Research finds top politicians easy targets for hackers
Joint research by the Cyber Security Research Institute and the penetration testing company Mandalorian, sponsored by the data protection specialists F-Secure, has exposed worrying levels of vulnerability to cyber attack among the UK’s top legislators.
The research, aimed at highlighting the general level of technological knowledge among the population, found that MPs, MEPs and peers were all unaware of the risks they face when logging onto the internet and that, like the public at large, they receive little or no advice on how to protect themselves.
To show just how easy it is to attack people while they are using mobile devices on the move, a hacker targeted MEP Mary Honeyball’s iPad by providing her with a free wifi service at a coffee bar. Once she had signed on and logged onto her Facebook account, the hacker posted a fake Facebook message asking her to change the password.
The Labour representative for London was browsing on her EU-issued iPad at a coffee bar near the Eurostar terminal. She changed her password – and was astonished to find that the intruder could then post messages on her behalf. He could use Facebook to log in as ‘Mary Honeyball’ to other online services, retrieve and re-set passwords and access her Twitter account to tweet potentially damaging comments.
The intruder was ethical hacker Steve Lord of cybersecurity company Mandalorian. He had Ms Honeyball’s permission to snoop on her browsing activities in an experiment by Peter Warren – chair of the Cyber Security Research Institute – for the Finnish computer security company F-Secure.
An early tech adopter, she was one of the first EU parliamentarians to launch a blog, the Honeyball Buzz (http://thehoneyballbuzz.com). She also tweets prolifically.
Honeyball travels widely in her role as the European Parliament’s Women’s Rights spokesperson. So public wifi on the move is crucial. Planning, logistics and communications with her constituents and parliamentary colleagues all rely on connectivity in hotels, cafes, bars and public buildings.
“I really use public wifi a lot,” she told the experiment team. “And I’m shocked to find out how quickly this could happen.”
Although the EU Parliament had issued her with the iPad to use in her work, Honeyball said she had received no training in cyber security.
Official EU policy is to promote the increasing use of wifi, championed by former Commissioner Neelie Kroes. She campaigned with the slogan ‘Europe loves wifi’. A 2013 EU report recommended more support for greater use of public wifi and shared spectrum, with multiple users on the same frequency.
Kroes’s crusade for connectivity now looks naïve and foolhardy.
For the experiment proves that public wifi hotspots can easily be mocked up by criminals or spies – be they political, commercial or state actors. The software tools required are readily available on the regular internet. There is no need to search underground websites via Tor, nor spend more than a few pounds. http://bit.ly/1gIstY9
Ethical hacker Steve Lord from Mandalorian took just a few hours to produce a dummy hotspot that was convincing enough to fool not only Mary Honeyball but also two veteran Westminster parliamentarians, Lord Strasburger and David Davis.
Lord Strasburger, the Liberal Democrat peer, was staggered to hear that a phone call he made using a VoIP (Voice over Internet Protocol) service, a system now very popular with those wanting to cut mobile phone bills, could be eavesdropped on. Over breakfast at the County Hotel opposite the House of Lords, the experimenters played the call back to him. Within a few metres of the UK’s seat of government, researchers proved how easy it is to gain access to the personal communications of politicians at the highest level.
When interviewer Peter Warren pointed out that the searches he had made – the BBC news website, a rugby club in the West Country – would provide valuable clues to anyone trying to steal his identity, he was visibly shocked. And reflecting on his own role in the law-making process that ought to protect citizens’ digital rights, Lord Strasburger admitted:
“For the past few years it looks like the politicians have been asleep at the wheel.”
Former Conservative Shadow Home Secretary David Davis was the third ‘victim’ in the F-Secure film. He is a campaigner for citizens’ digital rights. With Labour MP Tom Watson he has challenged the British Government in court over its Data Retention and Investigatory Powers Act and won. The High Court judges ruled that sections 1 and 2 of DRIPA are incompatible with our right to a private life and right to protection of personal data, under EU law.
Using the same method of providing a free wifi service for Davis to log onto, the team were once again easily able to break into personal systems. User names and passwords are clearly visible when they are sent to a wifi access point, which means that whoever is controlling the access point can retrieve and use them.
Mandalorian’s Steve Lord cracked Davis’s email password within minutes and then – with access to this high-profile MP’s personal account – composed a fake press release claiming that he had defected to a rival party. That could become a stick of political dynamite! Being totally ethical, the hacker did not press ‘send’ but confronted the MP with the possibility.
“This shows how easy it would be for criminals – and if this isn’t a crime, then it certainly should be,” said Davis, who added that setting up a fake wifi access point in the restaurants, cafes, bars and pubs surrounding Westminster would almost certainly reap a rich haul of credentials from MPs, researchers and civil servants innocently logging onto a free service.
All three politicians – Davis, Strasburger and Honeyball – confessed that they felt inadequately briefed about the potential risks of public wifi.
Yet these are the very people who are setting the digital agenda, shaping regulations that prioritise online free trade at the expense of personal privacy and commercial confidentiality. There are 3,177,331,977 internet users in the world at the time of writing, and 19% of them are in Europe. How many of them would have been tricked by Peter Warren and his team, and how many know how to surf safely?