A smartphone wi-fi security flaw leaves users vulnerable to fraud and identity theft, according to a Guardian report.
The so-called 'evil twin' attack involves mimicking an existing wi-fi hotspot network. Smartphones are pre-configured by several mobile networks to automatically connect to wi-fi hotspots such as BT's Openzone.
The hotspots aren't protected by any form of encryption and are merely identified by the SSID name. Smartphones with wi-fi enabled, including the iPhone, will happily connect to fake hotspots and route internet data through the connection.
Furthermore, devices will automatically send log-in credentials which are liable to be captured. The Guardian report also highlighted the ease of setting up public wi-fi hotspots which redirect to a page to pay for internet access via a credit card.
However, it's the automatic connection to unencrypted networks that's likely to have wider ramifications. With smartphones connecting to rogue access points, cybercriminals can then place themselves in the data path of all internet access.
"Once that happens, there is software out there that enables them to gather usernames and passwords for each site a user signs in to while surfing the net," Police e-crime prevention lead Stuart Hyde told the Guardian.
"And once criminals have access to your email accounts, Facebook account, Amazon history and so on, the potential for fraud and identity theft is very serious indeed," he added.
A couple of easy fixes are possible for those with the knowledge and inclination to dig into their phone settings, such as turning off wi-fi and deleting any default access points.
However, smartphone operating systems like Android often nudge users to enable wi-fi for the purpose of increasing accuracy in mapping applications such as Google Maps.