Would you give up your firstborn child or favorite pet to use free WiFi? Of course not. Sounds crazy, right? But in an independent investigation conducted on behalf of F-Secure, several people agreed to do just that – just to be able to instantly, freely connect to the Internet while on the go.
For the experiment, we asked Finn Steglich of the German penetration testing company, SySS, to build a WiFi hotspot, take it out on the streets of London, and set it up and wait for folks to connect. The purpose? To find out how readily people would connect to an unknown WiFi hotspot. (You can view our complete report, see the video and listen to the podcast below.)
Thing is, public hotspots are insecure. Public WiFi simply wasn’t built with 21st century security demands in mind. When you use public WiFi without any added security measures, you leak data about yourself from your device. We know it, but we wanted to find out in general how well people out on the street know, whether or not they take precautions, and what kind of data they would actually leak.
We also enlisted the help of freelance journalist Peter Warren of the UK’s Cyber Security Research Institute, who came along to document it all. Accompanying the two was Sean Sullivan, F-Secure’s Security Advisor.
What we found was that people readily and happily connected, unaware their Internet activity was being spied on by the team. In just a half-hour period, 250 devices connected to the hotspot. Most of these were probably automatic connections, without their owner even realizing it. 33 people actively sent Internet traffic, doing web searches, sending email, etc. The team collected 32 MB of traffic – which was promptly destroyed in the interest of consumer privacy.
The researchers were a bit surprised when they found that they could actually read the text of emails sent over a POP3 network, along with the addresses of the sender and recipient, and even the password of the sender. Encryption, anyone? If you aren’t already using it, you should be!
For part of the experiment, the guys enabled a terms and conditions (T&C) page that people needed to agree to before being able to use the hotspot. One of the terms stipulated that the user must give up their firstborn child or most beloved pet in exchange for WiFi use. In the short time the T&C page was active, six people agreed to the outlandish clause.
Of course, this simply illustrates the lack of attention people pay to such pages. Terms and conditions are usually longer than most people want to take time to read, and often they’re difficult to understand. We, of course, won’t enforce the clause and make people follow through with surrendering their loved ones – but this should give us all pause: What are we really signing up for when we check the “agree” box at the end of a long list of T&C’s we don’t read? There’s a need for more clarity and transparency about what’s actually being collected or required of the user.
So what’s really the issue here? What’s going to happen to your data, anyway? The problem is there are plenty of criminals who love to get their hands on WiFi traffic to collect usernames, passwords, etc. It’s easy and cheap enough for them to set up their own hotspot somewhere (the whole hotspot setup only cost SySS about 200 euros), give it a credible-looking name, and just let the data flow in. And even if a hotspot is provided by a legitimate business or organization, criminals can still use “sniffing” tools to spy on others’ Internet traffic.
So be warned: Public WiFi is NOT secure or safe. But we’re not saying don’t use it, we’re saying don’t use it without proper security. A good VPN will provide encryption so even if someone tries, they can’t tap into your data.
F-Secure Freedome is our super cool, super simple wi-fi security product, or VPN. Freedome creates a secure, encrypted connection from your device and protects you from snoops and spies, wherever you go and whatever WiFi you use. (Bonus: It also includes tracking protection from Internet marketers, browsing protection to block malicious sites and apps, and lets you choose your own virtual location so you can view your favorite web content even when you’re abroad.)
Still don’t believe that public WiFi poses risks? Take a closer look next time you’re faced with a terms and conditions page for public WiFi hotspot.
“A good number of open wi-fi providers take the time to tell you in their T&C that there are inherent risks with wireless communications and suggest using a VPN,” Sullivan says. “So if you don’t take it from me, take it from them.”
Check out the full report here (PDF): Tainted Love – How Wi-Fi Betrays Us
Listen to the podcast, featuring interviews with Victor Hayes, the “Father of WiFi,” our Sean Sullivan and others:
Disclaimer: During the course of this experiment, no user was compromised at any point nor user data exposed in a way that it could have been subject to misuse. We have not logged any user information, and during the experiment a lawyer supervised all our activities to avoid breaching any laws.
Video by Magneto Films
If you read our post about why you should travel with glitter nail polish, you know we love unconventional OPSEC advice that keep strangers out of your business. That's why this quote in a recent GQ profile of Kim Kardashian, which was first pointed out by LA Times editor Amy Fiscus, stood out: "She's frighteningly organized: She tells me that before bed she deletes every single text message and e-mail from her phone, unless it's something she still needs to respond to." Is this good OPSEC? We asked one of our resident experts Camillo Särs and he was intrigued. "Yes – the practice of deleting any unnecessary copies as soon as possible is definitely good OPSEC," he explained. "Clearly that is not the actual intent here, but effective, nevertheless!" So be like the woman who broke the internet, and consider getting rid of anything you don't need to keep as soon as possible. And if you're about to go on vacation, here's a quick OPSEC tip for your email out-of-office message, which could be helping criminals trying to phish you. Is there an OPSEC tip you picked up that you've picked up and feel like sharing? Let us know in the comments.
In Finland, there is this thing called juhannus. A few years ago, our former colleague Hetta described it like this: Well, Midsummer – or juhannus – as it is called in Finnish, is one of the most important public holidays in our calendar. It is celebrated, as you probably guessed, close to the dates of the Summer Solstice, when day is at its longest in the northern hemisphere. Finland being so far up north, the sun doesn’t set on juhannus at all. Considering that in the winter we get the never ending night, it’s no surprise we celebrate the sun not setting. So what do Finns do to celebrate juhannus? I already told you we flock to our summer cottages, but what then? We decorate the cottage with birch branches to celebrate the summer, we stock up on new potatoes which are just now in season and strawberries as well. We fire up the barbecue and eat grilled sausages to our hearts content. We burn bonfires that rival with the unsetting sun. And we get drunk. If that isn't vivid enough, this video may help: [protected-iframe id="f18649f0b62adf8eb1ec638fa5066050-10874323-9129869" info="https://www.facebook.com/plugins/video.php?href=https%3A%2F%2Fwww.facebook.com%2Fsuomifinland100%2Fvideos%2F1278272918868972%2F&show_text=0&width=560" width="560" height="315" frameborder="0" style="border: none; overflow: hidden;" scrolling="no"] And because the celebration is just so... celebratory, it's easy to lose your phone. So here are a few ways to prepare yourself for a party that lasts all night. 1. Don't use 5683 as your passcode. That spells love and it's also one of the first passcodes anyone trying to crack into your phone will try. So use something much more creative -- and use a 6-digit code if you can on your iPhone. You can also encrypt your Android. 2. Write down your IMEI number. If you lose your phone, you're going to need this so make sure you have it written down somewhere safe. 3. Back your content up. This makes your life a lot easier if your party goes too well and it's pretty simple on any iOS device. Just make sure you're using a strong, unique password for your iCloud account. Unfortunately on an Android phone, you'll have to use a third-party app. 4. Maybe just leave it home. Enjoy being with your friends and assume that they'll get the pictures you need to refresh your memory. And while you're out you can give your phone a quick internal "clean" with our free Boost app. [Image by Janne Hellsten | Flickr]
Mikko Hyppönen -- our Chief Research Officer and probably the most famous code warrior ever to come out of Finland -- likes to point out that he was born the same year as the internet. Jani -- the ten-year-old from Helsinki who made international news by earning Instagram's top bug bounty prize for uncovering a security flaw in the photo-sharing site -- was born a couple a years after Facebook was invented in 2004 and just four years before Instagram went online in 2010. And he's already made some history. Jani discovered a flaw in the site that would have allowed him -- or anyone -- to delete content from any user from the site, even stars with tens of millions of followers including Taylor Swift, Selena Gomez and Beyonce. Like any good white-hat hacker he didn't take advantage of the vulnerability. Instead, he reported the bug to Facebook, which now owns the app, directly. His maturity paid off. Even though he is not technically old enough to use the site according Instagram's terms and conditions, he's become the youngest person ever to win a $10,000 bug bounty, which he's used to purchase a soccer ball, a bike and other essential gear for being ten. To celebrate his feat, F-Secure Labs invited Jani to visit our headquarters for a hamburger and a tour. The visit gave our experts a chance to share their stories about how they were drawn to cybersecurity. Mikko learned to love computers from his mother who was in the industry. Päivi was guided into the field by her father and discovered that she has a passion for rooting out spam. When Tomi was a kid striving to learn the rules of the coin games his friends played so he could hack them and win, he recognized that he didn't see the world like everyone else. Jani has already discovered the same thing. Though he finds plenty of time for school and playing with his friends, he spends 2-3 hours during his off days hunting for vulnerabilities and looking out for new bug bounty programs -- like our own -- that allow him to test his skills. How did he find the vulnerability in Instagram? First he created two accounts. He posted a comment using one account and then just using the publicly available content id number he was able to delete the comment using the other. Immediately he recognized the potential for such a flaw to be exploited. Mikko and Tomi were impressed by how Jani used Linux and Burp Suite -- a tool that pros like the analysts in our Labs use to analyze network traffic -- to help identify the bug. While he used to be interested in a career in video games, Jani says he's now thinking about becoming a cybersecurity specialist. Mikko and Tomi advised him to finish school and stay on the right side of the law. They also invited him to spend a week or two working at the Labs to see how he likes the job, when he's old enough. He's planning on taking them up on the offer, saying that F-Secure looks like a "fun and cool" place to work. Nice. We're always looking for new talent and even Mikko may retire one day.