White hat hackers have shown that usernames, passwords, contact lists, details of e-commerce accounts and banking details can be sniffed easily from public Wi-Fi hotspots.
To illustrate one of the many ways people can have their data compromised, the white hat hackers from First Base Technologies conducted two tests in partnership with security firm Trend Micro.
The experiments were conducted as part of qualitative research commissioned by Trend Micro to run alongside quantitative research that showed poor UK attitudes to mobile security.
The information was intercepted using a variety of software available free of charge online.
Capturing data on public Wi-Fi
The first experiment used a Wi-Fi network in a public London location to which people were allowed to connect only if they gave their consent for data to be collected.
They were told that the aim of the experiment was to raise awareness of the risks of using the internet through mobile devices and public Wi-Fi.
Read more about mobile and Wi-Fi security
- Securing your Wi-Fi data network
- All quiet on the Wi-Fi security front
- Underexposed risks of public Wi-Fi hotspots
- Security, Wi-Fi top network technology purchasing survey for 2014
- Most businesses hit by mobile security incident, study shows
- How to secure mobile endpoints? Start with a mobile strategy
- Mobile Security Strategies
- Best practices for improving mobile data security
This experiment used a 4G router for internet access, wired to a separate wireless access point and a laptop between the two to sniff traffic using packet-capturing software.
Most participants were surprised at just how much data the packet-sniffing app was able to deliver from their activities while connected to the hotspot used for the experiment.
None of the participants was aware that hackers could set up rogue wireless access points or evil twins that masquerade as legitimate hotspots to be used for stealing personal information.
They were also surprised to discover that many details were exchanged with their online service provider in clear text and not in an encrypted form.
Rogue app strips encryption
The second set of experiments at First Base Technologies did not involve the public. It was conducted using firm’s own private wireless network and a variety of smartphones apps.
“What really surprised me was that we were able to do this using an easily available smartphone app,” Peter Wood, chief executive at First Base Technologies told Computer Weekly.
One experiment used an app designed for “educational” purposes to attack devices on the same wireless network.
This forced victim devices to use the attacking phone as the gateway to the Internet, said Mike McLaughlin, senior penetration tester and technical team lead at First Base Technologies.
“This meant all traffic was sent through the attacking phone, and in a lot of cases the app could ‘strip’ the encryption from a secure connection,” he said.
When it comes to improving security around the use of mobile data connections for business communications, education is extremely important, said Wood.
The human firewall
“I am a strong believer in colleagues, employees and managers as intelligent people who can fulfil the role of human firewall,” he said.
Failure to involve people in maintaining security and relying on technical controls alone is risky, he said, because people will always go around controls if they do not fully understand the consequences.
According to McLaughlin, the sooner the IT security teams realise they can empower users by educating them about the risks and making security their responsibility, the better.
Wood said larger organisations should appoint individuals to the role of dedicated security evangelist to inspire people in the organisation to follow good security practices.
These evangelists can also play the important role of taking feedback from employees where policies and processes do not work or hamper their ability to do their job.
“In an organisation of 500 or more employees, the salary of a security evangelist would not be that significant, but would make a bigger difference to security than any other single investment,” said Wood.
However, he also believes that every individual, employee or manager, has a responsibility to educate themselves about the risks of wireless computing, poorly designed websites, and poorly designed apps.
“There is certainly no excuse for anyone in the C-suite to say they have no interest in IT because they should be in a position to advise employees on best practices,” said Wood.
“In most organisations there needs to be a greater understanding of the threats and risks, starting at the top, but the C-suite are almost always setting a bad example,” he said.
Providers of public Wi-Fi hotspots also have a role to play, said Wood, by ensuring they deploy technologies that can make their facilities 200 times more secure, which could be used as a selling point.