It’s the holiday season and that means more people are traveling and spending time in airports, bus/train stations, and generally wondering if the next stop, coffee shop or store has free Wi-Fi. The habitual curiosity is understandable – why use your cell data when you can hook up to a free connection to the web, right? In fact, there’s always a couple of questions I seem to get on this subject when people find out I’m a security professional. They are: What do you think about public Wi-Fi? Is free Wi-Fi safe to use? Is it ok to use the Wi-Fi at the airport?
My answer, depending on my mood and willingness to try my impersonation skills, ranges from "You've gotta ask yourself one question: ‘Do I feel lucky?’ Well, do ya?" (which may or may not include the “punk” at the end) to a poor attempt at the lyrics of “Ridin’” by Chamillionaire, "They see me rollin’, they hatin’, patrolling they tryin to catch me ridin' dirty."
To clarify, and bring the conversation back to a serious one, the "they" are the malicious would-be actors that want to snoop into your data streams, whether that be web traffic or otherwise, and what you’re “ridin’ dirty” on are the unprotected waves of the public Wi-Fi you just connected to. If you don’t want your data visible to potential unwanted viewers, then you need to encrypt it through a VPN connection. Otherwise, if you’re using public/free Wi-Fi, you should assume that anyone who owns that Wi-Fi, or someone spoofing the free Wi-Fi and running a “Man in the Middle” attack, can see anything and everything you do.
What’s a Man in the Middle Attack?
There are a few ways a "Man in the Middle" attack can happen. One is, you see an open Wi-Fi connection you think is public, so you connect. In reality, the Wi-Fi network has actually been duplicated by a would-be attacker, providing a stronger signal, and your data stream is now going through their device before exiting to the internet. This means any information, such as web links and potentially every photo from every website you visit, can be duplicated on the would-be attacker's own screen. Simply put, they see what you see. Another way would be to present a false social media login or web authorization screen for you to unknowingly enter your credentials, which will be fully recorded and from there not put to good use. They’ll likely use your recorded credentials to log in to the authentic site they spoofed, and I bet you can guess where this goes. They’ll then proceed to send everyone in your contact/friend list a spam message with a malicious link so they can try to get even more information, and the cycle continues.
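A defender-side check for the duplicated-network scenario described above, added here as an example and not part of the original article: it groups nearby access points by network name and flags names whose access points disagree on vendor prefix or security mode. The scan format and sample rows are constructed for illustration, and both heuristics can produce false positives on legitimate mixed-vendor deployments.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample scan (assumed format): ssid,bssid,signal_dbm,security
SAMPLE_SCAN = """\
Airport_Free_WiFi,3c:5a:b4:10:22:01,-71,open
Airport_Free_WiFi,3c:5a:b4:10:22:02,-78,open
Airport_Free_WiFi,02:1a:11:f0:9c:55,-38,open
CoffeeShop,a4:2b:8c:00:10:01,-60,wpa2
CoffeeShop,a4:2b:8c:00:10:02,-52,open
Lounge_Guest,58:ef:68:aa:00:01,-66,wpa2
"""


def find_suspect_ssids(scan_text):
    """Return {ssid: details} for names advertised by inconsistent APs."""
    by_ssid = defaultdict(list)
    for row in csv.reader(StringIO(scan_text)):
        if len(row) != 4:
            continue  # skip blank or malformed rows
        ssid, bssid, signal, security = (field.strip() for field in row)
        by_ssid[ssid].append((bssid.lower(), int(signal), security.lower()))

    findings = {}
    for ssid, aps in by_ssid.items():
        if len(aps) < 2:
            continue  # a single AP gives nothing to compare against
        reasons = []
        # First three octets of the BSSID identify the hardware vendor.
        if len({bssid[:8] for bssid, _, _ in aps}) > 1:
            reasons.append("mixed-vendor-prefix")
        # One name offered both open and encrypted is inconsistent.
        if len({security for _, _, security in aps}) > 1:
            reasons.append("mixed-security")
        if reasons:
            # The page notes the duplicate tends to be the stronger signal,
            # so report which AP a client would most likely join.
            strongest = max(aps, key=lambda ap: ap[1])
            findings[ssid] = {"reasons": reasons,
                              "strongest_bssid": strongest[0]}
    return findings


if __name__ == "__main__":
    for name, detail in find_suspect_ssids(SAMPLE_SCAN).items():
        print(name, detail)
```
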
These attacks aren’t reserved for desktop computers, laptops, or tablets, which we easily think of as mini computers. Your phone is also a mini computer and inherits all the security vulnerabilities associated with one. You may say, "Well, I have an iPhone, there are no hacks or vulnerabilities for an iPhone." Not true. Bluetooth, Wi-Fi, and apps are all doors into your phone, which contains sensitive and sometimes valuable data.
So What Can You Do?
There are always going to be inherent risks in everything we do, but we can reduce those risks by using common sense. Just because there’s free Wi-Fi doesn’t mean you should use it. Let me put it this way, would you use a toothbrush you found on the floor of the airport while walking to your gate? It’s free. The answer is still probably no, and you’d likely be appalled and grossed-out to even think of doing such a thing. It wouldn’t be hygienic, right? You should think of public/free Wi-Fi the same way. You need to practice good digital hygiene.
If you have a major need, or are experiencing Wi-Fi withdrawal, and you must join an unknown (a.k.a. free) network, here’s how to use free Wi-Fi safely, and what you can do to reduce your risk and exposure:
- Verify that the sites you visit use encryption (HTTPS versus HTTP). All you have to do is look at the beginning of the site address.
While this will keep you safer, a "Man in the Middle" attack would still mean the person on the other end is able to see the destination links of each site you visit.
- Use a Virtual Private Network (VPN). By using a personal or company VPN, you create an encrypted tunnel for all traffic. If you aren’t sure your company provides a VPN, ask your IT team. If you aren’t sure how to get a personal VPN for your phone, laptop, or other device, we have some tips for you here.
- Don't fill out webforms while using public Wi-Fi. Sometimes this can be hard because you really want what’s on the other side of that form whether it be an eBook, concert tickets, or the latest internet fad you have to try. Instead, bookmark the page and wait until you get to a trusted, private network.
- Don't use recycled passwords. The temptation is understandable but get into the practice of not recycling passwords and it will become much easier. (And please, do not store your passwords on a sticky note next to your computer or in a notepad labeled “passwords”.)
- Don't use the "real and correct" answers to security questions. An example may be, "What is your favorite football team?" This question would not be hard to answer if you have posted anything on social media that shows you at a game, professing your love of said football team, or is a shared post directly from one of the team’s social media accounts, etc. The same could be said of any other security question that may be asked. It's ok and highly encouraged to make up answers to any of these types of questions because it’s all about protecting your credentials and data.
Do you remember the first time someone told you that if something seems too good to be true, it likely is? You might not remember the exact instance, but you probably never forgot that tried and true phrase. Internet access is no different. It may seem like a good deal to use free data, but that often can come at a cost that isn’t realized until it’s too late. Use good digital hygiene by practicing the steps above to keep your data safe while you travel this holiday season and beyond. For those of you who still have some shopping left to do, here are some ways you can stay safe while online shopping.
If you have any other questions about using free Wi-Fi while you travel, or any other security-related question, please reach out to the IE Security Team. We’d be happy to help you find ways to keep you, your family and your business safe.
About the Author
Derrick Whisel has worked in IT for over 20 years, with extensive experience in project engineering, management, scoping, budgeting and design. He began his career in the military, and after being honorably discharged as an IT2 Second Class Petty Officer, moved into the private sector where he now works as a Security Solutions Specialist for Internetwork Engineering. Connect with Derrick on LinkedIn.