So what is the most dangerous word or phrase when it comes to Wi-Fi? Could it be jamming or sidejacking? Password theft? How about rogue access points? While those are all certainly scary words, there's another that should instantly sound alarm bells in your head whenever you see it. You may have seen it yesterday or perhaps you will run into it later today at your local coffee shop.
Here it is – “Free Wi-Fi”. Or maybe even just “free.”
In fact, the FBI and the Federal Trade Commission both caution U.S. citizens to be mindful of the security risks when using free Wi-Fi. Other organizations such as the AARP caution their members that “Free public wireless networks may come at a steep price — the theft of your finances and identity.” In the UK, the public awareness site for online safety, GetSafeOnline.org, lists numerous recommendations for dealing with the “free” but threatening environment that is characteristic of public Wi-Fi.
Free WiFi is everywhere these days, giving us the ability to work remotely in coffee shops and restaurants. It’s very convenient but potentially unsafe. Connecting to a public Wi-Fi network requires little authentication — at best you’ll be greeted by a captive portal and have to check a box agreeing to the terms of service. Anyone can connect to these networks, including cybercriminals.
As most learn at some point in life, “free” always has a cost. In the case of free Wi-Fi, that cost is the risk involved in signing on to free public Wi-Fi. When something is free, there is little incentive to invest much money into it in order to improve the quality of it. In the case of the free Wi-Fi offered by many businesses, this may mean any one or all of the following:
The presence of any of these factors can contribute to an insecure environment in which hackers can easily target unsuspecting users who are oblivious to the danger they are in. Some of the most common threats include the following:
Free doesn’t sound as enticing now, does it?
This does not mean that you should never use public Wi-Fi. It simply means that there are certain precautions you should always take when using it. Of course, you would never say your passwords or personal identification numbers out loud in a crowded coffee shop. A wireless hotspot is full of prying ears as well, because everyone shares the same wireless access point. In a sense, it is one big conversation.
Public Wi-Fi networks are mainstream today. Restaurants, hotels, stores, transportation hubs, libraries all provide guest Wi-Fi free or for a nominal fee. It’s a service an establishment can offer for minimal cost and effort, allowing for a tidy profit stream, useful user information and better customer satisfaction. Few users give a second thought to accessing these networks, from their tablet, laptop or smartphone – but should they?
Most companies imagine that things such as public Wi-Fi are a background consideration. However, with the internet playing an increasing role in the success or failure of businesses, it is important to ensure public Wi-Fi is secure.
Next we’ll examine the various threats posed by public Wi-Fi as well as some common tools used by attackers. When it comes to public Wi-Fi, the most likely threat is a common hacker or scammer attempting to steal a user’s information for profit.
Attackers are often after personal details such as your name, address, financial information or social security numbers.
There is also the potential for blackmail if an attacker finds compromising documents or images on your device.
If you have file-sharing options turned on it can be easy for an attacker to load ransomware onto your device, encrypting your data and demanding a ransom to unlock it.
On public Wi-Fi, there are many methods scammers can use to get to you. Here are some of the most common:
Man-in-the-middle (MITM) attacks are a common form of attack on people using public Wi-Fi. A hacker captures the data you are sending. Most hackers who use this method exploit flaws in apps or websites that allow them to view the information being passed. The information can include bank details, passwords, personal identification information, and other data that could be used for identity theft. The most common MITM attacks are those that occur over unencrypted, unsecured Wi-Fi networks.
The easiest way for an attacker to exploit public Wi-Fi is to position himself between clients and the router. A man-in-the-middle attack is like eavesdropping: the attacker gets in between point A and point B and intercepts data. Sometimes this data is modified in transit to trick the victim into disclosing sensitive information, such as login credentials. The victim will likely never notice anything is amiss.
Once the user falls for the deception, the data is collected.
For users with weak passwords, even if the password is encrypted it will not take long before the attacker cracks it. Learn how to create strong passwords; this will make them harder to crack. Security depends on the trust between devices on a network, and when a user accidentally trusts a malicious party the network becomes compromised.
Not all public hotspots are legitimate. Attackers create “free” WiFi networks (often called evil twin hotspots) in an attempt to lure in unsuspecting users. When you connect to such a network, you give criminals an opportunity to monitor all your data.
All an attacker has to do is find a high-traffic location and set up a fake network with a legitimate-sounding name like “Hotel Wi-Fi.” By the time the attack is uncovered or authorities have isolated the source of the signal, the attacker has moved on, with the stolen user credentials.
The whole experience is transparent to the victim. Most of the time the hacker allows the victims to reach their intended Internet destinations while secretly eavesdropping on the network traffic, stealing information as the victims log in to their e-mail, provide credit card numbers while shopping online, etc.
Avoid using open Wi-Fi hotspots – always ensure they’re secured and that a password is required for access.
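As an added illustration (not part of the original article), the sketch below applies the advice above to a list of nearby networks: it flags open networks, names that merely resemble the venue's advertised network, and networks that reuse the venue's name with a different security setting. The scan rows, the `review_scan` function and the 0.8 similarity threshold are assumptions made for the example.

```python
from difflib import SequenceMatcher

# Constructed sample scan: (SSID, BSSID, security). Not output from a real tool.
SAMPLE_SCAN = [
    ("Hotel Wi-Fi", "aa:bb:cc:00:00:01", "WPA2"),
    ("Hotel Wi-Fi", "aa:bb:cc:00:00:02", "WPA2"),
    ("Hotel Wi-Fi", "de:ad:be:ef:00:01", "OPEN"),
    ("Hotel WiFi Free", "de:ad:be:ef:00:02", "OPEN"),
    ("CoffeeShop", "11:22:33:44:55:66", "WPA2"),
]


def normalize(ssid):
    """Lower-case the name and drop punctuation/spaces so look-alikes compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def review_scan(scan, advertised_ssid, advertised_security, threshold=0.8):
    """Return {bssid: [reasons]} for networks that deserve a second look.

    advertised_ssid / advertised_security are what the venue tells customers
    to use (hypothetical inputs for this example).
    """
    findings = {}
    wanted = normalize(advertised_ssid)
    for ssid, bssid, security in scan:
        reasons = []
        similarity = SequenceMatcher(None, normalize(ssid), wanted).ratio()
        if ssid == advertised_ssid:
            # Same name, but not protected the way the venue's network is.
            if security != advertised_security:
                reasons.append("same name as venue network but different security")
        elif similarity >= threshold:
            reasons.append("name resembles venue network but is not identical")
        if security == "OPEN":
            reasons.append("open network, no password required")
        if reasons:
            findings[bssid] = reasons
    return findings


if __name__ == "__main__":
    for bssid, reasons in review_scan(SAMPLE_SCAN, "Hotel Wi-Fi", "WPA2").items():
        print(bssid, "->", "; ".join(reasons))
```

A network that passes these checks is not proven legitimate, since an evil twin can copy both the name and the security setting; confirming the network details with staff is still the safer step.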
This is a practice where your data is observed, intercepted, and interpreted. It helps experts to diagnose any problems on the network. In the wrong hands, it can be used to monitor and collect data from unsuspecting victims.
Common Tools used by Wi-Fi attackers
While many sites are switching to Secure Sockets Layer (SSL), which provides end-to-end encryption, there are various ways an attacker can circumvent this. One example is SSLstrip, a tool that transparently hijacks HTTP traffic on a network. There are also various pen testing tools for mobile devices, like zANTI. This lets security managers assess the risk level of a network with the push of a button, but it can also make it easy for attackers to scan public Wi-Fi networks and find vulnerable devices — including yours. There is no shortage of tools and guides to help aspiring hackers learn how to infiltrate a public Wi-Fi network. Most of these tools are so easy to use, a ten-year-old could do it.
1. Check the Terms and Conditions.
In your desire to get some free internet, it can be quite tempting to click through any terms and conditions that pop up on your screen. However, you should be careful about what you sign up for in public. A huge amount of free public Wi-Fi also takes something from you. These firms will give you some bandwidth as long as you agree to give them your email address and a phone number for instance.
The terms and conditions include details on how the company will make use of the data they collect from you. If you can bear to wait for just a few minutes, it can be quite beneficial to read what you are giving up. It is one of those times when having an alternative email can prove useful.
2. Stick to Advertised Wi-Fi Networks.
Just because you see free Wi-Fi pop up on your screen does not mean you must connect to it. Hackers are known to set up free Wi-Fi that they use to mine data from unsuspecting individuals. If you see open Wi-Fi that is not advertised publicly, you will have to think twice about using it.
3. Only Visit Secure Sites on Wi-Fi.
The green padlock at the top left corner of your browser shows you that you are connecting to a secure site. This sign is even more important when you are relying on free Wi-Fi. Think hard before doing anything important when on free Wi-Fi. For instance, avoid making any credit card transactions on public Wi-Fi. Additionally, it is best to use a mobile browser rather than an app when on public Wi-Fi. Mobile browsers are better at checking the security of sites than apps. Some apps could be accepting fake security credentials without you knowing about it.
For apps, you are at the mercy of developers when it comes to app security. You should only use apps from trusted companies when using public Wi-Fi. Such companies spend millions every year to ensure that their apps are secure. However, even then you are not guaranteed to be secure.
4. Switch Off Sharing.
When your device is connected to the Internet in a public area, you will not want to share anything. You can turn off sharing in the Control Panel depending on the OS you use. You may also opt to have your OS do it for you by choosing “Public” the first time you connect to a public network.
5. Switch Off Wi-Fi Capabilities in Public.
Even when you are not actively connected to any Wi-Fi network, your computer hardware can still transmit data to any network that is in range. There are measures in place to keep such networks from getting in touch with you. However, hackers can be quite smart, and they can get into your laptop. Besides that, switching off Wi-Fi settings allows you to extend the battery life of your device.
Other Useful Tips.
Avoid downloading anything when using public Wi-Fi. Additionally, ensure that the OS and all other software are always up to date. Although your device automatically manages your connection when you are on public Wi-Fi, it is always best to double check. When you are done with a Wi-Fi network, always forget it. That way, you can reduce the security risk to your device. Additionally, make simple choices like using different passwords for each app.
Most users are unaware of the risks of using public Wi-Fi. Results of a survey conducted in May of 2016 by Symantec revealed a lack of awareness among public Wi-Fi users of the risks and personal responsibilities associated with public Wi-Fi.
The short answer as to who is responsible for public Wi-Fi security is all parties involved – the user, the business offering the service, the websites visited, the equipment manufacturer and the provider of security software. All have a vested interest in maintaining security, whether it is the protection of data, public image or discouraging further attacks.
Who will be held accountable varies by jurisdiction and on a case-by-case basis, predicated on negligence or behavior determined in court. A likely precedent as to how courts will view responsibility can be found in the September 2016 ruling by the Court of Justice of the European Union (CJEU). Sony had sued a business owner in Munich, Germany for copyright infringement because someone had downloaded music illegally on his public Wi-Fi. A lower court had found that the shop owner was liable for having an unprotected network. The CJEU overturned the ruling, but did stipulate that providers of public Wi-Fi should require users to present identification and should password protect their networks, or they could be liable for nefarious behavior in some cases.
The CJEU decision is not the only stipulation as to how a business must protect Wi-Fi networks. PCI DSS regulations require isolating point-of-sale (PoS) operations from public Wi-Fi, using either a firewall or a second DSL line. The Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) both require reasonable measures for the protection of data, with substantial fines for violations and even imprisonment for failure to do so under GLBA. Certainly, any business offering public Wi-Fi should take every reasonable precaution to secure the network, or there could be serious consequences.
So, while users, businesses, ISPs and manufacturers should all take appropriate steps to ensure a safe experience on public Wi-Fi, the business offering the service likely has the most risk of legal repercussions if the network is not secure. Businesses need to ensure their ISPs are providing the most secure Wi-Fi possible to avoid legal fines.
WebTitan Cloud For Wi-Fi
WebTitan Cloud for Wi-Fi provides businesses with a user-friendly, yet robust, mechanism for securing user and company information, tracking user activity and controlling content – all critical to a safe and compliant public Wi-Fi offering. To learn more about WebTitan Cloud for Wi-Fi, email us at firstname.lastname@example.org.
Public Wi-Fi is a massive boost to productivity. It’s super convenient for all of us, but it brings with it a myriad of risks to mitigate. As we’ve shown earlier, it’s easy for attackers to steal your login credentials, personal information and other data with the ever-growing arsenal of tools and new techniques being used. As technology grows, so do the security flaws. Be prepared.