CSRI experts have built a fake Wi-Fi hotspot and captured passwords, emails and IDs from users…
Part of an experiment and a report created for the Finnish cyber security company F-Secure called ‘Tainted love: How Wi-Fi betrays us’, the results went viral on the internet and led to interviews in the UK national press and follow-up articles in publications and websites around the globe, largely because the report coined a unique term: ‘The Herod Clause’.
This was an evolution of the terms and conditions for using the access point and getting free connectivity in two central London locations. The clause for Wi-Fi connectivity read: “In return for free use of this wireless hotspot you agree to give us your firstborn child or your favourite pet for all eternity”. This draconian measure did not appear to affect users’ readiness to tick the box accepting the Ts and Cs, and six people agreed to it before it was removed from the legal conditions for using the experimental kit.

It is a kit that is worryingly easy and cheap to assemble, comprising a Raspberry Pi mini-computer, a portable wireless router and dongle, and a Wi-Fi aerial powered by a battery pack with a five-hour life. The bundle is strapped together with elastic bands. For the experiment – created by Future Intelligence editor Peter Warren – the services of Finn Steglich were required. Steglich works for Syss, a penetration testing company in Germany. He brought the fake Wi-Fi hotspot kit to London in bits, each in a separate part of his baggage.
Terms and Conditions
Peter Warren set up the hotspot at Canary Wharf in the heart of London’s Docklands financial district and soon attracted a number of people to connect to it. The experiment was repeated at Westminster in front of the British Parliament buildings and the Queen Elizabeth Conference Centre, where Government departments were holding official meetings. Around the corner is the headquarters of the National Crime Agency, the body responsible for policing cyberspace in the UK. With the world-famous Big Ben and Westminster Abbey landmarks also close by, there were many tourists passing through, all eager to hook up to a free Wi-Fi service. As in the earlier test, many people took the bait of free connectivity and started using the service. This time the Terms and Conditions did not include the ‘Herod Clause’ which claimed the right to take the firstborn children of those signing. But still dozens of people signed up for free Wi-Fi. Those using POP3 or IMAP email (the most common email protocols) revealed their email addresses, user names and passwords. They appeared in plain text on Finn Steglich’s laptop screen. And that meant that if Steglich were a criminal rather than an ethical hacker, they could have lost their IDs and their money.
http://safeandsavvy.f-secure.com/2014/09/29/danger-of-public-wifi/
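The credential exposure described above happens only when a mail client sends POP3 or IMAP logins over an unencrypted connection. As an added illustration (not code from the article, F-Secure or SySS), the following client-side policy never releases a login until the channel is encrypted, either on an implicit-TLS port or after a successful STARTTLS/STLS upgrade; the server responses in the test are constructed samples, and `plan_login` is a hypothetical helper name.

```python
"""Mail-client login policy: do not send POP3/IMAP credentials in cleartext.

Added example, not the article's or any vendor's code. Server replies passed in
are constructed samples of what a client would see from an untrusted hotspot."""

IMPLICIT_TLS_PORT = {"imap": 993, "pop3": 995}   # TLS before any command
UPGRADE_CMD = {"imap": "STARTTLS", "pop3": "STLS"}  # opportunistic upgrade


def plan_login(protocol, port, server_lines, username, require_tls=True):
    """Return (commands the client would send, verdict string).

    protocol     -- "imap" or "pop3"
    port         -- the TCP port the account is configured to use
    server_lines -- greeting plus capability reply, exactly as received
    require_tls  -- hardened setting; False reproduces the risky behaviour
    The password is never part of the returned commands; it is shown as a
    placeholder so the plan can be logged safely.
    """
    protocol = protocol.lower()
    if protocol not in IMPLICIT_TLS_PORT:
        raise ValueError(f"unsupported protocol: {protocol}")
    caps = " ".join(server_lines).upper()
    if protocol == "imap":
        login = [f"LOGIN {username} <password>"]
    else:
        login = [f"USER {username}", "PASS <password>"]

    if port == IMPLICIT_TLS_PORT[protocol]:
        # The TLS handshake precedes the greeting; the hotspot sees only ciphertext.
        return login, "ok: implicit TLS"

    upgrade = UPGRADE_CMD[protocol]
    if upgrade in caps:
        # Upgrade first. A hotspot that strips STARTTLS from the capability
        # list lands in the branches below instead, so nothing leaks.
        return [upgrade] + login, f"ok: upgraded with {upgrade}"

    if "LOGINDISABLED" in caps:
        # Server itself forbids cleartext login (RFC 3501 capability).
        return [], "refused: server advertises LOGINDISABLED without STARTTLS"

    if require_tls:
        # This is the situation the article describes: plain POP3/IMAP on
        # port 110/143 with no upgrade offered. Refuse rather than leak.
        return [], "refused: no TLS available, credentials would be readable by the hotspot"

    return login, "WARNING: credentials sent in cleartext"
```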
FI editor Peter Warren comments: “Most people don’t realise that their smartphone uses a blend of 3G or 4G and Wi-Fi. The mobile phone companies and the technology industry should make this clear – people think they’re buying a 3G or 4G service but they don’t realise it has gaps, and the providers use free Wi-Fi to fill in those gaps. These devices are promiscuous. They are built to look for Wi-Fi and connect to it whenever they can without alerting the user. So the only way to protect your data is either to switch off the Wi-Fi on your device or to encrypt it, and my preference would be to encrypt.”
Europol, the European Union’s police force, has been warning since its report in March 2014 about the potential risks of public Wi-Fi.
Head of Cyber Crime Troels Oerting welcomed the F-Secure experiment and his team launched the test report across Europe to coincide with the UK launch in London, emphasising Europol’s wholehearted support for the experiment. Troels Oerting is based at Europol’s headquarters in The Hague and co-ordinates cybercrime investigation across all 27 member states of the EU. Oerting advises that free Wi-Fi should be used with caution, and urges those using it to consider encrypting their data to protect themselves against thieves who might steal identities, passwords and access to bank accounts. ‘It’s scary,’ he says. However, EU Vice President Neelie Kroes is publicly backing the extension of free Wi-Fi and urging citizens to share hotspots in order to boost connectivity. In a report published in 2013, the European Commission’s working party on the Digital Agenda for Europe predicted that by 2016 78% of all communications via smartphone and tablet devices would be delivered by Wi-Fi. The study recommends that extra spectrum be made available to meet this extra demand, and applauds the fact that ‘Europe loves Wi-Fi’.
In the UK the Information Commissioner’s Technology Officer Andrew Patterson revealed to the testing team that the ICO has also been experimenting with fake Wi-Fi access in Manchester close to its headquarters at Wilmslow, with results that were presented at an internal meeting. Patterson agrees that there is a need for far greater public awareness about the potential security risks and data breaches that Wi-Fi brings.
F-Secure Technology Officer Sean Sullivan believes his company has the answer: a virtual private network (VPN) product called Freedome which encrypts data and metadata so that even if you use free public Wi-Fi with no security, your privacy, IDs and commercially confidential information are not revealed to anyone who can access the hotspot.
The F-Secure Wi-Fi experiment has been widely covered in newspapers, TV, radio and blogs across Russia, the USA, Ireland and the Basque country of northern Spain, as well as the national British newspapers and TV networks. No users’ accounts were compromised during the testing period and the data collected is securely held by Syss. The full text of the report is available; to obtain a copy, email futureintelligence@outlook.com