Earlier this summer several unsuspecting Londoners offered their first born in exchange for free WiFi. Wait, what? Yes, you read that correctly. During an experiment sponsored by security firm F-Secure, researchers set up a hotspot in the city’s busiest shopping areas and watched unsuspecting people connect to it. Those initially connecting to the access point agreed to terms and conditions that included a “Herod” clause, promising free wireless if “the recipient agreed to assign their first born child to us for the duration of eternity.”
Six people agreed to the terms and conditions of the Herod clause (which was obviously not enforced by the security firm) before the page was disabled. Research continued without the absurd clause, and in just half an hour 250 devices connected automatically, with 33 of those conducting web searches and transmitting internet data.
The mobile hotspot device, built by German ethical-hacking company SySS using a Raspberry Pi computer, a battery pack and a WiFi aerial, was small enough to fit in a woman’s purse. The device captured 32 MB of data, including user credentials and the contents of emails, during this experiment. Researchers noted that the popular POP3 email protocol revealed the actual texts of emails, the addresses of the sender and recipient, and even the password of the sender. Obtaining this information could give a potential hacker access to confidential data such as bank account information.
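To check whether a mail client exposes its POP3 login this way, the following added example (not part of the original article) audits a client-side session log and flags credential commands issued before the STLS upgrade defined for POP3. The transcripts are constructed, and the `audit_pop3_session` helper and the `S:`/`C:` log format are assumptions made for illustration.

```python
# Constructed client-side POP3 logs (not captured traffic); account and password are placeholders.
PLAINTEXT_SESSION = """\
S: +OK POP3 server ready
C: CAPA
S: +OK
S: USER
S: STLS
S: .
C: USER alice@example.test
S: +OK
C: PASS example-password
S: +OK logged in
"""

STLS_SESSION = """\
S: +OK POP3 server ready
C: STLS
S: +OK begin TLS negotiation
C: USER alice@example.test
S: +OK
C: PASS example-password
S: +OK logged in
"""

def audit_pop3_session(transcript):
    """Flag credential commands sent before TLS was negotiated (hypothetical helper)."""
    findings, tls_active, stls_offered, last_client = [], False, False, None
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        word = text.split(" ", 1)[0].upper()
        if side == "S":
            if last_client == "CAPA" and word == "STLS":
                stls_offered = True  # server advertises the TLS upgrade
            elif last_client == "STLS" and word == "+OK":
                tls_active = True  # everything after this is encrypted on the wire
        elif side == "C":
            last_client = word
            # Report only the command name, never the credential itself.
            if word in ("USER", "PASS", "APOP") and not tls_active:
                findings.append(f"{word} sent before TLS")
    if findings and stls_offered:
        findings.append("server offered STLS but the client did not use it")
    return findings

if __name__ == "__main__":
    for name, log in (("plaintext", PLAINTEXT_SESSION), ("stls", STLS_SESSION)):
        print(name, audit_pop3_session(log))
```

A client configured for implicit TLS never produces a plaintext log like the first one, so any finding here points at a mail account setting to change.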
The experiment, organized by the Cyber Security Research Institute, sought to highlight the dangers of using public WiFi. The study also found that devices on average reveal the last 19 access points they have connected to. A perpetrator could accurately identify an individual knowing just four of those networks.
This is more than enough evidence to show how easily an attacker can steal your user credentials. Through a wireless man-in-the-middle attack, a perpetrator could impersonate a WiFi network your device has connected to previously. Before realizing anything is amiss, the device could connect to the phony SSID and send user credentials and personal information to the attacker. Now this is serious business.