James Lyne, Sophos
Your home internet may be secure, but do you ever connect to Wi-Fi? If so, you might want to take extra care to look at exactly who you are connecting to. James Lyne is head of security research at Sophos, a digital security company, and has been very busy looking into the worrying Wi-Fi habits of the public, as he explained to Chris Smith...
James - There's a myriad of different attacks that occur on wireless networks but the one that we were most interested in was really, people’s natural behaviours, their level of trust for just connecting to a wireless network. So, we set up eight or nine different wireless networks and for a period of two hours, walked around, offering people free Wi-Fi, Wi-Fi where they had to register, and in some cases, Wi-Fi where they had to pay.
Chris - Where?
James - Now, this was actually in New York City and I have to say, my most active Wi-Phishing area, as we’ve dubbed it, was the airport. It seems like people get off planes and are very hungry for wireless to check their emails. In just under 2 hours, we were able to snare 109 people into handing over their credit card details to a company that had as much trust as, well, anyone on the internet. I bought the logo from a clipart site for about 5 US dollars. The domain name costs another $15 and I bought an SSL certificate, which gives you that little padlock that we’re all trained to trust. That was about 50 US dollars. So, a high trust operation.
Chris - So, let’s just explain what you mean by this. You went to the airport or some places around New York. You set up like a Wi-Fi offering, “Connect to me. I'm offering you Wi-Fi” and it would allow people to connect to it to get an internet access and it even offered them a trustworthy looking padlock so they thought they were doing secure internet browsing.
James - That’s perfectly correct. We even actually went to the trouble of putting up an end-user license agreement. When you go to a coffee shop, it pops up and says, “Would you like to get online?” you’ve got that little agreement you have to scroll down. What was really fun was, in the agreement on paragraph two, it says, “This is a Sophos research project. You agree we can monitor your system entirely, log all of your data, and that we may contact you in the future to figure out why you did something so stupid.” And no one reads it because the average time to click agree was 1.3 seconds.
Chris - So, they all agreed. They connected to your hotspot and invisibly to them you were sitting like the man in the middle, listening or effectively eavesdropping on everything that they did online.
James - Well, exactly. Here’s the thing. When you connect to a wireless network, you hand over authority of where your computer is going to go on the internet to that network. In my case, the malicious attacker. So, if you ask for a resource like that nice news page we were just looking at, it’s very easy for me to redirect you off to a nasty copy that asks for information or maybe delivers some nasty malicious code that gives me more access to your computer. And there are some mitigating technologies and practices to this but less than 1% of the people connecting actually took those.
Chris - Didn’t you do something like, call it, ‘do not connect to me’ or something and people even didn’t fall for that? They still connected to it.
James - Yeah, that was one of my personal favourites. Get online and free public Wi-Fi were very popular, but in capitals, DO NOT CONNECT saw 27 visitors and I envisage these people sitting in coffee shops going, “Challenge accepted.”
Chris - When they did connect, what did they do?
James - A mass of different things. Social media updates were of course very popular. We did see a little bit of internet banking. The good news is, most of that was actually encrypted by default so we couldn’t poke inside it. There are a few kind of nastier techniques we could’ve used but we’re obviously doing this ethically. Of course, all the other websites they visited and there was lots of – in some cases, very strange web browsing. I'm looking to release that list at some point.
Chris - Was this in New York or elsewhere?
James - This was in New York although I have to say, we have done a series of Wi-Fi experiments in other locations. So far, Las Vegas has been the one that’s caused the most sleepless nights. When you go through that list, of course, any of those unencrypted sites could be targeted and once you’ve been compromised, your banking details are no longer safe. So, it only takes one kind of weak point in the chain to get you infected.
Chris - In other words, people connect trusting your connection, but you could be inserting data onto their computer that then compromises their computer, so that next time they do online banking, regardless of whether it’s got a secure connection to the bank, it’s still sending you all the data in the meantime.
James - Precisely and the nasty bit of this experiment that would’ve been trivial to do, but we stopped short of for ethics purposes was to download that malicious code. At which point, you could not only access internet banking, you can access the webcam, you can record from the microphone, and consider – I mean, there are a large number of laptops or smartphones there too. I mean, there are over 1.6 million malicious applications for Android devices now. I challenge listeners to think about a time where they don’t have their phone next to them. Now, they're making waterproof devices that are getting even slimmer and how compromising that could be to you. We are handing over the keys to our physical lives to cybercriminals in the digital world.
Chris - And you can just plant data onto these devices and then basically, you own them.
James - Well, the good news is, if you follow some fairly simple practices, it makes it a lot harder for cybercriminals. As I say unfortunately, most people are not doing that, but little things like keeping your software up to date, making sure you update your browser. Running good endpoint security.
Although best of all, if you're out and about, don’t connect to a wireless network unless you really know who it belongs to. Maybe consider using data on your phone which is much, much harder to intercept.
Chris - You could easily envisage a scenario where people would come to an event like this one where they see big brands knocking around. So, you could be perched on the edge of a big brand tent or something and you could issue a Wi-Fi hotspot so people think, “That belongs to that big brand. They're trustworthy” and in fact, it’s you.
James - The only indicator of trust you have when you first connect to a wireless network is the name and you can set that to anything you want. Now, for legal reasons and lawyers spoiling all my fun, I wasn’t allowed to steal other people’s brands. Apparently, that’s passing off or something like that. And so, I was only able to use these generic names. But 2,000 people connected, 500 of them just handed over email addresses, 109 credit cards. Imagine if I was to park up in a coffee shop or outside, even, an enterprise and set up a network with the same name as their employee network, how many people could potentially have been snared? Scary stuff.
We’ve got way too used to this protocol of connecting to any wireless network that professes to offer free Wi-Fi based on some text that anyone could enter.
Chris - We’ve got a couple of minutes left so let’s just explore one other thing which is getting to be big business. This is the internet of things. Now, you're saying, “Let’s keep our devices all up to date” but we’re all dependent on third party devices which really probably have quite shoddy security, so we can’t really do that.
James - Yeah, that’s been another one of my recent research projects. Another one with lots of lawyers involved telling me what I shouldn’t do. I've been following the rules.
So actually, I've got a little case here with me which is packed with various internet of things devices. So, I went on to Amazon and we bought about 5,000 pounds worth of CCTV cameras, various other bits and pieces, and went through them to find out how many of them had critical security vulnerabilities. Long story short, all of them did except for one, which actually was so poorly implemented, we couldn’t access it, which is what I like to call security through, well essentially, obscurity and unintelligence.