BBC BLOGS - dot.Rory
« Previous | Main | Next »

Hacking smartphones with ease

Rory Cellan-Jones | 08:40 UK time, Tuesday, 23 November 2010

Many of us carry almost every detail of our lives on our phones - so how secure are we from those who might want to know what we're saying and doing on the move? We know how insecure the voicemail of some famous folk turned out to be a few years back; surely today's sophisticated smartphones are much less vulnerable?

I've been conducting an experiment with a company which offers to protect the phones and e-mail accounts of high-profile individuals - not, I hasten to add, because I fit either category but to find out how vulnerable all of us with modern mobiles might be.

So I challenged Tom Beale of Vigilante Bespoke to do his worst with my iPhone 4. First, I asked him to get through the initial layer of security, the passcode on the front screen. There's a well-known method for this, which Apple keeps trying to patch, but it proved a matter of moments for Tom, who was soon looking at my contacts.

In order to see this content you need to have both Javascript enabled and Flash installed. Visit BBC Webwise for full instructions. If you're reading via RSS, you'll need to visit the blog to access this content.

This is obviously worrying if you lose your phone; in that case, there is a way to remove everything on it remotely. And Apple points out that its latest software update for the iPhone, released on Monday, has now fixed this problem once more.

Of greater concern was what Tom showed me about the danger of connecting to wireless networks on the move.

He and a colleague used a netbook computer to set up a wireless access point. They called it "BTOpenzone", a network my phone and many others look out for and join. I watched as they showed me a range of devices in their office in London's Soho looking at the network - including my phone.

Tom explained to me that any mobile, when not connected to wi-fi, transmits what he called probe requests looking for networks which it has used previously. "Probe requests are essentially a loud shout - is there any wi-fi access point near me with the name 'BTOpenzone'?"

My phone then connected to the access point - it was dumb enough just to check the name, rather than comparing the address with others it had previously used.

"Once the device is connected to our access point," Tom explains, "its user is able to browse the web as normal. Unbeknown to them, the web traffic is being transmitted through our computer. The program examines the traffic between users and websites, looking for data containing cookies."

Among my cookies - the small pieces of code which smooth our path to frequently-visited sites - was at least one for Facebook. Within seconds, Tom had access to my account on the social network: he didn't have my password, but the cookie allowed him to masquerade as me.

My attackers could do whatever they liked: change my status, read through my contacts and so on.

They then moved on to the final stage of the demo, using a program they'd written to send me a spoof text message. Having spotted my wife's phone number on Facebook, they sent a message which popped up on my phone appearing to come from her. In the wrong hands, of course, such a program could provide scope for all sorts of mischief.

I should stress that while we used an iPhone for this experiment, other smartphones are equally vulnerable to these kinds of attacks.

So what should we learn? Obviously, it's not a good idea to leave your valuable phone lying around, or to respond to texts from friends which seem out of character.

The main lesson must be how insecure you can be if you sit in a public place and go online using an open network. I'd heard about Firesheep, a tool demonstrated recently as a warning of the dangers of open networks and unencrypted cookies. But sitting and watching as your entire life - or rather your social-networking life - is laid bare is very sobering.

Facebook sent me this statement about the security issues this demonstration appears to raise:

"Facebook takes the security of people using the platform very seriously. We advise people to be very careful about the information they access or send from an unsecured public wireless network. We're working hard to make Facebook the safest platform online, and are currently investigating how to best roll out more secure login processes, including SSL, that will enable people to use Facebook on unsecured wi-fi networks with total peace of mind."

But Facebook is just one of many services whose mobile users are vulnerable to the kind of attack we've demonstrated. So, better safe than sorry: from now on I will be switching off the wi-fi button on my phone whenever I leave the security of my home or office network.


  • Comment number 1.

    All public wifi spots are 'insecure' I'd never do anything on one I didn't want others to see, best thing is to use a VPN as soon as you connect.

  • Comment number 2.

    "...surely today's sophisticated smartphones are much less vulnerable?"

    This is unfortunately a typical view amongst the gadget loving fraternity. Why would they ever think this? Probably because they don't think anymore and use their devices to let others think for them.

    First rule of security is to assume nothing is what it purports to be. This goes for anything from snail mail, gossip, wiki(!) etc.

    The more gateways into your property the more security you need to guard them.

  • Comment number 3.

    While Twitters twit, and Tweeters tweet, and important people flash their Blackberries, there will always be crooks out to nail them. Get back to basic mobile phones, no -email, no wi-fi, just a device for talking. Simple, no security problems.

  • Comment number 4.

    I wonder when people will wake up that the iPhone is not the be-all and end-all.

    There are better, more secure and functional smartphones out there.

  • Comment number 5.

    Hence why I always have bluetooth and wifi turned off apart from when I'm on one of my secure networks or a trusted friends.

  • Comment number 6.

    What kind of loony goes around public places with the wifi on their smartphone switched on? Apart from anything else the battery will be flat in a few hours. Less if they have bluetooth permanently on as well.

  • Comment number 7.

    I loved my old Nokia mobile, built to last, never a problem, all I could do on it was txt and phone and a few very basic games to pass the time. Why would you want more from a phone? As post 2 says, people are losing the knack of thinking for themselves and let their 'smart this' and 'smart that' do their thinking for them.

  • Comment number 8.

    It is beyond baffling that with 500m and growing, Facebook has not implemented secure login as yet. They seem almost casual about it! Google took very swift measure when they had an incident of involving what was alleged to have been Chinese govt agents hacking into certain 'dissidents' accounts.

    Facebook should be rapped for it, if not prosecuted for negligence.

  • Comment number 9.

    I'm also aware of people falling victim to the recent phishing scam where someone rings you up pretending to be from Microsoft and asks for your user name and password.

    Always do private browsing, always clear your history and cookies and change your passwords.

    You wouldn't leave you credit card in a cash machine, so why stay logged in to internet banking???

  • Comment number 10.

    A useful article. I guess the lesson is not to let you phone connect to networks automatically. Unfortunately, the iPhone doesn't appear to ask your phone to "forget" networks that you've connected to (such as Openzone).

    Does anyone know a way around this? Not sure I'll remember to keep switching wi-fi off every time I leave the house!

  • Comment number 11.

    marmite_sandwich wrote:
    What kind of loony goes around public places with the wifi on their smartphone switched on? Apart from anything else the battery will be flat in a few hours. Less if they have bluetooth permanently on as well.

    Lots, apparently. a quick straw-poll at work tells me most iphone users have wifi turned on because they believe they will save money on their 3g contract. As to your last point, once again many iphone users don’t see the device as a phone anymore, its more like a PDA with a 'cool' interface. Perhaps if they took the mental leap and saw their Smartphone in the same light they see a computer they wouldn't be so free and easy where and when they us it?

  • Comment number 12.

    So, if my iPhone is set up only to connect to my own WiFi network at home, which is WPA2-secured - am I secure or aren't I?

  • Comment number 13.

    I think it is also fair to say that WiFi was never really intended to be used for public access. It only works well in a security sense in closed communities. It's been stretched too far by network operators desperate to cash in on people's perceived 'urgency to remain connected'. There are genuine reasons for people to want to connect to the Internet using a public WiFi, and updating their Facebook status isn't one of them.

    I guess one possible solution is to demand secure access, possibly by law, for any online system asking for a certain level of personal information. I know that would be very difficult to police, but doing nothing about it makes things worse. Technology changes very quickly, and not everyone can keep up with security awareness. Therefore, the onus should be on content and network providers to provide reasonably secure systems.

  • Comment number 14.

    "Fix this problem once more" Uh? Not possible. Clearly, they hadn't fixed the problem. Odds on, they still won't have. Stupid gadgets. World worked just fine without them.

  • Comment number 15.

    This goes much further, there is software available to listen for these "shouts" and reply with something along the lines of 'yes I'm the access point you are looking for'. Check Hak.5 episodes on the wifi pineapple.

    The only way to use wifi safely is to not use apps for sites with sensitive info on. Use the browser and make sure you enter the address with https rather than http, facebook does support a secure connection although they don't force it as they should.

    The expert in this article needs to brush-up a bit.

  • Comment number 16.

    Money drives everything..
    Unless customers demand better security it won't get provided, and while there are plenty of customers will pay for insecure serices there is no incentive to fix them.

    Customers are not going to demand greater security unless they feel at risk, and no company is going to risk putting its customers off by telling them about the risks they face.

    It's an age old and classic scenario that we are going to endlessly repeat with each new 'must have' innovation.

  • Comment number 17.

    Given that Iphones seem to turn everyone who has one into some Mindless moronic zombie, it was only ever a matter of time untill someone with more than one brain cell fixed on something other than the Iphone took advantage of it.

    Honestly, i think if you made some people choose between the Iphone and Oxygen, they would spend their last few moments stalking their friends on Facebook, perhaps the intelligent one's would google, "How to breathe without oxygen" before they died.

  • Comment number 18.

    Apple should add some sort of feature where the phone only turns on it's wi-fi when it's at certain "safe" locations, such as work, home etc. and not just connect to any old network... Or atleast turn off the wi-fi after it's been disconnected from any network for more than 10 minutes.

  • Comment number 19.

    This doesn't only apply to phones, of course; what Rory has not emphasised is that laptops/netbooks are equally vulnerable.

    Best rule is never to go to any site that requires you to register or log in, while roaming.

  • Comment number 20.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 21.

    @Notmehonest - yes that's secure enough. Someone could sit outside your house and set up a wireless network with the same name as yours and trick you into logging into their network instead of your home one. But if someone's going to go to all that trouble, they're going to find other ways to defraud you anyway.

    On the general point, it's not just smartphones which are vulnerable, there are millions of vulnerable PCs, laptops, netbooks and tablet devices out there. I work in computer security and I have a hard time keeping up with all the latest vulnerabilities and exploits out there - and I get paid to do it. How the average punter manages is beyond me. It's not surprising that 10-15% of PCs (conservative estimate) are compromised in one way or another.

    The time is coming when banks, governments and others will need to think about some type of continuously updated MOT certificate for computing devices - If you're PC doesn't have a valid current certificate when you try to connect, then you'll be booted out.

  • Comment number 22.

    @NotMeHonest: you're ok if your phone is only set to connect to known networks that are WPA2-encrypted, although you can increase the security by using a randomly generated passphrase rather than a dictionary word. Most decent phones will warn you the first time you try to connect to an unencrypted network. The only possible problem might arise if another network has the same name and password as yours, so pick a unique SSID and passphrase.

    @Rory: This post is a bit misleading IMHO. You seem to imply that the session-stealing hack is exclusive to smartphones when in actual fact all computers using wifi (or for that matter any non-switched wired network) are vulnerable. It's also unfair to pick on Facebook when Twitter, MSN and many other social networking services are just as vulnerable to the same attack. The 'emergency call' hack on the other hand is, I'm afraid, an iPhone exclusive, although other phones may have their own problems.

  • Comment number 23.

    (1) The chances of you losing your phone and it being found by someone with ability to do all this are astronomically low. It is more likely that this is intentioned someone steals your phone, in which case it doesn't matter what security you have on it. Consider it like losing your file-o-fax and please stop being alarmist.

    (2) All phones are NOT as vulnerable as the Iphone.

    (3) If browsing on an open network use HTTPS if you have top secret data on your phone or think that there might be someone lurking round a corner wanting to pinch random peoples wives phone numbers.

    (4)I'm really fed up with your Apple biased reporting. Everything to do with Apple gets on dot.Rory and I think it is tantamount to advertising on the BBC. The Iphone is for people who are gulable and want their data stolen.

  • Comment number 24.

    @20 'TheVOR'
    To be fair, Rory is no more behind or unknowledgeable than any of the other 'Tech Journalists' out there (Of which I follow many). Atleast he goes out and does some research as opposed to just reposting press releases.

  • Comment number 25.

    @20, TheVOR

    Agreed. Rory's blogs are an exercise in stating the obvious, and I only read them to affirm my intellectual superiority. In this case it doesn't take much.

    The Guardian tech blog is so much better. I've read about so many important tech issues which simply haven't crossed Rory's radar. The tech pages on the BBC revolve around three things: Apple, Facebook, and Twitter.

    Boring, boring , boring......

  • Comment number 26.

    When I saw the title of this blog post, I thought we were in for a useful piece about unlocking advanced features on your smartphone, aka hacking. Sadly, it's just another FUD article about cracking, aka black hats gaining unauthorised access. Internet connected device security, regardless of if it's wired or wireless, is just a case of common sense and gaining a little background knowledge of the device you want to secure. Unfortunately, most people seem to be unwilling to learn about the devices that they rely on so heavily and store their private data on...

  • Comment number 27.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 28.

    #11 "Does anyone know a way around this? Not sure I'll remember to keep switching wi-fi off every time I leave the house!"

    If you have an Android phone it's easy to do this using an app like Tasker. Using Tasker I've programmed my HTC Desire to switch wifi on and off automatically based on location - with 100 metres of my house, and within 100 metres of my work. I never have to worry about this issue.

  • Comment number 29.

    I have a smartphone (not an iPhone), and connect only to secure networks.

    Additionally, you can get free applications that allow you to switch WiFi on/off with a single tap on the screen. This was one of the first things I acquired for the phone. Why anyone would walk around with the WiFi on is beyond me, for battery life and security reasons. As many people have stated, treat it as you would any other computer and you should be OK.

  • Comment number 30.

    25. At 12:37pm on 23 Nov 2010, shambo wrote:
    The Guardian tech blog is so much better. I've read about so many important tech issues which simply haven't crossed Rory's radar. The tech pages on the BBC revolve around three things: Apple, Facebook, and Twitter.
    ------------------------------------------------------ is always worth a look. Tech means more than gadgets there.

  • Comment number 31.

    This is one of the more pointless articles I've read on here. I don't need a weatherman to tell me it's snowing outside. I have a window and a set of eyes for that. I have a PC for surfing the web. I have a camera for taking pictures and it goes with me everywhere. And I have a simple mobile for talking to people on the phone.

    I simply have not got the time to surf the web on the move when reading the metro or smiling at people and interacting with them instead saves me time for surfing at home on the secure(ish) PC. It also helps to keep a grip on reality and my sanity.

  • Comment number 32.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 33.

    I've just tested this with a HTC desire with the latest Android operating system. We set up a duplicate WIFI network as described in the article, this was a duplicate of a trusted exisitng WIFI connection on the phone. The phone located the network, but it correctly identified it as a differnt network and did not connect to it.

    So the sentence "should stress that while we used an iPhone for this experiment, other smartphones are equally vulnerable to these kinds of attacks." Is obviously just Apple bias again, trying to protect Apples market share by smearing ALL other smartphones with the same problem. If other smart phones have the same issues you should specifically say what they are!

    Apple aren't the standard barer, even if the media think they are. Just because Apple have a problem, doesnt automatically mean other smart phones do to.

  • Comment number 34.

    A simple but effective solution to WiFi blues is not to setup your device to connect to public WiFi networks. If you've setup your device to only connect to known and secure WiFi networks, then you don't have to worry about having to remember to switch off your WiFi every time you leave your secured network. Your device will NOT connect to anything you haven't allowed it to try and connect to. There are overzealous WiFi setup applications which try to make your device connect to any network it finds, but that is usually an optional setting, albeit the default in some cases.

    I only have to remember to switch off my WiFi on my Android device, because it drains the battery.

  • Comment number 35.

    Recent research by CPP found that most wi-fi users are unaware of the risks posed by Wi-jacking. The experiment tested public wi-fi networks in 6 UK cities. CPP recruited an ethical hacker who conducted a live experiment in London to show how easy it is to hack into a wireless network and access information from unsuspecting users. Jason Hart, ethical hacker simulated how it’s possible to get hold of login details and passwords with freely available software. CPP’s experiment highlighted the need to take care when using open wireless networks and ensure different passwords are used for different accounts. The risk of identity theft increases if this information falls into the wrong hands.

  • Comment number 36.

    Ah, finally it makes sense. I'm a Nokia user, but each to their own etc. But what has been irritating me is that the BBC reports new Apple products as news, even when there is little if any actual technical innovation. I recall the release of the newest iPhone - extensive coverage on television and online BBC News. Erm, multi tasking, front-facing cameras, high quality cameras and picture messaging had all been on other phones for well over five years before. It's baffled me why it gets reported as news when it has no technological merit. If McDonalds bring a new burger out it doesn't get a news story? Why should a new Apple product? (Unless it brings technological innovation.)
    But then - ah, it makes sense - the technology correspondent is taken in by the Apple machine too! Mystery solved.

  • Comment number 37.

    McDonalds have brought out a new burger, tell me more...

  • Comment number 38.

    @24 MyVoiceinYrHead
    Completely disagree, I do not call this research. Using just one type of phone isn't a valid and complete test of what you are trying to prove.

    @30 Kit Green
    Thank you for your recommended reading, it has been bookmarked!

    @36 Mr_Ian_123
    My point exactly. Rory+BBC = free advertising.

  • Comment number 39.

    MyVoiceinYrHead wrote:
    McDonalds have brought out a new burger

    Is there an App for this new burger?

  • Comment number 40.

    The 'man in the middle' attack is a well known one in the technology world. Sadly technologists tend to mock the ignorant masses rather than fix the problems.

    Some of the commentary however is Pythonesque; "All my phone needs to do is make calls.", "All my phone needs to do is make calls and send texts.". "All my phone needs to do is make calls, send texts, and play a few basic games.". Chapman, Clease, Idol, et al couldn't have updated it better.

  • Comment number 41.

    I think its an interesting piece - raises morequestions than it answers though. When you see how easily personal data can be extracted mind, it’s worth considering the impact that these smartphone devices have on corporate data; the fact is that employee owned devices are penetrating British businesses at pace, and you can bet that IT departments don’t know the half of it.

    Whether malicious or not, in a world of mixed personal and professional use and device ownership, the blunt security instruments of the past no longer apply. Instead of trying to forcefit desktop security onto mobile, which either doesn’t work technically across devices or isn’t accepted behaviourally by users, I guess we all have to start thinking a little differently. There are vendors out there making a play for fixing this – this blog suggests/ or points to one, and MobieIron’s another that springs to mind. These guys and others like them aren’t coming at smartphone security and management from legacy PC/network perspectives, it’s refreshing in that sense…

  • Comment number 42.

    39. At 2:12pm on 23 Nov 2010, f32mark wrote:
    Is there an App for this new burger?

    I believe there are plenty of apps out there to satisfy the worst sufferers of OCD.
    Most of them are as useful as bubblegum cards (do you have a full set).

  • Comment number 43.

    The article makes the false assertion that public wi-fi is bad because it can be intercepted. Isn't the whole internet beyond the public access point? What makes your Facebook request secure when it gets beyond Dr Evil's wireless access point? The access point is just one link in probably dozens to reach Facebook (or any URL), anyone of which could be part of Dr Evil's empire. If you care about not being eves-dropped then use SSL/https, otherwise assume anyone can view what your doing. Sending requests across the internet is like sending postcards - anyone involved in their delivery can read them unless you write them using a secret code. Facebook does not use SSL, that's rubbish. The banks do, that's good.

    Also: "Any modern smartphone is vulnerable to the same attacks". Really? Isn't the iPhone the only device that can have its initial PIN by-passed in the way demonstrated?

    Rory, repeat after me:

    "It's okay to criticise Apple just a little - Steve will still love me and pet me and treat me as his very own"..

    this is what objective, impartial reporting is all about. You should read about some day. Maybe there's an App for it perhaps.

  • Comment number 44.

    People remain the weakest links in any security system and so long as there are people, so-called "hacking" will continue.

  • Comment number 45.

    Predictably enough, the mention of Apple brings out the usual ill-informed criticism, much of it not related to the subject of the blog. And Rory even gets criticised for being an Apple apologist in a blog that exposes security weaknesses in the iPhone! But seriously, it is a matter of concern that the iPhone can still be broken into so easily. In practice, the access granted is quite limited, so I do still lock my phone with a passcode. But Apple should have fixed this long ago. (I think they did provide a fix, but it only partially fixed the problem.)

    As for wifi networks "spoofing" other networks, I actually found this "feature" useful in the context of my (secured) home network. I installed a new wireless router, set up the new network with the same SSID and password as the old network, and all the PCs, laptops, phones, PS3s, Blu-ray players and Apple TVs connected seamlessly to the new network. But this is clearly not a desirable feature for unsecured networks.

    I must admit I almost never switch my phone's wifi connection off, because it can be useful to be able to connect wirelessly. Of course, I'm careful what I access when I'm on an unsecured network, even if I'm sure it's the genuine BT Openzone. I even leave bluetooth on all the time now, since I recently got a car with bluetooth, and I'm really not going to switch it on and off every time I get in and out of the car. I don't seem to get noticeably shorter battery life, though I do charge it every night anyway.

  • Comment number 46.

    "It was dumb enough just to check the name, rather than comparing the address with others it had previously used."

    Well, this isn't actually as dumb as it sounds. Any of the rest can be spoofed by anyone deliberately trying to fool the device, while it may well just get in the way and cause problems for legitimate connections. Going any further than the name, is the sort of Security Circus that lulls people into a false sense of safety.

    The dumb is in the social design, that lies behind this; in that the user is assumed to actually know and care what services their device is connecting to, and who is running that service - when in fact, they usually don't.

    Think about it: running a wireless router and a land line costs money. If the owner does not appear to be a pub, or a train station, or what-have-you, then they must have another revenue stream to keep it going. To some, theft is a revenue stream.


  • Comment number 47.

    I have the wifi turned off on my Blackberry. It just saves the battery from running down so fast (on a Blackberry, that's REALLY fast!) and turning it off seems to save so much power. I can still FB etc - no real difference as far as I can see.

  • Comment number 48.

    It's pretty funny there are so many Apple haters. I guess Android has never suffered a chronic security problem in the past ( or suffered the MITM problem (

    Oh, wait...

    But I digress, being a Symbian user. It's nice to read up on these issues other smartphones have, and to learn of what the industry does to address such problems. To be perfectly frank, common sense makes this a total non-issue for anyone. Want to check Facebook? Use a browser with HTTPS and VPN, as someone else stated. OH NOES, looks like this killer problem is nipped in the bud. It's kind've like these fancy screenlock applications being entirely redundant when, in reality, you shouldn't be stupid enough to leave such a supposedly valuable device left unattended. Front trouser pocked, touch check now and then and you're fine.

  • Comment number 49.


    Thanks for the tip about the Guardian's tech blog. I just went there for the first time. Looks interesting, but a good many of the entries seem to mention Facebook, Twitter, or Apple. And just like here, the very mention of Apple seems to upset some people, with the usual ridiculous suggestions that the Guardian (or the BBC, or their journalists) are somehow paid by Apple (or Twitter or Facebook) for mentioning them.

  • Comment number 50.

    Who on earth designed the iPhone to connect by name only? Phones should check for IP addresses and warn the user if the access point is not the original.

    Currently running an HTC Wildfire (Android). I think I'll run some experiments to check if Android 2.1 suffers the same flaw. It's fairly easily remedied in future software editions, but Apple should know better. Nokia and Google too if they've made the same shortcut.

    The fact of the matter is that telling people to never enter passwords and so on when you're on a public wireless access point is both unreasonable and unhelpful. Security should be automatic and always there, even if you have your wifi and bluetooth always turned on. Some people don't have common sense, and a lot of people would rather not trust their fallible and inconsistent habits. I certainly don't.

  • Comment number 51.

    What can i say, its common sense really. You wouldnt walk away from your car and leave it open with your wallet on dashboard would you? So why leave you Wifi on scanning for the first open network to connect to so that all of person unsecured details can be intercepted/removed from your phone?

    I'm amazed at how many people still do not know about networking technologies, in this case, packet sniffing. This is increadibly easy to do in this day and age and its completely tranparent to the victim/s. When you have a fake AP setup (Access Point) all pass-through traffic can be intercepted, highjacked, reverse engineered, whatever. A few hours on google will give you a good starting block to launch from, for testing and educational purposes you understand...

    And i would like to to point out that its not just as simple as capturing a recent cookie from the host system and transplanting this into a dummy host and then going to This kind of thing just promotes mass hysteria to the point where people dont feel secure or safe.

    Again anonymous sms applications have been available pretty much since Mobile Phone companies realised that they could charge you for a built in service which allowed technicans to broadcast and test cell coverage or nodes. These are a dime a dozen, if you know where to look.

    Best advised that i can give to everyone reading is to be more diligent with security in their lives in general. Dont hide your front door key under the mat or plant pot, dont save your passwords on devices which automatically pick up and attempt to use the first open, unsecured network available to them.

    If its public its completely open and unsecure... authanticate as much as you possibly can i.e. make sure you enter a password for every site where applicable and dont save or store these locally. I would even go as far to say never do anything banking wise or transaction related related etc on these types of connections and keep it to a minimum or 'light surf'.

    If its at home, private, and your are all WPA'd up, 25 fire walls and bear traps at your front door, then your have a lesser chance of being targeted and done over but please keep in mind that not everyone is 100% safe all of the time, if you get targeted by a professional hacker it wont take them long to compromise the system and do whatever they want and chances are you wouldn’t know anything about it until its too late but that doesn’t mean you should just leave the door open.

    Congratulations, you have just read your first latex wrap lesson on Internet Safety 101.

  • Comment number 52.

    I just simply cannot understand how anybody with a single sense of technology could ever put their contacts details, or information of a personal nature on any social networking website in the first place. This article should have been about the stupidity of doing THAT, and the penalties people will be paying in the future for being so blind.

    Warning - Conspiracy theories inbound.

    Big brother doesn't need cameras everywhere any more, just a facebook account or access to yours. In fact the same applies to ANYBODY who wants to get access to your information. Mobile phones & devices are not the enemy YOU ARE!

    If I was evil every one of my friends and their friends friends friends would have very little secrets on-line that I didn't know about. Their on-line lives would be putty in my hands (evil laugh track playing). This is not an exaggeration but a fact.

    Think about it and become street smart. Don't be a victim of sensationalism, advertising, ignorance & eventual-ism.

    Use technology to free you, not to free your information.

    Lecture over.

  • Comment number 53.

    I dont use a smart phone (I have yet to find a use for one that isn't far more complicated and slower to use than the back of a fag packet*)

    However, on my PC I use an encrypted, protected system called Keepass to store vulnerable data that I may want to cut and paste. (Note: there is no reason to keep any details electronically that you can either easily remember or will never need to use electronically)

    Is there not an equivalent app for your over priced fag packet, sorry, smart phone, that will keep data secure, even if you physically lose the phone?

    * I actually gave up smoking a few years ago, but I refuse to pay out £500 simply because I have run out of fag packet backs!

  • Comment number 54.

    I think that the problem stems from calling them 'Smartphones' in the first place. You are effectively carrying around a Computer, not a phone. All of the above Security problems are also present when you discard your old Smartphone / Computer.. They should be renamed Mobile PC's!

  • Comment number 55.

    This isn't really news is it?

    As others have said, "smartphones" are just little computers. They all have their vulnerabilities no matter who makes them or what OS they run. The problem is that you have to be quite savvy about technology to protect yourself.

    The most surprising thing about this is that, as a technology journalist, Rory should already know how to safely use his computers on public WiFi and shouldn't need a hacker to tell him he's vulnerable.

    Being charitable, I suppose anything that heightens awareness of security threats is a good thing. Most consumers I know don't have a clue about the risks or how to mitigate them.

    I think the article would have been more useful if it either included information on how to use public WiFi safely or referenced articles on the subject.

  • Comment number 56.


    I agree that people need to be aware of what they are doing when they use Facebook, but not everyone is as paranoid as you about their "personal data". I may not want anyone else to have access to my bank account, or be able to impersonate me, but I may be perfectly happy for others to know my name, address, phone number, email address etc. That's how I interact with people! Back in the day, anyone could walk past my house and take a photo, or send me a letter, or look me up in the phone book. And everyone I've ever written a cheque to has my account name, sort code, and account number.

  • Comment number 57.


    To be fair to Rory, I see this as a blog for anyone with a general interest in technology, not really for specialists. So, highlighting issues that many people won't have thought about does provide a useful service.

  • Comment number 58.


    I'm inclined to agree hence the "Being charitable, ..." sentence in my comment.

  • Comment number 59.

    This really requires that the base technology has solid and agressive security standard build insuch as mini dongles programeable from a pc or other device.

    The manufacturers and software writers really have a great opportunity provide greater security. Perhaps the mobile wallet will offer the start to everyone taking this issue seriously.

  • Comment number 60.

    @Will Holmes
    There is absolutley no technological way that a phone could use IP addresses to make sure it is connecting to the correct WiFi access point. MAC addresses yes, but not IP addresses.

  • Comment number 61.

    Ok, the first bit of this article describes a software flaw on an IPhone, so cannot be indicative of the security on all smartphones.

    The second part of the article is not about the security of the phone. At no point is the phone hacked. The article is about care being taken on using facebook on an un-friendly wifi network masquerading as a friendly one. The same thing would have happened if the reporter had been using a laptop. The phone merely was a useful portable device that allowed the reporter to reach the malicious network.

    The article would have been better if it had targeted the lack of security on social network sites, as these hold a lot of personal data. If facebook was ssl secured or similar it wouldn't matter that the reporter had accessed the site via a malicious network, the attacker would not have been able to access his facebook account.

    Maybe we should ask the question as to whether the social network sites are in breach of ICO rules by allowing so much important personal data to be transmitted in the clear over unsecured public networks.

    It should be noted however that with the massive volumes of traffic transmitted on sites such as facebook, the cost of SSL securing the network maybe prohibitive due to the vastly greater processing load on their servers. A victim of their own success.

  • Comment number 62.

    My smartphone tells me if an insecure wireless network is available, but doesn't connect without my say so. It also has a "forget" function for the networks it has been connected to.

    But it isn't an iPhone. Diversity of technology is always a good thing so we don't all end up with the same problems.

  • Comment number 63.

    This article seems to imply the iPhone stands out as an insecure device on 2 counts:
    1) That the data can be accessed by someone else if you lose it;
    2) The your WiFi Internet traffic can be examined by a 3rd party.

    Both of these problems are true of every device:
    1) No electronic device is secure if a 3rd party has physical access to it. Strong encryption of all the data might do the trick, but even that can be broken. But - in case you hadn't noticed - iPhone users can wipe their phone remotely in the event of theft. The bottom line for every phone and computer/laptop user is that they need to plan ahead for the possibility of theft.

    2) The problem is not limited to the iPhone, any phone, or even any computer connected to the Internet (wired or otherwise). The fact is, all Internet traffic can be potentially intercepted. BT secretly intercepted the traffic of thousands of its customers for the purposes of profiling and targeted advertising. But worse, many sites do not use a secure connection (a secure connection encrypts all traffic, making it almost impossible to snoop). This is why Google was able to harvest login details from WiFi hotspots as its Street View vehicle travelled about. If you log in to an insecure service, it is possible for a 3rd party to intercept that traffic and steal your login name and password.

    This could have been a very instructive article about general Internet and mobile security, but instead comes off as saying that using an iPhone is a security risk. Very, very disappointing BBC!

  • Comment number 64.

    @WelshBluebird1: NO. MAC addresses *still* do not guarantee that you are connecting to the AP you think you are. While MAC addresses are supposed to be unique and tied to the hardware (unlike IP addresses), they can be changed (and therefore spoofed). For example, try using the ifconfig command as root on a linux box - this makes it as easy to change your MAC as it does to change your IP.

    I'm off to configure myself a VPN...

  • Comment number 65.

    #64 Completely agree, once you step outside the 'Windows' padded cell you can change, modify or spoof just about anything these days... Certain Linux distro's are cooked purely for penetration testing or security bypass... as you may know :)

    @General I for one would love to hear an informative dot.Rory outlining a problem and a solution that is aimed at the 'General Joe' instead of having more Apple products used as a point of reference on how the rest of the world works and why everything else outwith this is a fail.

    A good story for you Rory would be about the current threats for todays technological society, the many different types of net enabled devices one might find in todays modern household along with the perils and solutions that are available to keep families safe. Someone mentioned KeyPass earlier, encryption etc etc

    Think i'll go AES 256-bit my disks... be back in 5 days

  • Comment number 66.

    you have a smartphone with internet access and you turn off the wi-fi? that to me isn't very smart here i'll let you have my old nokia 6100 instead

  • Comment number 67.

    The only lesson here is to only log into sites which use SSL on a public WiFi network. Facebook, for some stupid reason, isn't such a site - they SSL logins, but as this demonstated, the cookies aren't encrypted and work just as well a password.

    Facebook does have an SSL site, I should note, but once you click any link - including internal Facebook ones - the SSL will be turned off. Pretty much useless unless you manually force SSL, which most people ain't gonna do.

    BTW, turn your WiFi off and when you aren't using it and turn off "Ask to join new networks" too.

  • Comment number 68.

    @66 - you can still access data through the phone networks. Turning off wifi doesn't mean you don't get data coverage anymore.

    I always have wifi turned off when I leave my house, mainly to save battery. I use an app to do it automatically for me now, which is actually the only thing I truly believe is 'smart' about my smartphone.

    I haven't seen anyone else here mention it. The app is called Tasker, available for Android phones. If I'm within 50 metres of my house it turns on wifi, if I leave that 50m zone it turns wifi off. It also automatically puts my phone onto silent when I get to work and takes it off silent when I leave work.

    It's not to be confused for the 'Tasker for iPhone' app which is completely different.

  • Comment number 69.

    multipack_can13 says iphone users become mindless moronic zombies and as a user I resent such a sweeping statement; especially coming from someone who cannot spell until.

  • Comment number 70.

    69. At 8:21pm on 25 Nov 2010, busyatwork wrote:
    multipack_can13 says iphone users become mindless moronic zombies and as a user I resent such a sweeping statement; especially coming from someone who cannot spell until.
    Perhaps multipack also missed out the adjective "pedantic".

  • Comment number 71.

    His smartphone was not completely hacked. firstly he gave his IPhone to the guy to get around the passcode screen, very easy to do.secondly only his traffic was hijacked. Completely different.

    Completley hacking the device would be to gain access over the IP address assigned by the BTOpenzone access point.

    As already addressed the article above higlights that it is all devices which connect to wifi. One thing to learn from this, use common sense when on public wifi. you wouldn't log in to you internet banking on a public computer would you??

  • Comment number 72.


    I feel your pain brother, no doubt you have succumbed to the charms of the facebook temptress that be the reason for my preaching. Perhaps the reality of attempting to return a freed genie into the bottle has you shivering in a cold sweat. Fear not as the damage can be limited.

    Open or secure Wifi access, non encrypted or encrypted that is the question. But no, not really, the question is who do you trust with your data forever?

    I love the internet (kissing my monitor), but one should learn when to love her and when to leave her, especially when it comes down to sharing not only your own information but that of your friends and families.

    Methods of hacking will increase as methods of security will increase, and there is no responsible major company that doesn't take a backup out of cycle regularly for prosperity, usually with information you deleted on it.Thats if it isn't really deleted anyway and you just need the old URL.

    Social networking is a fantastic product, but it is just that, a product with a saleable value, & all manner of greedy robbers planning a sting (from their bedrooms after playing Call of Duty). It is fine to play God with your own information, as long as you seek permission to do the same with other peoples, which we don't.


  • Comment number 73.

    Why am i not suprised Rory that you have an iphone 4. Use others that are less easy to hack - just my two cents ;)

  • Comment number 74.

    This says more about on line web sites and applications than it does about the security of networks.
    We all know (or at least most know) that networks can be insecure. But lazy application development leads
    to web site leaving little packets of information (Cookies) on your device. These can be used as has been shown to access more than just your Facebook account.

    Security plays second fiddle to a web sites requirement for easy developer access, until developers and their bosses realise that they must take more regard to site security then whatever the phone manufacturers do, this type of hacking will always be possible.

    In the meantime clear out your cache files and cookies on both your mobile and desktop web browsers.

  • Comment number 75.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 76.

    @3. Doug, you are absolutely right.

    Just because I would have to replace a battery on my old Nokia, which would cost me at least £10, I found a better option and bought a Samsung mobile for £14, in which £10 is a topup card. The phone has no camera, no FM radio, no MP3 player, etc. Just basics. For the past 10 or more years, ever since I had a mobile I never needed anything beyond a phone.

    I cannot seem to be tempted by Twitter or Facebook to have an account, on Facebook I have a fake account and actually never had to use it to contact my friends and family, while other services are available. It makes me laugh how people easily keep all their data that needs to be secure on such basically flawed systems like Facebook.

    The whole concept of having your phone with your personal data connected to the internet is one huge massive concept flaw, millions of people don't realize what the risks are and how to protect themselves. And phone companies aren't helping. Phones are money cash cows, so why bother with security risks and spend money on research, proper concept and system design? Better blame the users for lack of intelligence.

    If I was to comment on why those phones are so vulnerable, everything comes again the the basics. Systems have now a common flaw of design. In the past you could only access a computer if you were granted that access. But in today's world where you wish to share stuff with your friends and share your computer resources everything is fully open right from the start. Somewhere in between are your personal data.
    And that's the nature of Facebook and Windows, now everything has to be patched,patched,patched,patched so many times it doesn't seem to make sense any more, does it? So much resources wasted on patching and fixing and lecturing users there is a button that turns off your connection.

    Just recently I read that if you are logged in on Facebook and start searching the NHS web sites for certain information that gets stored somewhere on Facebook for other people to see. Laws should be applied to Facebook and somebody should start holding them accountable.
    The advice was - logoff from Facebook before you want to do something on the NHS websites - completely utterly ridiculous. Facebook should have not done that in the first place.

    It seems governments, that are supposed introduce laws to protect us are still fast asleep, like in the recent affair with Google.

    In the end security firms are making money on providing services to secure your system with the basic flaw of today, which is the wrong concept. Patching, patching, patching ...

    One big joke.

  • Comment number 77.

    The BBCs journalist (and a few of the respondents, to be fair) haven't fully understood here:

    Interestingly, I've not seen unsecured access points brought up for a while (there was a far amount of fuss 6-7 years ago about it, but I've not seem much mainstream comment about it since). As others have said, its just a man-in-the-middle attack, and the simplest way to work around it is to use end to end security (eg, VPNs) for any traffic you care about. One key thing the article omits is that you shouldn't even trust DNS services in such circumstances (even if you've setup known good servers, they are still subject to this attack).

    The same attack works on any means of public access, from any device - though setting up a poisoned access point is obviously a convenient way of going about it. In theory, you could do something similar with a hotels network access (I have no inside knowledge, but wouldn't assume they have uncrackable security). I'm hoping my ISP is secure enough (ignoring HMG for the moment)

    The iphone lock bug affects only that phone; to avoid it either keep the phone secure or switch to a more reputable brand.

    Facebook is already notorious for poor security, its hardly surprising to see that one come up again.

  • Comment number 78.

    I’m hardly surprised by this. The iPhone (and indeed other phones) have a habbit of connecting to “known to them” networks. Which, if it’s a generic name (the normal names that come with routers out the box, or open networks such as that BT open zone thing) the phone will automatically connect.

    I think I read a comment on there that someone had stated that only the iPhone does this (forgive me it has been 77 posts, and I have read it all) but this problem is not just with the iPhone, my Blackberry does it as well, and have now got into the habit of turning the WiFi off when I am not near a trusted network.

    Facebook’s security is a joke. There is no other word for it. This is why on my facebook account there is none, not one single identifying piece of information about me on there. All it has is my First name, and the dogs name as my surname, and I am very picky about the information I give to websites. When dealing online I take the total stranger approach. After all, you don’t know Mark Zeliotburg (or whatever his name is) from Adam, so why are you telling him the most intimate details of your life? It’s madness.

    You wouldn’t say to a stranger on the street “Oh, hey sir, guess what I done last night. Oh and by the way, here is my name, address, date of birth, email address, credit card number and mothers maiden name. Have fun!” it boggles the mind!

    And that facebook application nearly scared the seven bells out of me when it asked if I wanted to import my phone contacts to facebook. What come out of my mouth cannot be repeated.

  • Comment number 79.

    This has been a problem since the early days of wifi. The only secure use of public networks is through a VPN to your workplace. All data is then encrypted. A firewall on your laptop is also advisable when using public wifi.

  • Comment number 80.

    @Hexham_Dan most parrots i have seen are of a much higher class than yourself:)


BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.