Times of London
May 4, 2007
Computer users have been warned of the dangers of using wi-fi hotspots after it emerged that cyber-criminals are targeting the networks in café chains including Starbucks.
Times Online has uncovered evidence that criminals are using a technique known as an ‘evil twin attack’, where victims think that they are logging on to the genuine network in a café but are in fact being diverted to a ‘rogue’ connection.
Once logged on to the twin network, the victim’s every keystroke is captured by the fraudster, who controls the connection from a nearby laptop and uses it to extract information for the purpose of committing identity fraud.
In a chatroom used to discuss the technique, also known as a ‘man in the middle’ attack, Times Online saw information changing hands about how security at wi-fi hotspots – of which there are now more than 10,000 in the UK – can be bypassed.
During one exchange in a forum entitled ‘T-Mobile or Starbucks hotspot’, a user named aarona567 asks: “will a man in the middle type attack prove effective? Any input/suggestions greatly appreciated?”
“It’s easy,” a poster called ‘itseme’ replies, before giving details about how the fake network should be set up. “Works very well,” he continues. “The only problem is,that its very slow ~3-4 Kb/s….”
Another participant, called ‘baalpeteor’, says: “I am now able to tunnel my way around public hotspot logins…It works GREAT. The dns method now seems to work pass starbucks login.”
From the language used, the criminals appear to be US-based, though at one point one says: “i doubt that the architecture of the tmobile hotspot networks in europe varies from the technologies deployed here in the US.”
T-Mobile, which runs a network of 2,000 hotspots, including those in Starbucks cafés, said it was aware of the technique, but was yet to have any incident reported in the UK. It advised customers to update their virus protection software and “ensure they were connected to a valid, certified website.”
Security experts said, however, that safeguards such as digital certificates could not always guarantee protection, and that users would continue to be fooled by imitation sites, which were increasingly sophisticated.
“This is the most pressing current security threat that remains to be addressed,” Paul Cronin, technical director at Pentura, which test wireless security, said. “People are spending all this money on firewalls and yet their machines with wireless cards immediately go searching for the nearest network.”
“It’s shocking how easy it is to set up a ‘soft access point’ and get devices to connect to it,” he added
A police source said that evil twin attacks were ‘not uncommon’, but that they mostly went undiscovered. The problem was being “talked about”, according to a spokeswoman for the Metropolitan Police, but she said there had been no reports of any crimes yet.
In a speech about wireless security last week, Phil Cracknell, a technology officer at Deloitte’s, said: “This type of attack where the operator sits around and harvests details while you are connected to the hotspot is destined to become the new type of phishing.
“All you need to clone the Starbucks hotspot is a laptop, and the software can be configured within two hours,” Mr Cracknell told an audience at InfoSec, in London.
Paul Vlissidis, technical director at NCC, another security firm, said: “It’s a more costly scam to run, but we’ll certainly see it happen as the number of wireless networks continues to grow.”
There are now more than 10,000 hotspots across the UK, and blanket wi-fi coverage is now offered in large portions of Manchester, Edinburgh and, as of last week, the City of London.