Free WiFi is convenient, but not great for privacy and security
We take for granted that between mobile data and WiFi hotspots, you can get online virtually anywhere, virtually anytime. While most people don’t think twice about connecting to WiFi at a coffee shop, store, airport, or hotel, there are real risks to your security and privacy using free WiFi.
While the bad news is that connecting to any old WiFi hotspot is a terrible idea, the good news is it’s easy to protect yourself. In this post, we’ll give you some easy tips on how to protect yourself, but first, the five reasons why connecting to public WiFi is a really horrible, terrible, very bad idea.
- Lack of basic WiFi security
- It’s easy to fake WiFi access points
- Security is a low priority for businesses
- Hackers can connect to free WiFi
- Location trackers risk your privacy
- The 3 ways to protect yourself
5 free WiFi security risks to know
1) Lack of basic WiFi security
About eight years ago we woke up to how much information was leaking out from our browsers while connected to free WiFi. Back then most websites, with the exception of banks and online stores, used unencrypted http to connect.
We didn’t think about http versus encrypted https unless we were shopping or banking, because back then a lot of us didn’t know how laughably easy it was to connect to WiFi and snoop on everyone else who was also connected to that hotspot. We didn’t know how much information we were sharing out in the open because most websites used plain, old http. These two very dangerous blind spots made for one very big problem.
The first problem isn’t with http vs https (unencrypted vs encrypted connection to a website), but with how we were connecting to WiFi:
- Most of the time when you connect to public WiFi you don’t have to enter a password to initially connect.
- While insecure, it’s easier for customers and employees at the store or cafe. Endless “What’s the WiFi password?” questions throughout the day would drive anyone crazy.
- WiFi access points without passwords make it easy for people to sit down, connect, and do whatever they wanted to do in the first place.
What does a secure WiFi connection look like? Your first hint is when you choose the network. If there is a little padlock next to the name, it’s secure. No padlock and no connection password means not secure.
“But wait,” you say, “I have to enter a password on a website to connect to the internet. Isn’t that the same?” Sorry, but nope. That password is only there to:
- Limit access to people using the WiFi (customers only)
- Get you to agree to terms and conditions (I won’t hack people while connected)
- Get you to opt into advertising and other tracking (which I’ll talk about later)
That’s not real security, it’s an admissions gate. Unless you see a screen like this pop up when you connect to the WiFi network:
The connection isn’t encrypted. On an unencrypted connection everything you do is out in the open. When the network is encrypted, the other people on the wireless network can’t see what you’re browsing.
What about http versus https? How does that come into play?
Before websites switched to https, everything you saw, read, or typed while you were surfing was in the open. Unencrypted connections over http are the electronic equivalent of mailing postcards—anyone between the sender and receiver can read what’s being sent. This means even if the wireless connection is encrypted, that’s only between you and the router (the gateway between you and the internet). Unencrypted http traffic can be monitored by anyone physically connected to the router with an ethernet cable. Someone could connect their laptop to the router and snoop on whatever people are sending over the network. When websites use https, only the website you’re visiting can decrypt the information you’re sending back and forth.
You’re probably thinking you go to the same places all the time. They have passwords on their WiFi. And I know the people, they aren’t going to snoop on my connection.
Okay, maybe you’re right, but one of the things that makes WiFi so convenient can be used against us to trick us into connecting to the wrong network and not even know it. And this is where unencrypted traffic and who controls the router becomes a very big deal.
2) It’s easy to fake WiFi access points
One of the handy things about WiFi is that most devices automatically reconnect to a network whose name they have connected to before. It’s great for visiting the same places, and at home and work: open your device and it automatically reconnects to the network.
Awesome! Cool! But, maybe that network isn’t really the one you think it is. Hackers can set up “Evil Twin” WiFi points with the same names and passwords as access points for hotels, conferences, or coffee shops and use those access points to steal information, infect computers with malware, or do other bad things.
Here’s a typical scenario:
- You go to Dave’s Cafe for your morning coffee and a little emailing before you head into the office.
- Dave’s a smart guy, so he’s secured his WiFi with a password and encryption.
- While you’re waiting for your coffee your laptop connects to “Dave’s Place” WiFi network and everything is set.
- A hacker has decided to target people who go to Dave’s Cafe so he sets up a WiFi access point nearby and also calls it “Dave’s Place” and even uses the same “coffeeislife” password.
- If the Evil Twin is close enough to the cafe, people might connect to it by chance. The hacker can even exploit the fact that devices autoconnect to the strongest signal by making their signal stronger than Dave’s.
- Even more clever, the hacker could set up the WiFi just out of range of the real Dave’s Place WiFi and as people are coming by, their smartphones and other devices will automatically connect to it thinking it’s the real one. Even if you switch to the real Dave when you’re sitting having your coffee, the evil twin has intercepted at least some of your information.
Remember that part above about if someone connects their computer directly to a router they can snoop on all the traffic that goes through it? Sure Dave is a good guy and wouldn’t snoop on what you’re doing online, but his evil twin…is evil. Even more dangerous than merely snooping and capturing your information, evil Dave can even control which sites you visit without you even noticing.
This is called a man-in-the-middle attack. A hacker could do something like create a fake Gmail site and when you are connected to the Evil Twin and type “gmail.com” you don’t go to the real gmail.com, but a fake one designed to capture your username and password. Even sneakier, you first go to fake gmail, enter your password, and evil Dave redirects you to the real gmail. You might see the gmail login again, but you’ll think it was just a glitch.
Man-in-the-middle attacks can be even more subtle than an entire fake website. Hackers can send you to the real website, but use an encryption certificate the hacker controls so they can decrypt anything you do and see on the website. Very sneaky indeed.
Evil twin and rogue hotspots are dangerous because they are hard to detect and once you’re connected to one, anyone with physical access to the router (which a hacker would have), can do a lot to any device connected to it.
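As an added example (not part of the original post), here is a defender-side check of a WiFi scan for the warning signs described in sections 1 and 2: open networks, one network name advertised both with and without encryption, and a known name whose strongest access point is one you have not recorded before. It assumes Linux with NetworkManager's `nmcli`; the scan lines and the `KNOWN_BSSIDS` allowlist are constructed, and a finding is a hint to look closer, not proof.

```python
from collections import defaultdict

# Constructed sample of `nmcli -t -f SSID,BSSID,SIGNAL,SECURITY device wifi list`
# output. Terse mode separates fields with ':' and escapes a literal ':' as '\:'.
SAMPLE_SCAN = r"""
Dave's Place:AA\:BB\:CC\:00\:00\:01:62:WPA2
Dave's Place:DE\:AD\:BE\:00\:00\:99:88:WPA2
Airport Free WiFi:AA\:BB\:CC\:00\:00\:07:70:
Hotel Guest:AA\:BB\:CC\:00\:00\:10:55:WPA2
Hotel Guest:AA\:BB\:CC\:00\:00\:11:80:
"""

# Hypothetical allowlist: access points the user recorded at the real venue.
KNOWN_BSSIDS = {"Dave's Place": {"AA:BB:CC:00:00:01"}}

def split_terse(line):
    """Split one nmcli terse line on unescaped ':' and drop the escapes."""
    fields, cur, chars = [], "", iter(line)
    for ch in chars:
        if ch == "\\":
            cur += next(chars, "")   # keep the escaped character literally
        elif ch == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    return fields + [cur]

def audit_scan(text, known=KNOWN_BSSIDS):
    """Return (ssid, finding) pairs for networks that deserve a second look."""
    by_ssid = defaultdict(list)
    for line in text.strip().splitlines():
        ssid, bssid, signal, security = split_terse(line)
        is_open = security in ("", "--")      # no padlock: no link encryption
        by_ssid[ssid].append((bssid.upper(), int(signal), is_open))
    findings = []
    for ssid, aps in by_ssid.items():
        if any(is_open for _, _, is_open in aps):
            findings.append((ssid, "open"))
        if len({is_open for _, _, is_open in aps}) > 1:
            findings.append((ssid, "mixed-security"))
        strongest = max(aps, key=lambda ap: ap[1])
        # Devices tend to join the strongest signal, so check that one first.
        if ssid in known and strongest[0] not in known[ssid]:
            findings.append((ssid, "unknown-strongest"))
    return findings
```

Large venues legitimately run many access points under one name, so the allowlist check is only meaningful for small networks you know well.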
3) Security is a low priority for businesses
In the example above, Dave’s Cafe has done some basic WiFi security. He’s done what you do at home or office to keep people you don’t want connecting to your network from connecting to the network. Using WPA2 security on your WiFi is a good thing. It’s good, basic protection, but it’s just the starting point.
At most companies, IT spends time making sure they go beyond the basics. Beyond keeping the routers updated (which everyone should do), they also:
- Monitor for suspicious traffic
- Watch for unknown devices connecting
- Set up rules to prevent hackers from spreading malware
- Protect essential systems with additional layers of security.
IT’s job is to keep the network secure, but if your job is making lattes or checking guests into their rooms, security is not in your job description. Security probably isn’t even something you know much about. You might do some of the basics and maybe hire someone to set the network up the first time. That’s about it. Network security isn’t high on your list of things to manage with your business. One security researcher was able to hack into a hotel’s systems and copy sensitive data without much effort or anyone noticing. Keep in mind, the people who offer free WiFi aren’t in the business of keeping their WiFi secure, they’re in another business entirely.
4) Hackers can connect to free WiFi
Even if you’re not connected to a compromised Evil Twin hotspot, your device is visible to every other device on the network. If a hacker is on the network targeting people, well, you can figure out the rest.
The whole idea of putting devices on networks is to make connecting and sharing information with each other easier. It’s awesome and convenient if you need to connect to a shared printer in the office, but not so awesome if a hacker wants to drop some malware on your machine or send out a ping of death. Shared WiFi networks are convenient, but don’t forget the shared part. You’re on the network with a lot of strangers and one of them might not be connecting just to update Facebook.
5) Location trackers risk your privacy
This is a new threat to public WiFi users—and one I’m sorry to say our solutions below won’t be able to entirely prevent—malls and restaurants tracking your devices even when you’re not connected to WiFi and are just in the area.
Under the guise of helping stores offer marketing tips, these WiFi hotspots gather information about your device. They keep that information and use your device’s unique identifiers to track your location around a mall and between malls if the same company offers WiFi in other locations. These data points help malls and stores understand foot traffic. Great for them, but bad for you because your data is kept for a long time (possibly forever), even if you only went to the mall once and connected for a minute to check something online.
The 3 ways to protect yourself
Now that you’re thoroughly alarmed about all the public WiFi security risks, let’s look at three easy ways to protect yourself without any tech knowledge.
1) Disconnect and forget
Always remember to disconnect from the free WiFi when you are done so that your devices forget the network and don’t auto-connect. This will help protect you from Evil Twin hotspots. It’s not perfect because the twin could still be there, but it will keep you from automatically connecting to malicious hotspots. You don’t need to do this for your home or office networks, but it’s a good idea to clear out these free WiFi networks from your list regularly.
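One way to find the saved networks worth forgetting, as an added example that is not part of the original post: it reads NetworkManager keyfile profiles (the `.nmconnection` files under `/etc/NetworkManager/system-connections/` on Linux) and lists open WiFi networks the device would rejoin on its own. The profiles below are constructed, and the function names are this example's own.

```python
import configparser

# Constructed NetworkManager keyfile profiles; names and values are invented.
SAMPLE_PROFILES = {
    "home.nmconnection":
        "[connection]\nid=HomeNet\ntype=wifi\n"
        "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "airport.nmconnection":
        "[connection]\nid=Airport Free WiFi\ntype=wifi\n"
        "[wifi]\nssid=Airport Free WiFi\n",
    "cafe.nmconnection":   # older section names, autoconnect already disabled
        "[connection]\nid=Cafe Guest\ntype=802-11-wireless\nautoconnect=false\n"
        "[802-11-wireless]\nssid=Cafe Guest\n",
}

WIFI_TYPES = {"wifi", "802-11-wireless"}
SECURITY_SECTIONS = ("wifi-security", "802-11-wireless-security")


def audit_profile(text):
    """Return (id, is_open, autoconnects) for a WiFi profile, else None."""
    cp = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in WIFI_TYPES:
        return None
    # A profile with no key-mgmt setting is an open (unencrypted) network.
    is_open = not any(cp.has_option(s, "key-mgmt") for s in SECURITY_SECTIONS)
    # NetworkManager treats a missing autoconnect key as true.
    auto = cp.getboolean("connection", "autoconnect", fallback=True)
    return cp.get("connection", "id", fallback="(unnamed)"), is_open, auto


def profiles_to_forget(profiles):
    """IDs of saved open networks the device would rejoin automatically."""
    hits = []
    for text in profiles.values():
        result = audit_profile(text)
        if result and result[1] and result[2]:
            hits.append(result[0])
    return hits
```

Each ID it returns can be removed with `nmcli connection delete id "<name>"`, or kept with automatic joining turned off via `nmcli connection modify "<name>" connection.autoconnect no`.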
2) Tether to your mobile device
If you have a lot of data on your mobile plan and need to connect your laptop or tablet to the internet, using your smartphone as a hotspot is a good way to keep your laptop secure. While 4G/LTE networks aren’t impossible to hack, they are secure by default and really hard for people without special equipment to hack into.
This isn’t an option for your smartphone, of course, but when the WiFi looks dodgy, this will help you avoid free WiFi security risks.
3) Use a VPN
A VPN—Virtual Private Network—is a tool that encrypts your entire connection, not just the portion that is protected by https or even secured WiFi. When you use a VPN, even if someone has access to the router and is watching the information go through it, everything you’re doing is encrypted so there is nothing to glean from your data. VPNs protect against all kinds of snooping and hacking attempts and best of all using a VPN is pretty easy.
Here are some low-cost VPN solutions we recommend:
- Windscribe (free and paid, iOS, MacOS, Android, Windows, Linux)
- TorGuard (paid only, iOS, MacOS, Android, Windows, & Linux)
- Private Internet Access (paid only, iOS, MacOS, Android, Windows, & Linux)
- TunnelBear (free and paid, iOS, MacOS, Android, Windows)
A free VPN is a good choice if you need to connect for a short time at a hotel or coffee shop, but if you connect to free WiFi regularly it’s time to spend a few dollars a month for a VPN.
Public WiFi is convenient, but not a safe choice
Being able to get online anywhere and everywhere is very convenient. You can work from just about anywhere or watch a show or play a game online. The internet and free WiFi are among the great things about technology today, but that convenience can come at a cost.
Public WiFi lets you get online, but at best you’re being tracked for marketing and at worst you’re at risk of being hacked or having your data stolen. Take our advice and use a VPN whenever you connect to WiFi away from home or work.