Daniel Cuthbert, SensePost
What is your mobile phone telling criminals about you? Daniel Cuthbert is from the UK and South African security company SensePost.
Kat - Now, I've just come back from 2 weeks off in the US, touring around, talking to some scientists and I have pretty much logged on to every free Wi-Fi network that’s going. I'm starting to maybe get the feeling from the look on your face that that was not such a smart thing to do. So, what information could hackers get from my mobile phone and how could they do this by me using things like free Wi-Fi?
Daniel - So, I guess the short answer is a lot. The way that we use our mobile devices today has changed. We’re no longer using a laptop or a PC to do online banking, online purchases, browsing our social media. We’re using these mobile devices. Unfortunately with that, we’re also using Wi-Fi. As James just alluded to, Wi-Fi is pretty much everywhere these days, from the internet of things to petrol stations, etc. And the promise of free Wi-Fi, especially when you go abroad, with roaming charges being what they are...
Kat - It’s ridiculous frankly.
Daniel - It’s almost criminal. It’s quite nice to use. You can stop into your local Starbucks or your McDonald’s, or if you see something that says ‘Free Internet’. Well, why not? I can just quickly jump online and check my PayPal balance, etc. The problem is, one, you have no idea who controls the information that’s passing between your phone, the access point and the rest of the internet. And there's no way of you really telling. And two, the information going out there could be your credentials, your Gmail account, your banking details and anything else that your phone sends out. Now, the problem is your mobile phones are quite chatty. So, when you connect to the internet, all your applications, all your social media apps are all screaming out to everybody going, “Hey, I'm here. Give me some updates.” And if there's some evil person sitting in between, there's a very good chance that they're getting that information too.
Kat - So now, I'm kind of scared. How could someone be doing that? How could they be intercepting? For example, I was in a Starbucks in Manhattan. So, how could someone – and I logged into Starbucks Wi-Fi – how would someone be intercepting what I was doing there?
Daniel - Are you sure it was Starbucks Wi-Fi?
Kat - It said it was Starbucks Wi-Fi and I got like the Starbucks thing came up.
Daniel - We’re very trusting when it comes to the internet. It’s one of the mediums that attackers exploit: just because it says Starbucks – well, it must be. Traveling here on the tube, I passed a number of access points pretending to be Vodafone Wi-Fi. I have no idea if it’s controlled by Vodafone, but it says it’s Vodafone. So, what attackers can do is they can pretend to be these networks because you're trusting. And there's a very good chance that you’ve connected to these networks before. So, it’s very easy to do what's called, a jargon thing, a rogue access point, where I pretend to be another network and give you internet access.
Kat - And I guess like a lot of phones now, they'll automatically connect to something if they think they’ve seen it before.
Daniel - Yes. It’s called ‘Your preferred network list’. So, it’s a usability issue. You don’t want to have to keep on remembering say, “Right. I want to connect to Starbucks free Wi-Fi or Vodafone free Wi-Fi.” Your phone goes, “Hey, I've seen that before. Let me connect to it.” She wants to connect to the internet.
Kat - I'm still even more terrified. So, how likely is this to be happening to people? You know, so I've logged on to maybe – I don’t know – 10 free different Wi-Fis in the past couple of weeks - or someone who’s sort of every day, they're logging on somewhere. How big a risk is it really strictly?
Daniel - It’s very hard to put a number to it. Two years ago, we released a piece of research called Snoopy where we looked at this risk itself, how trusting people are. During our test cases, the vast majority of people did connect to our rogue access points and browsed the internet. And we were doing nothing illegal, but if we were doing it, there's a very good chance that criminals are doing it because it is actually quite easy to do. The benefits and the yields that you get from doing it are actually quite lucrative at the moment.
Kat - Is it just people saying 'you shouldn’t obviously do your online banking if you're in a coffee shop', but how bad can something like checking Facebook be? Does that put me at as much risk as doing, say, my online banking?
Daniel - It does to a degree. Facebook is a good example. People are inherently lazy when it comes to the internet. So, we will re-use the same password because passwords are hard to remember. James mentioned having a good password, but on a mobile device, a really long, strong password is actually very hard to type in. So generally, you'll have one password and it could be the password for all your social media activities. So, if I can get that information and sell it on or contact your friends and say, “Listen. I'm stuck somewhere. Can I have some money? Here’s my bank account details.” It's a perfect scam; it gets used a lot today and a lot of people fall for it.
Kat - I've definitely had many of those emails. So basically, what can people do? So, we do need access to the internet whether that’s through ridiculous roaming charges or through free Wi-Fi, how can I, and all our listeners, protect ourselves from these risks?
Daniel - So, there's a couple of things. It’s not all doom and gloom. The first thing: stop being so trusting just because the network says it’s free. Ultimately, think: why is it free? What does it do with my data? And that’s where the big money is being made today, with your data. Secondly, if you are using something like online banking or other financial transactions, make use of a VPN.
Kat - What's that then?
Daniel - So, it’s a virtual private network and effectively, what it does is it will encrypt your data from your phone, through to a trusted server and then onto the internet. So, it stops people eavesdropping on your communications.
Kat - And how would I find one of those? Can I just sign up for one?
Daniel - Yeah, Google – not free VPN. I’d go for a paid VPN again. Why is it free? What are they doing with the data? They cost on average, a couple of pounds a month. But if you are mobile and you do rely on your phone a lot, I'd honestly say, get hold of a VPN. At SensePost, we only travel and use VPNs when it comes to our mobiles.
Kat - So, given that I obviously don’t have a VPN and I've just spent the past 2 weeks connecting promiscuously to as many Wi-Fis as I can, is there anything I could do to my phone, to check that I'm okay or should I be changing all my passwords?
Daniel - I think it’s a good idea to change your passwords on a frequent basis anyway so now is probably a really good time. It’s not a case of panic, “Oh no, somebody might have got my data.”
Kat - But they kind of have already then I guess.
Daniel - Then run to the hills screaming.
Kat - And broadly, do you think it’s really important that we do try and talk sensibly without panicking too much about these issues?
Daniel - Definitely. It’s not all doom and gloom. The security industry does like to play down this stuff a lot, but I’d say listeners, common sense has to prevail here.
Kat - So, be safe and it’s okay.
Daniel - Definitely.
Kat - Thank you. That’s Daniel Cuthbert from SensePost.
Generally creditable and covers the points. But not all. Certain very obvious, if technical, questions are ignored. This is typical of reporting on technical exposures: the things that make the risks less scary are not reported. Why is that? About how Wi-Fi hackers could steal your Facebook password. They can't: even the Facebook password is sent over an https connection. Which means it's industrial level encryption. Right? Why no mention? More and more sites use https connections for almost all communications. For example, check your browser when you log onto Facebook. Sure enough, it's an https connection as you log in. Then look AFTER you log on... you start looking at your messages and responding to them. These days... even THAT is sent encrypted over https. I just find it curious why such well-known factors are ALWAYS ignored on these shows about security scares... Richard Curzon, Thu, 25th Sep 2014