Using free wireless networks can leave your personal information — such as where you live, where you work and your banking particulars — open to anyone with rudimentary computer skills, people attending the 15th annual Privacy and Security Conference heard Wednesday.
The theatre at Victoria Conference Centre was packed to hear Derrick Webber of CGI, Canada’s largest IT services provider, give his presentation entitled Gone in 60 Milliseconds: Mobile devices, free Wi-Fi and your data.
Cellphones are always “looking” to connect with a wireless network, Webber said following his presentation.
“As part of that, they’re broadcasting the name of the broadcast point they’re looking for, such as the name of your home wireless access point,” he said.
The locations of all wireless access points are mapped through Google Street View and other Internet sources, he added.
“They’re collecting the names of all the wireless access points they drive past and the GPS co-ordinates,” he said.
Microsoft, Google, Apple and others have databases that list access points around the world, Webber said.
“The more unique the name, the easier it is to find the right access point,” he said.
At the conference, Webber set up a Wi-Fi receiver to capture the passive emissions from cellphones in the theatre. He was able to identify local access points being sought by some of those phones.
A phone is spewing out information that cannot, by itself, be used to identify the user, Webber said.
“But if I see your device is asking for five different access points and all of them are in downtown Victoria — and I happen to pick this up in Toronto — I can probably figure out that you’re visiting Toronto from Victoria,” Webber said.
The phones tend to look for access points based on the site of the most recent connection.
“So from just that information, I can probably figure out where you live and where you work without your name,” Webber said.
“Just from what your phone is giving out, I can’t tell who you are. All I have to do is trick you into revealing that.”
Some malls use commercial products that track the movements of shoppers. If there’s a display that encourages shoppers to use their phone to, for instance, get a discount on an item, your name is matched to the collected data.
“Now they can track you personally,” Webber said.
Most people are aware that they are being tracked through their cellphones, through programs such as Google Maps, but they’re not aware of their phone’s passive emissions, Webber said.
“Do you really want people to know where you are at certain times of day? If someone was stalking you and they had that information, it’s like a homing beacon.”
Webber demonstrated how he could interfere with audience members’ electronic devices by setting up a fake access point. Everyone who connected to the Internet through Webber’s access point found whatever website they visited had photos that were upside down.
“I was intercepting their request for websites, taking the pictures and flipping them upside down,” Webber said. “I could have done a lot worse than that, but this was just a silly demonstration.”
His goal is not to scare people but make them aware of their security blind spots.
The best way to protect yourself is to turn off the wireless connectivity on your phone when you’re not using it, he said.
“That’s the best thing you can do.”