Seriously?! Can You Not Do That? Chapter IV - Insecure Use of Public Wi-Fi

Seriously_! Can you not do that_ Chapter IV.jpg

By Sean Martin, CISSP

Chapter IV | Insecure Use of Public Wi-Fi

We’ve all done it – accessed a public Wi-Fi hotspot, that is. Why do we do it? Because we want to download that large file or stream that new movie or series episode, but we don’t want to eat up our phone or tablet’s bandwidth. Sure, we may have an all-you-can-eat data plan, but sometimes that can slow to a crawl if we’re using a lot of data. Or maybe our tablet doesn’t have a data plan, so we must connect it to a wireless access point. Whatever the reason(s), the bottom line is that you’ve likely connected.

A question that comes to mind is this: Do we regard Wi-Fi differently based on where we are, what we are doing or the brand that’s offering the service? For example, do we think that AT&T Wi-Fi offered at a Starbucks is better than a unique, dedicated hotspot offered through an unnamed ISP at the local coffee shop? Do we think of the hotel Wi-Fi in a different light if it’s a large chain versus a standalone roadside motel? What about Wi-Fi offered by the city? Or the expensive connectivity we pay for in the plane on the way to Europe? How about the bus that offers Wi-Fi for the entire ride from the airport to our final destination?

According to Avast, public Wi-Fi is one of the biggest threats to personal security (and business security if employees send work e-mails on a personal device) because people are unaware of the risk involved. Wi-Fi networks are an easy entry point for hackers to attack and most users don't realize that all the personal information on their computer or mobile device becomes defenseless over public Wi-Fi without protection – as well as any corporate information they may be accessing.

To showcase this, Avast set up fake Wi-Fi networks around the Republican National Convention back in July 2016 to see how many individuals would connect to potentially risky hotspots. Over the course of a day, Avast saw over 1.6 GB transferred from more than 1,200 users. Moreover, 68.3 percent of users‘ identities were exposed when they connected and 44 percent of Wi-Fi users checked their e-mails or chatted via messenger apps.

Other experts agree: There’s risk across the board when using public Wi-Fi.

“With the rise of e-commuting and BYOD policies in the modern business world, public Wi-Fi risks pose a greater threat to businesses than ever before,” says Amit Bareket, Co-Founder and CEO of SaferVPN. “Unless a user is working on a personal home, cellular or office network, they should be cautious of any public Wi-Fi hotspot – whether it be at the local Starbucks, in their hotel room or on the flight to their next destination.”

“Anyone using a corporate laptop on a open Wi-Fi network – coffee shops, public transportation, and hotels, for example – is open to all sorts of potential foul play,” adds Pablo Garcia, CEO, FFRI North America. “The fact that malware can be spread via an open Wi-Fi network is always a consideration one should think about. Unfortunately, users don’t necessarily keep security top of mind.”

When asked if public Wi-Fi networks are inherently insecure, John Gunn, CMO, VASCO Data Security, replied: “It depends on the system – some are remarkably insecure and many are phantom networks set up by hackers. This is a playground for hackers to steal information and distribute malware.”

But are some public Wi-Fi networks safer than others? What about the commonly used public hotel Wi-Fi accessed by employees?

“Public Wi-Fi networks found in hotels are mostly safe if you know you are on a trusted network,” says Gunn. “However, many hackers present spoofed Wi-Fi networks with names that look similar to the hotel in which the guest is staying – HILTON GUEST WIFI, for example. If this spoofed network has a stronger signal, it will appear as the preferred choice ahead of the hotel’s legitimate network, and a tired, frustrated traveler doesn’t always check.”

OK. So, hotel Wi-Fi networks seem to be safe, relatively speaking. But what about the in-flight Wi-Fi systems found on planes? Are they safe to use?

“These networks are not inherently insecure, but people are frequently victimized in-air,” says Gunn. “A hacker, for example, can go on a flight that has no Wi-Fi and present an open network with the name of the airline, and people will often connect to it thinking it is legit. The users will try to reach popular websites and the hacker can present the login screen to those sites in order to capture their username and password for those sites, present an error message to the user such that there is no foul play suspected, but now they have access to your account.”

It appears that it’s less about the network itself and more about the environment and the likelihood of the users of the networks – legitimate and spoofed – that introduce and increase the risk of compromise.

“Once employees have connected to a certain public Wi-Fi network, their devices will continue to automatically connect to networks with the same SSID name elsewhere,” adds Bareket. “This presents a considerable vulnerability, as hackers can simply set up a fake router with a common free Wi-Fi name, like ‘Free Wi-Fi,’ and use it as a trap to steal employees’ information. If they’ve connected to ‘Free Wi-Fi’ even once in the past, they’ll be connected again – without having to take any action.”

With this, the question becomes: What harm can be done on these public networks?

“Public networks are much more susceptible to Man-in-the-Middle, sniffing and malware threats due to the lack of both encryption and stringent password protection, enabling hackers to take advantage of this to spy on, intercept or alter outgoing data, steal passwords and credentials, install malicious software and more,” says Bareket. “If your organization’s employees browse on public Wi-Fi networks without the proper precautions, confidential work files can be read, business correspondences can be intercepted and sensitive platform logins can be stolen. And unfortunately, because these attacks take place outside of the secured office network, it can be very difficult to detect them until it’s too late.”

“A malicious person doesn’t even need to be technical to cause havoc,” suggests Garcia. “For example, take a look at the Firesheep plugin that is available for the Firefox browser. Using this tool, a malicious person could hijack an unsuspecting user’s social media profile on an open public network and start posting anything they wanted to, assuming that person's profile. This is scary stuff. And, while I am sure there are tools a log files to monitor if the employee has remotely accessed an open Wi-Fi network, that would be a hard policy to enforce, especially with the BYOD culture in place in today’s world.”

So what can we do to mitigate this risk? One option would be to avoid connecting to public Wi-Fi networks. But that isn’t always feasible.

“The fact of the matter is, our desire to always remain connected often overrides our concern for our cybersecurity, leading us to connect first and, only after, think of our safety,” says Bareket.

When the situation arises – which, being connected, seems to be pretty much 100% of the time – and a public Wi-Fi network is the only connection option, what safety precautions are available?

As with most situations involving people, education is a good place to start:

  1. Be aware: “Users should always treat open Wi-Fi networks as hostile adversaries,” advises Garcia.

  2. Use extra caution: “It’s like any threatening situation – say traveling into potentially dangerous parts of a city – use extra caution and things usually turn out OK,” says Gunn.

  3. Connect to a trusted network: “Make sure you are connecting to a trusted network,” adds Gunn. “Not sure? Then ask the hotel or airline for the exact name of the network.”

  4. Double-check the connection: “Once connected to the network, carefully check the URLs of where you are being directed to make sure you land at the website for which you intended to arrive,” says Gunn.

While it’s an important piece of the puzzle, risk mitigation can’t be limited to education alone.

“Forcing the decision-making process down to the user requires that the user bear the burden of evaluating the safety of Wi-Fi networks and remaining self-educated,” warns Bareket. “Furthermore, the methods hackers use to steal data are continuously evolving and changing. Even with the proper education and the right intentions, employees might very well put your organization’s data at risk.”

This point is worth digging into more. The ever-changing threat landscape makes it difficult for companies to stay current – and therefore it’s even more challenging for the users to keep abreast of all the dangers they face.

With this in mind, what additional technology-based actions can we take to mitigate this risk?

  1. Bring your own network: “When possible I use my own private Wi-Fi hotspot,” says Garcia. “Organizations should consider providing an employee with a personal cell phone/hotspot. There is no need for a user to access an open Wi-Fi network if they have their own. This mitigates risk tremendously.”

  2. Use a proxy: “Another scenario would be to have cloud-based proxy like ZScaler and filter malicious content,” suggests Garcia. “Cloud proxies have improved greatly over the years and can help mitigate the risk associated with data exposure via public Wi-Fi networks.”

  3. Use a Virtual Private Network (VPN): All contributors to this article agree that a VPN is a valuable tool in our quest to remain safe online when connecting to risky networks such as those found in public Wi-Fi. Use of a VPN will allow the user to connect to websites and other web-facing services through a private tunnel that encrypts the connection and protects it from prying eyes.

In the end, Gunn provided what was probably the most salient piece of advice when considering the use of a public Wi-Fi network: “Wait. Sensitive transactions can wait for a safer connection.”

If you absolutely must connect, use caution, verify the correct name of the network, and double check the URLs you’re visiting. In addition, connect via your smartphone’s hotspot or a cloud-based proxy, and always use a VPN.

Think before you connect and consider the consequences before you transact your personal, business, or otherwise sensitive or confidential information.

Regardless of the Wi-Fi network being accessed, one of the most-used applications out there can put your data at risk of loss and theft. What is it? Return to the series overview to get notified of the next installment in this series…via—you guessed it—e-mail.

Interested in more topics from this series?