Malaysians can learn from a recent Europol-supported investigation in London, which reveals some of the risks associated with free Wi-Fi hotspots, according to online security and privacy firm F-Secure Corporation.
Goh Su Gim, Malaysia-based security advisor at F-Secure Corporation [F-Secure], said using free Wi-Fi connectivity carried with it the risk of losing personal data to criminals.
"For Malaysians, like millions around the world, public Wi-Fi connectivity has become a must-have service," said Goh. "Equipped with mobile devices like smartphones and tablets bundled with numerous apps and services, users are seeking free Wi-Fi connectivity wherever they go - hotels, airports, cafes and even hospitals."
"However, Wi-Fi networks are not built with security demands in mind and the public Wi-Fi access points are not regulated. This means, anyone can set up a Wi-Fi access point anywhere. And it is not that difficult or expensive to install a Wi-Fi system," he said.
"The other pressing problem is that people implicitly trust their technology and are not aware of the implications of that trust. Such weaknesses are being exploited by criminals by offering rogue hotspots to deceive users and steal personal data," Goh said.
Fake Wi-Fi hotspots can deliver a 'man-in-the-middle attack', where information - text, photos and videos - sent across the network can be intercepted and stolen if it is not encrypted, he said.
"Even an existing genuine Wi-Fi service, such as that of a hotel can be 'forced out' by using an access point with a stronger signal and no password on it that allows everyone using the service to reconnect without realising they are now on a rogue system," said Goh.
F-Secure conducted an investigation, supported by law enforcement authority Europol, in London, which showed people used public Wi-Fi without taking personal privacy into consideration. The investigation used a 'poisoned' Wi-Fi hotspot to expose users' data, including the contents of their email.
He said that in a thirty-minute period, 250 devices connected to the hotspot, most of them probably automatically without their owner realising it, and 33 people actively sent Internet traffic by carrying out web searches and sending data and email. The researchers also found that the text of emails sent over a POP3 network could be read, as could the addresses of the sender and recipient, and even the password of the sender, which emphasised the need for encryption.
"What was also a disturbing finding was that people were not reading the terms and conditions before agreeing to the service. In the experiment, people were willing to give up their firstborn child or most beloved pet in exchange for Wi-Fi use," said Goh.
The independent investigation was carried out by the UK's Cyber Security Research Institute and SySS, a German penetration testing company. For the research, SySS built a portable Wi-Fi access point from components costing around 200 euros and requiring little technical know-how.