Public Wifi hotspot test shows how easily criminals can steal personal data
Security experts have warned that free public Wifi is "inherently unsafe", with criminals able to steal people's information and login details easily.
The warning follows a Computeractive test that revealed how easy it is for people to fall foul of rogue wireless networks.
Working with security experts from Bitdefender, we conducted experiments at Euston railway station, Covent Garden and near a busy London hotel. Using a smartphone and laptop, we set up a wireless connection and renamed its SSID as ‘Free Wifi’. Within seconds, people started trying to connect to our ‘Free Wifi’.
Computeractive made it clear that using the network would reveal personal details. Despite this, 85 per cent of people (34 out of 40) who connected to the Wifi agreed to the terms (and in doing so, authorised the disclosure of their details) and connected to our network.
While unverified Wifi networks pose a risk, there are ways that users of laptops and other portable devices can browse sites in safety – these are outlined in a detailed article and step-by-step guide in the current issue of Computeractive magazine.
Alexandru Balan, senior product manager at Bitdefender, explained what a criminal running a rogue network would see. "Connecting to an unknown network is inherently unsafe. Once a Wifi network is set up its owner can monitor all the traffic made by its users.
"If you access an unencrypted service, the criminal can see everything you see. For example, if you connect to Facebook, an attacker can hijack your account," said Mr Balan.
We presented our findings to Homayoun Sarkechik, a senior product manager at Norton, which produces a range of security software.
"I'm not surprised that 85 per cent of people accepted your terms and conditions," he said. "Wifi service providers need to explain the risks of using public Wifi. Spoofing a public hotspot is really easy; people shouldn't do anything confidential on them."
The risks posed by Wifi hotspots
The main risk of using freely available public Wifi is that there is no reliable way for people to identify who is running the network. Anyone can set up a network and call it ‘Free Public Wifi’.
The dialogue boxes and messages users see when making the connection can be made to look like those of legitimate providers such as BT by using logos stolen from web pages.
Once connected, criminals can use freely available software to record and analyse all unencrypted pages. Login details cannot be viewed but criminals can view the content of Facebook accounts, emails and more.
In another test, conducted with volunteers to avoid breaking the law – each of whom willingly provided clear authority to disclose their personal information – we saw further security flaws that can be exploited by criminals.
When shopping online or using online banking a secure connection is used. This means the connection between you and the website can't be intercepted. But it can be exploited using a fake SSL certificate.
An SSL certificate verifies that a connection is secure, but if a fake certificate is approved by a user, all login data can be viewed by hackers. In our volunteer test we entered the password for a Paypal account after accepting a fake SSL certificate – the password immediately appeared on the hacker's PC.
What the terms of our public Wifi network warned
The law is clear on matters of both accessing PCs without consent and intercepting network traffic, and Computeractive took care to ensure no data from the devices of the people who tried to connect to our network was recorded.
We also clearly warned them about what joining the network could reveal about them, and barred access to the network until they explicitly agreed to our terms by clicking the 'I agree' button in a dialogue box.
Despite this explicit warning, 34 people in effect agreed to let us see everything they did on the internet using a portable device. Of course, the more likely explanation is that people did not read the warning, clear as it was, and instead clicked the button in their rush to take advantage of ‘free’ Wifi access.
How to use public Wifi hotspots safely
The willingness of people to trust practically anything described as free online has led many to lower their defences when it comes to internet access. Despite the clarity of the warning we displayed when users tried to connect, it was clear that most ignored it and clicked 'OK' – giving us permission to view their browsing session in the process.
But how can you tell the difference between fake networks set up by criminals, and legitimate free networks operated by the likes of BT? It's not as simple as you may think – but the current edition of Computeractive magazine explains the issue in detail, and provides a step-by-step guide to using free Virtual Private Network software to scramble the data and keep your personal information safe and secure.