6 Nov 2013

Never mind the spies: the security gaps inside your phone

Our security agencies are feeling the heat amid revelations about the extent of their surveillance programmes. But as the Data Baby project can reveal, spying is now cheap and relatively easy…

The row over spying is set to intensify when the heads of GCHQ, MI6 and MI5 appear before a parliamentary committee on Thursday.

The last five months have seen a series of revelations over a multi-billion pound surveillance programme driven by the American NSA and its British counterpart, GCHQ.

But Channel 4 News has discovered that it’s possible to intercept private information online, including the content of emails, using kit costing just a couple of hundred pounds.

“You don’t need to be the NSA to do this,” said Glenn Wilkinson of security firm SensePost. “People can master this in just a couple of hours.”

As part of the Channel 4 News Data Baby project, we set out to discover how easy it is to intercept the online communications many of us engage in every day.

We assembled a group of students, offered them lunch, and told them we’d like them to participate in an experiment to find out what their phones say about them.

‘I can see her email going back and forth’

Meanwhile, hidden next door were two technology experts from SensePost (pictured right), a company that advises corporate customers on online security.

The experiment relied on a feature automatically built in as the default on the everyday smartphone: once a phone user connects to a free wi-fi hotspot, their phone will remember that network. From then on, the device will always try to connect to it again – without asking the user first.

It’s designed for convenience – in an “always-on” world, being able to switch seamlessly between wi-fi networks is useful. But it also creates a security problem.

SensePost’s tech experts have created (basic) software that listens out for the wi-fi network a phone is trying to find, and then impersonates it. The phone sees SensePost’s fake network, thinks it’s real, and connects.

“Your phone’s always trying to connect to networks it’s connected to in the past,” said Mr Wilkinson. “If you connected to Starbucks free wi-fi last week, it will be trying to find that network again.”


As far as our volunteers were concerned, they were online and everything was fine. But in fact, they were connected to a fake network and all their phones’ traffic was going via the experts’ computers.

Using this technology they were able to see almost everything our volunteers were doing on their phones: from their Google searches to the websites they visited.

Most worryingly, they were able to take control of the Yahoo email account of one of our volunteers. This is because after the initial login, the rest of the Yahoo traffic was transmitted “in the clear”.

“So sitting here I can see her email going back and forth,” said Mr Wilkinson. “I can then impersonate the email account owner, browse the inbox and even send emails seeming to come from her.”

Twitter Q&A
Worried about your wi-fi? Not sure who can see what from your phone? The Channel 4 News Data Baby project is hosting a Twitter Q&A with experts from SensePost, who will be able to answer your questions. Come and find us @DataBabyC4 after the show – from 8pm on Thursday.

The revelation

The SensePost tech experts eventually revealed all to the students, highlighting the risks to which their phones are exposing them, and advised them on how to make their phones more secure.

“I do know I have quite an open profile,” said one of the volunteers, Allie (pictured above). “But to see my emails come up on the screen that was shocking. All my work emails and personal things. It’s really scary to know that can happen.”

As smartphones hunt for wi-fi networks they’ve previously connected to, they are effectively broadcasting locations the phone owner has visited.

SensePost’s software can listen to see whether one of those networks looks like a home wi-fi (such as BTHomeHub12345) – this can then be used to locate the phone user’s home address.

“It’s quite likely there’s only one network in the world with that name,” said Mr Wilkinson. “There are websites where we can look up the physical location of that network. We can then pull up a Google Street View image of that street, and sometimes the individual’s home.”

SensePost’s technology can be built into an off-the-shelf mobile phone, which could be hidden in a public place, like a coffee shop table or train carriage, and left to intercept communications.

The phone can then send whatever it finds back to a central server for analysis – and whoever is behind the interception can use that information, from personal emails to identity information and location, to do whatever they want.

How to avoid falling foul of mobile phone snooping
– Be discerning about when you switch wi-fi on
– Check which wi-fi network you’re connecting to; if you’re connecting to Starbucks when you’re nowhere near a branch, something’s wrong
– Download the latest updates for your phone’s operating system, and keep the apps updated too
– Check your email provider’s security settings to make sure all your email traffic is secure, not just the login process