An investigation conducted in London has shown the ease with which personal data can be hacked when the target is using public Wi-Fi. Security and privacy software company F-Secure teamed up with penetration testing expert Mandalorian Security Services and the Cyber Security Research Institute to conduct the test – in this case, hacking into the devices of three politicians.
The politicians, deliberately selected from the most powerful chambers in UK politics, were Rt. Hon. David Davis MP, Mary Honeyball MEP and Lord Strasburger. The exercise was carried out with the permission of the politicians who, despite holding important positions within the different parliaments, admitted that they had received no formal training or information about the relative ease with which computers can be breached while using public Wi-Fi – a service they all admitted to using regularly.
Commenting on his email being accessed, Davis said: “Well, it’s pretty horrifying, to be honest. What you have extracted was a very tough password, tougher than most people use. It’s certainly not ‘Password’.” Alarmingly, the password would have been broken no matter how strong it was. Public Wi-Fi is inherently insecure – usernames and passwords are shown in plain text in the back of a Wi-Fi access point, making them simple for a hacker to steal.
To underline the risk, an email was drafted by ethical hackers Mandalorian and left in his drafts folder destined for the national press, announcing his defection to UKIP. His PayPal account was then compromised, as it used the same username and password as his Gmail – a common habit.
In the case of Lord Strasburger, a Voice over IP (VoIP) call he made from a hotel room was intercepted and recorded using technology freely available on the Internet, and relatively easy to master. Strasburger said, “That’s very worrying. This is very powerful equipment. The thought that a beginner could be up and running in a very few hours is really worrying. I think it proves that people (when they are using technology) need to know a lot more about it. In the end, they have to look after themselves, because it really is down to you, no one else is going to do it.”
Mary Honeyball MEP, who sits on the EU committee responsible for the ‘We Love Wi-Fi’ campaign, was browsing the Internet in a café when the ethical hacker sent her a message seemingly from Facebook which invited her to log back into her account, as it had timed out. This was how she unwittingly gave her login credentials to the hacker, who then accessed her Facebook account.
Honeyball, who was using a tablet issued to her only days before by the European Parliament’s technology officers, was particularly concerned about the lack of advice she had been given. “I think something should be done because we all think that passwords make the whole thing secure. I always thought that was the point of passwords. I am surprised and shocked,” she said.
Each hack not only demonstrated the simple steps a hacker can take to circumvent password protected services, but also how the personal data could be used for further attacks. “The average person will think that a hacker knowing which sports team I follow is a pretty useless piece of information,” said Steve Lord, director at Mandalorian. “But once he knows that, he can craft a phishing email specifically for you and your likes, knowing that you will be more likely to open it. Once you click on a link within that email or open an attachment, they have you – they will load malware onto your devices and then you will end up giving away all of your information. Not only that, but your company information too, if you use your devices to access the company network.”
Sean Sullivan, Security Advisor at F-Secure, has this advice for people using public Wi-Fi: “People shouldn’t be afraid to use public Wi-Fi – it’s a fantastic service. But they must understand that there are risks and it is their responsibility to protect themselves. This is simply done using a piece of software called a Virtual Private Network (or VPN). For phones and tablets, these are available as an app. Our Freedome VPN will encrypt all data travelling from the device to the network, meaning that the hacker will steal nothing of use. Simply turning it on gives you the best protection you can possibly have to stay safe over public Wi-Fi, so you can focus on what you’re doing instead of worrying about staying safe.”