A group of security experts has hacked into the personal devices of several politicians to highlight the insecurity of public Wi-Fi.
F-Secure joined forces with pen-testing specialists Mandalorian Security Services and the Cyber Security Research Institute to hack UK MP David Davis, MEP Mary Honeyball and Lib Dem peer Paul Strasburger – with their prior consent.
Mandalorian gained access to Davis’ email account by grabbing his username and password via a simple public Wi-Fi attack, and left a draft message addressed to the national press announcing his defection to UKIP.
They were also able to compromise his PayPal account as it used the same credentials as his Gmail account, F-Secure revealed.
Mary Honeyball was hacked while browsing the web in an internet café. The ethical hackers sent her a phishing message purporting to come from Facebook, which she then ‘logged into’ – giving them access to this account.
Honeyball, who was apparently using a tablet only recently given to her by the European Parliament, expressed concern about the lack of support and advice provided by its IT department.
“I think something should be done because we all think that passwords make the whole thing secure,” she said. “I always thought that was the point of passwords. I am surprised and shocked.”
Finally, Baron Strasburger had a VoIP call made from a hotel room intercepted and recorded using kit available on the internet.
F-Secure security advisor, Sean Sullivan, argued that educating the public on the dangers of public Wi-Fi use is extremely challenging.
He added that even for more savvy users, it’s difficult to know when personal information and account details are exposed to hackers. This is because mobile providers are increasingly extending their networks with Wi-Fi. Hardware makers build devices to switch over to Wi-Fi sporadically in the background, in order to improve connectivity.
“Unfortunately education doesn’t really scale, at least not as quickly as the security issues do,” Sullivan told Infosecurity.
“My hope would be to educate the politicians so that they then push for regulations that incentivize HTTPS encryption on sites – or to encourage service providers to nudge their customers to try services such as VPNs.”