The Herod Clause - What would you give up for free WiFi?

A recent experiment in London showed that some people were prepared to give up their first-born children in return for free Wi-Fi! The story is here.

The reality is, how many of us actually read the terms and conditions before we click "agree" on our way to some free surfing?

Here's the story:

A handful of Londoners in some of the capital’s busiest districts unwittingly agreed to give up their eldest child, during an experiment exploring the dangers of public Wi-Fi use.

The experiment, which was backed by European law enforcement agency Europol, involved a group of security researchers setting up a Wi-Fi hotspot in June.

When people connected to the hotspot, the terms and conditions they were asked to sign up to included a “Herod clause” promising free Wi-Fi but only if “the recipient agreed to assign their first born child to us for the duration of eternity”. Six people signed up.

F-Secure, the security firm that sponsored the experiment, has confirmed that it won’t be enforcing the clause.

“We have yet to enforce our rights under the terms and conditions but, as this is an experiment, we will be returning the children to their parents,” wrote the Finnish company in its report.

“Our legal advisor Mark Deem points out that – while terms and conditions are legally binding – it is contrary to public policy to sell children in return for free services, so the clause would not be enforceable in a court of law.”

Ultimately, the research, organised by the Cyber Security Research Institute, sought to highlight public unawareness of serious security issues concomitant with Wi-Fi usage.

The experiment used a mobile hotspot device built for less than £160 by German ethical-hacking company SySS using a Raspberry Pi computer, a battery pack and Wi-Fi aerial, all held together with elastic bands.

I'm pleased they won't be enforcing the clause, but the scary bit comes later in the article:

The device “could have been easily concealed in a woman’s handbag and could be deployed in seconds,” claimed the report. It was first deployed in Cafe Brera in Canada Square, in the heart of Canary Wharf, and later just outside the Queen Elizabeth Centre near the Houses of Parliament.

After the initial Herod clause experiment, the research continued with the terms and conditions removed. In Westminster, 33 devices connected to the hotspot, with researchers startled to find that the popular POP3 email protocol revealed passwords in plain text when used over Wi-Fi.

This vulnerability dates back 13 years to 2001, showing how little effort has been put into fixing a potentially critical issue. If the researchers had been malicious, they could have easily siphoned off critical data like usernames and passwords and logged into people’s accounts.

“The authentication happens in plain text in some old protocols,” F-Secure’s Sean Sullivan told the Guardian. “You could probably snare a lot of people using email… you could do more to refine [an attack] to capture more people’s mail.”

That's actually very scary, yet the allure of free Wi-Fi is really, really strong. Here's the useful information from the end of the article:

But more mundane data can also be useful for hackers. Even when they aren’t connected to a hotspot, devices on average reveal the last 19 access points they hooked up to, the study found.

“It’s a particularly disturbing development as recent research has shown that individuals can be accurately identified by using just the last four access points where they have logged on,” F-Secure’s report read.

Other metadata, such as websites people have visited or their device ID, would also prove useful to criminal or government spies hoping to piece together a fuller picture of targets.

The report concluded that there needs to be much more education around the use of public Wi-Fi, especially hotspots that are of unknown origin. F-Secure is also calling for more transparency from the telecoms industry.

Currently, users are suffering because of “collusion between different branches of the industry”, which has sacrificed security for the sake of usability, the researchers claimed.

“People haven’t had anything to compare it to to wrap their head around,” Sullivan added. “People are thinking of Wi-Fi as a place as opposed to an activity... You don’t do unprotected Wi-Fi at home, why are you doing it in public?”

Sullivan advises users run a Virtual Private Networking (VPN) software product, which will encrypt the data being sent to and from their device.

Turning Wi-Fi off when in public or when around untrusted hotspots can also be helpful wherever and whenever possible. Deleting old and known networks broadcasted by the device can help protect from metadata snoops too.
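
The plaintext POP3 logins the researchers observed can be looked for in your own mail client's debug log. This added example (not from the article or the F-Secure report) flags credential commands sent before a successful STLS upgrade; the `C:`/`S:` transcript format and the sample session are constructed for illustration.

```python
# Added example: audit a POP3 transcript for credentials sent before TLS.
# The transcript below is constructed for illustration, not captured traffic.

CREDENTIAL_COMMANDS = {"USER", "PASS", "APOP", "AUTH"}

SAMPLE_SESSION = """\
S: +OK POP3 server ready
C: CAPA
S: +OK Capability list follows
S: USER
S: STLS
S: .
C: USER alice
S: +OK
C: PASS <redacted>
S: +OK mailbox locked and ready
C: QUIT
"""


def audit_pop3_session(transcript):
    """Report whether STLS was offered or negotiated, and which credential
    commands were sent while the channel was still cleartext."""
    stls_offered = False
    tls_active = False
    pending_stls = False   # client sent STLS, waiting for the server reply
    in_capa = False        # currently reading the CAPA capability list
    exposed = []
    for raw in transcript.splitlines():
        side, _, text = raw.partition(": ")
        text = text.strip()
        if side == "C":
            verb = text.split(" ", 1)[0].upper()
            in_capa = verb == "CAPA"
            pending_stls = verb == "STLS"
            if verb in CREDENTIAL_COMMANDS and not tls_active:
                exposed.append(verb)  # record the verb only, never the argument
        elif side == "S":
            if pending_stls:
                tls_active = text.startswith("+OK")
                pending_stls = False
            elif in_capa:
                if text == ".":
                    in_capa = False
                elif text.upper() == "STLS":
                    stls_offered = True
    return {"stls_offered": stls_offered, "tls_negotiated": tls_active,
            "cleartext_credential_commands": exposed}
```

A result with `stls_offered` true and a non-empty `cleartext_credential_commands` list means the server supports TLS but the client is not configured to use it.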

Good stuff to remember. It got me thinking about this story from a couple of years ago about the feasibility of digital pickpockets using a malicious Android app to read NFC credit cards while they are still in your wallet!

In a talk at the Defcon hacker conference in Las Vegas Friday, Lee demonstrated an Android software tool called NFCProxy that’s capable of both reading and “replaying” data from contactless credit cards–any of the common payment cards with embedded RFID chips that allow payments at retail outlets’ wireless point-of-sale devices like these.

After using a Nexus S phone to read his own contactless Visa card onstage at Defcon, he then used his tool to relay the data a moment later to a point-of-sale device, where it was accepted as a payment. “I’ve just skimmed, abused and spent someone’s credit card within a couple minutes. It’s really simple,” he told the crowd.

That is really scary, and we now have our banks and telcos rushing to get into payments before Apple Pay launches here.

But have they got the security sewn up tight?

2014 is shaping up to be the year of big security scares!