The Herod Clause: Open Wifi As Cybersecurity Threat

‘Europe loves wifi’. That is the message from the vice president of the EU Commission Neelie Kroes, and the title of the Digital Agenda for Europe report of 2013 recommending greater use of public and shared wifi hotspots.

But like any love affair, it can end in tears.

A unique experiment backed by Europol (the EU’s police force) has been staged by Finnish security company F-Secure, with Finn Steglich, an ethical hacker from Germany and Peter Warren the chairman of Britain’s Cyber Security Research Institute. It showed just how promiscuous our beloved smartphones, tablets and i-watches can be when it comes to finding any available connectivity – and how this exposes us to risks.

The testers created a dummy wifi hotspot called ‘FreeWifi’ and switched on the access point outside the UK Houses of Parliament in London. Dozens of people logged on, and those using POP3 or IMAP (the most commonly-used email protocols) revealed to the testers their email addresses, user names and passwords. They were revealed in plain text on Finn Steglich’s laptop. The wifi we all love betrayed crucial details too of all the hotspots visited recently by each user and each device. Research shows that with only four earlier hotspot locations visible, it is possible to piece together the user’s identity. Yet on the FreeWifi hotspot in some cases up to nineteen different locations were listed. If Finn Steglich and Peter Warren had been criminals instead of ethical researchers, they could easily have offered this information for sale on the Dark Web, or enslaved the smartphones and tablets in a botnet or simply used the IDs and other credentials to set up false bank accounts for money-laundering.

It is this aspect of free public wifi that really worries Troels Oerting, Europol’s Head of cyber crime, based at The Hague in the Netherlands.

It’s really scary, he says. This experiment shows that we need to encrypt our data and use a VPN so that we cannot spill this data.

It’s really scary, he says. This experiment shows that we need to encrypt our data and use a VPN so that we cannot spill this data.

A VPN or Virtual Private Network is a kind of encrypted ‘tunnel’ through which all the user’s messages and pictures are sent, linked to a secure home server. F-secure manufactures one such VPN called ‘Freedom’ and of course other similar products are available from other manufacturers.

F-secure’s security officer Sean Sullivan explains:

All my communications are routed through the Freedom app to my office computer in Helsinki. So if I come to London and access a free wifi point, it doesn’t matter if it’s not secure. If I’m going to leak data it’s going to be encrypted data.

There are many other forms of encryption using biometrics, password vaults and even facial recognition based on Facebook friends. Yet they are not widely used, since rapid universal access, connectivity and broadband are regarded as more important than individual privacy and safety. Typical users want to be able to watch videos and content-rich websites on the move without constant buffering and delays.

And we cannot only blame the technology, although Peter Warren of the CSRI says that mobile phone operators should do more to make their services transparent. For example, users on 3G and 4G will not usually realise that they have travelled to the edge of a particular cell in the cellular network and so their device has switched over to using the local wifi. Most users travel around with wifi enabled on their devices and so the switchover cannot be perceived. But it exposes them to security risks, as the F-Secure wifi experiment shows. Technically it was easy to accomplish and the kit cost less than 150 euros. It comprised a Raspberry Pi mini-computer of the kind used to teach children how to write code, a long-life battery pack, wifi dongle and wireless router. Strapped together with a few stout elastic bands, the kit was ready for use as a honeytrap for the unwary.

Finn Steglich, the penetration tester from Hamburg-based security firm Syss, says:

Of course I have some IT knowledge but even if I did not, it was easy to find out how to create this wifi hotspot just by searching for a few hours on the Internet.

Steglich’s gizmo was first deployed in a coffee bar in London’s Canary Wharf, a skyscraper housing many banks, insurance and financial services firms as well as a large retail shopping mall. The FreeWifi access point proved popular – in spite of a sting in the tail of the legal Terms and Conditions which users must agree by ticking the box before logging on. This said that in return for free use of the wifi access point they would ‘render up their firstborn child or favourite pet to the provider for all eternity’. Whilst this draconian clause was included in the terms and conditions, six people signed on. The clause had been cleared as legal by technology lawyer Mark Deem of Edwards Wildman. In theory, he says, all terms and conditions are enforceable if they are presented to the user before he or she starts to use the service. But in practice it would not be possible to legal claim ownership of someone else’s children because it runs contrary to public policy – an over-riding condition in English law. After six people had agreed to the clause it was removed for the remainder of the experiment as the testers did not wish to acquire a larger family or menagerie of pets! This condition – known as The Herod Clause, after King Herod in the Bible who claimed the life of all firstborn sons – has ‘gone viral’ around the world since it was revealed. It makes an amusing anecdote but its purpose is serious: to create a new consciousness of the risks inherent in free public wifi.

The F-Secure wifi experiment aims to provide evidence – like the lipstick on the collar of a cheating husband – of how wifi betrays us. Now the politicians – as well as the Europol police – might heed this long overdue wake-up call.

Jane Whyatt
Journalist