internet and WiFi security is still not very good.
“When it comes to open WiFi networks, people are incredibly trusting. It's no surprise that six people did sign away their first born.”
Herbert said the industry needs a similar event like the recent ‘Celebgate' that exposed cloud insecurity “so people say enough's enough. Something's got to change. People need to stop being so trusting when it comes to WiFi networks. They aren't what they say they are sometimes.”
The F-Secure researchers say regulators like the ICO could do more to alert consumers to the potential risks. Their report urges regulators that: “WiFi access points should be certified as safe in the same way that https:/ websites display a padlock and colour the URL green to show that they are safe to use.”
They also warn that increasing public reliance on WiFi means mobile phone companies are offering a blend of cellular and WiFi that often uses open WiFi hotspots – but “most mobile internet consumers are totally unaware that their service is being seamlessly switched between the different networks”.
F-Secure says: “The industry needs to be transparent about what it is offering, clearly alerting people to the fact that whenever they are on WiFi their security is at risk.”