Olympic Surfing: The Hidden Dangers Of Free WiFi

When we think about securing the Olympics, most of us automatically think of physical security: the crowd control, access control and contingency planning that is integral to managing such a big event. Few of us stop to think about the impact on the communication networks that are a lifeline to everyday Londoners.

These networks are about to be joined by at least three massive WiFi networks which aim to bring free communications to the capital during the games. But users should look before they leap as its still possible to fall foul of the hackers when surfing for free.

In keeping with the open spirit of the Olympics, three projects will offer free connectivity to the masses in a bid to present London as the welcoming and technically advanced host. However, while every effort will be made to ensure these networks are secure, there is no way to prevent them being replicated: there will always be ways to ensnare the unsuspecting user.

The first network will see Transport for London provide WiFi access across up to 120 Tube station platforms via Virgin Media. The service will allow Wi-Fi access both below ground and at street level in underground stations with an unlimited service for all Tube passengers during the games (after which access will be available on a subscription basis from Virgin Media).

The second network sees restaurant owner Tragus team up with O2 to offer free Wi-Fi access to any user in and around 120 locations. Franchises such as Cafe Rouge, Strada and Bella Italia restaurants will all be taking part. And finally, O2 will also be creating what it claims is the largest free Wi-Fi network in Europe across Westminster, Kensington and Chelsea, just in time for the Olympics.

By their very nature, these public networks will be unencrypted and offer rich pickings for the criminal fraternity. It’s important to note that the security of these networks is not at issue here: it’s the captive audience they attract who, upon seeing these networks advertised, will connect in their droves.

Attacks such as the Evil Twin can then be brought into play to impersonate these access points using very little equipment often in the rudimentary form of a browser plug-in. The rogue access point, which to all intents and purposes appears identical to the bona fide WiFi hotspot, can then be set-up in the vicinity enabling it to broadcast a stronger signal to ensnare users.

And if that doesn’t work, why not just kick users off the legitimate hotspot? By terminating existing WiFi connections its much more likely that the user will then reconnect to the stronger signal.

During recent research we erected a hotspot in central London to see the type of data it would yield. Although our hotspot did not attempt to impersonate any other network we still attracted a number of connections and were able to establish the type of device, website visits and potentially log-in details for sensitive sites. An Evil Twin would be able to harvest precisely the same data and could even use the link to upload malware to the end device.

Determining whether a hotspot is of the rogue variety or bona fide can be extremely difficult. While it is possible to use tools clientside to detect whether traffic is being sniffed, or a scanning tool to sweep for duplicate access points, the most widely trusted form of authentication by Joe Public – SSL certificates – aren’t really useful because anyone can falsify and send them.

Business users may have an additional layer of protection in the form of client connection technology but the majority of users are unlikely to have this level of protection.

Interestingly, the rogue hotspot problem becomes more of an issue the longer the hotspot is active. Trusted hotspots which the device has previously connected to are often logged on a ‘preferred network’ list which the device runs a check against to save time whenever the device is in the same vicinity. A rogue hotspot need only scan for devices seeking to connect to the legitimate network and capture these packets to identify its sitting targets.

So what can the hapless user do to prevent this scenario? Some best practice advice would be to always ensure you only connect to low risk sites to prevent data leakage and don’t be tempted to log-in to your bank or building society website. Ideally you should try and avoid all log-in services, even Facebook.

And look at the device settings and suspend the ‘preferred network list’ to prevent hotspots being stored (failing that, delete any public hotspots upon disconnect). These tips may seem restrictive, but by limiting activity in this way you might just evade the network sniffer and while that’s not Olympian, it’s certainly no mean feat.

As a Director for Digital Assurance, Phil Robinson is responsible for overseeing technical services including risk assessment, business continuity planning, disaster recovery, gap analysis and information security management system implementation. His areas of expertise include Infrastructure and Application Testing, Risk Assessment, BIA, ISMS, Computer Forensics and Incident Response, Wireless, and Unix Security.