It’s time to protect yourself (and I’ll tell you how)
We take for granted that between mobile data and WiFi hotspots, you can get online virtually anywhere, virtually anytime. While most people don’t think twice about connecting to WiFi at a coffee shop, store, airport, or hotel, public WiFi comes with a host of real risks to your privacy and security. Here’s what we’ll be looking at:
- Lack of basic WiFi security
- It’s easy to fake WiFi access points
- Security is a low priority for businesses
- Hackers can connect to free WiFi
- Location trackers risk your privacy
- The 3 ways to protect yourself
While the bad news is that connecting to any old WiFi hotspot is a terrible idea, the good news is that it’s easy to protect yourself. In this post, we’ll give you some easy tips on how to protect yourself, but first, the five reasons why connecting to public WiFi is a really horrible, terrible, very bad idea.
5 free WiFi security risks to know
1) Lack of basic WiFi security
About eight years ago we woke up to how much information was leaking out from our browsers while connected to free WiFi. Back then most websites, with the exception of banks and online stores, used unencrypted http to connect.
We didn’t think about http versus encrypted https unless we were shopping or banking, because back then a lot of us were just starting to use free WiFi and we didn’t know how laughably easy it was to connect to WiFi and snoop on everyone else who was also connected to that hotspot. We didn’t know how much information we were sharing out in the open because most websites used plain, old http. These two very dangerous blind spots made for one very big problem.
The first problem isn’t with http vs https (unencrypted vs encrypted connection to a website), but with how we were connecting to WiFi:
- Most of the time when you connect to public WiFi you don’t have to enter a password to initially connect.
- While insecure, it’s easier for customers and employees at the store or cafe. Endless “What’s the WiFi password?” questions throughout the day would drive anyone crazy.
- WiFi access points without passwords make it easy for people to sit down, connect, and do whatever they wanted to do in the first place.
What does a secure WiFi connection look like? Your first hint is when you choose the network. If there is a little padlock next to the name, it’s secure. No padlock, no connection password = not secure.
“But wait,” you say, “I have to enter a password on a website to connect to the internet. Isn’t that the same?” Sorry, but nope. That password is only there to:
- Limit access to people using the WiFi (customers only)
- Get you to agree to terms and conditions (I won’t hack people while connected)
- Get you to opt into advertising and other tracking (which I’ll talk about later)
That’s not real security, it’s an admissions gate. Unless you see a password prompt pop up when you connect to the WiFi network itself, the connection isn’t encrypted. On an unencrypted connection everything you do is out in the open. When the network is encrypted, the other people on the wireless network can’t see what you’re browsing.
What about http versus https? How does that come into play?
Before websites switched to https, everything you saw, read, or typed while you were surfing was in the open. Unencrypted connections over http are the electronic equivalent of mailing postcards—anyone between the sender and receiver can read what’s being sent.
While https encrypts the data between you and the website, it doesn’t encrypt all of the data. The part of the connection that tells the routers where you want to go (the IP address or domain name) is still sent unencrypted. This isn’t a flaw, it has to work like this so you can get to where you want to go online. When you use https, only the website you’re visiting can decrypt the information, so you need the address to remain unencrypted so all the routers along the way know where you want to go.
This means that even if you only use websites over https (the HTTPS Everywhere plugin from the Electronic Frontier Foundation is a great tool to help you make sure you are connecting over https), there is still a lot of information leaking out over the WiFi network.
Maybe the biggest free WiFi security risk is that not everything you do online is secure either. If that wasn’t bad enough, one of the things that makes WiFi so convenient can be used to trick us into connecting to the wrong network without even knowing it.
2) It’s easy to fake WiFi access points
One of the handy ways WiFi works is autoconnect, where your device automatically reconnects to a network with the same name as one it has joined before. There is a real danger here, as hackers can set up “Evil Twin” WiFi points with the same names and passwords as access points for hotels, conferences, or coffee shops and use those access points to steal information, infect computers with malware, or do other bad things.
Here’s a typical scenario:
- You go to Dave’s Cafe for your morning coffee and a little emailing before you head into the office.
- Dave’s a smart guy, so he’s secured his WiFi with a password and encryption.
- While you’re waiting for your coffee your laptop connects to “Dave’s Place” WiFi network and everything is set.
- A hacker has decided to target people who go to Dave’s Cafe so he sets up a WiFi access point nearby and also calls it “Dave’s Place” and even uses the same “coffeeislife” password.
- If the Evil Twin is close enough to the cafe, people might connect to it by chance. The hacker can also exploit how devices autoconnect to the strongest signal and make their signal stronger.
- Even more clever, the hacker could set up the WiFi just out of range of the real Dave’s Place WiFi and as people are coming by, their smartphones and other devices will automatically connect to it thinking it’s the real one.
Now you’re thinking “What’s the problem? My WiFi connection is secure, I had to put in my password just like you said.” The problem is that a WiFi password only encrypts the data between you and the router. Once the data gets to the router, it’s decrypted. Anyone connected to the router with an ethernet cable can monitor all the information going through it. There is a lot of information to be gleaned that way, and because the hacker controls the router—therefore the connection to the internet—they can also redirect you to whatever website they want.
This is called a man-in-the-middle attack. A hacker could do something like create a fake Gmail site, so that when you are connected to the Evil Twin and type “gmail.com” you don’t go to the real gmail.com, but to a fake one designed to capture your username and password. Man-in-the-middle attacks can be even more subtle than an entire fake website: the hacker can send you to the real website, but use an encryption certificate the hacker controls so they can decrypt anything you do and see on the website.
Evil twin and rogue hotspots are dangerous because they are hard to detect (as a user) and once you’re connected to one, anyone with physical access to the router (which a hacker would have), can do a lot to any device connected to it.
3) Security is a low priority for businesses
In the example above, Dave’s Cafe has done some basic WiFi security. He’s done what you do at home or office to keep people you don’t want connecting to your network from connecting to the network. Using WPA2 security on your WiFi is a good thing. It’s good, basic protection, but it’s just the starting point.
At most companies IT spends time making sure they go beyond the basics. Beyond keeping the routers updated (which everyone should do), they also:
- Monitor for suspicious traffic
- Watch for unknown devices connecting
- Set up rules to prevent hackers from spreading malware
- Protect essential systems with additional layers of security.
IT’s job is to keep the network secure, but what if your job is making lattes or checking guests into their rooms? Security is not in your job description. Security probably isn’t even something you know much about. You might do some of the basics and maybe hire someone to set the network up the first time. That’s about it. Network security isn’t high on your list of things to manage with your business. One security researcher was able to hack into a hotel’s systems and copy sensitive data without much effort or anyone noticing.
4) Hackers can connect to free WiFi
Even if you’re not connected to a compromised Evil Twin hotspot, your device is visible to every other device on the network. If a hacker is on the network targeting people, well, you can figure out the rest.
Want to see how risky it is?
If you have a Mac or iOS device, open AirDrop and see how many other devices pop up. While AirDrop doesn’t require devices to all be on the same network to be found, it is a good example of how exposed our devices can be in public.
The whole idea of putting devices on networks is to make connecting and sharing information with each other easier. It’s awesome and convenient if you need to connect to a shared printer in the office, but not so awesome if a hacker wants to drop some malware on your machine or send out a ping of death. Shared WiFi networks are convenient, but don’t forget the shared part. You’re on the network with a lot of strangers and one of them might not be connecting just to update Facebook.
5) Location trackers risk your privacy
This is a new threat to public WiFi users—and one I’m sorry to say our solutions below won’t be able to entirely prevent—malls and restaurants tracking your devices even when you’re not connected to WiFi and are just in the area.
Under the guise of helping stores offer marketing tips, these WiFi hotspots gather information about your device. They keep that information and use your device’s unique identifiers to track your location around a mall and between malls if a company offers WiFi in other locations. These data points help malls and stores understand foot traffic. Great for them, but bad for you because your data is kept for a long time (possibly forever), even if you only went to the mall once and connected for a minute to check something online.
The 3 ways to protect yourself
Now that you’re thoroughly alarmed about all the public WiFi security risks, let’s look at three easy ways to protect yourself without any tech knowledge.
1) Disconnect and forget
Always remember to disconnect from the free WiFi when you are done so that your devices forget the network and don’t auto-connect. This will help protect you from Evil Twin hotspots. It’s not perfect because the twin could still be there, but it will keep you from automatically connecting to malicious hotspots. You don’t need to do this for your home or office networks, but it’s a good idea to clear out these free WiFi networks from your list regularly.
2) Tether to your mobile device
If you have a lot of data on your mobile device plan and need to connect your laptop or tablet, using your smartphone as a hotspot is a good way to keep your laptop secure. While 4G/LTE networks aren’t impossible to hack, they are secure by default and really hard for people without special equipment to hack into.
This isn’t an option for your smartphone, of course, but when the WiFi looks dodgy, this will help you avoid free WiFi security risks.
3) Use a VPN
A VPN—Virtual Private Network—is a tool that encrypts your entire connection, not just what is protected by https or even secured WiFi. When using a VPN, even if someone has access to the router and is watching the information go through it, everything you’re doing is encrypted so there is nothing to glean from your data. VPNs protect against all kinds of snooping and hacking attempts and best of all using a VPN is pretty easy—especially if you use Sky Work with BlackBerry Dynamics.
If your company uses a Mobile Device Management (MDM) service, then a VPN is usually turned on automatically and all of your connections on your mobile device are encrypted.
Making sure connections are secure is one of the most important parts of device management. For your laptop and other devices, you can ask if you can use the MDM VPN on those as well. What if you aren’t using Sky Work’s BlackBerry Dynamics, don’t have an MDM at work, or want to secure personal devices? Here are some low-cost VPN solutions we recommend:
- Windscribe (free and paid, iOS, MacOS, Android, Windows, Linux)
- TorGuard (paid only, iOS, MacOS, Android, Windows, & Linux)
- Private Internet Access (paid only, iOS, MacOS, Android, Windows, & Linux)
- TunnelBear (free and paid, iOS, MacOS, Android, Windows)
A free VPN is a good choice if you need to connect for a short time at a hotel or coffee shop, but if you connect to free WiFi regularly it’s time to spend a few dollars a month for a VPN. If you do it for work, it’s time to push your job to use an MDM.
Public WiFi is convenient, but not a safe choice
Being able to get online anywhere and everywhere is very convenient. You can work from just about anywhere or watch a show or play a game online. The internet and free WiFi are among the great things about technology today, but that convenience can come at a cost.
Public WiFi lets you get online, but at best you’re being tracked for marketing and at worst you’re at risk of being hacked or having your data stolen. Take our advice and use a VPN whenever you connect to strange WiFi, or push your workplace to sign up for Sky Work’s free MDM to get all the benefits of a VPN with secure mobile productivity tools for your work as well.