A new F-Secure WiFi investigation conducted on the streets of London shows that consumers carelessly use public WiFi without regard for their personal privacy. In the experiment, which involved setting up a ‘poisoned’ WiFi hotspot, unsuspecting users exposed their Internet traffic, their personal data, the contents of their email, and even agreed to an outrageous clause obligating them to give up their firstborn child in exchange for WiFi use.
The independent investigation, supported by Europol, was carried out on behalf of F-Secure by the UK’s Cyber Security Research Institute and SySS, a German penetration testing company. For the exercise, SySS built a portable WiFi access point from components costing around 200 euros and requiring little technical know-how. Researchers set the device up in prominent business and political districts of London. They then watched as people connected, unaware their Internet activity was being spied on.
In a thirty-minute period, 250 devices connected to the hotspot, most of them probably automatically without their owner realizing it. 33 people actively sent Internet traffic by carrying out web searches and sending data and email. 32 MB of traffic were captured (and promptly destroyed in the interest of consumer privacy). And in a surprising finding that underscores the need for encryption, the researchers found that the text of emails sent over a POP3 network could be read, as could the addresses of the sender and recipient, and even the password of the sender.
For a short period, the researchers introduced a Terms & Conditions (T&C) page that needed to be accepted in order to use the hotspot. The T&C included an outlandish clause that obligated the user to give up their firstborn child or most beloved pet in exchange for WiFi use. In total, six people agreed to the T&C before the page was disabled. The clause illustrated the lack of attention people typically pay to T&C pages, which are often too long to read and difficult to understand.
“We all love to use free wi-fi to save on data or roaming charges,” says Sean Sullivan, Security Advisor at F-Secure, who participated in the experiment. “But as our exercise shows, it’s far too easy for anyone to set up a hotspot, give it a credible-looking name, and spy on users’ Internet activity.” When it comes to hotspots provided by a legitimate source, even those aren’t safe, he says. Even if they aren’t in charge of the hotspot, criminals can still use ‘sniffer’ tools to snoop on what others are doing.
“The issue of wi-fi security is one that we at the European Cybercrime Centre (EC3) at Europol are very concerned about,” says Troels Oerting, Head of Europol’s EC3. “We wholeheartedly support activities which shine light on this everyday risk consumers face.”
F-Secure said that the solution is either to stay away from public WiFi or to use WiFi security. With WiFi security, the user’s connection is invisible in the WiFi network and the data is made unreadable by encryption. So even if someone tries, they can’t tap into the encrypted data. F-Secure is recommending that users secure their Internet traffic with its Freedome VPN product.
For full details and stats of the investigation, check out “The Dangers of Public WiFi – And Crazy Things People Do To Use It”.
During the course of this experiment, F-Secure said, no user was compromised at any point, nor was user data exposed in a way that could have made it subject to misuse. The IT security company said it has not logged any user information, and during the experiment a lawyer supervised all the activities to avoid breaching any laws.