SOURCE: F-Secure Corp.

F-Secure Corp.

July 09, 2015 10:34 ET

Three Politicians From the UK House of Parliament Hacked Over Public Wi-Fi

F-Secure's Experiment Demonstrates the Ease With Which Email, Finance and Social Networking Details Can Be Stolen While Using Free Wi-Fi in Cafes, Hotels and Other Public Places

SAN JOSE, CA--(Marketwired - Jul 9, 2015) - An investigation conducted in London has shown the ease with which personal data can be hacked when the target is using public Wi-Fi. Security and privacy software company F-Secure teamed up with penetration testing expert Mandalorian Security Services and the Cyber Security Research Institute to conduct the test -- in this case, hacking into the devices of three politicians.

The politicians, deliberately selected from the most powerful chambers in UK politics, were Rt. Hon. David Davis MP, Mary Honeyball MEP and Lord Strasburger. The exercise was carried out with the permission of the politicians who, despite holding important positions within the different parliaments, admitted that they had received no formal training or information about the relative ease with which computers can be breached while using public Wi-Fi, a service they all admitted to using regularly.

Commenting on his email being accessed, Davis said, "Well, it's pretty horrifying, to be honest. What you have extracted was a very tough password, tougher than most people use. It's certainly not 'Password'." Alarmingly, the password would have been broken no matter how strong it was. Public Wi-Fi is inherently insecure, usernames and passwords are shown in plain text in the back of a Wi-Fi access point, making them simple for a hacker to steal.

To underline the risk, an email was drafted by ethical hackers Mandalorian and left in his drafts folder destined for the national press, announcing his defection to The UK Independence Party (UKIP). His PayPal account was then compromised, as it used the same username and password as his Gmail, a common habit.

In the case of Lord Strasburger, a Voice over IP (VoIP) call he made from a hotel room was intercepted and recorded using technology freely available on the Internet, and relatively easy to master.

"That's very worrying," said Strasburger. "This is very powerful equipment. The thought that a beginner could be up and running in a very few hours is really worrying. I think it proves that people (when they are using technology) need to know a lot more about it. In the end, they have to look after themselves, because it really is down to you, no one else is going to do it."

Mary Honeyball MEP, who sits on the EU committee responsible for the 'We Love Wi-Fi' campaign, was browsing the Internet in a café when the ethical hacker sent her a message, seemingly from Facebook, which invited her to log back into her account, as it had timed out. This was how she unwittingly gave her login credentials to the hacker, who then accessed her Facebook account.

Honeyball, who was using a tablet issued to her only days before by the European Parliament's technology officers, was particularly concerned about the lack of advice she had been given.

"I think something should be done because we all think that passwords make the whole thing secure. I always thought that was the point of passwords. I am surprised and shocked," she said.

Each hack not only demonstrated the simple steps a hacker can take to circumvent password-protected services, but also how the personal data could be used for further attacks.

"The average person will think that a hacker knowing which sports team I follow is a pretty useless piece of information," said Steve Lord, director at Mandalorian. "But once he knows that, he can craft a phishing email specifically for you and your likes, knowing that you will be more likely to open it. Once you click on a link within that email or open an attachment, they have you, they will load malware onto your devices and then you will end up giving away all of your information. Not only that, but your company information too, if you use your devices to access the company network."

Sean Sullivan, security advisor at F-Secure, has this advice for people using public Wi-Fi, "People shouldn't be afraid to use public Wi-Fi, it's a fantastic service, but they must understand that there are risks and it is their responsibility to protect themselves. This is simply done using a piece of software called a Virtual Private Network (or VPN). For phones and tablets, these are available as an app. Our Freedome VPN will encrypt all data travelling from the device to the network, meaning that the hacker will steal nothing of use. Simply turning it on gives you the best protection you can possibly have to stay safe over public Wi-Fi, so you can focus on what you're doing instead of worrying about staying safe."

More information:

The Great Politician Hack - Podcast and Video
Freedome

F-Secure - Switch on freedom

F-Secure has been defending tens of millions of people around the globe from digital threats for over 25 years. Our award-winning products protect people and companies against everything from crimeware to corporate cyberattacks, and are available from over 6000 resellers and 200 operators in more than 40 countries. We're on a mission to help people connect safely with the world around them, so join the movement and switch on freedom!

Founded in 1988, F-Secure is listed on NASDAQ OMX Helsinki Ltd.

f-secure.com | twitter.com/fsecure | facebook.com/f-secure

Mandalorian

Mandalorian was founded in 2005 and has been delivering high quality, high value security assessment services ever since. As a boutique consultancy, Mandalorian provide a professional, personal service with consistent commercial and technical support and a commitment to being as easy to work with as possible. To support this, Mandalorian's certifications demonstrate our technical capabilities in delivering a wide variety of testing services. Particular strengths include bespoke testing of all manner of devices, systems and applications. Whilst based in the UK, Mandalorian provide services around the globe to both the Public and Private sector including organisations in Defence, Government and Finance.

For additional information, call +44(0)1256 830 146, email info@mandalorian.com or visit http://www.mandalorian.com.