News: 1719812709

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Police allege ‘evil twin’ of in-flight Wi-Fi used to steal passenger’s credentials

(2024/07/01)


Australia’s Federal Police (AFP) has charged a man with running a fake Wi-Fi networks on at least one commercial flight and using it to harvest fliers’ credentials for email and social media services.

The man was investigated after an airline “reported concerns about a suspicious Wi-Fi network identified by its employees during a domestic flight.”

The AFP subsequently arrested a man who was found with “a portable wireless access device, a laptop and a mobile phone” in his hand luggage.

[1]

That haul led the force to also search the man’s home – after securing a warrant – and then to his arrest and charging.

[2]

[3]

It’s alleged the accused’s collection of kit was used to create Wi-Fi hotspots with SSIDs confusingly similar to those airlines operate for in-flight access to the internet or streamed entertainment. Airport Wi-Fi was also targeted, and the AFP also found evidence of similar activities “at locations linked to the man’s previous employment.”

Wherever the accused’s rig ran, when users logged in to the network, they were asked to provide credentials.

[4]

The AFP alleges that details such as email addresses and passwords were saved to the suspect’s devices.

The charges laid against the man concern unauthorized access to devices and dishonest dealings. None of the charges laid suggest the accused used the data he allegedly accessed.

However three charges of “possession or control of data with the intent to commit a serious offence” suggest the alleged perp was alive to the possibilities of using the data for nefarious purposes.

[5]

AFP Western Command Cybercrime detective inspector Andrea Coleman pointed out that free Wi-Fi services should not require logging in through an email or social media account.

Perhaps curiously, she advocated users of public Wi-Fi should “install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet.” He also recommended disabling file sharing, avoiding sensitive apps like banking while using public networks, and manually forgetting connections after use so that devices don’t automatically reconnect to naughty networks.

The accused appeared before a magistrate last week and was released on bail, and on condition he restrict his use of the internet in certain ways. ®

Get our [6]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZoJ@QFhF5loWgU5MVheifwAAAIQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZoJ@QFhF5loWgU5MVheifwAAAIQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZoJ@QFhF5loWgU5MVheifwAAAIQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZoJ@QFhF5loWgU5MVheifwAAAIQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZoJ@QFhF5loWgU5MVheifwAAAIQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://whitepapers.theregister.com/



"on condition he restrict his use of the internet"

Pascal Monett

How naive. Really ? Go back home and be nice is all he gets ?

He knows how to set up this stuff, he will do it again. How is the police going to monitor his connection to be sure he plays nice ? They won't. They don't have the means and, frankly, they have more important criminals to catch - and I'm furious that I have to acknowledge that.

Re: "on condition he restrict his use of the internet"

trindflo

No kidding! They should have at least done something to slow him down, like only allowing him to connect through AOL via dialup.

Re: "on condition he restrict his use of the internet"

RT Harrison

He lives in Australia not the American mid-west... Oh wait...

Name them?

Anonymous Coward

Was his name, "Assange"?

I blame

FlamingDeath

The Wifi-Alliance

Yorick Hunt

"The charges laid against the man concern... dishonest dealings."

If "dishonest dealings" are an indictable offence, why are there so many politicians on the loose?

Eh?

Dave@Home

AFP Western Command Cybercrime detective inspector Andrea Coleman pointed out that free Wi-Fi services should not require logging in through an email or social media account

Pretty much every free WIFI offering asks for these details

Re: Eh?

Anonymous Coward

Right? And even if you have to “sign up”, so many people re-use credentials that there’s a high chance of being able to use their details anyway.

Also, obviously, the VPN hokey is just parroting the nonsense that the VPN peddlers say, too.

Re: Eh?

FrogsAndChips

But 90% of the time they don't bother checking the (fake) email address you have provided and just wave you through the portal.

Re: Eh?

chris street

I mean the number of times that the Ayatollah Khomeni, living at SW1A 1AA * logs in, you have to conclude there is zero checking of these details.... Mind you a little salting and pollution of their mailing lists is always a good thing. If they are harvesting valuable data, then it is not a "free" WiFi is it - so I give them non valuable data so they don't get nabbed for telling porkies.

* Buckingham Palace to save you looking it up

Re: Eh?

VonDutch

Michael Mouse using an info@[wifi provider's domain] logs in on a few access points around the world.

He often agrees to receive their spam emails too.

Re: Eh?

Unoriginal Handle

Michael.Mouse@disney.com

Michel.Souris@disney.fr

Who's been copying my lead ...

Tubz

So charged with unauthorized access to devices and dishonest dealings.- Unless I am missing something, users voluntarily gave up details to access his AP and network services and he stored them like many ISPs do, so what crime was committed, unless he deliberately tried to imitate an airline free wi-fi to get credentials, if he just put up a page saying free wi-fi, then that's the users own fault?

However three charges of “possession or control of data with the intent to commit a serious offence” suggest the alleged perp was alive to the possibilities of using the data for nefarious purposes. - So just because he had the data freely given and that he "could" use it for naughty means, is now a crime, smells like he cops are desperate to pin something on him?

WonkoTheSane

"unless he deliberately tried to imitate an airline free wi-fi to get credentials"

The article says he did exactly that:-

"It’s alleged the accused’s collection of kit was used to create Wi-Fi hotspots with SSIDs confusingly similar to those airlines operate for in-flight access to the internet or streamed entertainment."

Every morning is a Smirnoff morning.