Millions of users connecting every day to public WiFi networks in the UK’s capital are putting their sensitive data at risk, as more than half of those wireless hotspots use weak protection hackable by ‘every IT college student,’ a world-leading cyber security firm has said.
Presenting the findings of its global WiFi hack experiment, Prague-headquartered Avast, the maker of the world’s most popular antivirus software, said London scored the worst of the three European cities examined in the experiment but fared much better than a trio of Asian metropolises involved.
“In that experiment, our experts flew into nine cities around the world,” explained Avast spokesperson Marina Ziegler. “In Europe it was London, Barcelona and Berlin and in London we found that 54 per cent of routers were weakly encrypted and easily accessible to hackers.”
According to Avast’s virus analyst Filip Chytry, many public routers use default passwords, allowing hackers to access private data transmitted via the network, including browsing history, passwords and emails.
“Many routers are either completely unsecured or have very weak or even default passwords,” Chytry said. “That means that if a hacker walks into a pub, he can access the router’s settings and for example reroute the traffic via another malicious server. That’s very easy. Every IT college student can do that.”
A similar operation can be performed by skilled hackers remotely via the Internet with identical results.
“If you have a router with an open IP address, it can be accessed from outside the Internet and if you keep a default password, the hacker can then easily find it, change the DNS to reroute the traffic via his server and you as a user won’t see any difference but you are in trouble,” Chytry explained.
The vulnerabilities are of even graver concern because the experiment revealed that most web browsing still takes place via unprotected HTTP websites, which expose all data to the attacker, including passwords and usernames, as plain text without any encryption.
According to Avast, the situation is most serious in Asia, where 97 per cent of websites were found to still run the weak HTTP protocol. For comparison, only one third of US traffic and one quarter of European traffic was found to use HTTP.
“If you are transferring your data via the HTTP protocol, for example if you have a blog, which you think doesn’t need to be secured properly, you will be using your email and your password to log in,” Chytry explained. “And with the HTTP those data can be read as plain text without any encryption and the credentials could be used in different systems. Even though everyone tells you that you shouldn’t be using the same credentials for different services, the truth is that most people do exactly that.”
The study also found that globally between 80 and 99 per cent of users would connect to a completely unsecured public WiFi hotspot without a second thought. South Korea scored the worst, with 99 out of 100 users using unsecured public WiFi networks. Residents of Barcelona and San Francisco proved to be the most cautious, with only 80 out of 100 users connecting to the unprotected networks. London fared slightly worse, with 83 out of 100 users.