The weaponisation of WiFi

New research shared with the New Statesman reveals how hackers launched nearly 1,600 fake WiFi networks in central London to spy on the public.


In October 2017, it emerged that suspected Russian agents had launched an unconventional intelligence operation in Europe. The agents equipped a small fleet of drones with WiFi routers, and then flew them to NATO bases in Poland and Estonia. As the aircraft approached the military compounds, soldiers’ smartphones began connecting to the WiFi.

According to the Wall Street Journal, the Russian agents exploited these connections to compromise devices, identify troop numbers and steal sensitive personal information that could later be used in intimidation campaigns. NATO described the incident at the time as an example of the “hybrid challenge” allied troops were facing.

The weaponisation of WiFi is not confined to the military, however. In major global cities, WiFi networks have quietly become prized assets for cyber criminals. New research shared with the New Statesman reveals that, between August 2018 and August 2019, nearly 1,600 fraudulent WiFi networks were in operation across central London, imitating familiar brands such as O2, BT and Hyatt.

Zimperium, the mobile security provider which produced the research, blocked 5,561 attacks over the course of the year. But given that only a small percentage of phones would have been running Zimperium’s software in the studied area, it’s possible that tens of thousands more attacks would have gone undetected, exposing users’ data and potentially leaving their devices vulnerable to further surveillance.

So-called “man in the middle attacks” exploit a fundamental weakness in the way mobile devices rejoin networks they have used before: for an open network there is nothing the phone can check before it connects. “The dumbest part of smartphones is the phone introduces itself to the network, not the other way around,” explains Zimperium’s JT Keating. “So the phone literally goes through every network it’s ever connected to and says: ‘Hey are you Starbucks? Hey are you Google? Hey are you Marriott?’ All it takes is for the network to go, ‘well yes I am,’ and then it connects.”

Owning a network enables hackers to watch the traffic that passes through and “see what passwords float by”, says Keating. While most major websites now encrypt traffic with HTTPS, making it harder for hackers to intercept passwords in transit, the study suggests that they have not been deterred from trying. Redirecting users to phishing sites, which the attacker-controlled network can do for any unencrypted request, is a common way to steal login credentials. “But the ultimate objective,” says Keating, “is to be persistent on the device.”

There are two common ways hackers exploit WiFi to break into a smartphone. The network may send users to a fake version of a popular website that delivers malicious code without their knowledge. Alternatively, hackers can deliver browser exploits through the “captive portal”, the page which first appears when a user joins a new WiFi network and which the network operator fully controls. On a phone with unpatched software, simply agreeing to the terms and conditions may be enough to deliver the payload.
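As an added illustration that is not part of the article or of Zimperium’s research, the Python below models the rejoin behaviour Keating describes (a phone auto-joins any access point whose name and security type match a remembered profile) and runs a simple evil-twin check over a scan of beacon frames. Every SSID, BSSID, saved profile and the “expected security” watch-list are assumptions constructed for the example; no real access point data is used.

```python
# Added example, not from the article or from Zimperium. It models the rejoin
# behaviour described above and a simple evil-twin check over a WiFi scan.
# All SSIDs, BSSIDs, saved profiles and the expected-security watch-list are
# constructed for illustration; no real access point data is used.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One access point as seen in a scan (one beacon frame)."""
    ssid: str
    bssid: str          # AP MAC address
    channel: int
    security: str       # "open", "wpa2-psk" or "wpa2-eap"


@dataclass(frozen=True)
class SavedNetwork:
    """A profile the phone remembers and will auto-join."""
    ssid: str
    security: str


def would_autojoin(saved, beacon):
    """The phone joins any AP whose SSID and security type match a saved profile.

    For an open profile there is nothing to verify, so any AP that answers
    "yes I am <SSID>" is accepted: the behaviour Keating describes. A
    WPA2-PSK profile is safer because a rogue AP cannot complete the
    four-way handshake without the passphrase (it can still capture the
    client's handshake message for offline cracking). An EAP profile is only
    safe if the client validates the authentication server's certificate.
    """
    return any(s.ssid == beacon.ssid and s.security == beacon.security
               for s in saved)


def find_evil_twins(beacons, expected_security):
    """Return (bssid, ssid, reason) for suspicious APs in a scan.

    Two heuristics:
      1. the same SSID advertised with different security types, where the
         open copy is the likely impostor;
      2. a brand SSID from the watch-list seen with a security type other
         than the one it is known to use.
    """
    by_ssid = defaultdict(list)
    for b in beacons:
        by_ssid[b.ssid].append(b)

    findings = []
    for ssid, aps in by_ssid.items():
        kinds = {b.security for b in aps}
        if len(kinds) > 1:
            for b in aps:
                if b.security == "open":
                    findings.append((b.bssid, ssid, "open twin of a secured SSID"))
        want = expected_security.get(ssid)
        if want is not None:
            for b in aps:
                if b.security != want:
                    findings.append((b.bssid, ssid, f"expected {want}, saw {b.security}"))
    return findings


# Constructed scan: a hotel SSID served legitimately on WPA2 and by an
# impostor AP offering the same name open, plus a spoofed coffee-shop
# hotspot that a phone with an open profile would silently rejoin.
SCAN = [
    Beacon("Hotel_Guest", "aa:bb:cc:00:00:01", 6, "wpa2-psk"),
    Beacon("Hotel_Guest", "aa:bb:cc:00:00:02", 11, "wpa2-psk"),
    Beacon("Hotel_Guest", "de:ad:be:ef:00:01", 1, "open"),       # impostor
    Beacon("Coffee_Free_WiFi", "de:ad:be:ef:00:02", 6, "open"),  # impostor
    Beacon("Office_Corp", "aa:bb:cc:00:00:03", 36, "wpa2-eap"),
]

# Constructed watch-list: the security type each brand SSID is known to use.
EXPECTED = {"Hotel_Guest": "wpa2-psk", "Office_Corp": "wpa2-eap"}

# Constructed list of profiles the phone remembers.
SAVED = [SavedNetwork("Coffee_Free_WiFi", "open"),
         SavedNetwork("Office_Corp", "wpa2-eap")]


def phone_would_join(scan=SCAN, saved=SAVED):
    """BSSIDs the phone would connect to without asking, in scan order."""
    return [b.bssid for b in scan if would_autojoin(saved, b)]


if __name__ == "__main__":
    for bssid, ssid, why in find_evil_twins(SCAN, EXPECTED):
        print(f"SUSPECT {bssid} '{ssid}': {why}")
    print("phone would auto-join:", phone_would_join())
```

The point of the two functions together: the detector flags the open “Hotel_Guest” twin because a secured copy of the same name exists, but the spoofed coffee-shop hotspot raises no alarm at all, and the phone joins it anyway because its saved profile is open. Removing or disabling auto-join for open profiles is the practical fix the model suggests.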

For sophisticated hackers, breaching a personal device is often just the first part of a grander plan. If a phone has been compromised, a user who returns to their office and joins the work WiFi carries the attacker’s foothold inside the corporate network. This, says Keating, is one of the easiest ways to hack into an organisation.

Most of the attacks in London took place around major tourist spots. Zimperium’s analysis shows that it thwarted a high number of attacks in Soho, Mayfair and Fitzrovia. But there were also distinct clusters in the City and Westminster. “What we see in cities like London,” says Keating, “is significant concentrations around government buildings and [...] significant concentrations around tourist environments.”

On the streets surrounding the Palace of Westminster and Parliament Square, at least a dozen “critical attacks” were blocked by Zimperium’s software, which is typically used by government agencies and major businesses. While this suggests that a number of fraudulent networks had been established in the area, the analysis does not show the number of attacks on phones which were not protected by mobile security software and may have been successfully compromised.

In 2016, hackers reportedly working for Russia breached the personal email account of John Podesta, chairman of Hillary Clinton’s presidential campaign, through a phishing email, exposing thousands of messages. A year later, a sustained brute-force attack on the Palace of Westminster’s email system compromised dozens of parliamentary accounts.

The National Cyber Security Centre (NCSC), which launched in 2016, meets with politicians from all parties in Westminster every quarter as part of its work to protect British democracy. In late October its director, Ciaran Martin, warned that “too many basic attacks” in the UK are still succeeding. “There are too many incidents causing too much harm.”

The NCSC says that one of the simplest ways individuals can protect themselves is to ensure that their phones are constantly updated with the latest software. Members of the public and politicians alike would do well to follow the advice. After all, as Zimperium’s research shows, it isn’t just NATO troops who are finding themselves in the cross-hairs of hackers.

Oscar Williams is editor of the New Statesman's sister site NSTech.