Police allege 'evil twin' of in-flight Wi-Fi used to steal passenger's credentials
Fasten your seat belts, secure your tray table, and try not to give away your passwords
Australia's Federal Police (AFP) has charged a man with running a fake Wi-Fi network on at least one commercial flight and using it to harvest flier credentials for email and social media services.
The man was investigated after an airline "reported concerns about a suspicious Wi-Fi network identified by its employees during a domestic flight."
The AFP subsequently arrested a man who was found with "a portable wireless access device, a laptop and a mobile phone" in his hand luggage.
That haul led the force to also search the 42-year-old's home – after securing a warrant – and then to his arrest and charging.
It's alleged the accused's collection of kit was used to create Wi-Fi hotspots with SSIDs confusingly similar to those airlines operate for in-flight access to the internet or streamed entertainment. Airport Wi-Fi was also targeted, and the AFP also found evidence of similar activities "at locations linked to the man's previous employment."
Wherever the accused's rig ran, when users logged in to the network, they were asked to provide credentials.
The AFP alleges that details such as email addresses and passwords were saved to the suspect's devices.
- How Wi-Fi spy drones snooped on financial firm
- UK politicos easily pwned on insecure Wi-Fi networks
- How Apple Wi-Fi Positioning System can be abused to track people around the globe
- Let's kick off our summer with a pwn-me-by-Wi-Fi bug in Microsoft Windows
The charges laid against the man concern unauthorized access to devices and dishonest dealings. None of the charges suggest the accused used the data he allegedly accessed.
However, three charges of "possession or control of data with the intent to commit a serious offence" suggest the alleged perp was alive to the possibilities of using the data for nefarious purposes.
AFP Western Command Cybercrime detective inspector Andrea Coleman pointed out that free Wi-Fi services should not require logging in through an email or social media account.
Perhaps curiously, she advocated users of public Wi-Fi should "install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet." She also recommended disabling file sharing, avoiding sensitive apps like banking while using public networks, and manually forgetting connections after use so that devices don't automatically reconnect to naughty networks.
The accused appeared before a magistrate last week and was released on bail on condition he restrict his use of the internet in certain ways. ®