BBC Watchdog: Is your Wifi secure?

Tony

What Consumer Founder
Apr 7, 2008
Wi-fi hot-spots across the country are not secure and are vulnerable to attack.

An investigation by Watchdog has revealed that the UK's top three wi-fi providers, BT Openzone, The Cloud and T-Mobile, are all susceptible to attack by hackers - leaving tens of thousands of users at risk of fraud.


Thousands of these hotspots are available nationwide in hotels, trains, airport lounges and high street food outlets but they may not be as safe as some users had anticipated.

According to Tom Ilube, from internet security firm Garlik, over the last year there has been a 207% increase in 'account takeover fraud', where criminals try to access existing accounts rather than using stolen identities. In light of this he thinks the vulnerability of wi-fi hotspots is worrying.

Tom Ilube said: "I think a lot of people don't realise that using public wi-fi that's insecure is pretty much like writing your bank details onto a postcard and popping it in the post and being surprised that someone's read it."

Watchdog used equipment readily available on the internet to hijack wireless traffic at a variety of hotspots, while experts working with the programme-makers could have been able to take control of other hotspot users' internet accounts. Once inside these accounts, malicious hackers would have then been able to harvest masses of personal data which could enable them to access the users' accounts on a variety of websites, including those for shopping and banking.

Watchdog asked 'Crimewatch' presenter and former policeman Rav Wilding to set up an email account on a laptop at a wireless hotspot. The 'Watchdog' team were able to access Rav's email within seconds before freezing him out of his account altogether. So although Rav was no longer able to use his email, the team still had full access to it.

The Watchdog team were also able to access the email accounts of two members of the Watchdog audience, viewing everything the users were doing online, including their email and social networking activities.

Believing the process demonstrated by Watchdog is particularly alarming as it does not require particularly high-level skills or know-how, Tom Ilube also said: "You don't have to be a super hacker to get into this sort of information and therefore it's becoming more widespread and we as consumers need to be more careful about how we use them and what we use them for."

One way of protecting wi-fi connections at public hotspots is to use a Virtual Private Network or VPN. Although BT Openzone, The Cloud and T-Mobile all suggest using VPNs, only T-Mobile offer them as a software download when users log on.

Following Watchdog's investigation the three big hotspot providers told the programme that they would do more to encourage the use of VPNs to protect wi-fi users.


BT Openzone Statement
"BT Openzone offers encryption at log-in, a standard used by all global Wi-Fi operators. To help customers receive a safe, reliable and robust Wi-Fi service we also advise using up to date firewall and anti-virus software to guard against most attacks. We have always strongly recommended a secure remote access virtual private network (VPN) to protect against data interception. The industry as a whole has a responsibility to give users the option to choose to keep their sessions secure.
We constantly review our approach to security and there will now be a direct link to security guidance from the BT Openzone landing page. We are also reviewing our proactive approach to providing secure and user friendly authentication."
"Security threats evolve and we constantly review our policies to combat these. The security measures we recommend are adequate against most attacks. In the instance of a cookie-based attack, our advice protects customers to the best of our ability."
"Our security advice protects our users from most attacks if executed to the letter however the industry as a whole has a responsibility to give users the option to choose to keep their sessions secure."
"Following your investigation, our landing pages at the hotspots will now feature a direct link to the relevant BT security information, which can be found at http://www.btopenzone.com/help/security/index.jsp"
"BT Openzone provides encryption at log-in, and we advise customers to follow basic and familiar security measures including firewall and anti-virus software, plus installation of a VPN. Solving this type of attack requires BT to provide the above solution and for all technology suppliers to give users the option to choose to keep their sessions secure, which means their cookies are not recorded."
"BT is in the process of reviewing its approach to providing secure and user friendly authentication. This will include continued review of our frequently asked questions ("Common questions") pages."
"...we constantly review our approach but will take two immediate steps regarding the location of security information and reviewing our provision of secure and user friendly authentication."




The Cloud:

"The Cloud welcomes the opportunity to respond to the questions posed by Watchdog regarding the security aspects of public Wi-Fi networks. We take security very seriously and adhere to all of the current industry standards and protocols to run our networks.
The Cloud operates an Open (unencrypted) Wi-Fi network in the UK. It is the industry standard for Wi-Fi Internet Service Providers and is adopted by the vast majority of operators worldwide. It is considered a reasonable trade-off between ease of use, simplicity of deployment and security of access.
Wireless communication in a public place however is intrinsically subject to threats and malicious security attacks. The use of private keys, such as WEP (Wired Equivalent Privacy) and more recently, the not entirely secure WPA (Wi-Fi Protected Access) protocols, are not suitable for public hotspots particularly when using mobile and hand-held devices, as the users would have to obtain security credentials before being able to access the network. This would make accessing the Internet beyond the skill levels of ordinary consumers.
The Cloud has put in place a number of features which allow safer internet access. These are within the limitation of using unencrypted channels for wireless transmission between the User's computer and the Wireless Access Point. Among other features, The Cloud network includes:

• Firewalling and Network Address Translation, ensuring protection of the users within the hotspot from attacks generated elsewhere on the Internet.
• SSL (Secure Sockets Layer) encryption technology to protect sensitive details such as user names, passwords and credit card details when you interact with any of our hotspots. The SSL standard is used by a wide variety of online providers such as online bank accounts and provides protection from the interception of sensitive data by third parties, as well as the misrepresentation of access control and credit card processing services.
• Unrestricted internet access and VPN (virtual private network) pass-through, which allows clients to use their own VPN clients to connect to their home or corporate network securely.

Ultimately, when using an unencrypted wireless channel, the responsibility for securing the end user device (laptop or Smartphone) must rest with the end user. Many Wi-Fi hotspot users do not fully understand the risks associated with using open wireless networks, so it is imperative that users must also take precautions.
In response to some of the specific questions you raise:
Cookie replay and Man in the middle attack
Cookie-Replay and Man-In-The-Middle attacks are well-known threats for unencrypted wireless networks, which is the industry standard for providing public WiFi Internet Access.
The Use of VPN tunnels, which is fully supported by our network and encouraged in the support section of the website and landing pages, would minimize the risk of such attacks. We are looking at different VPN technologies for future developments with some of our partners, however many existing solutions are device specific making it difficult for the Wi-Fi operator to cover all eventualities.
Security awareness on The Cloud's hotspot landing page
We take on board your feedback regarding more obvious warnings about security vulnerabilities on The Cloud's hotspot landing page. We always intend to provide the clearest and most up to date information about security. Both our Website and landing page currently have a help section which covers security aspects of our Network (see below). We have already taken steps to ensure the section on security is more easily accessible via our website: http://www.thecloud.net/About-us/
VPNs
Our security information, accessible via our website and landing page, recommends the use of VPN technology. However we do recognise that they are not currently user friendly, especially for consumers. We are looking at how VPN technology can be developed in the future with some of our partners, however many solutions are device specific making it difficult for the Wi-Fi operator to cover all eventualities.
We should also point out that without sufficient security, the same type of attacks could happen on Home Wi-Fi networks, whereby a technically proficient person with ill intent can sit outside a domestic residence and carry out the same attacks as demonstrated by your researcher on our Hotspot."


T-Mobile
"T-Mobile takes the security and privacy of its customers seriously, especially as broadband internet has become an essential tool for many people. Wherever people are accessing the internet, whether at home or on the move, there are a small number of hackers who will use their specialist knowledge to take advantage of others by accessing their information. While most of the time customers don't experience problems, T-Mobile takes steps to offer protection to users of Wi-Fi HotSpots. On the landing page of the HotSpot service, advice is prominently displayed alerting customers they should use free software provided by T-Mobile. This VPN (virtual private network) software encrypts the radio link between the laptop and the HotSpot, providing a level of security typically enjoyed by business users.

While T-Mobile takes all reasonable steps to ensure the security of its infrastructure, security is also dependent on users taking care to protect their information. Basic best practice includes checking the privacy and security settings of their computers and that virus protection is in place. Additionally, when using sites which may involve providing confidential information, people should check that the closed padlock symbol is displayed, indicating that the site is encrypted and therefore secure."

"We have revised the wording on the HotSpot landing page to emphasise use of a VPN connection for optimal security."

Let us know what you think - have you had any problems? Are you worried about security?



