Would you give up your firstborn child or favorite pet to use free WiFi? Of course not. Sounds crazy, right? But in an independent investigation conducted on behalf of F-Secure, several people agreed to do just that – just to be able to instantly, freely connect to the Internet while on the go.
For the experiment, we asked Finn Steglich of the German penetration testing company, SySS, to build a WiFi hotspot, take it out on the streets of London, and set it up and wait for folks to connect. The purpose? To find out how readily people would connect to an unknown WiFi hotspot. (You can view our complete report, see the video and listen to the podcast below.)
Thing is, public hotspots are insecure. Public WiFi simply wasn’t built with 21st century security demands in mind. When you use public WiFi without any added security measures, you leak data about yourself from your device. We know it, but we wanted to find out in general how well people out on the street know, whether or not they take precautions, and what kind of data they would actually leak.
We also enlisted the help of freelance journalist Peter Warren of the UK’s Cyber Security Research Institute, who came along to document it all. Accompanying the two was Sean Sullivan, F-Secure’s Security Advisor.
What we found was that people readily and happily connected, unaware their Internet activity was being spied on by the team. In just a half-hour period, 250 devices connected to the hotspot. Most of these were probably automatic connections, without their owner even realizing it. 33 people actively sent Internet traffic, doing web searches, sending email, etc. The team collected 32 MB of traffic – which was promptly destroyed in the interest of consumer privacy.
The researchers were a bit surprised when they found that they could actually read the text of emails sent over a POP3 network, along with the addresses of the sender and recipient, and even the password of the sender. Encryption, anyone? If you aren’t already using it, you should be!
For part of the experiment, the guys enabled a terms and conditions (T&C) page that people needed to agree to before being able to use the hotspot. One of the terms stipulated that the user must give up their firstborn child or most beloved pet in exchange for WiFi use. In the short time the T&C page was active, six people agreed to the outlandish clause.
Of course, this simply illustrates the lack of attention people pay to such pages. Terms and conditions are usually longer than most people want to take time to read, and often they’re difficult to understand. We, of course, won’t enforce the clause and make people follow through with surrendering their loved ones – but this should give us all pause: What are we really signing up for when we check the “agree” box at the end of a long list of T&C’s we don’t read? There’s a need for more clarity and transparency about what’s actually being collected or required of the user.
So what’s really the issue here? What’s going to happen to your data, anyway? The problem is there are plenty of criminals who love to get their hands on WiFi traffic to collect usernames, passwords, etc. It’s easy and cheap enough for them to set up their own hotspot somewhere (the whole hotspot setup only cost SySS about 200 euros), give it a credible-looking name, and just let the data flow in. And even if a hotspot is provided by a legitimate business or organization, criminals can still use “sniffing” tools to spy on others’ Internet traffic.
So be warned: Public WiFi is NOT secure or safe. But we’re not saying don’t use it, we’re saying don’t use it without proper security. A good VPN will provide encryption so even if someone tries, they can’t tap into your data.
F-Secure Freedome is our super cool, super simple wi-fi security product, or VPN. Freedome creates a secure, encrypted connection from your device and protects you from snoops and spies, wherever you go and whatever WiFi you use. (Bonus: It also includes tracking protection from Internet marketers, browsing protection to block malicious sites and apps, and lets you choose your own virtual location so you can view your favorite web content even when you’re abroad.)
Still don’t believe that public WiFi poses risks? Take a closer look next time you’re faced with a terms and conditions page for public WiFi hotspot.
“A good number of open wi-fi providers take the time to tell you in their T&C that there are inherent risks with wireless communications and suggest using a VPN,” Sullivan says. “So if you don’t take it from me, take it from them.”
Check out the full report here (PDF): Tainted Love – How Wi-Fi Betrays Us
Listen to the podcast, featuring interviews with Victor Hayes, the “Father of WiFi,” our Sean Sullivan and others:
Disclaimer: During the course of this experiment, no user was compromised at any point nor user data exposed in a way that it could have been subject to misuse. We have not logged any user information, and during the experiment a lawyer supervised all our activities to avoid breaching any laws.
Video by Magneto Films
Reports that half a billion Yahoo accounts were hacked in 2014 "by a state-sponsored actor" were confirmed today by the tech giant. This hack of "names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions" is the largest in the company's history and one of the most consequential breaches of all time. Our security advisor Sean Sullivan told CNN what Yahoo users need to know right now: [youtube https://www.youtube.com/watch?v=kO-70yKF4bE] He also gave a longer interview to Data Breach Today about the wider implications of the hack. The most important takeaway from this attack is you should always use an extra layer of protection -- in this case Yahoo's two-factor authentication on all your accounts -- and never reuse any important password. Even though Yahoo's passwords stored your passwords with encryption, it's still possible for criminals to get access to them, especially if they are weak. A former Yahoo employee told Reuters that the answers to security questions were deliberately left unencrypted to help catch fake accounts more easily because fake accounts that used the same answers over and over. Sean always uses nonsense answers for so-called security questions so they aren't guessable by anyone who knows him or follows him on social media. He recommends you do the same. So what should you do now? Sean recommends you "walk, not run" to your Yahoo account to disable your security questions and change your password -- and change them on any other site where you've used them to something unique. Make sure you create non-human passwords -- not patterns like yahoo1985. Make them long and difficult to remember. If they're between 20 and 32 characters, they are nearly uncrackable, as our senior researcher Jarno Niemelä recommends. And to deal with all that complexity, use a password manager like our F-Secure KEY, which is free on one device. You can also store your nonsense answers to your security questions in there. Then turn on two-factor authentication, if you haven't already. If you're wondering who might have carried out such a massive attack, Sean does have a hypothesis. [Image by Christian Barmala | Flickr]
Many Android users (myself included) have long found it annoying that creating a working portable hotspot is not possible while using a VPN on the device that shares the connection. From the user interface to the lines of code that power the app behind it, a driving principle of designing Freedome has always been to make the kind of VPN that only makes your online experience better, without hindering it in any way. Tethering with VPN is now possible This is why we are extremely happy - both personally and for our users - to announce that our new Android release (out now on Google Play) makes it possible to have Freedome turned on while sharing your connection with other devices. We are also the first (as far as we know) major VPN provider to make this happen. Instructions on setting up a portable hotspot The new update automatically allows you to create a portable hotspot with Freedome VPN, so the instructions are fairly simple. Download Freedome VPN on your Android Turn on the portable hotspot feature from your Android settings Keeping it simple, as usual! A note on privacy It’s worth noting for the sake of your privacy that the tethered device’s traffic will NOT go through the VPN tunnel of the device sharing the connection. As Freedome lead Android developer Antti Eskola (who, by the way, you can thank for making this feature a reality) says: “Android does not allow tethered devices access to the VPN tunnel. This is a deliberate choice forced by Android for security reasons. For instance, when using VPN to access your employer’s network, they might not want your friends and family there. Also a VPN tunnel shared with others wouldn’t really be a private network anymore” In other words, remember to use Freedome on laptops and any other devices you connect to your own hotspots with. If you have any questions, drop us a line on Twitter. Enjoy!
If you don't want to read the manual for the new Wi-Fi-connected device you just installed in your home, do yourself a favor and at least check how to change the default password. A new report finds that more than 100,000 devices in the United Kingdom alone could be possibly be accessed by peeping strangers. How is this possible? "Two words," explains F-Secure security advisor Sean Sullivan. "Default settings." Most consumers don't seem to imagine that their baby monitor, web cam of Wi-Fi router might be targeted by a hacker. "That’s called security through obscurity and it just does not work," Sean explains. "There are 'deep-web' search engines --such as Shodan -- that routinely scan for devices on the Internet. And just about anybody can find interesting things there that shouldn’t be publicly accessible but are." Often all online intruders need to do is type in the password that the manufacture sent the device out with. "You need to change the webcam’s password to something complex and unique," he says. "Don’t worry about having to type it all the time, you’ll probably only need to configure the associated mobile app once. And then the app will remember the password for you." This one simple step will greatly reduce your risk of having your devices hacked. Still many of us won't do it. The time to get rid of this terrible habit of leaving default passwords untouched is now, before our homes become so overrun by Wi-Fi-connected devices that hackers begin to devote serious resources to this sort of intrusion and possibly find some convenient way to monetize it. So don't let your fear of not being able to remember the passwords for all these devices become the weak link in your security. "Once you’ve set your secure password, store it someplace safe for future use," Sean says. He suggests a using a password safe like F-Secure KEY or a piece of paper in a secure location in your home. Just don't store it anywhere in sight of a webcam that still is using its default password. [Image by DAVID BURILLO | Flickr]