How Safe Are You on Public WiFi? Not Very

At the U.S. Republican National Convention in Cleveland last year, more than 1,200 people connected to free WiFi networks with names like “I Vote Trump! Free Internet,” “I Vote Hillary! Free Internet,” and “Xfinitywifi.” They transferred gigabytes of data, doing things like checking e-mails and chatting. Some even shopped on Amazon or logged into their bank accounts. Those networks were fake, set up by network security vendor Avast to make a point about the insecurity of most public WiFi spots. The company said that over 68 percent of those using these fake sites exposed their identities in some way. The Republican delegates are no different than the rest of us in their trust of public WiFi networks. In a recent survey, over half of respondents said they had logged into their personal email or social media accounts from a public network. Some 61 percent believed their information was safe on a public WiFi network. Only 42 percent knew how to tell whether a WiFi network was secure. Millennials were the most trusting group, the survey found. Nearly 95 percent of them had shared information while on public Wi-Fi, the largest percentage of any generation. WiFi hackers like to hit where crowds gather. For example, one published report claimed that hackers took advantage of the crowds attending the Olympic games in Rio de Janeiro in 2016 by launching fake WiFi spots across the city and thereby vacuuming up a lot of data from unsuspecting users. How much and what types of data? No one seems to know, but it likely included passwords, credit card numbers and other info that thieves later used to commit identity theft or other types of fraud.

WiFi hacks fly under the radar

While theft of data from unsuspecting consumers using public WiFi spots is presumed to be fairly pervasive, it doesn’t get the attention that major hacks of corporate or financial systems do. These thefts happen in dribbles – with bad guys stealing bits of information from many users and accounts – rather than a tsunami. One contributing factor is that WiFi is so pervasive. A 2015 report by WiFi network provider iPass estimated that there were more than 50 million public hotspots worldwide – one for every 150 people, a number which is expected to grow to 340 million by 2018, or one for every 20 people on earth. Another factor is that so many public WiFi networks are inherently insecure. Kaspersky Security Network recently analyzed some 32 million public hotspots and found that 25 percent do not use any encryption at all, meaning that anyone with an antenna can pick up the communications. Another three percent use an old form of encryption that is essentially ineffective. Third, hacking WiFi networks doesn’t require sophisticated technical knowledge. Some of the tools are widely available and easy to use. That’s not to say that large international crime rings aren’t involved. In December 2014, Australian police caught members of a criminal syndicate opening a bank account in Sydney using a stolen identity they got by hacking people’s phones through a free WiFi network. The operation stole more than $6 million, and police arrested almost 50 people in connection with the crime. Hackers are not only setting up their own fake WiFi spots but in some cases may hack into existing, legit networks. In Israel last fall, for example, a white-hat hacker showed how he could take advantage of vulnerabilities in network routers to take over the free Wi-Fi network of Tel Aviv.

How hackers do it: common techniques

Experts say there are several common ways that hackers compromise public WiFi networks.

• Fake hotspots: Hackers set up a fake network with an innocuous name that fools consumers into thinking it’s legitimate, such as “Starbucks WiFi” in a coffee shop. They can then record all the keystrokes of people who use that network, including user names and passwords to various accounts.

• Man-in-the-middle attacks: Cybercriminals take over a public network and use the established connection to the victim’s machine to redirect their communications, often to a fake website that looks like your bank, for example, and tricks you into giving up log-in credentials.

• Malware: Once on the network, they can send you fake notices saying you need to install an update. But rather than updating your system, they install malware that then gives them complete access to your system, including files and photos. They might even be able to turn on the web camera or microphone and eavesdrop.

• Sniffing: Using a WiFi sniffer, anyone can locate insecure WiFi networks and monitor their traffic. They can record that traffic and analyze it to discover useful details.

WiFi operates on public airwaves, so sniffing may not even be illegal, technically. When David Maimon, an assistant professor in the department of criminology and criminal justice at the University of Maryland who is studying the problem, checked on whether it was legal in Maryland, “we couldn’t find any law preventing you from sniffing,” he said in an article on DigitalTrends.com. “Banners before you log in to public WiFi, where you agree to terms of use, sometimes specifically mention you’re not allowed to sniff and that makes it illegal, but if there’s no banner then it’s not illegal at all.” Maimon’s observation in 2014-15 of 33 public around the District of Columbia metro area found that conducting e-commerce and visiting social networks were the most common online behaviors over public WIFI networks. In 40 percent of the networks he monitored, online banking was common. He found evidence of malware packets in 30 percent of the networks.

How to be protect your info on public WiFi

• Use a virtual private network (VPN): There are many VPN services that you can use with smartphones and computers. A VPN lets you connect to the provider’s servers via an encrypted connection, which protects prying eyes from seeing any information. However, the quality and business models of these services vary, so research them carefully. Free or very low-cost services sometimes collect data from your activity.
• Change the settings on your device so it does not automatically connect when it senses a WiFi network. In public spaces, before connecting try to ask someone (like the hotel manager) for the name of the WiFi hotspot to make sure you’re not connecting to a fake one.

• Use 2-factor authentication, which requires you to provide two things to prove your identity. When logging onto your Dropbox account, for example, it asks for your password and then texts a code to your smart phone. You must enter the code before you are granted access.

• When using a public WiFi network, limit activity to web browsing. Avoid using any accounts that require log-in information (such as e-mail and bank accounts), avoid sending any private data across the network, don’t download any apps, and don’t install any updates.

• Keep your operating system and apps patched and up to date.

• Use a cellular connection instead of the free WiFi service.

• Enable the “always use https” option on websites you visit often or that require passwords and log-ins. When you log in to the website, make sure the URL address starts with “https,” which means it’s encrypted.

• Make sure the WiFi network uses the latest encryption technique, known as WPA (WiFi Protected Access)-2 protocol.

Public WiFi networks are likely to remain a rich vein for hackers, with plenty of potential victims unaware of all the information they expose. By following a few precautions, you’ll reduce your chances of becoming one of them.  

Image

About the Author: John Mason is a Cyber Security/Privacy enthusiast working as an analyst for TheBestVPN.com. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.