Apr 28, 2011

Wi-Fi security flaw for smartphones puts your credit cards at risk

Millions of smartphone users and BT customers who use Wi-Fi wireless internet "hotspot" connections in public are vulnerable to fraud and identity theft, a Guardian investigation has established.

In tests conducted with volunteers - to avoid breaching telecommunications and computer misuse laws - security experts were able to gather usernames, passwords and messages from phones using Wi-Fi in public places.

In the case of the best-selling Apple iPhone 4 and other smartphone handsets, the information could be harvested without the users' knowledge, and even when they were not actively browsing the web, as long as the phone was switched on.

BT, the UK's biggest provider of such hotspots with five million of its "Openzone" connections in the UK in train stations, hotels and airports, admitted that it has known of the weakness for "years" and that it is working on a permanent fix. But it has no timetable for when it might be implemented.

Using a $49 piece of communications equipment and software freely available for download from the internet, the investigation established that crooks could set up bogus Wi-Fi "gateways" to which the latest generation of mobile phones would automatically connect. Once a connection is established, all the information passing through the gateway can either be read directly or decrypted using software that will run on a laptop.

In another test, a fake Wi-Fi hotspot invited people to "pay" for internet access with their credit card - but required them to click a box to accept terms and conditions which clearly stated "you agree we can do anything we like with your credit card details and personal logins".

A number of people entered their details. The Guardian did not retain any users' details in the experiment.

Not only could the information be used to steal identities, hijack email accounts and commit fraud, but also to gather information about individuals and company employees. With the information gained in our investigation, fraudsters could have bought goods online or sent multiple e-gift vouchers worth as much as $1,000 each to pre-set email addresses. It is believed that such vouchers are already being traded by crooks over the internet.

The attack works because public Wi-Fi hotspots have no form of identification except their name (the SSID), which an off-the-shelf device can mimic. Many smartphones are sold with automatic connectivity to BT's Openzone Wi-Fi hotspots to enhance the contract and reduce the load on the mobile carrier's data network from the phones, while offering faster connectivity.

Jason Hart, chief executive of the security company Cryptocard in Europe, said: "An O2 iPhone will automatically connect, because BT Openzone connectivity is usually part of the package for free internet access. It will pass over its credentials and because it can see the internet through the hotspot, it will start sending and receiving data."

BT, which boasts of having 2.5 million Wi-Fi hotspots available to its 5 million broadband customers said: "This hack is known as 'Evil Twin' and has been known to the industry and others for some years."

The company is working with the Wireless Broadband Alliance, an industry group which aims to help hotspot providers deliver a "reliable and trustworthy" service, to introduce a security system known as 802.1X, which requires devices to authenticate when they connect. But it is not clear whether the devices themselves will be able to detect fake hotspots: under 802.1X a handset only gains that ability if it validates the network's certificate rather than trusting the name alone.

Apple, manufacturer of the top-selling iPhone series, declined to comment. O2 did not respond to requests for comment.

BT broadband customers who agree to allow a part of their Wi-Fi bandwidth to be used publicly are, in turn, allowed to use the Wi-Fi of other subscribers. The resultant Wi-Fi community is called BT Fon and utilises wireless routers – boxes which broadcast the Wi-Fi signals – in people's homes. BT Openzone users have to provide usernames and passwords. Subscribers may use both services through their smartphones. On the first use anywhere, they must give a username and password – but after that, their phones will look for hotspots named "BT Fon" and "BT Openzone" wherever they go and join them automatically.
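The two weaknesses described above, that a hotspot is identified by nothing but its name and that handsets auto-join that name forever after, are what the evil twin exploits. The following script is an added illustration, not code from the Guardian investigation or from BT: it triages a Wi-Fi scan for imposters using only what a client can see before it associates (SSID, BSSID, advertised security mode) and then applies a client-side join policy that only trusts a name over 802.1X, where the network must present a certificate. The scan records, the vendor-prefix (OUI) allowlist and the SSID spellings are all constructed for the example and are assumptions, not BT's real infrastructure.

```python
"""Evil-twin triage over Wi-Fi scan results.

Added illustration for the hotspot weakness described above; it is not code
from the Guardian investigation or from BT. The scan records, the vendor
prefix (OUI) allowlist and the SSID spellings are all constructed for the
example and are assumptions, not BT's real infrastructure.
"""
from collections import defaultdict

# Constructed scan results, in the shape a supplicant or `iw` scan reports them:
# SSID, BSSID (the access point's MAC address), security mode, channel, RSSI (dBm).
SCAN = [
    {"ssid": "BTOpenzone", "bssid": "00:1a:2b:10:20:30", "security": "open", "channel": 1, "rssi": -71},
    {"ssid": "BTOpenzone", "bssid": "00:1a:2b:10:20:31", "security": "open", "channel": 6, "rssi": -68},
    # Same name, a vendor prefix never seen on this operator's kit, and by far
    # the strongest signal: a laptop with a USB radio sitting nearby.
    {"ssid": "BTOpenzone", "bssid": "00:c0:ca:55:55:55", "security": "open", "channel": 11, "rssi": -35},
    {"ssid": "BTFON", "bssid": "00:1a:2b:77:88:99", "security": "open", "channel": 1, "rssi": -75},
    # A second "BTFON" that is locally administered (software AP) and advertises
    # a different security mode from its namesake.
    {"ssid": "BTFON", "bssid": "02:aa:bb:cc:dd:ee", "security": "wpa2-psk", "channel": 6, "rssi": -40},
    {"ssid": "Free Wifi", "bssid": "02:11:22:33:44:55", "security": "open", "channel": 6, "rssi": -45},
    {"ssid": "home-net", "bssid": "a4:2b:8c:01:02:03", "security": "wpa2-psk", "channel": 36, "rssi": -50},
]

# Hypothetical allowlist: vendor prefixes (first three octets of the BSSID)
# seen on access points that previously completed a genuine login for each
# operator SSID. Invented values; a real client would learn these over time.
KNOWN_OUIS = {
    "BTOpenzone": {"00:1a:2b"},
    "BTFON": {"00:1a:2b"},
}

# SSIDs the handset has been taught to join without asking (the article's case).
AUTOJOIN_SSIDS = {"BTOpenzone", "BTFON"}


def oui(bssid):
    """First three octets of a MAC address, lower-cased."""
    return bssid.lower()[:8]


def is_locally_administered(bssid):
    """Bit 1 of the first octet set: the address was made up rather than burned
    in, which is what hostapd-style software access points usually present."""
    return bool(int(bssid[:2], 16) & 0x02)


def find_suspects(scan, known_ouis=KNOWN_OUIS):
    """Return (bssid, reason) pairs for access points that look like imposters.

    Each heuristic is evidence, not proof, because the only thing a client can
    see before it associates is the beacon: name, MAC address and capabilities.
    """
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = []
    for ssid, aps in by_ssid.items():
        modes = sorted({ap["security"] for ap in aps})
        for ap in aps:
            if len(modes) > 1:
                # A real operator does not run one name as open here and
                # WPA2 there; every AP carrying that name becomes suspect.
                findings.append((ap["bssid"], "%s advertised with mixed security modes %s" % (ssid, modes)))
            if ssid in known_ouis and oui(ap["bssid"]) not in known_ouis[ssid]:
                findings.append((ap["bssid"], "vendor prefix %s never seen on %s" % (oui(ap["bssid"]), ssid)))
            if ssid in known_ouis and is_locally_administered(ap["bssid"]):
                findings.append((ap["bssid"], "locally administered BSSID on operator SSID %s" % ssid))
    return findings


def should_autojoin(ap, suspects):
    """Client-side policy that closes the hole the article describes: join
    silently only a trusted name, only over 802.1X (WPA2-Enterprise), where the
    network must present a certificate rather than just a name, and only when
    the scan has not flagged that BSSID."""
    return (ap["ssid"] in AUTOJOIN_SSIDS
            and ap["security"] == "wpa2-eap"
            and ap["bssid"] not in suspects)


def triage(scan):
    """Summarise a scan: flagged BSSIDs and the ones safe to join unattended."""
    findings = find_suspects(scan)
    suspects = {bssid for bssid, _ in findings}
    joinable = [ap["bssid"] for ap in scan if should_autojoin(ap, suspects)]
    return {"findings": findings, "suspects": suspects, "joinable": joinable}


if __name__ == "__main__":
    result = triage(SCAN)
    for bssid, reason in result["findings"]:
        print("SUSPECT %s: %s" % (bssid, reason))
    print("safe to auto-join:", result["joinable"] or "nothing")
```

On the constructed scan the policy joins nothing: every "BTOpenzone" and "BTFON" beacon is open, so none of them can prove who they are, and three of the five are flagged outright. The heuristics deliberately flag the genuine-looking "BTFON" too once its name appears with two security modes, because from the beacon alone the client cannot tell which one is real; that is exactly why a name-only trust model cannot be patched on the client side without 802.1X.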

Stuart Hyde, the Association of Chief Police Officers' lead on e-crime prevention, said: "We became aware of the potential for criminals to use Wi-Fi in this way last year and have become increasingly concerned. All they need is to set themselves up in a public place with a laptop and a mobile router called 'BTOpenzone' or 'Free Wifi' and unsuspecting members of the public come along and connect to them.

"Once that happens, there is software out there that enables them to gather usernames and passwords for each site a user signs in to while surfing the net. And once criminals have access to your email accounts, Facebook account, Amazon history and so on, the potential for fraud and identity theft is very serious indeed.

"Until there are improvements in security, I would advise people to be very wary indeed when using insecure Wi-Fi in public places."

Professor Peter Sommer, a cyber-security expert at the London School of Economics, said: "This is all very alarming. It means that literally millions of people who use Wi-Fi in public could be at risk. If criminals are able to harvest the usernames and passwords of all the websites you visit, they could do significant damage in terms of identity theft and fraud.

"The safest route for existing users of mobile phones, particularly if they use BT Fon or Openzone, is to switch off their Wi-Fi when they leave home and only use it on systems they know to be secure – such as at home or at work. Everywhere else you use Wi-Fi – whether in a coffee shop, an airport, a railway station and especially out in the street – you are taking a calculated risk."

Reference: http://www.guardian.co.uk/technology/2011/apr/25/wifi-security-flaw-smartphones-risk?CMP=twt_gu
