Police allege ‘evil twin’ of in-flight Wi-Fi used to steal passenger’s credentials

Australia’s Federal Police (AFP) has charged a man with running a fake Wi-Fi networks on at least one commercial flight and using it to harvest fliers’ credentials for email and social media services.

The man was investigated after an airline “reported concerns about a suspicious Wi-Fi network identified by its employees during a domestic flight.”

The AFP subsequently arrested a man who was found with “a portable wireless access device, a laptop and a mobile phone” in his hand luggage.

That haul led the force to also search the man’s home – after securing a warrant – and then to his arrest and charging.

It’s alleged the accused’s collection of kit was used to create Wi-Fi hotspots with SSIDs confusingly similar to those airlines operate for in-flight access to the internet or streamed entertainment. Airport Wi-Fi was also targeted, and the AFP also found evidence of similar activities “at locations linked to the man’s previous employment.”

Wherever the accused’s rig ran, when users logged in to the network, they were asked to provide credentials.

The AFP alleges that details such as email addresses and passwords were saved to the suspect’s devices.

The charges laid against the man concern unauthorized access to devices and dishonest dealings. None of the charges laid suggest the accused used the data he allegedly accessed.

However three charges of “possession or control of data with the intent to commit a serious offence” suggest the alleged perp was alive to the possibilities of using the data for nefarious purposes.

AFP Western Command Cybercrime detective inspector Andrea Coleman pointed out that free Wi-Fi services should not require logging in through an email or social media account.

Perhaps curiously, she advocated users of public Wi-Fi should “install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet.” He also recommended disabling file sharing, avoiding sensitive apps like banking while using public networks, and manually forgetting connections after use so that devices don’t automatically reconnect to naughty networks.

The accused appeared before a magistrate last week and was released on bail, and on condition he restrict his use of the internet in certain ways. ®

READ MORE HERE