10-year-old teaches hackers a valuable lesson in privacy

Live demo at DEF CON snares users within seconds

free wifi
Credit: Dennis Yang

Evan Robertson, age 10, took a science fair project and turned it into a valuable lesson in privacy earlier this month at rootz Asylum, a kids-only gathering at DEF CON where children can learn about security in a safe, encouraging environment.

Evan wanted to do something different for his school project. He just wasn't into volcanoes.

"I was thinking about a really cool project, I didn't want to do normal stuff," he explained in an interview with Salted Hash.

Instead, he asked his dad for ideas. Several options were discussed, but eventually (at Evan's insistence) the two decided to see if people cared about their privacy and security when connecting to public Wi-Fi.

Evan's project required a Raspberry Pi, and the base kit ($75) included almost everything needed to prove his hypothesis. He created a hotspot that would offer free internet access to anyone using the SSID of FREE PUBLIC WIFI, provided the user agrees to a horrendous Terms of Service (TOS).

For example:

"...You agree to allow your connecting device to be accessed and/or modified in any way by us, including but not limited to harvesting of personal information and authentication data, reading and responding to your emails, monitoring of your input and/or output, and "bricking" of your device..."

Evan did most of the work himself and was proud that he used the CLI to program the device, but noted that the experience was "really hard work."

The test was simple. Evan's hypothesis during his project was that at least 50 percent of those who connected would ignore the TOS and just accept it blindly.

He tested the hotspot at Lakeline Mall in Austin, Texas during Black Friday and Mother's Day weekend. A second test took place during the Christmas season and Mother's Day weekend at Round Rock Premium Outlet Mall. The third and final test happened at a local Target around Christmas time.

In all, 76 people connected to his hotspot, and 40 of them (52%) accepted the TOS to gain access.

Later, during BSides San Antonio, Evan placed a single hotspot in each of the three tracks. His expectation was, since BSides is a gathering of security professionals, he'd have little success.

Instead, he learned that just because someone works in security, this doesn't mean said individual will read the TOS or refuse free wireless. During BSides San Antonio, 41 people connected, and 20 of them accepted the TOS. According to sources who were at the event, there were more than 300 people in attendance.

"They thought it was a really unique and cool idea," Evan said, explaining the reaction of the staff at his school. Coincidentally, he took first place in the science fair for his efforts.

The situation wasn't any different at DEF CON. While speaking with Evan and his parents, they turned the access point on so we could get a photo. Within seconds, four people had connected, and one of them blindly accepted the terms and conditions.

During the interview, it was clear that Ian and Stephanie Robertson (Evan's parents) were extremely proud of their son's efforts, culminating in his trip to the stage at rootz Asylum.

"I think one of the most interesting things that I found through this process was, while he [Evan] enjoyed doing the project, what really made him excited was sharing it with people and presenting it," Evan's father observed.

For most security professionals, the notion that users would ignore TOS conditions and gladly trade security and privacy for a stable internet connection is nothing new. But that's not the point.

The point is, a generation of kids – kids who are being encouraged to think, challenge ideas, and explore options – are coming into their own. This is why events such as Hak4Kidz and rootz Asylum are so important. We need more kids like Evan, and more parents like Ian and Stephanie. This is how we’ll improve the future of security.

At the end of the interview, we asked Evan if he had any advice or final thoughts. Before he ran off to play more video games, he offered some simple advice: "Read the terms and conditions."
