Would you give up your firstborn child or favorite pet to use free WiFi? Of course not. Sounds crazy, right? Even if you are in desperate need of WiFi for that one important call or conference, or absolutely need to connect to Facebook on your mobile, there are limits. But in an independent investigation conducted on behalf of F-Secure, several users agreed to do just that – just to be able to instantly, freely connect to the Internet while on the go.
For the experiment, we asked Finn Steglich of the German penetration testing company, SySS, to build a WiFi hotspot, take it out on the streets of London, set it up, and wait for people to connect. The purpose? To find out how readily people would connect to an unknown WiFi hotspot. (You can view our complete report, see the video and listen to the podcast below.)
Thing is, public hotspots are insecure. Public WiFi simply wasn’t built with 21st century security demands in mind. When you use public WiFi without any added security measures, you leak data about yourself from your mobile device. And this could cost you and your company money, because everyone has data they want protected. We know it, but we wanted to find out how well people out on the street know it, whether or not they take precautions, and what kind of data they would actually leak without software protecting their mobile devices.
We also enlisted the help of freelance journalist Peter Warren of the UK’s Cyber Security Research Institute, who came along to document it all. Accompanying the two was Sean Sullivan, F-Secure’s Security Advisor.
Leaking personal information
What we found was that people readily and happily connected, unaware their Internet activity was being spied on by the team. In just a half-hour period, 250 devices connected to the hotspot. Most of these were probably automatic connections, without their owner even realizing it. 33 people actively sent Internet traffic, doing web searches, sending email, connecting to Facebook, etc. The team collected 32 MB of traffic – which was promptly destroyed in the interest of consumer privacy.
The researchers were a bit surprised when they found that they could actually read the text of emails sent over POP3, along with the addresses of the sender and recipient, and even the password of the sender. Encryption software or algorithms, anyone? If you aren’t already using it, you should be!
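The POP3 finding above can be checked from the user's side. This is an added example, not part of the original article or the SySS setup: it reads a mail client's debug log and reports which kinds of data left the device before TLS was active, including the case where the upgrade is refused and the client logs in anyway. The `C: `/`S: ` log format, the function name and the sample sessions are assumptions made for the illustration.

```python
# Added example. All session logs below are constructed, not captured traffic.
SENSITIVE = {                      # POP3 command -> what it puts on the wire
    "USER": "account name",
    "PASS": "password",
    "RETR": "message text and sender/recipient headers",
    "TOP": "sender/recipient headers",
}

def exposed_items(log: str) -> list[str]:
    """Return the kinds of data a POP3 session sent before TLS was active.

    `log` is a client debug log of 'C: '/'S: ' lines; values are never returned.
    """
    encrypted = False
    awaiting_stls_reply = False
    exposed: list[str] = []
    for line in log.strip().splitlines():
        side, _, text = line.strip().partition(": ")
        if side == "C":
            verb = text.split(" ", 1)[0].upper()
            awaiting_stls_reply = verb == "STLS"
            kind = SENSITIVE.get(verb)
            if kind and not encrypted and kind not in exposed:
                exposed.append(kind)
        elif side == "S" and awaiting_stls_reply:
            # Only a +OK reply to STLS starts the TLS handshake (RFC 2595).
            encrypted = text.startswith("+OK")
            awaiting_stls_reply = False
    return exposed

PLAIN_SESSION = """
S: +OK POP3 server ready
C: USER alice@example.test
S: +OK
C: PASS placeholder-secret
S: +OK 1 message
C: RETR 1
S: +OK message follows
"""

# The same session with a TLS upgrade that succeeds, and one where the
# upgrade is refused but the client carries on and logs in regardless.
TLS_SESSION = PLAIN_SESSION.replace("C: USER", "C: STLS\nS: +OK begin TLS\nC: USER", 1)
FALLBACK_SESSION = PLAIN_SESSION.replace("C: USER", "C: STLS\nS: -ERR not supported\nC: USER", 1)

if __name__ == "__main__":
    for name in ("PLAIN_SESSION", "TLS_SESSION", "FALLBACK_SESSION"):
        print(name, exposed_items(globals()[name]))
```

A client set to require TLS would stop at the `-ERR` reply instead of continuing as the fallback session does.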
The Herod clause
For part of the experiment, the guys enabled a terms and conditions (T&C) page that people needed to agree to before being able to use the hotspot. One of the terms stipulated that the user must give up their firstborn child or most beloved pet in exchange for WiFi use. In the short time the T&C page was active, six people agreed to the outlandish clause.
Of course, this simply illustrates the lack of attention people pay to such pages. Terms and conditions are usually longer than most people want to take time to read, and often they’re difficult to understand. We, of course, won’t enforce the clause and make people follow through with surrendering their loved ones – but this should give us all pause: What are we really signing up for when we check the “agree” box at the end of a long list of T&C’s we don’t read? There’s a need for more clarity and transparency about what’s actually being collected or required of the user.
So what’s really the issue here? What’s going to happen to your data, anyway? The problem is there are plenty of criminals who love to get their hands on WiFi traffic to collect usernames, passwords, etc. It’s easy and cheap enough for them to set up their own hotspot somewhere (the whole hotspot setup only cost SySS about 200 euros), give it a credible-looking name, and just let the data flow in. And even if a hotspot is provided by a legitimate business or organization, criminals can still use “sniffing” tools to spy on others’ Internet traffic.
So be warned: Public WiFi is NOT secure or safe. But we’re not saying don’t use it, we’re saying don’t use it without proper security. A good VPN will provide encryption so even if someone tries, they can’t tap into your data.
Tainted love: how wi-fi betrays us – report
F-Secure Freedome is our super cool, super simple wi-fi security product, or VPN. Freedome creates a secure, encrypted connection from your device and protects you from snoops and spies, wherever you go and whatever WiFi you use. (Bonus: It also includes tracking protection from Internet marketers, browsing protection to block malicious sites and apps, and lets you choose your own virtual location so you can view your favorite web content even when you’re abroad.)
Still don’t believe that public WiFi poses risks? Take a closer look next time you’re faced with a terms and conditions page for a public WiFi hotspot.
“A good number of open wi-fi providers take the time to tell you in their T&C that there are inherent risks with wireless communications and suggest using a VPN,” Sullivan says. “So if you don’t take it from me, take it from them.”
Disclaimer: During the course of this experiment, no user was compromised at any point, nor was user data exposed in a way that could have made it subject to misuse. We have not logged any user information, and during the experiment a lawyer supervised all our activities to avoid breaching any laws.