Tech

How to take over the accounts of UK politicians using public Wi-Fi hacks

The results of an experiment using public Wi-Fi against politicians was, as one victim said, "horrifying."

Written by Charlie Osborne, Contributing Writer July 9, 2015 at 4:40 a.m. PT

An experiment using public Wi-Fi networks to break into accounts belonging to UK politicians has highlighted a distinct lack of understanding basic security principles.

In the UK, the new currently budget dominates the news, but last week, comments made by the UK Prime Minister David Cameron caused uproar in the technology space. We know the US and UK have a fondness for surveillance and collecting data en masse, but following Edward Snowden's leaks to the media concerning government spying programs, tech firms began ramping up encryption efforts to make spying more difficult.

This has not sat well with the PM. Cameron, following in the steps of the US FBI director James Comey, wants to ban strong encryption to "ensure that terrorists do not have a safe space in which to communicate."

In other words, encryption protocols which would force officers of the law to go directly to a device owner instead of companies to demand data are not a popular idea for law enforcement and intelligence agencies. Security professionals slammed the demand as outrageous and portraying a lack of basic understanding of how security works.

The results of a recent test conducted by F-Secure suggest this lack of training and understanding trickles down the parliamentary chain.

Three UK politicians, Rt. Hon. David Davis MP, Mary Honeyball MEP and Lord Strasburger gave their consent to be test subjects in a recent experiment which focused on hacking into their devices with the help of public, freely available Wi-Fi networks across London.

The results of the test were revealed by security firm F-Secure on Thursday.

With the help of penetration testing firm Mandalorian Security Services and the UK's Cyber Security Research Institute, F-Secure researchers were able to break into the politician's accounts with relative ease through public Wi-Fi -- which all of the test subjects said they use regularly.

In the case of Rt. Hon. David Davis MP, his email account password was lifted through public Wi-Fi -- shown in plain text at an access point -- and an email was then drafted and left in a press folder which announced his defection to UKIP.

In addition, the password was the same for PayPal, allowing the researchers to compromise an additional account belonging to the politician.

When shown the results, Davis said:

"Well, it's pretty horrifying, to be honest. What you have extracted was a very tough password, tougher than most people use. It's certainly not 'Password.'"

In the case of Lord Strasburger, a Voice over IP (VoIP) call made from his hotel room was intercepted using software freely available online. Strasburger said:

"That's very worrying. This is very powerful equipment. The thought that a beginner could be up and running in a very few hours is really worrying. I think it proves that people (when they are using technology) need to know a lot more about it.
In the end, they have to look after themselves, because it really is down to you, no one else is going to do it."

HACKING TEAM BREACH TIMELINE

Mary Honeyball MEP, who holds a seat -- ironically -- on the EU committee responsible for the 'We love Wi-Fi' campaign, became a victim of a phishing attack. While browsing the Internet in an Internet cafe, Honeyball received a message seemingly from Facebook inviting her to log in to her account. The MEP then gave her credentials to the attacker, who then compromised her account.

Honeyball was particularly concerned about this, as she was using a tablet issued by the EU parliament only days earlier.

"I think something should be done because we all think that passwords make the whole thing secure," Honeyball said. "I always thought that was the point of passwords. I am surprised and shocked."

The experiment demonstrates how easily personal data can be stolen through the convenience of using public Wi-Fi networks. The networks save your mobile data, certainly, and can keep you online while on the road -- but they are far from secure. It is up to us individually to make sure our devices are kept locked up as tightly as possible -- as we cannot expect Wi-Fi operators to do the job for us.

On the political front, if the three willing subjects are an example of the state of things across the board, perhaps our politicians should take the time to learn about the basics of security before trying to impose policies concerning an area they do not understand.

Sean Sullivan, Security Advisor at F-Secure, says people should not be afraid to use public Wi-Fi -- but they do need to protect themselves if using the service.

"They must understand that there are risks and it is their responsibility to protect themselves," Sullivan says. "This is simply done using a piece of software called a Virtual Private Network (or VPN). For phones and tablets, these are available as an app."