Wi-Fi hotspot operators have said security is the responsibility of their customers, after the BBC demonstrated a hack of users' email at public open-access hotspots.
In a demonstration aired on Watchdog on Thursday, security vendor Garlik sniffed wireless traffic at hotspots run by BT Openzone, The Cloud, and T-Mobile. The Garlik team used equipment and software that was "readily available on the internet," the programme's makers wrote in a blog post.
"We would always advise users to take precautions, such as using VPNs and firewalls," said Chris Bruce, general manager at BT Openzone. "As Wi-Fi is growing so much in the consumer market, we will be more prominent in our warnings."
Bruce said that with open-access Wi-Fi, operators had to strike a balance between security and accessibility. Business users already tended to use VPNs to reach their corporate networks, he added.
The Cloud also recommended that customers use VPNs. It has not implemented a VPN service of its own because of the number of different internet-capable devices now in use, according to the company's UK managing director, Graham Cove. He added that it is considering redirecting users of the most common devices to device-specific landing pages.
"We open up the network to VPNs, but the onus is on the end user," said Cove. "We may recommend VPNs for the most frequently used devices."
In a statement, T-Mobile also urged customers to mitigate risk by using VPNs. "On the landing page of the HotSpot service, advice is prominently displayed alerting customers they should use free software provided by T-Mobile," the operator said. "This VPN software encrypts the radio link between the laptop and the HotSpot, providing a level of security typically enjoyed by business users."
Watchdog intercepted traffic from two audience members, who had not consented in advance to having their wireless traffic sniffed, and accessed their email inboxes. The BBC told ZDNet UK it had been aware of the possible privacy issues, but that its editorial policy department had given permission to access the audience members' accounts, as this was deemed to be in the public interest. The audience members later gave retrospective permission.
Garlik declined to give any technical details of how it had performed the hacks.