Unless you protect yourself (and we’ll tell you how)
We take for granted we have internet access anywhere, anytime. Between mobile data and wifi hotspots, you can get online virtually anywhere, virtually anytime. And while most people don’t think twice about connecting to wifi at a coffee shop, store, airport, or hotel, connecting to public wifi comes with a host of real risks to your privacy and security. While the bad news is connecting to any old wifi hotspot is a terrible idea, the good news is it’s easy to protect yourself. In this post, we’ll give you some easy tips how to protect yourself, but first the five reasons why connecting to public wifi is a really horrible, terrible, very bad idea.
5 bad things about free wifi
1) What you’re browsing, doing, and working on is out in the open
About eight years ago we woke up to how much information was leaking out from our browsers while connected to wifi. Back then most websites, with the exception of banks and online stores, used unencrypted http to connect. We didn’t think about http versus encrypted https unless we were shopping or banking, because back then a lot of us were just starting to use free wifi and we didn’t know how laughably easy it was to connect to wifi and snoop on everyone else who was also connected to that hotspot. We didn’t know how much information we were sharing out in the open because most websites used plain, old http. These two very dangerous blind spots made for one very big problem.
The first problem isn’t with http vs https (unencrypted vs encrypted connection to a website ), but with how we were connecting to wifi. Most of the time when you connect to public wifi you don’t have to enter a password to initially connect. While insecure, it’s also easier for customers and employees at the store or cafe. Endless “What’s the wifi password?” questions throughout the day would drive anyone crazy. Wifi access points without passwords make it easy for people to sit down, connect, and do whatever they wanted to do in the first place. What does a secure wifi connection look like? Your first hint is when you choose the network. If there is a little padlock next to the name, it’s secure.
No padlock, no connection password, not secure. “But wait,” you say, “I have to enter a password on a website to connect to the internet. Isn’t that the same?” Sorry, but, nope. That password is only there to:
- Limit access to people using the wifi (e.g. customers only)
- Get you to agree to terms and conditions (e.g. I won’t hack people while connected)
- Get you to opt into advertising and other tracking (which we’re going to talk about later)
That’s not real security, it’s an admissions gate. So unless you see that padlock when you pick the name, no matter how many other passwords you have to enter, the connection isn’t protected. And this is the big problem. When the connections between you and the wifi router aren’t encrypted anyone also connected can tap into the connections between everyone and the router. You can see everything. Usernames, passwords, the sites being visited, the text of the sites being visited, even the contents of emails being sent.
Unless you see a screen like this pop up went you connect to the wifi network:
The connection isn’t encrypted. On an unencrypted connection everything you do is out in the open. When the network is encrypted, the other people on the wireless network can’t see what you’re browsing. What about http versus https? How does that come into play?
Before websites switched to https, everything you saw, read, or typed while you were surfing was visible and out in the open. Unencrypted connections over http are the electronic equivalent of mailing postcards—anyone between the sender and receiver can read and see what’s being sent—just like a postcard. There’s a catch though, while https encrypts the data between you and the website, it doesn’t encrypt all of the data. The part of the connection that tells the routers where you want to go (the IP address or domain name) is still sent unencrypted. This isn’t a flaw, it has to work like this so you can get to where you want to go online. When you use https, only the website you’re visiting can decrypt the information, so you need the address to remain unencrypted so all the routers along the way know where you want to go.
This means that even if you only use websites over https (the HTTPS Everywhere plugin from the Electronic Frontier Foundation is a great tool to help you make sure you are connecting over https), there is still a lot of information leaking out over the wifi network.
Reason one—and maybe the biggest reason—most public wifi isn’t secure and not everything you do online is secure either (though that is changing thanks to Google). If that wasn’t bad enough, one of the things that makes wifi so convenient can be used against us to trick us into connecting to the wrong network and not even know it.
2) It’s really easy to fake
One of the handy ways wifi works is if you’ve connected to a wifi spot before, it will automatically connect to a wifi spot with the same name again. This is important so a company can set up wifi access points around a large building, name them all the same, set the same password, and you will stay connected as long as you’re in range of one of the wifi access points. But there is a real danger here. Hackers, and other malicious folks, can setup “Evil Twin” wifi points with the same names and passwords as access points for hotels, conferences, or coffee shops and use those access points to steal information, infect computers with malware, or other bad things.
Let’s say you go to Dave’s Cafe for your morning coffee and a little emailing before you head into the office. Dave’s a smart guy, so he’s secured his wifi with a password and encryption. While you’re waiting for your coffee your laptop connects to “Dave’s Place” wifi network and everything is set. Now a hacker has decided to target people who go to Dave’s Cafe so he sets up a wifi access point nearby and also calls it “Dave’s Place” and even uses the same “coffeeislife” password. If the rogue point is close enough to the cafe, people might connect to it by chance, or if the hacker makes his network signal stronger than the real Dave’s Place more people will connect to the Evil Twin because devices pick the strongest signal to connect to when given a choice. Even more clever, the hacker could set up the wifi just out of range of the real Dave’s Place wifi and as people are coming by, their smartphones and other devices will automatically connect to it thinking it’s the real one. Now you’re thinking “What’s the problem? My wifi connection is secure, I had to put in my password just like you said.” The problem is that a wifi password only encrypts the data between you and the router, once the data gets to the router it’s decrypted. Anyone who is directly connected to the router with an ethernet cable, can see, and monitor, all the information going through it on its way to the internet. There is a lot of information to be gleaned that way and because the hacker controls the router—therefore the connection to the internet—he can also redirect you to whatever website he wishes. This is called a “man in the middle” attack. A hacker could do something like create a fake Gmail site and when you are connected to the Evil Twin and type “gmail.com” you don’t go to the real gmail.com, but a fake one designed to capture your username and password. Man in the middle attacks can be even more subtle than an entire fake website, it can send you to the real website, but use an encryption certificate the hacker controls so he can decrypt anything you do and see on the website.
Evil twin and rogue hotspots are dangerous because they are hard to detect (as a user) and once you’re connected to one, anyone with physical access to the router (which a hacker would have), can do a lot to any device connected to it.
3) Security isn’t a priority
In the example above, Dave’s Cafe has done a some basic wifi security. He’s done what you do at home or office to keep people you don’t want connecting to your network from connecting to the network. Using WPA2 security on your wifi is a good thing. It’s good, basic protection, but it’s just the starting point. At most companies IT spends time making sure they go beyond the basics. Beyond keeping the routers updated (which everyone should do—even at home), they monitor for suspicious traffic and watch for unknown devices connecting. IT admins set up rules to prevent hackers from spreading malware and protect essential systems with additional layers of security. IT’s job is to keep the network secure, but what if your job is making lattes or checking guests into their rooms? Security is not in your job description. Security probably isn’t even something you know much about. You might do some of the basics and maybe hire someone to set the network up the first time. That’s about it. Network security isn’t high on your list of things to manage with your business.
Coffee shops, malls, restaurants, and hotels often don’t do much, if anything, around security. Hotels are notoriously bad for security on guest wifi. One security researcher was able to hack into a hotel’s systems and copy sensitive data without much effort or anyone noticing. This might be the most recent case of hotel network hacking, but it isn’t the first nor will it be the last. Many places offering free wifi have other things to do—make coffee for example—than worry about wifi security. Even when something as big as the VPNfilter malware hit routers around the world, many people might not have noticed or done anything. Security might not be their main job, but if you’re connecting to other people’s wifi, you need to make your own security a priority.
4) Who else is connected
Even if you’re not connected to an Evil Twin hotspot that is certainly compromised, when you’re connected to public wifi, especially unsecured wifi, your device is visible to every other device on the network. If a hacker is on the network targeting people, well, you can figure out the rest. Want to see how risky it is? If you have a Mac or iOS device, open AirDrop and see how many other devices pop up. While AirDrop doesn’t require devices to all be on the same network to be found, it is a good example of how exposed our devices can be in public. The whole idea of putting devices on networks is to make connecting and sharing information with each other easier. It’s awesome and convenient if you need to connect to a shared printer in the office, but not so awesome if a hacker wants to drop some malware on your machine or send out a ping of death. Shared wifi networks are great and convenient, but don’t forget the shared part. You’re on the network with a lot of strangers and one of them might not be connecting just to update Facebook.
5) Location trackers
This is a new threat to public wifi users—and one I’m sorry to say our solutions below won’t be able to entirely prevent—malls and restaurants tracking your devices even when you’re not connected to wifi and are just in the area. Remember in the first point about accepting terms of service when connecting to free wifi? And remember the adages “there’s no such thing as a free lunch” and “if the product is free, you’re probably the product being sold”? Under the guise of helping stores offer discounts and other marketing bits, these wifi hotspots gather information about your device and once you’ve connected, they keep that information and use your device’s unique identifiers to track your location around a mall and between malls if the same company offers wifi in other locations. These data help stores understand foot traffic to their stores and the mall know where people go. Great in theory, but bad because your data is kept for a long time (possibly forever), even if you only went to the mall once and only connected for a minute to check something online.
From the ZDNet article above, you can ask to have your information removed from their databases, but if you don’t, not matter how you try to protect yourself—those wifi hotspots have you in their sights.
The 3 ways to protect yourself
Now that you’re thoroughly alarmed about all the risks of public wifi, let’s give you three easy ways to protect yourself. These really are easy things you can do without needing to know anything geeky.
1) Disconnect and forget
One of the easiest of these three tips is remembering to disconnect from the free wifi when you are done so that your devices forget the network and it doesn’t try to automatically connect again. This will help protect you from Evil Twin hotspots. It’s not perfect of course, because when you want to connect to somewhere the twin could still be there, but it will keep you from automatically connecting to hotspots which could be malicious. You don’t need to do this for your home or office networks, but it’s a good idea to clear out these free wifi networks from your list every now and then.
2) Tether to your mobile device
If you have a lot of data on your mobile device plan and need to connect your laptop or tablet, using your smartphone as a hotspot is a good way to keep your laptop secure. While 4G/LTE networks aren’t impossible to hack, they are secure by default and really hard for people without special equipment to hack into. This isn’t an option for your smartphone, of course, but when the wifi looks dodgy at best, this will get you online securely.
3) Use a VPN
A VPN—Virtual Private Network—is a secured connection that encrypts your entire connection, not just what is protected by https or even secured wifi. When you’re connected to the internet through a VPN, even if someone has access to the router and is watching the information go through it, everything you’re doing is encrypted so there is nothing to glean from your data. Nothing to see here. Move along, go hack someone else. VPNs protect against all kinds of snooping and hacking attempts and best of all using a VPN is pretty easy—especially if you use SKY WORK.
If your company uses a Mobile Device Management (MDM) service, then a VPN is usually turned on automatically and all of your connections on your mobile device are encrypted. For example all SKY WORK customers are connected through our secure and managed VPN. Making sure connections are secure is one of the most important parts of device management. For your laptop and other devices, you can ask if you can use the MDM VPN on those as well. What if you aren’t a SKY WORK customer, don’t have an MDM at work, or want to secure personal devices? Here are some free and low-cost VPN solutions we recommend:
- Windscribe (free and paid, iOS, MacOS, Android, Windows, Linux)
- TorGuard (paid only, iOS, MacOS, Android, Windows, & Linux)
- Private Internet Access (paid only, iOS, MacOS, Android, Windows, & Linux)
- TunnelBear (free and paid, iOS, MacOS, Android, Windows)
A free VPN is a good choice if you need to connect for a short time at a hotel or coffee shop and aren’t going to need it very often. However, if you connect to free wifi regularly, you should think about spending a few dollars a month for a VPN to protect you and your devices. Today’s VPN solutions are very simple to use and many of them automatically turn on when you connect to untrusted networks and disconnect when you are connected to a trusted network like at home, your office, or on mobile data. For our work devices we use our SKY WORK MDM to protect our work devices and many of us subscribe to VPN solutions for our personal devices. We know the risks from public wifi and we don’t want to take any chances with our devices or data.
Public wifi is convenient, but not always a safe choice
Being able to get online anywhere and everywhere is very convenient. You can work from just about anywhere or watch a show or play a game online. The internet and wifi is one of the great things about technology today, but that convenience can come at a cost. Public wifi lets you get online, but at best you’re being tracked for marketing and at worst at risk of being hacked or your data stolen. Take our advice and use a VPN whenever you connect to strange wifi, or better try SKY WORK MDM for free and get all the benefits of a VPN with secure mobile productivity tools for your business as well.