Uni's cyber experts help BBC lay bare the risks of Wi-Fi hotspots
Monday 01 February 2016
The risks of connecting to public Wi-Fi have been exposed in an exclusive experiment by BBC Inside Out West Midlands and Coventry University's cyber security experts.
The programme – which aired Monday 1st of February on BBC One at 8.30pm – highlights security issues associated with logging on to Wi-Fi hotspots that are offered in public places such as cafés and trains, and sees the University's academics simulate what is known as a 'man-in-the-middle' attack.
As part of the BBC's experiment, Dr. Siraj Shaikh and Madeline Cheah – both specialists in cyber security based in the University's Centre for Mobility and Transport – create a rogue access point disguised as a public Wi-Fi hotspot in the BBC's offices in Birmingham's Mailbox.
Volunteering members of the public – who were asked not to use any genuine personal information or passwords – are provided with tablets and smartphones and asked to connect to the hotspot, entering details through a bogus Wi-Fi login page which had been set up as part of the experiment.
The network was not connected to the internet for security reasons – meaning no real websites could be accessed – but Ms Cheah, who was posing as one of the volunteers, was able to intercept all the data which was requested through the bogus login page, as well as details like the type of device and its IP address.
The simulated attack was made possible with the use of a simple device the size of a smartphone, which is used by professional security analysts and enables a user to read and capture traffic over a network.
Although the only data being intercepted in the experiment is fictional information, the academics are keen to point out that in the wrong hands, such technology can be used to access a person's private and personal details without them knowing about it.
Dr Shaikh, reader in cyber security at Coventry University, said:
In today's connected world we're all very accustomed to having Wi-Fi access at our fingertips wherever we go, whether that's in a restaurant, on the bus, or while we're waiting in an airport. Unfortunately the convenience of it often trumps any security concerns we may have, and this has led us into bad habits.
This experiment by the BBC to raise awareness is important and timely, and we were keen to take part to help people understand just how vigilant they need to be to avoid falling victim to this kind of security breach. There are around 270,000 Wi-Fi hotspots in the UK, so they're an easy target for criminals. Our experiment was tightly controlled to ensure we were acting ethically and legally, but somebody with malicious intentions could go a lot further.
Madeline Cheah, who is researching a PhD in automotive cyber security, said:
The BBC experiment and the feedback from the participants afterwards highlighted just how much of a security issue this is, and how vigilant people need to be. It's easy for someone to do in real life what we simulated in the experiment, but they might be capturing bank details and social media passwords instead. It could be the person sitting next to you on the train, and you'd never know it because the technology is compact enough to sit in a small rucksack.
Our advice to people would be to use 3G or 4G wherever possible instead of free Wi-Fi, because it's much less easy to attack. If you're on a laptop, use your mobile phone to set up a personal, secure Wi-Fi hotspot. And if you really need to connect to public Wi-Fi, make sure you use a trusted VPN. VPNs are available as apps for smart devices and are often part of anti-virus suites, and they create a more secure, encrypted pathway for your data.
Coventry University has been teaching the next generation of security professionals to find ways to mitigate the threats posed by cybercrime. Around 50 students graduate each year from the course, many of whom go on to work in industry in roles such as penetration tester and security analyst. You can visit the Ethical Hacking & Cybersecurity MSC degree and MBA focused on Cybersecurity for more information.