Hackers Catch MEP on Public Wifi

A hacker has broken into MEP Mary Honeyball’s email account and posted a fake Facebook message prompting her to change the password. The Labour representative for London was browsing on her EU-issued iPad at a coffee bar near the Eurostar terminal. She changed her password – and was astonished to find that the intruder could then post messages on her behalf. He could use Facebook to log in as ‘Mary Honeyball’ to other online services, retrieve and reset passwords and access her Twitter account to tweet potentially damaging comments.

The intruder was ethical hacker Steve Lord of cybersecurity company Mandalorian. He had Ms Honeyball’s permission to snoop on her browsing activities in an experiment by Peter Warren – chair of the Cyber Security Research Institute – for the Finnish computer security company F-Secure. An early adopter, Honeyball was one of the first EU parliamentarians to launch a blog, the Honeyball Buzz (http://thehoneyballbuzz.com). She also tweets prolifically.

Honeyball travels widely in her role as the European Parliament’s Women’s Rights spokesperson. So public wifi on the move is crucial. Planning, logistics and communications with her constituents and parliamentary colleagues all rely on connectivity in hotels, cafes, bars and public buildings.

– I really use public wifi a lot, she told the experiment team. And I’m shocked to find out how quickly this could happen.

Although the EU Parliament had issued her with the iPad to use in her work, Honeyball said she had received no training in cyber security.

Official EU policy is to promote the increasing use of wifi, championed by former Commissioner Neelie Kroes. She campaigned with the slogan ‘Europe loves wifi’. A 2013 EU report recommended more support for greater use of public wifi and shared spectrum, with multiple users on the same frequency.

Kroes’s crusade for connectivity now looks naïve and foolhardy.

For the experiment proves that public wifi hotspots can easily be mocked up by criminals or spies – be they political, commercial or state actors. The software tools required are readily available on the regular internet. There is no need to search underground websites via Tor, nor spend more than a few dollars. http://bit.ly/1gIstY9

Ethical hacker Steve Lord from Mandalorian took just a few hours to produce a dummy hotspot that was convincing enough to fool not only Mary Honeyball but also two veteran Westminster parliamentarians, Lord Strasburger and David Davis.

Lord Strasburger, the Liberal Democrat peer, was staggered to hear that a phone call he made using a VoIP (Voice over Internet Protocol) service could easily be hacked. Over breakfast at the County Hotel opposite the House of Lords, the experimenters played the call back to him. Within a few metres of the UK’s seat of government, researchers proved how easy it is to gain access to the personal communications of politicians at the highest level.

When interviewer Peter Warren pointed out that the searches he had made – the BBC news website, a rugby club in the West Country – would provide valuable clues to anyone trying to steal his identity, he was visibly shocked. And reflecting on his own role in the law-making process that ought to protect citizens’ digital rights, Lord Strasburger admitted:

– For the past few years it looks like the politicians have been asleep at the wheel.

Former Conservative Shadow Home Secretary David Davis was the third ‘victim’ in the F-Secure film. He is a campaigner for citizens’ digital rights. With Labour MP Tom Watson he has challenged the British Government in court over its Data Retention and Investigatory Powers Act (DRIPA) and won. The High Court judges ruled that sections 1 and 2 of DRIPA are incompatible with our right to a private life and right to protection of personal data, under EU law.

Mandalorian’s Steve Lord cracked Davis’s email password within minutes and then – with access to this high-profile MP’s personal account – composed a fake press release claiming that he had defected to a rival party. That could become a stick of political dynamite! Being totally ethical, the hacker did not press ‘send’ but confronted the MP with the possibility.

– This shows how easy it would be for criminals – and if this isn’t a crime, then it certainly should be, Davis responded.

All three politicians – Davis, Strasburger and Honeyball – confessed that they felt inadequately briefed about the potential risks of public wifi.

Yet these are the very people who are setting the digital agenda, shaping regulations that prioritise online free trade at the expense of personal privacy and commercial confidentiality. There are 3,177,331,977 internet users in the world at the time of writing, and 19% of them are in Europe. How many of them would be tricked by Peter Warren and his team, and how many know how to surf safely?

http://bit.ly/1UlRO8t

by Jane Whyatt