Jason Hart, chief executive of the security company Cryptocard in Europe, said: "An O2 iPhone will automatically connect, because BT Openzone connectivity is usually part of the package for free internet access. It will pass over its credentials and because it can see the internet through the hotspot, it will start sending and receiving data."
BT, which boasts of having 2.5 million Wi-Fi hotspots available to its 5 million broadband customers said: "This hack is known as 'Evil Twin' and has been known to the industry and others for some years."
The company is working with the Wireless Broadband Alliance, an industry group which aims to help hotspot providers deliver a "reliable and trustworthy" service, to introduce a security system known as 802.1x, which forces detailed authorisation when devices connect. But it is not clear whether the devices themselves will be able to detect fake hotspots.
Apple, manufacturer of the top-selling iPhone series, declined to comment. O2 did not respond to requests for comment.
BT broadband customers who agree to allow a part of their Wi-Fi bandwidth to be used publicly are, in turn, allowed to use the Wi-Fi of other subscribers. The resultant Wi-Fi community is called BT Fon and utilises wireless routers – boxes which broadcast the Wi-Fi signals – in people's homes. BT Openzone users have to provide usernames and passwords. Subscribers may use both services through their smartphones. On the first use anywhere, they must give a username and password – but after that, their phones forever hunt out hotspots with the names "BT Fon" and "BT Openzone" hotspots automatically, and will join them.
Stuart Hyde, the Association of Chief Police Officers' lead on e-crime prevention, said: "We became aware of the potential for criminals to use Wi-Fi in this way last year and have become increasingly concerned. All they need is to set themselves up in a public place with a laptop and a mobile router called 'BTOpenzone' or 'Free Wifi' and unsuspecting members of the public come along and connect to them.
"Once that happens, there is software out there that enables them to gather usernames and passwords for each site a user signs in to while surfing the net. And once criminals have access to your email accounts, Facebook account, Amazon history and so on, the potential for fraud and identity theft is very serious indeed.
"Until there are improvements in security, I would advise people to be very wary indeed when using insecure Wi-Fi in public places."
Professor Peter Sommer, a cyber-security expert at the London School of Economics, said: "This is all very alarming. It means that literally millions of people who use Wi-Fi in public could be at risk. If criminals are able to harvest the usernames and passwords of all the websites you visit, they could do significant damage in terms of identity theft and fraud.
"The safest route for existing users of mobile phones, particularly if they use BT Fon or Openzone, is to switch off their Wi-Fi when they leave home and only use it on systems they know to be secure – such as at home or at work. Everywhere else you use Wi-Fi – whether in a coffee shop, an airport, a railway station and especially out in the street – you are taking a calculated risk."
参考:http://www.guardian.co.uk/technology/2011/apr/25/wifi-security-flaw-smartphones-risk?CMP=twt_gu
No comments:
Post a Comment