Nearly half of home Wi-Fi networks can be hacked in less than five seconds, according to a new study based on a so-called 'ethical hacking' experiment conducted across six UK cities.
All in all nearly 40,000 networks were revealed as high-risk, opening up the personal data of thousands of individuals, says the company that arranged the test, a 'life assistance' (we think this means insurance) company called CPP.
In the test (an example of so-say "Wi-jacking") a hacker travelled within the main arterial routes of each city within a four-mile radius, using basic 'WarDriving' equipment. The aim was to identify networks that emanated wireless signals excessively into a public place. All information received beyond the type of network and level of security was deleted and we are assured the guy did not connect to any of these networks or crack any associated passwords.
It seems we are quite trusting, by the way. In order to review the potential issues around public hotspots, the chap says he used a portable wireless network router to attract users to connect with their wireless devices to see whether they would trust existing wireless connections and understand what potential information they were exposing.
According to his probes, nearly a quarter of private wireless networks had no password whatsoever attached, making them immediately accessible to criminals. This is despite the majority (82%) of UK residents (according to allied market research the firm did for this exercise) mistakenly thinking their network is secure.
Why is all this so bad? Hacking into a private network not only allows unscrupulous individuals to cloak criminal activities such as purchasing illegal pornography or selling on stolen goods - it also allows them to view the private transactions made by individuals over the network, accessing passwords and usernames which can then be used to impersonate the victim and commit identity fraud and other illegal activities. Worryingly, only one in 20 people knows for certain that their network has been used without their permission, indicating that the vast majority remain ignorant of the risk.
It gets worse. While nearly one in five wireless users say they regularly use public networks, hackers (it's not clear if this was the same guy or others), we are told, were able to 'harvest' usernames and passwords from unsuspecting people at a rate of more than 350 an hour, sitting in town-centre coffee shops and restaurants. In addition, the experiment showed that more than 200 people unsuspectingly logged onto a fake Wi-Fi network over the course of an hour, putting themselves at risk from fraudsters who could harvest their personal and financial information.
"This report is a real eye-opener in highlighting how many of us have a cavalier attitude to Wi-Fi use, despite the very real dangers posed by unauthorised use. We urge all Wi-Fi users to remember that any information they volunteer through public networks can easily be visible to hackers. It's vital they remain vigilant, ensure their networks are secure and regularly monitor their credit reports and bank statements for unsolicited activity," warned the experiment's sponsor, CPP.
As this experiment demonstrates, all a hacker requires is a laptop computer and widely available software to target his victims. This also has given us some actual data in terms of proportions of unsecured networks: in London, for example, out of 14,908 networks detected no less that 4,746 were not secure; in Manchester, 2,894 of which 870 were open; and so on.
Stunt or real expose of danger? Probably a bit of both. But as IT training provider Firebrand's CEO Robert Chapman puts it, "It appears this problem is still not being taken seriously by enough companies and individuals. One day - probably soon - there is going to be a security breach that does irreversible damage. Will it be only then that people wake up to this threat?"
Anyone reading that who thinks he's talking tosh - well, I wonder how secure your home Wi-Fi is?
Next week (18th to 20th October) is National Identity Fraud Prevention Week, which obviously helped prompt this as a PR exercise, sure - but it's also quite a good time to review one's security anyway, personal and corporate.