Public Wi-Fi is becoming more and more popular. It’s becoming prominent absolutely everywhere, and almost everyone uses it when given the opportunity. But many people still seem to feel that public Wi-Fi networks are built to give the public free Wi-Fi access without having to make concession with their privacy, and this is in spite of growing evidence to the contrary. And based on the show of political support for Wi-Fi, one can extend this to include the perception of lawmakers.
So we here at F-Secure teamed up with ethical hacking firm Mandalorian and investigative journalist Peter Warren to conduct a little experiment that could highlight the risks that people (including politicians) take when they use public Wi-Fi.
Email, Social Media Accounts Hacked
The politicians, deliberately selected from the most powerful chambers in UK politics, were Rt. Hon. David Davis MP, Mary Honeyball MEP, and Lord Strasburger. The exercise was carried out with the permission of the politicians who, despite holding important positions within the different parliaments, admitted that they had received no formal training or information about the relative ease with which computers can be breached while using public Wi-Fi – a service they all admitted to using regularly.
The experiment saw Steve Lord (from Mandalorian) and Warren intercept various communications the politicians made while using public Wi-Fi hotspots. The duo set up malicious Wi-Fi hotspots using inexpensive, easily obtainable materials. The locations were everyday places that people visit regularly, such as cafes, hotels and offices, and in each case Warren and Lord successfully compromised the politicians’ devices. The experiment was designed to exploit the weaknesses inherent in Wi-Fi rather than weaknesses in the targets, making the security risks common to others using public Wi-Fi hotspots.
The experiment showed just how easy it was to monitor communications conducted over Wi-Fi, and information contained in calls, emails, and social media accounts were easily intercepted by Lord and Warren. Passwords and login details for different services were also easily obtained, essentially compromising access to various online services, such as social media and email accounts.
Wi-Fi Exposé Hits Home for Lawmakers
“I’ve used Wi-Fi all over Europe, so this is very worrying indeed. I need to use it in my work because I travel around a lot” said Honeyball. “I am surprised and shocked.”
Much of the information intercepted during the experiment, such as browsing history, seems harmless enough. But when this information is incorporated into hacking or other criminal enterprises, it can be used to launch highly effective attacks – such as spear-phishing campaigns, or various forms of identity theft.
“Well it’s pretty horrifying to be honest,” said Davis. “Gmail is pretty much my private conversation, so you were able to get into all of that, and quite frankly you would have been able to masquerade as me.”
When he was still working in cyber security for the Finnish government, Erka Koivunen met a NATO diplomat that there was "nothing new" about the era we now live in. Foreign envoys have always lived with the constant awareness that their private communications could be "leaked" for their enemies to exploit. "Anything that was written down could eventually be discovered," Erka, who is now an F-Secure Cyber Security Advisor, told me. "So the most sensitive conversations never took place in writing." Given the massive email leaks that have now hit the worlds of business, with the Sony hacks, and politics, with the leaks of U.S. political figures, is this how we should all start thinking? Does everyone alive in the twenty-first century have to operate like a NATO diplomat? Or a C-level executive who knows any word she types could be subpoenaed? Or the campaign chair of a presidential campaign? The answer, unfortunately, seems to be increasingly clear. "Whatever you write, you may need to defend your position in public," Erka said. Relying on an insecure medium The problems with email begin with the general insecurity of it as a means of communication. It's more like sending a postcard than sending a sealed letter, Erka explains. "As soon as the message goes out of your or your company’s systems, you lose control of it," Erka explained. "This is by far the biggest problem of the good-ole-email. Messages can be eavesdropped, altered, delayed, replayed or dropped altogether without you ever knowing." To actually spy on email as it's being transmitted generally requires legal access to telecommunications infrastructure or extraordinary technical knowhow and resources. Think law enforcement or intelligence agencies. Since these groups have a vested interest in cloaking their activities, they had little incentive to engage in the massive sort of leaking of gigabytes of private data we've seen from Wikileaks. However, we appear to be at the end of the era of "the gentleman's agreement" between countries, as cyber policy expert Mara Tam explained on a recent episode of the Risky.Biz podcast. This agreement went something like: "Gentlemen read each other's email, but they don't leak it to the public." The leaks from former CIA contractor Edward Snowden helped make the public aware of how much information the government potentially could access. But the exposure of a private individual's digital communication to the world presents a stark new reality for anyone who conducts business online. "Personal mailboxes store gigabytes’ worth of conversation history that will be a treasure trove for attackers for multiple reasons," Erka said. "There are sensitive discussions about business strategy, customers, competitors, products. There is also internal gossip, badmouthing and other damaging stuff." Activist Naomi Klein told The Intercept that "this sort of indiscriminate dump is precisely what Snowden was trying to protect us from." And we don't yet have a full sense of the potential ways this mass of data can be used against us. A competitor could use private information to tarnish someone’s reputation and hackers can mine the data to prepare for future cyber intrusions or to gain access to your other accounts through password resets. Letting the public decide what's private Leaks have already cost some executives their jobs and could swing the U.S. presidential election. But in a sense, we're all victims of this new risk to all of our privacy. "Whatever you write in an email you have to consider, are you ready for your boss, your spouse, your business partners to read it?" Erka asked. This new reality leads inevitably to the tragedy of self-censorship. Zeynep Tufekci -- a "techno-sociologist" -- has been doing a running commentary on the Wikileaks revelations and is very disturbed by what she's seeing. "People gossiping in internal conversation is not a scandal—but destroying public/private boundaries will paralyze dissent, not the powerful," she tweeted. Wikileaks is releasing more documents than it could ever sift through in the hopes that the newsworthy information will be discerned by interested researchers around the world. But along with potentially relevant items, intensely private information has been revealed. "For example, a suicide attempt was publicized through Podesta indiscriminate dump (Wikileaks tweeted it out)," she noted. "Who will want to be political?" This makes the loss of email seem dire, but perhaps it speaks to a not just a flaw in the medium's security but the medium itself. "The deeper problem with email is that it has never quite settled on a social mode," The New York Times Farhad Manjoo wrote. "An email can be as formal as a legal letter or as tossed off as drive-by insult. This invites confusion." What can you do? So, should you be like that NATO diplomat content to keep all of your deepest secrets out of writing? Can you expect yourself to remove all snark and potentially offensive thoughts from your emails? Should you assume that your email box is like a box of letters in your attic, vulnerable to anyone who can get access to it? These answers are ultimately up to you and how you use -- or don't use -- email. F-Secure security advisor Sean Sullivan has found that young people he's interviewed are increasingly abandoning email as communication tool. "They only have an account -- typically Gmail -- in order to sign up for stuff," he said. If this continues, email is on its way out, whether it's private or not. For now, lawyers, doctors and other professionals with explicit legal responsibilities, email has a much more defined role that cannot be easily abandoned or circumvented. As far as your work email goes, consult your IT staff for guidance as you may be under legal obligation to preserve your data. But for your personal email, Erka suggests you have to at least be aware of how likely you are to be a target and what you can do to contain any potential damage -- besides using a strong unique password for every email account you have and only entering your account information on the secure webpage of your email provider. If you are involved in international politics, for instance, there's no question. You are a target. Hackers are either after your emails or are trying to get access to powerful people in your contacts. If you're someone with no power, no tumultuous relationships and no interest in politics, you're likely not to be on anyone's radar... yet. The problem is no one knows where you'll be in a few years and our inboxes are big enough to last a lifetime. "When everyone is using cloud-based emails like Gmail, there's no need to save space," Erka said. "That's the whole selling point of those services: Never delete anything." If you see the potential for enough damage, you many want these recent leaks as an inspiration to launch a serious spring cleaning of your personal online inboxes, including email and social media. "You may want to delete the messages you don't need and sort the stuff you do want into folders that you take off the web and can store on a secure backup," Erka suggested. Yes, you will lose the convenience of being able to search your Gmail box through a simple interface, but so will potential hackers. He also recommends sharing documents through sharing platforms and cloud services such as Sharepoint, Salesforce or Dropbox. "These links can require separate authentication upon opening and the sender can control how long it will be valid," Erka said. "If the email gets stolen and leaked years later the chances are the link will be invalid by that time." For quick conversations, Sean suggests Wickr, which offers self-destructing messages through a mobile app or a desktop client with easy encryption, something that just doesn't exist for most email. "For professionals, Wickr has a paid service which will retain messages for a legal requirement, and will then securely delete them post-requirement," he said. Regardless of policy, employers have a vested interest in moving their staff away from an over-reliance on email for more than privacy reasons. "Actual phone calls and face-to-face discussions that get out of your chair are probably more useful than email or chat threats," Sean said. "So rather than swap from one to the other – just learn to better utilize what you work with best." These leaks offer a sobering reminder that email is not secure. But, perhaps, the more important message is that it as a means of communication, it was never very smart. [Image by Alan Levine |Flickr]
Why doesn't VPN work on my hotel Wi-Fi? What special benefits does a VPN give to me in my country? How does online tracking work? Who's that handsome dude who writes your blog? These questions (except for that last one) are the kind we get from our Freedome fans on a regular basis. Instead of always writing text responses like it's 2010 or something, we decided to start answering these questions on video - on an FAQ-style playlist that can be found on the F-Secure YouTube channel. Do you have any questions related to Freedome, VPN or anything even loosely related to privacy? Ask away and you might even win a a prize! You can comment on this blog post, drop us a line on Twitter with the hashtag #AskFreedomeVPN, or comment on this post or on one of the #AskFreedomeVPN videos on YouTube. They don't have to be easy! Keep checking out the playlist regularly, as we update new answers to frequently asked privacy questions all the time. https://www.youtube.com/playlist?list=PLkMjG1Mo4pKL0JFjRTd4vCvK4An5QTp5D
Occasionally we get a question on our privacy community about a Wi-Fi hotspot blocking VPNs. Thankfully this doesn't happen very often, but we decided to write this letter to let companies that do this know why they shouldn't. Dear business providing free Wi-Fi but blocking VPN, First of all, we don’t want to seem ungrateful. Thank you for giving us free internet on your premises. We all appreciate a reliable hotspot to occupy our time while we fight boredom in a hotel room, rest up before evening bingo on a cruise ship, or sip on a Mocacchino at a downtown café before picking up the kids. Data caps on our mobile plans are getting less and less in the way of us enjoying our time online when away from home, and we thank you for helping us avoid this problem. But what you may not realize is that every public Wi-Fi hotspot is also a golden opportunity for cyber criminals. It’s not your fault, this is just a fact of life we're trying to live with. Most traffic sent over Wi-Fi is basically out there for the taking, and anyone with a laptop and readily available programs can easily intercept all unencrypted data sent over your hotspot. There are a few tricks for users to make sure all their traffic stays encrypted and private, but using a VPN is arguably the easiest way. And yes, it is harder for you to monitor or control what VPN users do on your hotspot. But is having that control so important that you’re willing to trade your customers’ security for it? By blocking VPN on your Wi-Fi, you are actively telling your customers to put their private data at risk while surfing, or to not surf at all. It’s the equivalent of giving people access to a beautiful sandy beach, but telling them they can only use it if they don’t wear sunblock. Ultimately, it’s your hotspot and your call. But if you care about your customers, don't be in the minority of businesses that forces them to give up their online security and privacy. Best wishes, the FreedomeVPN team. https://www.youtube.com/watch?v=BnTFGiV27Zw