The well-understood risk of insecure, public Wi-Fi networks has been graphically illustrated with demonstration hacks against three prominent UK politicians.
The pen-testing style experiment demonstrates the ease with which email, finance and social networking details can be stolen while using free Wi-Fi in cafes, hotels and other public places. The exercise was carried out with the permission of the politicians: Rt Hon David Davis MP, Mary Honeyball MEP, and Lord Strasburger.
Despite holding important positions within their respective assemblies, all three admitted they had received no formal training or information about the relative ease with which computers can be breached while using public Wi-Fi – a service all three admitted to using regularly.
F-Secure teamed up with penetration testing expert Mandalorian Security Services and the Cyber Security Research Institute to conduct the tests. The hacks were mounted after first establishing a malicious Wi-Fi hotspot, controlled by the pen testers.
The politicians – who were well aware that they were being tested – connected to this evil twin network, opening the door to all manner of attacks. The white hats broke into the email account of Tory MP David Davis.
To underline the risk, an email was drafted by ethical hackers Mandalorian and left in his drafts folder destined for the national press, announcing his defection to UKIP. His PayPal account was then compromised, as it used the same username and password as his Gmail, a common habit.
Commenting on his email being accessed, Davis said: “Well, it’s pretty horrifying, to be honest. What you have extracted was a very tough password, tougher than most people use. It’s certainly not ‘Password’."
”Alarmingly, the password would have been broken no matter how strong it was. Public Wi-Fi is inherently insecure: usernames and passwords are shown in plain text in the back of a Wi-Fi access point, making them simple for a hacker to steal," he added.
In the case of Lib Dem peer Lord Strasburger, a Voice over IP (VoIP) call he made from a hotel room was intercepted and recorded using Wireshark, a network security tool that's freely available online.
Mary Honeyball MEP – who sits on the EU committee responsible for the "We Love Wi-Fi" campaign – was browsing the internet in a café when the ethical hacker sent her a message seemingly from Facebook which invited her to log back into her account, as it had timed out.
This was how she unwittingly gave her login credentials to white hat hacker Steve Lord, who then accessed her Facebook account.
Honeyball, who was using a tablet issued to her only days before by the European Parliament’s technology officers, was particularly concerned about the lack of advice she had been given. “I think something should be done, because we all think that passwords make the whole thing secure. I always thought that was the point of passwords. I am surprised and shocked,” she said.
A video documenting the hacks can be found below.