Researchers' public wi-fi trap catches hundreds of unsecure Hong Kong smartphone users

PUBLISHED : Monday, 03 August, 2015, 10:55am
UPDATED : Monday, 03 August, 2015, 8:24pm

Smartphone users in Hong Kong are largely unaware of the security risks posed by public wireless networks, putting their personal data and privacy at risk, an experiment has found.

Last week, researchers for cybersecurity firm F-Secure set up free public wi-fi hotspots in six places throughout the city. In 60 minutes, more than 1,200 devices, mainly smartphones, were detected by the networks. Over 50 per cent of those devices connected to a hotspot, either deliberately or without their owner's knowledge through an "auto-join" feature.

"While connected to the wi-fi, all unencrypted network activities including instant messaging, internet browsing and email sending could be under surveillance," the researchers said in a statement.

Business and banking district Admiralty was the most unsecure, with 71 per cent of the 122 devices detected by the hotspot set up there automatically joining it.

Many smartphone users are unaware of what their network settings are, and whether their devices are automatically joining public wi-fi networks and potentially putting them at risk, said Goh Su Gim, F-Secure APAC security advisor.

The findings of the Hong Kong experiment echo those of previous studies. A March 2014 report by virtual private network (VPN) provider Private wi-fi found that 66 per cent of US adults used public wi-fi networks, with 39 per cent of respondents reporting using such networks for accessing or transmitting sensitive data, including 26 per cent who used the wi-fi to check their bank accounts.

Smartphone users who don't use public wi-fi may still be exposing their personal information in other ways however, warned F-Secure founder Mikko Hypponen.

Many free smartphone apps gather data on users which they then sell to marketers and research firms.

"How can all these apps be free? They're free because they profile you," he said.

He gave the example of a flashlight app which asked for permission to access user location data.

"It has no reason to know where you are but asks for it anyway, because they're selling the data they collect from you."