| Recurring |
one_organization, multiple_organization |
(a) The software failure incident related to vulnerabilities in public Wi-Fi hotspots affecting smartphone users has happened again at BT. The article mentions that BT, the UK's biggest provider of such hotspots with five million of its "Openzone" connections in the UK, admitted that it has known of the weakness for "years" and is working on a permanent fix but has no clear timetable for implementation [5171].
(b) The incident of vulnerabilities in public Wi-Fi hotspots affecting smartphone users has also been experienced by other organizations or in similar contexts. The article mentions that the hack known as 'Evil Twin' has been known to the industry and others for some years, indicating that this type of attack is not unique to a specific organization but is a known issue in the industry [5171]. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase is evident in the vulnerability of Wi-Fi hotspots used by millions of smartphone users and BT customers. Security experts were able to gather usernames, passwords, and messages from phones using Wi-Fi in public places due to a weakness known to BT for "years" [5171].
(b) The software failure incident related to the operation phase is highlighted by the exploitation of public Wi-Fi hotspots by criminals. Criminals set up bogus Wi-Fi "gateways" to which the latest generation of mobile phones would automatically connect, allowing them to gather sensitive information passing through the gateway. Users were tricked into providing credit card details on a fake Wi-Fi hotspot, demonstrating the risks associated with the operation and misuse of public Wi-Fi networks [5171]. |
| Boundary (Internal/External) |
within_system, outside_system |
(a) within_system: The software failure incident described in the article is primarily within the system. The vulnerability exploited by security experts to gather usernames, passwords, and messages from smartphones using Wi-Fi in public places is a result of a weakness in the Wi-Fi hotspots provided by BT, such as the "Openzone" connections. BT admitted that they have known about this weakness for years but have not implemented a permanent fix yet [5171].
(b) outside_system: The software failure incident also involves factors originating from outside the system. Criminals were able to exploit the vulnerability in the Wi-Fi hotspots by setting up bogus Wi-Fi "gateways" to which smartphones would automatically connect. This external factor of criminals setting up fake hotspots outside the legitimate system contributed to the software failure incident [5171]. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in the article is primarily due to non-human actions. The vulnerability exploited by security experts to gather usernames, passwords, and messages from smartphones using Wi-Fi in public places was a result of weaknesses in the Wi-Fi hotspots themselves, allowing for the creation of fake Wi-Fi "gateways" that could intercept and collect sensitive information without the users' knowledge [5171].
(b) However, human actions also played a role in the incident. For example, in one test conducted by Adam Laurie, he demonstrated how users willingly provided their credit card details to a fake Wi-Fi hotspot in exchange for internet access, despite the terms and conditions clearly stating that their information could be misused. This highlights the role of human behavior in falling victim to such scams and inadvertently contributing to the exploitation of software vulnerabilities [5171]. |
| Dimension (Hardware/Software) |
hardware, software |
(a) Hardware factors in the software failure incident:
- The incident involved the use of a £49 piece of communications equipment and software to set up bogus Wi-Fi "gateways" for harvesting information from smartphones using public Wi-Fi hotspots [5171].
- Experts demonstrated how a mobile Wi-Fi router, the size of a cigar packet, was set up at St Pancras International station in London to intercept information from smartphones trying to connect to it [5171].
(b) Software factors in the software failure incident:
- The incident involved the exploitation of a weakness in public Wi-Fi hotspots, allowing for the interception of usernames, passwords, and messages from smartphones using Wi-Fi in public places [5171].
- Free software downloaded from the internet was used to decrypt and display the intercepted information on a computer attached to the bogus Wi-Fi gateway [5171]. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The objective of the software failure incident was malicious, as it involved security experts conducting tests to demonstrate how crooks could exploit vulnerabilities in public Wi-Fi hotspots to gather sensitive information such as usernames, passwords, and credit card details from unsuspecting users [5171]. The incident highlighted the potential for fraud, identity theft, and other malicious activities that could be carried out by exploiting the weaknesses in the Wi-Fi connections used by millions of smartphone users and BT customers. The tests conducted by the experts aimed to show how easily individuals could fall victim to such attacks, emphasizing the need for improved security measures to protect users from malicious actors. |
| Intent (Poor/Accidental Decisions) |
poor_decisions, accidental_decisions |
(a) The intent of the software failure incident (poor decisions):
- The software failure incident described in the article was primarily due to poor decisions made by companies and individuals involved in providing and using public Wi-Fi hotspots.
- BT, the UK's biggest provider of such hotspots, admitted to knowing about the weakness for "years" but had not implemented a permanent fix [5171].
- The experiment conducted by security experts demonstrated how easily crooks could set up bogus Wi-Fi gateways to harvest sensitive information from unsuspecting users, highlighting the poor decision-making in terms of security measures [5171].
- Stuart Hyde, the Association of Chief Police Officers' lead on e-crime prevention, expressed concerns about the potential for criminals to exploit insecure Wi-Fi in public places due to the lack of security measures, indicating the consequences of poor decisions in ensuring public Wi-Fi security [5171].
(b) The intent of the software failure incident (accidental decisions):
- The software failure incident can also be attributed to accidental decisions made by users who unknowingly connected to fake Wi-Fi hotspots set up by criminals.
- The experiment conducted at St Pancras International station in London showed how smartphones automatically connected to the fake Wi-Fi gateway, sending usernames, passwords, and messages without the users' knowledge, indicating the unintended consequences of connecting to unsecured networks [5171].
- Adam Laurie demonstrated how users at Waterloo station were willing to provide their credit card details to a fake paid-for gateway, despite the warning that it provided no protection for their private information, highlighting the accidental decisions made by individuals in compromising their sensitive data [5171]. |
| Capability (Incompetence/Accidental) |
development_incompetence |
(a) The software failure incident reported in Article 5171 can be attributed to development incompetence. The vulnerability in the Wi-Fi hotspots used by millions of smartphone users and BT customers was known to BT for "years" without a permanent fix being implemented [5171]. Additionally, the article mentions that the attack works because public Wi-Fi hotspots have no form of identification except their name, which an off-the-shelf device can mimic, indicating a lack of robust security measures in place [5171].
(b) The software failure incident can also be categorized as accidental. The gathering of usernames, passwords, and messages from phones using Wi-Fi in public places was carried out by security experts in tests with volunteers, to avoid breaching telecommunications and computer misuse laws [5171]. The experiment involved setting up fake Wi-Fi gateways to demonstrate how crooks could exploit the vulnerabilities, indicating that the incident was not intentional but rather a demonstration of the existing weaknesses in the system [5171]. |
| Duration |
permanent |
(a) The software failure incident described in the article is permanent in nature. The vulnerability in the Wi-Fi hotspots used by millions of smartphone users and BT customers has been known for "years" [5171]. BT, the provider of these hotspots, admitted to knowing about the weakness for years and is working on a permanent fix but has no clear timetable for implementation [5171]. The security flaw allows for the gathering of usernames, passwords, and messages from phones using Wi-Fi in public places, posing a significant risk of fraud and identity theft [5171]. The incident highlights a long-standing issue in the security of public Wi-Fi networks, indicating an enduring problem rather than a temporary glitch. |
| Behaviour |
omission, value, other |
(a) crash: The article does not describe a crash, where the system loses state and does not perform any of its intended functions.
(b) omission: The incident involves a form of omission where the system omits to perform its intended functions at an instance(s). In this case, the system fails to provide secure Wi-Fi connections, allowing for vulnerabilities that can lead to fraud and identity theft [5171].
(c) timing: The incident does not relate to a timing failure where the system performs its intended functions correctly but too late or too early.
(d) value: The software failure incident does involve a failure related to the system performing its intended functions incorrectly. Specifically, the system fails to provide secure Wi-Fi connections, leading to the exposure of sensitive information and potential fraud [5171].
(e) byzantine: The incident does not exhibit a byzantine failure where the system behaves erroneously with inconsistent responses and interactions.
(f) other: The other behavior exhibited in this software failure incident is a security vulnerability that allows for unauthorized access to users' information and the potential for fraudulent activities due to the lack of proper authentication and encryption in public Wi-Fi connections [5171]. |