In a Europol-supported investigation, researchers found consumers recklessly exposing their personal details via public wi-fi and carelessly agreeing to outlandish terms and conditions.
A new F-Secure wi-fi investigation conducted on the streets of London shows that consumers carelessly use public wi-fi without regard for their personal privacy. In the experiment, which involved setting up a ‘poisoned’ wi-fi hotspot, unsuspecting users exposed their Internet traffic, their personal data, the contents of their email, and even agreed to an outrageous clause obligating them to give up their firstborn child in exchange for wi-fi use.
The independent investigation, supported by Europol, was carried out on behalf of F-Secure by the UK’s Cyber Security Research Institute and SySS, a German penetration testing company. For the exercise, SySS built a portable wi-fi access point from components costing around 200 euros and requiring little technical know-how. Researchers set the device up in prominent business and political districts of London. They then watched as people connected, unaware their Internet activity was being spied on.
In a thirty-minute period, 250 devices connected to the hotspot, most of them probably automatically without their owners realizing it. 33 people actively sent Internet traffic by carrying out web searches and sending data and email. 32 MB of traffic were captured (and promptly destroyed in the interest of consumer privacy). And in a surprising finding that underscores the need for encryption, the researchers found that the text of emails sent over a POP3 network could be read, as could the addresses of the sender and recipient, and even the password of the sender.
For a short period, the researchers introduced a Terms & Conditions (T&C) page that needed to be accepted in order to use the hotspot. The T&C included an outlandish clause that obligated the user to give up their firstborn child or most beloved pet in exchange for wi-fi use. In total, six people agreed to the T&C before the page was disabled. The clause illustrated the lack of attention people typically pay to T&C pages, which are often too long to read and difficult to understand.
“We all love to use free wi-fi to save on data or roaming charges,” says Sean Sullivan, Security Advisor at F-Secure, who participated in the experiment. “But as our exercise shows, it’s far too easy for anyone to set up a hotspot, give it a credible-looking name, and spy on users’ Internet activity.” When it comes to hotspots provided by a legitimate source, even those aren’t safe, he says. Even if they aren’t in charge of the hotspot, criminals can still use ‘sniffer’ tools to snoop on what others are doing.
“The issue of wi-fi security is one that we at the European Cybercrime Centre (EC3) at Europol are very concerned about,” says Troels Oerting, Head of Europol’s EC3. “We wholeheartedly support activities which shine light on this everyday risk consumers face.”
The solution? Either stay away from public wi-fi – or use wi-fi security. With wi-fi security, your connection is invisible in the wi-fi network and your data is made unreadable by encryption. So even if someone tries, they can’t tap into your data. F-Secure Freedome is a wi-fi security product, or VPN, that creates a secure, encrypted connection from your device and protects you from snoops and spies, wherever you go and whatever wi-fi you use.
Still don’t believe that public wi-fi poses risks? Take a closer look next time you’re faced with a Terms & Conditions page for a public wi-fi hotspot. “A good number of open wi-fi providers take the time to tell you in their T&C that there are inherent risks with wireless communications and suggest using a VPN,” Sullivan says. “So if you don’t take it from me, take it from them.”
For full details and stats of the investigation, check out the report “Tainted Love: How Wi-Fi Betrays Us” at http://safeandsavvy.f-secure.com/2014/09/29/danger-of-public-wifi/.
Disclaimer: During the course of this experiment, no user was compromised at any point, nor was user data exposed in a way that it could have been subject to misuse. We have not logged any user information, and during the experiment a lawyer supervised all our activities to avoid breaching any laws.