Millions of smartphone users and BT customers who use Wi-Fi wireless internet "hotspot" connections in public are vulnerable to fraud and identity theft, a Guardian investigation has established.

In tests conducted with volunteers – to avoid breaching telecommunications and computer misuse laws – security experts were able to gather usernames, passwords and messages from phones using Wi-Fi in public places.

In the case of the best-selling Apple iPhone 4 and other smartphone handsets, the information could be harvested without the users' knowledge and even when they were not actively surfing the web if the phone was turned on.

BT, the UK's biggest provider of such hotspots with five million of its "Openzone" connections in the UK in train stations, hotels and airports, admitted that it has known of the weakness for "years" and that it is working on a permanent fix. But it has no timetable for when it might be implemented.

Using a £49 piece of communications equipment and software freely available for download from the internet, the investigation established that crooks could set up bogus Wi-Fi "gateways" to which the latest generation of mobile phones would automatically connect. Once a connection is established, all the information passing through the gateway can be either be read directly or decrypted using software that will run on a laptop.

In another test, a fake Wi-Fi hotspot invited people to "pay" for internet access with their credit card – but required them to click a box to accept terms and conditions which clearly stated "you agree we can do anything we like with your credit card details and personal logins".

A number of people entered their details. The Guardian did not retain any users' details in the experiment.

Not only could the information be used to steal identities, hijack email accounts and commit fraud but also to gather information about individuals and company employees. With the information gained in our investigation, fraudsters could have bought goods online or sent multiple e-gift vouchers worth as much as £1,000 each to pre-set email addresses. It is believed that such vouchers are already being traded by crooks over the internet.

The attack works because public Wi-Fi hotspots have no form of identification except their name, which an off-the-shelf device can mimic. Many smartphones are sold with automatic connectivity to BT's Openzone Wi-Fi hotspots to enhance the contract and reduce the load on the mobile carrier's data network from the phones, while offering faster connectivity.

Jason Hart, chief executive of the security company Cryptocard in Europe, said: "An O2 iPhone will automatically connect, because BT Openzone connectivity is usually part of the package for free internet access. It will pass over its credentials and because it can see the internet through the hotspot, it will start sending and receiving data."

BT, which boasts of having 2.5 million Wi-Fi hotspots available to its 5 million broadband customers said: "This hack is known as 'Evil Twin' and has been known to the industry and others for some years."

The company is working with the Wireless Broadband Alliance, an industry group which aims to help hotspot providers deliver a "reliable and trustworthy" service, to introduce a security system known as 802.1x, which forces detailed authorisation when devices connect. But it is not clear whether the devices themselves will be able to detect fake hotspots.

Apple, manufacturer of the top-selling iPhone series, declined to comment. O2 did not respond to requests for comment.

BT broadband customers who agree to allow a part of their Wi-Fi bandwidth to be used publicly are, in turn, allowed to use the Wi-Fi of other subscribers. The resultant Wi-Fi community is called BT Fon and utilises wireless routers – boxes which broadcast the Wi-Fi signals – in people's homes. BT Openzone users have to provide usernames and passwords. Subscribers may use both services through their smartphones. On the first use anywhere, they must give a username and password – but after that, their phones forever hunt out hotspots with the names "BT Fon" and "BT Openzone" hotspots automatically, and will join them.

Stuart Hyde, the Association of Chief Police Officers' lead on e-crime prevention, said: "We became aware of the potential for criminals to use Wi-Fi in this way last year and have become increasingly concerned. All they need is to set themselves up in a public place with a laptop and a mobile router called 'BTOpenzone' or 'Free Wifi' and unsuspecting members of the public come along and connect to them.

"Once that happens, there is software out there that enables them to gather usernames and passwords for each site a user signs in to while surfing the net. And once criminals have access to your email accounts, Facebook account, Amazon history and so on, the potential for fraud and identity theft is very serious indeed.

"Until there are improvements in security, I would advise people to be very wary indeed when using insecure Wi-Fi in public places."

Professor Peter Sommer, a cyber-security expert at the London School of Economics, said: "This is all very alarming. It means that literally millions of people who use Wi-Fi in public could be at risk. If criminals are able to harvest the usernames and passwords of all the websites you visit, they could do significant damage in terms of identity theft and fraud.

"The safest route for existing users of mobile phones, particularly if they use BT Fon or Openzone, is to switch off their Wi-Fi when they leave home and only use it on systems they know to be secure – such as at home or at work. Everywhere else you use Wi-Fi – whether in a coffee shop, an airport, a railway station and especially out in the street – you are taking a calculated risk."

The experiment: how we set up 'evil twin'



Experts commissioned by the Guardian conducted two exploits to demonstrate how crooks could cash in on bogus Wi-Fi gateways. In the first, Jason Hart set up his mobile Wi-Fi router, the size of a cigar packet, at St Pancras International station in London and soon saw half a dozen smartphones try to connect to it.

Only the phones of our volunteers were allowed to connect. Because modern smartphones regularly "push" email and other updates automatically, they sent the owners' usernames, passwords and messages through the bogus BT Wi-Fi gateway, in one case while the phone was in a volunteer's pocket. Free software downloaded from the internet was then used to decrypt and display the information on a computer attached to the router.

The Guardian is withholding details of this software, but was shown details of its workings, which uses the power of modern graphics chips to decode encrypted data.

For the second exploit, Adam Laurie, director of Aperture Labs Ltd, demonstrated how bogus Wi-Fi gateways can be used to harvest credit card numbers. He established a fake paid-for gateway with its own website at Waterloo station. Users are allowed on to a gateway web page but must pay to use it to access the internet.

First they must provide their name and credit card details – including the CCV security code on the back and the expiry date – and agree to a terms and conditions policy. Our usage policy warned potential subscribers that it provided no protection for their private information. Incredibly, during a 30-minute period in the station, three people agreed to the terms and conditions and tried to log on and provide credit card details. To avoid breaching the law, Laurie rejected all these approaches.