Internet security provider F-Secure has exposed the risk of using public WiFi hotspots by carrying out an experimental hack on three British politicians.
F-Secure teamed up with penetration testing experts at Mandalorian Security and the Cyber Security Research Institute, and was able to gain access to the private data of MP David Davis, Lord Strasburger and MEP Mary Honeyball.
The researchers used a virtual private network to demonstrate the insecurity of data flowing through a public internet connection.
They were able to access social media, email and PayPal accounts, and even intercept and record a phone conversation using Voice over IP.
The politicians all gave permission for the exercise to take place and admitted that, despite regularly using public WiFi connections, they had received no formal training on how to protect their data.
Conservative MP Davis, who recently joined forces with Labour's Tom Watson to challenge emergency surveillance legislation that was rushed through parliament last year, said that he was alarmed at the ease of password theft.
“Well, it’s pretty horrifying, to be honest. What you have extracted was a very tough password, tougher than most people use. It’s certainly not ‘Password’.”
Mandalorian also demonstrated just how easy it is to tamper with personal data over a public connection by drafting an email destined for the national press claiming that Davis was defecting to UKIP, before using the same password to access his PayPal account.
Honeyball, who sits on the EU committee responsible for the ‘We Love WiFi’ campaign, was using a government-issued tablet at the time of the experiment. She said that the lack of guidance she had been given was particularly concerning.
"I think something should be done because we all think that passwords make the whole thing secure. I always thought that was the point of passwords. I am surprised and shocked," she added.
Each experiment was a demonstration of how easy it is for a hacker on a public connection to find personal information and exploit it for further attacks.
Lord Strasburger warned that people using public internet connections need to be aware of how to protect their personal data.
"The thought that a beginner could be up and running in a very few hours is really worrying. I think it proves that people, when they are using technology, need to know a lot more about it," he said.
Sean Sullivan, security advisor at F-Secure, told V3 that there is a fundamental problem with public WiFi security.
"The problem with our technology is that it doesn't know when and where to limit itself. It's not actually all that 'smart' because it is always willing to be very personal," he explained.
"That's what we like about it, the personal services, but that also means that all of our personal information is being dropped into a leaky bucket.
"That's my main concern - not that you'll be individually attacked while using public WiFi, but that your data will leak, will be collected and will eventually be contained in a database breach. At which time, it will be converted into a commodity and used by criminals."
The team at F-Secure carried out another experiment last year, which inserted a ‘first-born’ clause into the terms and conditions of public WiFi.
The clause stated that the user must give up their ‘first-born child or most beloved pet’ in exchange for WiFi use, and the team found that it mostly went unnoticed.