Smartphone wi-fi security flaw leaves users vulnerable to fraud and identity theft, according to a Guardian report.
The so-called ‘evil twin’ attack involves mimicking an existing wi-fi hotspot network. Smartphones are pre-configured by several mobile networks to automatically connect to wi-fi hotspots such as BT’s Openzone.
The hotspots aren’t protected by any form of encryption and are merely identified by the SSID name. Smartphones with wi-fi enabled, including the iPhone, will happily connect to fake hotspots and route internet data through the connection.
Furthermore, devices will automatically send log-in credentials which are liable to be captured. The Guardian report also highlighted the ease of setting up public wi-fi hotspots which redirect to a page to pay for internet access via a credit card.
However it’s the automatic connection to unencrypted networks that’s likely to have wider ramifications. With smartphones connecting to rogue access points, cybercriminals can then place themselves in the data path of all internet access.
"Once that happens, there is software out there that enables them to gather usernames and passwords for each site a user signs in to while surfing the net," Police e-crime prevention lead Stuart Hyde told the Guardian.
"And once criminals have access to your email accounts, Facebook account, Amazon history and so on, the potential for fraud and identity theft is very serious indeed," he added.
A couple of easy fixes are possible for those with the knowledge and inclination to dig into their phone settings, such as turning off wi-fi and deleting any default access points.
However, smartphone operating systems like Android often nudge users to enable wi-fi for the purpose of increasing accuracy in mapping applications such as Google Maps.
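The two conditions the report describes, an open hotspot identified only by its SSID and a saved profile that auto-joins it, can be checked from the client side. The script below is an added example, not code from the article or from the Guardian; it assumes the terse output format of NetworkManager's `nmcli -t` (fields separated by `:` with literal colons escaped as `\:`), as produced by `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show`, `nmcli -g 802-11-wireless-security.key-mgmt connection show <name>` and `nmcli -t -f SSID,BSSID,SECURITY dev wifi list`. All profile, scan and pinned-BSSID data in it is constructed for the demonstration.

```python
"""Audit saved Wi-Fi profiles and a scan listing for 'evil twin' exposure.

Hypothetical helper, not part of the article. Input lines follow the terse
format of NetworkManager's nmcli (`nmcli -t`): ':'-separated fields with
literal colons escaped as '\\:'. All sample data below is constructed.
"""
from __future__ import annotations

WIFI_TYPE = "802-11-wireless"  # nmcli connection type for Wi-Fi profiles


def split_terse(line: str) -> list[str]:
    """Split an `nmcli -t` line on unescaped ':' and drop the escape backslashes."""
    fields: list[str] = []
    cur: list[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # escaped char (e.g. '\:' inside a BSSID)
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def risky_autojoin_profiles(profile_lines: list[str], key_mgmt: dict[str, str]) -> list[str]:
    """Return saved Wi-Fi profiles that auto-connect to an OPEN network.

    profile_lines: lines of `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show`.
    key_mgmt: profile name -> value of 802-11-wireless-security.key-mgmt
              ('' means no encryption configured, i.e. an open hotspot).
    """
    risky = []
    for line in profile_lines:
        name, ctype, autoconnect = split_terse(line)[:3]
        if ctype != WIFI_TYPE or autoconnect != "yes":
            continue
        if key_mgmt.get(name, "") == "":  # no key management: the SSID alone selects the AP
            risky.append(name)
    return sorted(risky)


def flag_possible_twins(scan_lines: list[str], pinned: dict[str, set[str]],
                        autojoin_ssids: set[str]) -> list[tuple[str, str]]:
    """Flag open APs that an auto-join profile would accept but whose BSSID is not pinned.

    scan_lines: lines of `nmcli -t -f SSID,BSSID,SECURITY dev wifi list`
                (SECURITY is empty for open networks).
    pinned: SSID -> BSSIDs previously seen for the genuine hotspot.
    """
    flagged = []
    for line in scan_lines:
        ssid, bssid, security = split_terse(line)[:3]
        if security != "" or ssid not in autojoin_ssids:
            continue  # encrypted, or the device would not join it unprompted
        known = {b.upper() for b in pinned.get(ssid, set())}
        if bssid.upper() not in known:
            flagged.append((ssid, bssid))
    return flagged


# Constructed sample data (not real hotspot or device output).
PROFILES = [
    "BTOpenzone:802-11-wireless:yes",
    "HomeNet:802-11-wireless:yes",
    "CafeFree:802-11-wireless:no",
    "Wired connection 1:802-3-ethernet:yes",
]
KEY_MGMT = {"BTOpenzone": "", "HomeNet": "wpa-psk", "CafeFree": ""}
SCAN = [
    "BTOpenzone:00\\:11\\:22\\:AA\\:BB\\:01:",   # open, previously seen BSSID
    "BTOpenzone:DE\\:AD\\:BE\\:EF\\:00\\:02:",   # open, same SSID, unknown BSSID
    "HomeNet:00\\:11\\:22\\:AA\\:BB\\:10:WPA2",
    "CafeFree:DE\\:AD\\:BE\\:EF\\:00\\:03:",
]
PINNED = {"BTOpenzone": {"00:11:22:AA:BB:01"}}

if __name__ == "__main__":
    risky = risky_autojoin_profiles(PROFILES, KEY_MGMT)
    print("open auto-join profiles to delete or set to manual:", risky)
    for ssid, bssid in flag_possible_twins(SCAN, PINNED, set(risky)):
        print(f"open AP {bssid} broadcasting auto-joined SSID {ssid!r} is not a pinned BSSID")
```

The profile audit is the actionable part: any name it returns is a default access point the article suggests deleting (or at least switching off auto-connect). The BSSID check is only a heuristic, since a rogue access point can also copy the genuine one's MAC address; it catches the simple case of a new radio appearing under a trusted SSID, not a deliberate clone.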