Consumers carelessly use public Wi-Fi without regard for their personal privacy, even blithely agreeing to surrender their firstborn in exchange for the opportunity to check their emails without paying.
That's according to an experiment which involved setting up a "poisoned" Wi-Fi hotspot. Unsuspecting users who connected to the network agreed to expose their internet traffic and personal data – such as the contents of their email. They even agreed to an outrageous clause obligating them to give up their firstborn child in exchange for Wi-Fi use.
The independent investigation, supported by policing group Europol, was carried out on behalf of F-Secure by the UK’s Cyber Security Research Institute and SySS, a German penetration testing company. SySS built a portable Wi-Fi access point from components costing around €200 and requiring little technical know-how. Researchers set the device up in prominent business districts of London. They then watched as consumers connected, unaware their internet activity was being spied on.
In a 30-minute period, 250 devices connected to the hotspot, most of them probably automatically without their owner realising it. Thirty-three people actively sent internet traffic by carrying out web searches and sending data and email. 32MB of traffic was captured (and promptly destroyed in the interest of consumer privacy). In a finding that underscores the need for encryption, the researchers found that the text of emails sent over POP3 could be read, as could the addresses of the sender and recipient, and even the password of the sender.
This is a well-known risk, famously illustrated by the Firesheep browser extension several years ago. Firesheep allowed users logged into the same *unencrypted* network to snaffle the login cookies of other surfers – clearing the way towards hijacking private accounts. Always-on crypto by websites such as Twitter defends against such threats on a case-by-case basis but surfers always have a responsibility to protect their own security.
In another phase of the experiment, the researchers introduced a Terms & Conditions (Ts&Cs) page that needed to be accepted in order to use the hotspot. The Ts&Cs included the outlandish clause that obligated the user to give up their firstborn child or most beloved pet in exchange for Wi-Fi use. Six people agreed to the Ts&Cs before the page was disabled. The clause illustrated how people typically do not read the Ts&Cs pages, which are often too long to read and difficult to understand.
“We all love to use free Wi-Fi to save on data or roaming charges,” says Sean Sullivan, security advisor at F-Secure, who participated in the experiment. “But as our exercise shows, it’s far too easy for anyone to set up a hotspot, give it a credible-looking name, and spy on users’ internet activity.
“When it comes to hotspots provided by a legitimate source, even those aren’t safe. Even if they aren’t in charge of the hotspot, criminals can still use ‘sniffer’ tools to snoop on what others are doing,” he added.
Surfers are advised to use VPN technology when they need to connect to public Wi-Fi hotspots, using products such as Hotspot Shield or F-Secure's Freedome.
More details of the investigation can be found in the report "Tainted Love: How Wi-Fi Betrays Us".
F-Secure and Europol have jointly warned about free Wi-Fi not-so-hotspots before. Troels Oerting, head of Europol's cybercrime centre, has been campaigning on the well-understood but frequently ignored issue for months, since warning about a growing number of attacks being carried out via public Wi-Fi back in March. ®