30 Sep 2014

Never mind your child: wi-fi can expose passwords, emails

An experiment revealed Londoners signed away their eldest child in the terms and conditions of free wi-fi. But there’s more: here’s what unprotected wi-fi can expose about you – and what to do about it.

Providing free wi-fi in a café is no longer just an added extra: like free tap water, it is more a human right than a bonus freebie in many towns and cities.

So when security experts set up a free “Trojan” wi-fi hotspot in London for half an hour, it is no surprise that hundreds of people logged on to get their fix, most without even realising that their phone had logged on automatically.

In a café in Canada Square, six people even logged onto a network with a “Herod clause” in the terms and conditions: in return for free wi-fi, users said they were prepared to “render up their eldest child for the duration of eternity”. Either they were looking for a way to get rid of some moody teenagers, or they didn’t read the contract. Luckily the researchers aren’t holding these people to what they signed up to.

The investigation into our wi-fi use was carried out by the Cyber Security Research Institute and the German penetration testing company SySS, on behalf of the ethical computer security company F-Secure, and the findings were published in a report, aptly called Tainted Love: how wi-fi betrays us.

It follows an Ofcom survey which found that 77 per cent of people are not concerned about the security of public wi-fi.

The eldest child giveaway may have hit the headlines. But the report and investigation highlight how little thought we give to what we’re doing on our devices while using wi-fi networks. Many of us are more concerned with trying to save our 3G data allowance by logging on to any available wi-fi than with keeping track of what we’re doing when we’re connected to it.

What does your wi-fi say about you?

As part of the 30-minute “Trojan” wi-fi experiment, a total of 250 devices were identified by the access point, 33 of which connected to the wi-fi.

In total, 32MB of data was captured, including emails, passwords and data.

“The sending of email caused the researchers some unexpected issues,” the report reads. “We had not realised that user and password data from the highly popular Pop3 email protocol is visible as it passes through wi-fi access points and we had to take steps to anonymise this.

“One such email had been sent from the managing director of a large London office lettings agency – we then took steps to prevent this happening again.”

Much of this is down to a well-known vulnerability in POP3 – a protocol that most email clients use to send and receive emails. Any data sent via POP3 over an insecure wi-fi network can then be “seen” by those who are spying on the wi-fi.
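A plain POP3 login is sent unencrypted unless the mail client is set to use TLS, which is why the researchers could read it at the access point. The following added example (not from the report or this article) audits mail-account settings for that condition; the account records and the security labels are constructed for illustration.

```python
from dataclasses import dataclass

# Ports on which TLS is set up before any mail protocol data is exchanged.
IMPLICIT_TLS_PORTS = {"pop3": 995, "imap": 993, "smtp": 465}

@dataclass
class Account:
    name: str
    protocol: str  # "pop3", "imap" or "smtp"
    port: int
    security: str  # hypothetical labels: "none", "starttls-optional", "starttls-required", "tls"

def audit(acct):
    """Return (severity, reason) for one account's transport settings."""
    if acct.protocol not in IMPLICIT_TLS_PORTS:
        return ("review", f"unknown protocol {acct.protocol!r}")
    if acct.security == "tls":
        expected = IMPLICIT_TLS_PORTS[acct.protocol]
        if acct.port != expected:
            return ("review", f"implicit TLS selected but port is {acct.port}, not {expected}")
        return ("ok", "TLS is established before the login is sent")
    if acct.security == "starttls-required":
        return ("ok", "client will not log in unless the TLS upgrade succeeds")
    if acct.security == "starttls-optional":
        return ("high", "client logs in unencrypted if the upgrade offer never arrives")
    if acct.security == "none":
        return ("high", "username and password cross the access point in cleartext")
    return ("review", f"unknown security setting {acct.security!r}")

def exposed(accounts):
    """Names of accounts whose login could be read on an untrusted network."""
    return [a.name for a in accounts if audit(a)[0] == "high"]

# Constructed sample settings, not taken from the report.
SAMPLE = [
    Account("work-pop", "pop3", 110, "none"),
    Account("home-pop", "pop3", 995, "tls"),
    Account("old-imap", "imap", 143, "starttls-optional"),
    Account("outgoing", "smtp", 587, "starttls-required"),
]

if __name__ == "__main__":
    for a in SAMPLE:
        severity, reason = audit(a)
        print(f"{a.name:10} {severity:7} {reason}")
```

The "starttls-optional" case is flagged because an untrusted access point sits between the client and the mail server, so a client that accepts a missing upgrade offer ends up logging in unencrypted.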

Criminal use

Europol has already seen criminals exploiting the public’s weakness for free wi-fi, said Troels Oerting, Europol’s assistant director, either by tapping into an already existing wi-fi service that doesn’t have robust security, or by setting up their own network, both of which are very easy to do.

The Channel 4 News Data Baby project last year revealed how anyone with access to basic software can impersonate a wi-fi network which a phone or laptop has connected to previously. Your device thinks it is the same one, and connects automatically – and the person who created the “fake” network can “see” any data the device user is sending. Channel 4 News uncovered emails, photos, contact details – and where participants had been in the past, via the wi-fi networks they had logged on to.

The risks are huge, said Mr Oerting: “The problem with this is that this is much more insecure than 99 per cent of our population know. With public wi-fi, you could just as easily put it up on a big white screen wherever you are,” he said.

“We have got reports from member states that criminals have provided free wi-fi in areas where they want to steal people’s information. So we have already seen this in operation.”

Is there anything we can do?

The report is calling for stricter control on wi-fi access points and a certification model so users know what is secure. It also said that network operators should be banned from accessing, harvesting or exploiting data gleaned from wi-fi.

But users can also take steps to protect their personal information by using VPN technology while on public wi-fi. Or better yet, leave the personal emails, the sending of contracts and logging on to the bank until you are in the comfort of your own secure wi-fi network.