An experiment carried out in London by the Cyber Security Research Institute, sponsored by security firm F-Secure, and with the support of Europol, created the eye-catching result of six unsuspecting WiFi users agreeing ‘to assign their first born child to us for the duration of eternity’ when they failed to read the Terms and Conditions attached to a ‘free’ public WiFi hotspot.
This ‘Herod clause’ was part of a project designed to highlight the dangers of using public WiFi hotspots. While it is the most headline-grabbing result, the news that many (most?) people do not bother to read the deliberately lengthy and obtuse terms and conditions attached to almost anything we do on a computer is hardly a revelation, although it arguably highlights the urgent need for some form of regulation of Terms and Conditions contracts.
For the record, agreeing to hand over your kids is not legally binding, so if any of the affected users were parents, they can sleep peacefully at night.
More interesting are the findings made after the Herod clause was removed. 33 devices connected to the hotspot, which particularly alarmed the researchers because they could see emails sent using the POP3 protocol in clear text, including personal information such as account passwords.
Had the researchers been crooks, they could have collected a treasure trove of information that could be used to hack the ‘victims’’ accounts. Sean Sullivan from F-Secure explained to the Guardian,
‘The authentication happens in plain text in some old protocols. You could probably snare a lot of people using email… you could do more to refine [an attack] to capture more people’s mail.’
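The point Sullivan makes is that POP3 credentials cross the wire readable to anyone on the same hotspot unless TLS is negotiated first. The following is an added example, not code from the article or from F-Secure: a small detector that scans a constructed POP3 session transcript (client lines prefixed `C:`, server lines `S:`, with an `<encrypted>` marker standing in for the TLS handshake) and reports whether a login was exposed. It also covers `AUTH PLAIN`, whose base64 encoding is frequently mistaken for protection.

```python
"""Flag POP3 logins that were sent before TLS was negotiated (RFC 1939 USER/PASS, RFC 2595 STLS, SASL PLAIN)."""
import base64

# Constructed sample transcripts, not real captures.
PLAINTEXT_SESSION = """S: +OK POP3 server ready
C: USER alice@example.test
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: STAT
S: +OK 2 3456
"""

AUTH_PLAIN_SESSION = "S: +OK POP3 server ready\nC: AUTH PLAIN " + \
    base64.b64encode(b"\0bob@example.test\0s3cret").decode() + "\nS: +OK\n"

STLS_SESSION = """S: +OK POP3 server ready
C: CAPA
S: +OK
S: STLS
S: .
C: STLS
S: +OK Begin TLS negotiation
<encrypted>
"""

def find_plaintext_auth(transcript):
    """Return {"user", "mechanism"} for a credential visible on the wire, or None
    if TLS was established before any credential was sent (or no login happened)."""
    stls_pending = False
    pending_user = None
    for raw in transcript.splitlines():
        if raw == "<encrypted>":
            return None  # everything after the handshake is opaque to an observer
        side, _, text = raw.partition(": ")
        if side == "S":
            if stls_pending and text.startswith("+OK"):
                return None  # server accepted STLS; later login is protected
            stls_pending = False
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "STLS":
            stls_pending = True
        elif verb == "USER":
            pending_user = arg
        elif verb == "PASS":  # password itself is deliberately not echoed back
            return {"user": pending_user, "mechanism": "USER/PASS"}
        elif verb == "AUTH" and arg.upper().startswith("PLAIN "):
            # SASL PLAIN is only base64-encoded: authzid\0authcid\0password
            _, authcid, _ = base64.b64decode(arg.split(None, 1)[1]).split(b"\0")
            return {"user": authcid.decode(), "mechanism": "AUTH PLAIN"}
    return None
```

Run the function over the three samples: the first two report an exposed login, the STLS session reports nothing, which is the behaviour a properly configured client (POP3S on port 995, or STLS before authentication) produces.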
Perhaps even more insidious is the metadata that was collected. Often touted by governments as ‘harmless’ (which is of course why governments are so keen on collecting vast amounts of it!), the researchers found that even when not connected to a WiFi hotspot, mobile devices on average kept records of the last 19 WiFi networks they had detected, records that could be used to accurately identify an individual user and track their location as they moved around:
‘It’s a particularly disturbing development as recent research has shown that individuals can be accurately identified by using just the last four access points where they have logged on.’
Other metadata, such as users’ device IDs and websites visited, could be used to build up an even more accurate picture of a target’s movements.
The experiment was conducted using a portable WiFi hotspot constructed out of a Raspberry Pi, a battery pack, and a WiFi aerial, ‘all held together with elastic bands’ – total cost £160 (US$260). To be honest, we think that ‘German ethical-hacking company’ SySS overcharged for this, as a basic Raspberry Pi can be had for around $35, but the point that such a system can be very easily and cheaply made stands.
‘Sullivan advises users to run a Virtual Private Networking (VPN) software product, which will encrypt the data being sent to and from their device.’