Researchers have exposed the public's “reckless” attitude to WiFi security by trapping hundreds of people in a free Trojanised hotspot in London that harvested their account details – and even got people to sign away their first-born child in its terms and conditions agreement.
The hotspot was set up as part of an investigation by Peter Warren from the UK's Cyber Security Research Institute and Finn Steglich of German pen test firm SySS for security firm F-Secure, and backed by the European police agency Europol and the UK's privacy watchdog, the ICO.
The researchers offered a free hotspot – built for less than £160 from an easily hidden Raspberry Pi, battery pack and a WiFi and UMTS cable – in two locations, Cafe Brera in Canary Wharf and outside the Queen Elizabeth Centre near the Houses of Parliament.
More than 250 people logged on to the Trojan hotspot in a 30-minute test period. Each could be identified by the details they left behind on their previous access points, the researchers say.
In that time, 33 devices actively used the hotspot to carry out web searches and send data and email, and the widely used POP3 email connections involved revealed the users' names and passwords.
The researchers say this weakness “has profound implications”, explaining: “It would allow any criminal operating a WiFi hotspot to harvest account information that would allow them to masquerade as that person via their email account.
“It can effectively mean that all of an individual's data can be stolen as many people use the same details for multiple accounts, such as online banking, and an email address is often used as a user name.”
More worryingly, they say that the hotspot in Canada Square briefly carried a T&Cs page with a deliberately ridiculous term – dubbed ‘the Herod clause’ – that said, in return for free WiFi, the individual agreed to “render up their eldest child for the duration of eternity” or their most beloved pet.
“Six people decided that it was a fair exchange and signed up,” they say.
The investigation had a serious purpose. A recent Ofcom survey found more than 77 percent of people were not concerned about the security of public WiFi, and the experiment exposed a “reckless attitude to security”, the report says.
Their findings are backed by Troels Oerting, head of Europol's European Cybercrime Centre (EC3), who says in the report: “The problem is that WiFi is much more insecure than 99 percent of our population know. With public WiFi, you could just as easily put it up on a big white screen wherever you are.”
Oerting said Europol has already seen criminals exploiting the public's weakness for free access: “We have got reports from member states that criminals have provided free WiFi in areas where they want to steal people's information. So we have already seen this in operation.”
The report is also backed by the ICO, which, with Europol, advises people: “Use a Virtual Private Network (VPN), turn off the WiFi on hand-held devices when on the move and only use trusted WiFi access points secured with a password.”
F-Secure security advisor Sean Sullivan told SCMagazineUK.com that the hotspot involved was called ‘Free WiFi’ and a lot more people could have been trapped if the researchers had used a more devious, legitimate-sounding name.