Police allege 'evil twin' of in-flight Wi-Fi used to steal passenger's credentials

Australia's Federal Police (AFP) has charged a man with running a fake Wi-Fi network on at least one commercial flight and using it to harvest flier credentials for email and social media services. The man was investigated after an airline "reported concerns about a suspicious Wi-Fi network identified by its employees during a …

  1. Pascal Monett Silver badge
    Flame

    "on condition he restrict his use of the internet"

    How naive. Really ? Go back home and be nice is all he gets ?

    He knows how to set up this stuff, he will do it again. How is the police going to monitor his connection to be sure he plays nice ? They won't. They don't have the means and, frankly, they have more important criminals to catch - and I'm furious that I have to acknowledge that.

    1. trindflo Silver badge
      Joke

      Re: "on condition he restrict his use of the internet"

      No kidding! They should have at least done something to slow him down, like only allowing him to connect through AOL via dialup.

      1. RT Harrison
        Joke

        Re: "on condition he restrict his use of the internet"

        He lives in Australia not the American mid-west... Oh wait...

    2. Our Lord and Savior Rahl

      Re: "on condition he restrict his use of the internet"

      At the moment he's been tried rather than convicted - he's bailed till his hearing not sentenced ;)

      Though given the circumstances, I'd have also thought a complete ban would probably have made more sense

  2. Anonymous Coward
    Trollface

    Name them?

    Was his name, "Assange"?

  3. Anonymous Coward
    Anonymous Coward

    I blame

    The Wifi-Alliance

  4. Yorick Hunt Silver badge
    Trollface

    "The charges laid against the man concern... dishonest dealings."

    If "dishonest dealings" are an indictable offence, why are there so many politicians on the loose?

  5. Dave@Home

    Eh?

    AFP Western Command Cybercrime detective inspector Andrea Coleman pointed out that free Wi-Fi services should not require logging in through an email or social media account

    Pretty much every free WIFI offering asks for these details

    1. Anonymous Coward
      Anonymous Coward

      Re: Eh?

      Right? And even if you have to “sign up”, so many people re-use credentials that there’s a high chance of being able to use their details anyway.

      Also, obviously, the VPN hokey is just parroting the nonsense that the VPN peddlers say, too.

      1. Catkin Silver badge

        Re: Eh?

        I think this is one of those cases where a good VPN actually lives up to the benefits touted by VPN providers. The annoying bit is that free WiFi often blocks VPNs, especially if they're trying to upsell you access to certain parts of the Internet.

    2. FrogsAndChips Silver badge

      Re: Eh?

      But 90% of the time they don't bother checking the (fake) email address you have provided and just wave you through the portal.

      1. chris street

        Re: Eh?

        I mean the number of times that the Ayatollah Khomeini, living at SW1A 1AA * logs in, you have to conclude there is zero checking of these details.... Mind you a little salting and pollution of their mailing lists is always a good thing. If they are harvesting valuable data, then it is not a "free" WiFi is it - so I give them non valuable data so they don't get nabbed for telling porkies.

        * Buckingham Palace to save you looking it up

        1. VonDutch

          Re: Eh?

          Michael Mouse using an info@[wifi provider's domain] logs in on a few access points around the world.

          He often agrees to receive their spam emails too.

          1. Unoriginal Handle

            Re: Eh?

            Michael.Mouse@disney.com

            Michel.Souris@disney.fr

            Who's been copying my lead ...

            1. Eclectic Man Silver badge

              Re: Eh? - Aside

              True story:

              The local soccer referees were gathered together for a briefing where they were informed that there really was a player whose name was "Donald Duck", so if booked and asked his name he should not be sent off for dissent if he stated his name.

          2. Anonymous Coward
            Anonymous Coward

            Re: Eh?

            I sometimes use abuse@<the provider>.com - after all, their in-house abuse team will look into any in-house spam, surely? And if they don't send spam, then all's good.

          3. Anonymous Coward
            Anonymous Coward

            Re: Eh?

            Wasn't there some FBI email address to report spam to?

            Could be amusing to enter that.

        2. Fruit and Nutcase Silver badge
          Alert

          Re: Eh?

          Alternatively, use:

          Prince Harry,

          at SW1A 1AA

          1. Anonymous Coward
            Anonymous Coward

            Re: Eh?

            Surely you'd direct that to Prince Andrew..

    3. rafff

      Re: Eh?

      "free Wi-Fi services should not require logging in through an email or social media account

      Pretty much every free WIFI offering asks for these details"

      And I always give them fake data: somesillyname@gmail.com generally works.

      1. Ian 55

        Re: Eh?

        This is a reason one of my Gmail accounts gets the spam/misdirected email it does - plenty of people use the address.

        1. veti Silver badge

          Re: Eh?

          Yeah, in retrospect somesillyname wasn't the most sensible user name to register, huh?

      2. NoneSuch Silver badge

        Re: Eh?

        mailer-daemon@gmail.com works even better.

    4. Anonymous Coward Silver badge
      Go

      Re: Eh?

      They generally ask for your email address (but can't confirm it, because you don't have internet access at that point) - they never need your email password.

      I've always assumed that the "log in with $social" was an IQ test to determine what speed you should be permitted to use. I may be overthinking that though.

    5. Anonymous Coward
      Anonymous Coward

      Re: Eh?

      Pretty much every free WIFI offering asks for these details

      .. and usually breaks GDPR compliance in the process.

      I'm not bored enough yet, but I can ship enough breaches to the EU to keep them busy for a year. Unless there are big fines, everyone continues as is, only it's now called 'legitimate interest'.

      Which was, of course, totally unexpected when they came up with that daft idea.

  6. Tubz Silver badge

    So charged with unauthorized access to devices and dishonest dealings.- Unless I am missing something, users voluntarily gave up details to access his AP and network services and he stored them like many ISPs do, so what crime was committed, unless he deliberately tried to imitate an airline free wi-fi to get credentials, if he just put up a page saying free wi-fi, then that's the users' own fault?

    However three charges of “possession or control of data with the intent to commit a serious offence” suggest the alleged perp was alive to the possibilities of using the data for nefarious purposes. - So just because he had the data freely given and that he "could" use it for naughty means, is now a crime, smells like the cops are desperate to pin something on him?

    1. WonkoTheSane
      Headmaster

      "unless he deliberately tried to imitate an airline free wi-fi to get credentials"

      The article says he did exactly that:-

      "It’s alleged the accused’s collection of kit was used to create Wi-Fi hotspots with SSIDs confusingly similar to those airlines operate for in-flight access to the internet or streamed entertainment."

      1. sten2012

        Still though. Unless they used those credentials I can't see how unauthorised access to a computer system occurred.

        Maybe some kind of fraud, copyright theft on the captive portal page maybe, and a breach of terms presumably as they were probably funneling victim traffic through the actual WiFi.

        But I don't see the unauthorised access in these particular cases until the credentials are tested on something else.

        I'd argue all the people above using fake emails to access a WiFi provider are closer to breaching that particular law

        1. Chet Mannly

          "Unless they used those credentials I can't see how unauthorised access to a computer system occurred."

          I assume they found evidence of that when they searched his home. Highly unlikely he was doing it for educational purposes...

        2. Our Lord and Savior Rahl

          I guess when it actually goes to court we'll find out won't we? At the moment all that's happened is that the Magistrate agreed that there's enough evidence to send him before the courts - if there's enough evidence to prove beyond reasonable doubt that he was planning on using it for nefarious ends, then he'll be found guilty.

          Charged + Released on Bail =/= Found Guilty and Convicted.

  7. xanadu42
    Facepalm

    Connecting to "free" WiFi...

    Surely before connecting to "free" WiFi you ensure you are using a VPN?

    1. Graham Cobb Silver badge

      Re: Connecting to "free" WiFi...

      There seem to be two different attacks talked about here - not sure if both were actually used in this case:

      The first is to ask for an email address on the Welcome page for the WiFi - which most public/free WiFi do - and then ask them for the password as well, which unsophisticated users will provide without thinking because they are so used to providing both together to access their email. Simple attack, works with about 2/3 of people I would guess, VPN makes no difference.

      The second attack is to intercept traffic through your fake AP. This is where a VPN can make a difference. Although it is also enough to be sure you are using SSL connections and are not connecting to a spoofed domain - but, again, unsophisticated users are unlikely to notice. This attack could expose all passwords, not just the email account. It is rendered ineffective by 2FA.

    2. Yet Another Anonymous coward Silver badge

      Re: Connecting to "free" WiFi...

      >Surely before connecting to "free" WiFi you ensure you are using a VPN?

      You should connect to the VPN before enabling WiFi

      1. Anonymous Coward
        Anonymous Coward

        Re: Connecting to "free" WiFi...

        You only think you're a comedian.

      2. david 12 Silver badge

        Re: Connecting to "free" WiFi...

        You should connect to the VPN before enabling WiFi

        Good idea, but, as pointed out above, most free WiFi requires local authentication.

        1. katrinab Silver badge
          Boffin

          Re: Connecting to "free" WiFi...

          Also, you need a network connection to connect to the VPN

  8. Andy The Hat Silver badge

    how?

    "users of public Wi-Fi should 'install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet.'”

    I see this sort of comment all the time - who is reputable? How is the average Joe supposed to assess the security of a web company? Perhaps Margaret on social media can recommend a good one, or a google review by greatVPNs recommending greatVPN.com will be a safe bet?

    Hell, I was nearly scammed by a web site that looked and felt like a big UK store ... the web address didn't feel right. In the end I phoned them and they suggested that people had lost their money on such sites and I should only use the *correct* company address ... What is the correct address, .com, .co.uk, .shop, .peanuts? They refused to understand the fundamental problem that a web site that looked and smelled correct actually had the wrong tld and refused to quote the correct one to me! If you don't know, how can you find out?

    1. Anonymous Coward
      Anonymous Coward

      Re: how?

      Another person in the public eye sponsored by N***VPN? Pointless if people have to connect to the WiFi first, and are conned into giving away their Office365 or Facebook credentials at the stage of logging into the WiFi. Also unnecessary if you don't accept man-in-the-middle certificates like *.airportwifi.net when you open Outlook.

    2. Badgerfruit

      Re: how?

      Plus most governments around the world that are issuing this advice, also seem to think encryption is a tool only used by bad guys and want to ban it.

  9. Zibob Silver badge

    So no phones on planes then?

    I mean almost all phones can run a WiFi hotspot, which is renamable and can be made open to anyone if you like.

    If the crime is using a certain name for your hotspot then that is an infinite list of potential letters and numbers. Going to be very hard to police that.

    Similar to XKCD's Little Johnny Tables, at a certain point the onus falls on the people willingly accepting what they see with no thought whatsoever.

    Not saying the guy is innocent, but it is certainly a horrific mess they are opening with this and will likely be seen by many as arbitrary rules on what they can do with their own devices.

    1. jdiebdhidbsusbvwbsidnsoskebid Silver badge

      Re: So no phones on planes then?

      "If the crime is using a certain name for your hotspot..."

      It's not that, or at least, not just that, but his intentions when creating the hotspot. The article says the man was charged with "dishonest dealings" so it's about his motivations for providing the hotspot being different from what it would appear to someone connecting to it. Also, the article says the police searched his home and found some stuff. So again, there is more to this story than just using a certain hotspot name.

      There are lots of offences that could individually cover a huge range of severities, that wouldn't be clear from just a simple reporting of the fact. For example, In the UK(other nations probably have their equivalent), the Computer Misuse Act makes it illegal to access data you are not authorised to. That could cover something as trivial as your other half's laptop to get the booking reference for a hotel you are both going to, or large scale accessing of a corporate system for espionage. Both the same technical offence but on very different scales and likely very different outcomes if you were caught.

      1. Zibob Silver badge

        Re: So no phones on planes then?

        It also said he did nothing with any of the information. So no malice committed and no evidence there was any ever intended.

        It's getting silly, like saying because you have a car, you definitely intend to drive it into a crowd of people. You can twist any set of random happenings to be "malicious"

        1. Our Lord and Savior Rahl

          Re: So no phones on planes then?

          It also says he was charged following a search of his home under a warrant - which means that there may well have been enough corroborating evidence to support that theory.

          At the end of the day, the burden of suspicion to make a charging decision is lower than the burden of a conviction - to charge someone needs sufficient level of suspicion to think that it's a strong possibility an offence was likely and that it needs to be proved out in court. To convict someone requires the prosecution to prove beyond reasonable doubt to the court that an offence took place by that person.

  10. Alan Brown Silver badge

    Not exactly new

    At least a decade ago we found several employee phones broadcasting SSIDs of "Free Internet Access"

    The common thread was they'd all been on international flights recently and connected to that SSID thinking the obvious - and yes, they all had malware installed

    Another staffer said he saw this (and realised it was fake) on a flight between USA and Australia - starting out with one phone broadcasting the SSID and several dozen doing it by the end of the flight

  11. sitta_europea Silver badge

    On my mobile, the wireless connections are turned off.

    1. A.P. Veening Silver badge

      On my mobile, the wireless connections are turned off.

      In that case you have a nice camera with a lot of unused functions.

  12. stevefoerster

    He sounds like the kind of guy who would download a car.

    1. Yet Another Anonymous coward Silver badge

      On the contrary, he was just allowing other people to download cars.

    2. Hubert Cumberdale Silver badge

      Whenever I hear that "You wouldn't steal a handbag..." thing, I think, "Don't tell me what I wouldn't do. You don't know me! Maybe I would steal a handbag!". It makes me want to commit acquisitive crime just to prove them wrong.

      1. Anonymous Coward
        Anonymous Coward

        Also, it is not said that someone in the handbagging business would feel similarly inclined with DVDs. DVD cases are crap for volume storage, and handbags don't play very well in DVD players :)

  13. Scott 1

    Right guy?

    I'm curious how they determined who was the suspect. Did they just grab the first person they saw with a Flipper Zero or something like that?

  14. Tron Silver badge

    Not new.

    Criminals have been setting up lookalike connections to free WiFi for years for harvesting data. When found they should be put away, fined, and banned from using the net on their release, with exponentially increasing sentences for repeat offences. Usually it is cafe chains. It's only recently that most planes got WiFi. They should display the name visibly and ask people to report lookalikes over the PA. This is not something folk do by accident.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not new.

      Reminds me of a time >20 years ago when I was staying in student digs out of term time for an academic conference (along with dozens of other academics). No WiFi, just plug-in internet in each room, but it was all very basic when it came to security. Out of sheer boredom (forgive me, I was young and naive, and I wouldn't do anything of the sort these days), I poisoned the DNS to route all the building's traffic via my laptop. A brief inspection of the (in those days largely non-encrypted) HTTP traffic told me that about a third of the requests were for exactly what you might think they were for. I quietly disconnected and let the DNS recover, and from that day forward I learned never to assume anything about an unknown network, other than that I shouldn't trust it to be free from eavesdropping. (AC for obvious reasons).

  15. dwyermic

    Airline revenge

    Hopefully, the airline will put his name on its banned list, and pass the name to all other airlines. They should be able to match his name to the booking and payment details.

    1. Snapper

      Re: Airline revenge

      Yup, a LOT easier than trying to do it in cafés.

  16. Anonymous Coward
    Anonymous Coward

    CISCO Certified Too

    The guy's day job is advanced networking with a specialty in penetration testing of networks.

    He knew what he was doing so I'm surprised he was so easily tracked down.

    He was arrested by the Federal Police rather than State Police so there may be more to this story than is being reported

    1. veti Silver badge

      Re: CISCO Certified Too

      Offences committed on aircraft in flight in Australia are always treated as "Commonwealth" offences, prosecuted by the central government. State law doesn't apply in the air. Source.

  17. Erik Beall

    Trivial weak point

    The AP hardware should be scanning for lookalikes but this requires more configuration and reconfiguration whenever an AP needs to be swapped so it doesn't trigger. Secondly, the standard should require host keys on connection, similar to ssh, although again this would likely lead to more headaches than most users are willing to put up with.

    1. Alan Brown Silver badge

      Re: Trivial weak point

      managed APs will have this happen at the management controller. Aircraft WAPs aren't standalone

      My managed networks are set to issue forcible disconnects if spoofing WAPs are spotted.
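
The lookalike scanning discussed in the thread above, as an added example (not from the article or from any commenter): a check that compares scan results against an operator-maintained inventory and flags both exact-name beacons from unknown radios and near-miss names. The SSID `ExampleAir-WiFi`, the BSSIDs, the glyph table and the distance threshold are all constructed assumptions.

```python
import unicodedata

# Assumption: operator-maintained inventory, SSID -> BSSIDs of its own APs.
# Swapping an AP means updating this set, otherwise the new unit is flagged.
AUTHORISED = {"ExampleAir-WiFi": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}}

# Glyph swaps that keep a name looking the same at a glance (0/o, 1/l, I/l ...).
CONFUSABLE = str.maketrans("0135|i", "olesll")


def skeleton(ssid):
    """Comparison key: fold width and case, map confusable glyphs, drop separators."""
    folded = unicodedata.normalize("NFKC", ssid).casefold().translate(CONFUSABLE)
    return "".join(ch for ch in folded if ch.isalnum())


def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(ssid, bssid, max_distance=2):
    """Label one beacon. A BSSID can be copied too, so 'authorised' only means
    the beacon is consistent with the inventory, not that it is proven genuine."""
    if ssid in AUTHORISED:
        known = bssid.lower() in AUTHORISED[ssid]
        return "authorised" if known else "same-name-unknown-ap"
    key = skeleton(ssid)
    if any(edit_distance(key, skeleton(k)) <= max_distance for k in AUTHORISED):
        return "lookalike"
    return "unrelated"


def alerts(scan):
    """Return (ssid, bssid, label) for every beacon that needs a human look."""
    out = []
    for ssid, bssid in scan:
        label = classify(ssid, bssid)
        if label in ("same-name-unknown-ap", "lookalike"):
            out.append((ssid, bssid, label))
    return out


# Constructed scan results: (SSID, BSSID) pairs as a controller might report them.
SCAN = [
    ("ExampleAir-WiFi", "02:00:00:AA:00:01"),   # the operator's own AP
    ("ExampleAir-WiFi", "02:00:00:bb:00:09"),   # right name, unknown radio
    ("ExampIeAir WiFi", "02:00:00:bb:00:0a"),   # capital I in place of l
    ("ExampleAir-WiFi2", "02:00:00:bb:00:0b"),  # one extra character
    ("CoffeeShop", "02:00:00:cc:00:01"),        # unrelated neighbour
]

if __name__ == "__main__":
    for row in alerts(SCAN):
        print(row)
```
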

  18. Ambivalous Crowboard

    "Should not require logging in through ... a social media account"

    "AFP Western Command Cybercrime detective inspector Andrea Coleman pointed out that free Wi-Fi services should not require logging in through an email or social media account."

    But they frequently do, even for the big players they want you to pass through a Facebook window to authenticate yourself against. And for good reason (so they can identify who's been slurping down the things they shouldn't) but this advice is just bonkers..

    Or, maybe just don't use free wifi?

  19. sfjuocekr

    This reminds me that I still have WPA handshakes and other interesting packets to go through from my last visit to the airport :D

    I always bring a Flipper, hackRF and ProxMark with me on vacations!

    The guy was probably running a honeypot with "evilportal", you can easily find ready made captive portals but making a quick and dirty copy isn't all that difficult either.

    I do tend to contact people when I've obtained credentials, to let them know to never trust open networks when they ask for credentials... Too many people fall for this simple trick!
