UK consumers are still failing to understand the security risks associated with surfing public Wi-Fi hotspots, according to new research from F-Secure.
The Finnish security firm commissioned German pen testing firm SySS to build a €200 ($252) portable access point and set it up in various areas of London.
It found that in just half an hour, 250 devices connected to the hotspot of which the majority are likely to have done so automatically without the intervention of their owner.
Some 33 people (13%) actually carried out web searches or sent data via the Wi-Fi point, with 32MB of traffic captured by the researchers. The text of POP3 emails, as well as the address of sender and recipient and the password of the sender were also visible.
To emphasize the lack of attention paid to Terms & Conditions, F-Secure introduced a cheeky clause in the T&Cs which required users to give up their firstborn child or most beloved pet in exchange for Wi-Fi use.
Amazingly, six people clicked through to accept even these T&Cs.
F-Secure explained in a blog post:
“We, of course, won’t enforce the clause and make people follow through with surrendering their loved ones – but this should give us all pause: What are we really signing up for when we check the “agree” box at the end of a long list of T&C’s we don’t read? There’s a need for more clarity and transparency about what’s actually being collected or required of the user.”
The experiment itself has shone yet another light on the security problems of using public Wi-Fi and the relative ease with which cybercriminals can harvest online account passwords and sensitive data with minimal financial outlay or technical know-how.
F-Secure security advisor, Sean Sullivan, argued that while the experiment showed it’s “far too easy for anyone to set up a hotspot, give it a credible-looking name, and spy on users’ internet activity,” even a legitimate hotspot can be dangerous.
Cybercriminals can use sniffer tools on these to conduct similar snooping exercises, he said.
F-Secure’s advice is to switch off Wi-Fi when out and about or use a Wi-Fi security tool which allows for an encrypted connection.
Security consultant, Brian Honan, a special advisor to Europol’s EC3, told Infosecurity that corporate users must all be trained in how to use wireless networks securely and protect their devices.
“Users should always use a VPN when connecting over any public network, or indeed any network that is not supplied by their own company,” he added.
“Also, users should configure the wireless settings on their devices to not connect automatically to a Wi-Fi network. Having to manually connect to a wireless network each time will act as a reminder to users to ensure they are connecting to a genuine hotspot.”