I wonder how many of us have sat in a public location like a coffee shop and used the public wifi on offer. Stab in the dark, I’d guess it’s north of 90% and that those numbers are getting bigger. Whilst businesses used to be hell-bent on squeezing a few extra pounds out of customers for wifi access, the growth in both mobiles and people’s expectation that connectivity should be provided as a basic service has seen the provision of free wifi become more common.
But with convenience comes danger. A couple of months ago, the risks of simply relying on public networks were clearly highlighted by security firm F-Secure following an experiment that they carried out in London. Using a mobile hotspot device hacked together for the princely sum of £160 (comprising a Raspberry Pi, a battery pack and a wifi aerial, held together with elastic bands), they set up a temporary network in busy locations and sat back to see what would happen.
As random people logged onto their temporary free network, F-Secure could read their passwords (displayed in plain text via the POP3 email protocol) and also view the last 19 or so networks that each had logged into (valuable information if you’re tracking someone down).
There are more details about the experiment in the document they produced here and in a short video:-
We obviously need to think more carefully about the data that we’re leaking across our devices. I consider myself to be fairly tech-savvy but whilst I pay for a VPN service that I use across all my devices in public, I’m as guilty as anyone else of having connected to public wifi occasionally for the sake of convenience. The solution to this problem has to get over two interrelated barriers, namely education and cost. The risks must be clearly understood by the wider public before the majority can justify paying that additional cost.
I suspect the solution is either going to have to come via phone companies who choose to integrate VPN-like protections directly within the devices (challenging in such a competitive business) or from consumer demand (driven by more high-profile security scares no doubt).
An interesting aside: I originally heard of this experiment when it transpired that F-Secure had hidden a clause away in the terms and conditions that people had to accept before accessing their wifi hotspot. The so-called “Herod clause” meant that people were entitled to use the wifi but only if “the recipient agreed to assign their first born child to us for the duration of eternity”.
In case you’re wondering, they didn’t follow through with it:-
“We have yet to enforce our rights under the terms and conditions but, as this is an experiment, we will be returning the children to their parents… Our legal advisor Mark Deem points out that – while terms and conditions are legally binding – it is contrary to public policy to sell children in return for free services, so the clause would not be enforceable in a court of law.”