Public Wi-Fi: Convenience trumps risks

It’s often one of the first questions that now comes to mind when eating out, boarding a train or checking into a hotel: “Do you have Wi-Fi and is it free?” Nine times out 10, the answer to both parts of the question will be a very welcome “yes”.

While we wouldn’t necessarily be lost without it in public and non-domestic settings – we can use our own, paid for data – we nevertheless expect Wi-Fi to be available in most places. It’s a sign of how times have changed in the 21st century.

However, in the rush for convenience, we seem to have overlooked security when it comes to public Wi-Fi. And, as this feature investigates, there are plenty of dangers to be wary of.

The importance of the internet to how we live

Hotel Wi-Fi

Not many people will disagree with the idea that the internet in growing in importance in our everyday lives. From communicating with one another to organizing busy schedules or doing business, a lot of activity is now done via the world wide web.

In fact, the availability of wireless connectivity is changing the way we behave and the decisions we make, with studies showing that people are more likely to spend time and money at venues that offer Wi Fi. For example, one study from UK hotel chain Amba Hotels revealed that most customers believe free Wi-Fi is the most important factor when choosing a hotel, more so than price or bed comfort.

Not knowing the risks that come with public Wi-Fi

For all its benefits, there are certain shortfalls with free and public Wi-Fi. This is especially the case when it comes to online privacy and security. Experts have long since warned of connecting to hotspots which could be spoofed, while researchers have shown countless proof-of-concept (POC) hacks on how they can steal data from unsuspecting victims sipping on their cappuccinos. Earlier this year, even a seven-year-old managed to hack public Wi-Fi in just ten minutes.

“95% of public Wi-Fi hotspots are not encrypted … ideal for cybercriminals.”

And yet, as AARP’s recent Fraud Watch Network report found, most adults who surf online are largely unaware of the potential risks of using public Wi-Fi. A quarter of the 800 respondents surveyed, who access free public Wi-Fi at least weekly, were found to be “clueless about the potential risks”, with nearly half “flunking” a simple seven-question quiz on online and wireless security.

This security naivety is important considering the same study found that up to 95 percent of public Wi-Fi hotspots are not encrypted, meaning an attacker could potentially eavesdrop and steal data. This is particularly worrying for the 27 percent of respondents who said they use public Wi-Fi for online banking and shopping, with most also admitting to not monitoring their bank accounts for fraudulent activity.

The dangers of public Wi-Fi are not to be underestimated

Dangers of public Wi-Fi

The security dangers around free Wi-Fi are very real, with concerns typically around how unsecure hotspots could allow attackers to harvest personal details or provide them with the opportunity to infect users with malware in so-called man-in-the-middle (MiTM) attacks. Last year, for example, even the European Parliament was forced to shut down its public Wi-Fi network for a short time after it found it was being used to launch similar attacks.

One of the biggest threats to users of public Wi-Fi are cybercriminals positioning themselves between the user and the connection point. This means that all your personal details are accessed first via the attacker – like credit card details, emails and even security credentials – before the service provider picks them up or the website receives the information.

A common attack like this sees hackers create a fake Wi-Fi hotspot through the use of easily purchasable kits like the Wi-Fi Pineapple. Through hacking such a device, attackers can change the hotspot name to ‘Free Wi-Fi’ and wait for people to connect to it to get online. However, by doing this, cybercriminals can also monitor and steal their web traffic.

Malware

Attackers can also use an unsecure Wi-Fi connection to distribute malware. For example, if you allow file-sharing on your computer – and it is recommended that you turn this off when on public Wi-Fi – an attacker may find an opening to plant malware on your system. A good recent example of this is the Chameleon malware, which attempts to infect access points, like wireless routers, and then uses wireless connectivity to spread further damage.

Some cybercriminals can even hack the connection point itself, causing a pop-up window to appear during the connection process. This will typically offer an upgrade to a popular software, but it is a trick – clicking the window installs the malware. Needless to say, this highlights the importance of doing software updates in a secure environment that is protected by passwords, antivirus and a firewall.

Attitudes need to change to get the most out of public Wi-Fi

This feature has demonstrated that public Wi-Fi, while certainly useful and increasingly available, has numerous pitfalls. On its own, it poses significant security and privacy concerns for users, but in combination with a lack of understanding about the risks, the threats are markedly amplified.

It is clear that more needs to be done to make users of public Wi-Fi aware of the dangers involved and to encourage best practice among those who use it to ensure that the advantages of accessing the service are not outweighed by the negatives. As a start, check out these top 10 tips – you’ll certainly be a lot more secure after reading this than simply logging in without a second thought about how safe the connection is.

Author , ESET

  • Marc Verschaeren

    Applying a little bit of common sense can mitigate many of the risks associated with public WiFi. What was the first thing our parents taught us when we started walking to school on our own? “Don’t talk to strangers!” The first rule to stay safe is not to deal with people you cannot trust. It makes perfect sense and everyone understands why.
    In the WiFi world the equivalent would be “Don’t connect to strange WiFi access points (aka: Hotspots)”. Even a VPN connection does not guarantee safety if you are connected to a fake access point.
    So the trick is to distinguish trusted- from strange- or fake access points.

    My question or proposed topic for discussion: Do you think a crowdsourced system which the reputation of WiFi access points, could make public WiFi safer?

    • Paweł Sosnowski

      One problem I’d have with such a solution: How can a user tell whether they use (and possibly recommend) a trusted Access Point? I mean, someone can use a criminal’s AP and because this one time at least there were no problems whatsoever, he decides to recommend this AP to others. Personally I would concentrate on implementing some sort of certificates given only to trusted APs owners. A user’s software would have to check whether the certificate is valid and trustworthy. If not a pop-up appears which warns the user about potential risks. It’s basically what we already have in the browsers world.

      • Marc Verschaeren

        Hi Pawel,
        Very good questions and suggestion about certification.
        We have built such a system – check out
        A mobile app is used to crowdsource the WiFi fingerprints and send these to a server for analysis. Then the server gives the user feedback about the reputation of the access points in range (on Android only) and warns the user if connected to a suspected fake WiFi (Android & iOS). WiFi owners can certify their WiFi access points by submitting verified fingerprints which is a multistep process.

    • Paweł Sosnowski

      One more idea (based on your idea actually): There’s a website which categorizes public Access Points into trusted, not listed and untrusted. A user has an application on their device which connects to this website, downloads its list of APs (over a secure channel obviously) and checks whether the list has or has not been tempered with. Then the application connects to the AP to verify if its public IP address is listed in the app’s list of APs. If it’s not then it doesn’t disconnect but warns the user that the AP is not listed, therefore they have to decide whether to stay connected or not. If it’s trusted then the user stays connected. If it’s untrusted the app disconnects and warns that this AP cannot be trusted. The main problem is that you have to trust the person who maintains this website. And they have to trust that they properly verified that a particular AP can indeed be trusted. I think its doable under certain conditions but that’s another story. ;)

      • Marc Verschaeren

        Can you send me the link of that website you refer to?

  • Paweł Sosnowski

    No matter how advanced and, at the same time, user-friendly security-enforcing software is, if users are unaware of possible dangers or they don’t know to secure themselves (or worst yet, they just don’t care), it will not help. Obviously, it’s not a reason to stop developing such software but I think it’s more about users’ awareness than it is about the software/hardware solution itself.

Follow us

Copyright © 2018 ESET, All Rights Reserved.