Everybody loves free wifi, especially if it means we can get online without incurring expensive roaming charges when a long flight arrives at its destination. But maybe we should think twice about sharing personal information in exchange for free wifi. Do you really know who is supplying the wifi, or what they will do with the data you give them? The Australian Federal Police (AFP) has charged a man who allegedly operated fake free wifi hotspots at airports. The police referred to this as ‘evil twin’ wifi because it mimicked legitimate networks of a type often found in transport hubs like airports, and hence lured passengers into divulging usernames and passwords for other comms services.
The police began their investigation in April following a tip-off from an airline whose employees had identified a suspicious wifi network during a domestic flight. A suspect was soon identified and his baggage was searched when a subsequent flight landed at Perth Airport, at which time the police found and confiscated a portable wireless access device, a laptop and a mobile phone. They also searched his home in Palmyra, a suburb of Perth. These searches yielded evidence of fraudulent wifi webpages. They additionally discovered personal data which had apparently been harvested from dozens of victims.
Evidence suggests the bogus wifi had been provided at the airports serving Perth, Melbourne and Adelaide. Police also believe it was used during flights and at other locations connected to the suspect’s previous work. The login webpages for the fake wifi asked victims to provide credentials associated with their email or social media accounts. Such information could then potentially be used to access those accounts, leading to more personal information being compromised.
The official press release quoted AFP Western Command Cybercrime Detective Inspector Andrea Coleman giving some advice that will please a certain kind of privacy business:
“If you do want to use public WiFi hotspots, install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet.”
The suspect has been charged with:
- three counts of unauthorised impairment of electronic communication, with a maximum penalty of 10 years in prison;
- three counts of possession or control of data with the intent to commit a serious offence, which has a maximum penalty of three years’ imprisonment;
- one count of unauthorised access or modification of restricted data, carrying a maximum penalty of two years’ imprisonment;
- one count of dishonestly obtaining or dealing in personal financial information (the victims’ usernames and passwords), with a maximum penalty of five years in prison; and
- one count of possession of identification information with the intention of committing, or facilitating the commission of, conduct that constitutes the dealing offence, which has a maximum penalty of three years’ imprisonment.
This is not the first time I have heard about crooks targeting the mobile phones of passengers as they pass through an airport. Airports are a very appealing location for harvesting personal data. There is an unusually high concentration of people, almost all of whom have phones. Many passengers want to access wifi to avoid roaming charges. Airports are also an effective location for fake base stations because they can provide the strongest radio signal at a time when people are switching their phones back on and trying to connect to a network. Information about people leaving or entering a country could be used to identify especially vulnerable targets or to circumvent anti-scam controls by logging the mobile phone numbers of individuals who will soon be roaming abroad. Airports are also the kind of place where victims will let their guard down because they are tired and distracted. Instead of just noticing the unusual risk profile of airports, the smart response would be to proactively protect the public by installing honeypot radio devices with the intention of discovering any fake wifi hotspots or base stations that come into range.
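As an added illustration of the monitoring idea above (this code is not from the AFP or any airport operator), the sketch below shows the comparison a listening sensor could run on the wifi beacons it observes, checking each against the venue's own inventory of authorised access points. The network name, BSSIDs, channels and the `Beacon` record are all constructed assumptions, and capturing the beacons themselves is taken as already done.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class Beacon:              # one observed wifi beacon (hypothetical record layout)
    ssid: str
    bssid: str
    channel: int
    security: str          # "open", "wpa2", "wpa3"

# Assumed inventory of the venue's authorised access points (constructed values):
# SSID -> {BSSID: (channel, security)}
AUTHORISED = {
    "Airport Free WiFi": {
        "02:00:00:aa:00:01": (1, "open"),
        "02:00:00:aa:00:02": (6, "open"),
    },
}

def _norm(ssid):
    # Fold case and drop separators so "Airport_Free_Wifi" compares equal.
    return "".join(ssid.casefold().split()).replace("-", "").replace("_", "")

def classify(beacon, inventory=AUTHORISED, lookalike=0.85):
    """Return a finding for a suspicious beacon, or None if legitimate/unrelated."""
    for ssid, aps in inventory.items():
        if beacon.ssid == ssid:
            known = aps.get(beacon.bssid.lower())
            if known is None:
                return "unknown-bssid"        # our name, not our hardware
            if known != (beacon.channel, beacon.security):
                return "profile-mismatch"     # BSSIDs can be copied; settings differ
            return None
        similarity = SequenceMatcher(None, _norm(beacon.ssid), _norm(ssid)).ratio()
        if similarity >= lookalike:
            return "lookalike-ssid"           # near-copy of the venue's name
    return None

def scan_findings(beacons):
    # Keep only beacons that produced a finding.
    return [(b.ssid, b.bssid, f) for b in beacons if (f := classify(b))]

# Constructed sample scan, not real captures.
SAMPLE_SCAN = [
    Beacon("Airport Free WiFi", "02:00:00:aa:00:01", 1, "open"),
    Beacon("Airport Free WiFi", "02:00:00:bb:00:09", 11, "open"),
    Beacon("Airport Free WiFi", "02:00:00:aa:00:02", 3, "open"),
    Beacon("Airport_Free_Wifi", "02:00:00:cc:00:05", 6, "open"),
    Beacon("CoffeeShop", "02:00:00:dd:00:07", 6, "wpa2"),
]
```

A beacon that copies the name, BSSID, channel and security setting of a real access point passes this check, so a deployed sensor would also need signals such as unexpected signal strength or location.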



