We’ve all been there before.
You arrive at a coffee shop and you notice a sign that says “Free WiFi”. Of course you know that you shouldn’t really trust free WiFi, but what’s the worst that could happen? So you open up your laptop, connect to it and start working. Simply connecting to an open network is already potentially dangerous.
The WiFi protocol cannot verify that you are actually connected to the WiFi access point from the coffee shop. Someone else can create a WiFi network with the same name and then your devices will connect to it instead.
That is because devices automatically connect to the strongest, known network available and a known network is only identified by its name. With a device like a WiFi Pineapple an attacker can do just that: Set up a fake WiFi network to capture and analyze your internet traffic. But let’s ignore that risk and connect to the WiFi anyway. At this point your device becomes a part of the coffee shop’s network. This means your device can see and talk to all the other devices that are connected to the same WiFi network, but they can also connect to you. If you’re running outdated software you could be hacked by someone sitting a few tables away. And it’s not as difficult as it sounds. There are penetration testing tools available like Metasploit that can scan any device on the network and identify vulnerabilities. Once complete, the tool returns a list of security holes that can be abused to get access to the device in question.
So keeping your devices up to date and having the firewall enabled is a must! Updates fix newly discovered vulnerabilities, and the firewall blocks unwanted access to your device over the network. So with the latest updates installed, you continue working. But right now all of your unencrypted traffic can be intercepted by anyone who’s on the same network. That includes things like unencrypted email, FTP connections and every website without HTTPS.
So you decide to keep it safe and instead log in to your bank account, your favorite social media website or the intranet from work. You know that these are safe because your browser shows a green lock next to the website’s address. But as it turns out, that’s a common misconception. The lock means that the connection between the website’s server and your computer is encrypted with the TLS or SSL protocol. So nobody on the network can see your username and password for instance.
You can see this because the URL starts with HTTPS instead of HTTP. But the lock doesn’t guarantee that you’re connected to a legitimate website. A fake or malicious website can also get a green lock next to its name without any trouble. One way attackers can take advantage of this is by trying to redirect your bank traffic for instance to another domain name that is very similar.
Like going from generalbank.com to generаlbank.com. Did you spot the difference? The “A” in general was replaced by a Cyrillic character. This is called the “IDN homograph attack” and browsers now have special protection on board that will warn you when a domain name has a mix of regular and Cyrillic characters.
However, the technique can still be used with misspellings. Like generaIbank.com where the L was replaced with a capital I. To make matters even worse, the fake website can be made to look almost identical to the real one AND it can have a green lock. So in a way, the lock gives a false sense of security.
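A defensive check for both tricks described above, as an added example that is not part of the original article: it flags labels that mix scripts and names that collapse onto a trusted domain once look-alike characters are normalized. The allow-list and the small confusables table are assumptions made for illustration.

```python
import unicodedata

# Constructed allow-list; generalbank.com is the article's fictional bank.
TRUSTED = {"generalbank.com"}

# Small hand-picked sample of look-alike characters (assumption, not a full table).
CONFUSABLES = {
    "I": "l", "1": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o look-alikes
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic p, c, x look-alikes
}

def scripts(label):
    """Return the set of scripts used by the letters in one DNS label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(domain):
    """Collapse look-alike characters onto one canonical character."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain).lower()

def check(domain):
    """List the warnings for a domain as it is displayed in a link."""
    findings = []
    for label in domain.split("."):
        if len(scripts(label)) > 1:
            findings.append("mixed-script label: " + label)
    for good in sorted(TRUSTED):
        # Same skeleton but a different name means a visual impostor.
        if domain.lower() != good and skeleton(domain) == skeleton(good):
            findings.append("looks like " + good)
    return findings

def to_ascii(domain):
    """ASCII (punycode) form of the name, which is what is sent to DNS."""
    return domain.encode("idna").decode("ascii")

if __name__ == "__main__":
    for name in ("generalbank.com", "gener\u0430lbank.com", "generaIbank.com"):
        print(to_ascii(name), check(name))
```

The punycode form shows why the Cyrillic variant is a different domain: it is registered and resolved under an `xn--` name, even though the address bar may render it like the original.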
That’s one of the reasons why Chrome and Safari are putting a smaller emphasis on the lock. They want HTTPS to be enabled by default and only draw attention when a website isn’t using it. In fact, that move is also making another type of attack harder: SSL Stripping.
In a nutshell, an attacker can try to downgrade your secure HTTPS connections to an insecure HTTP one. When successful, the data you send or receive over that connection won’t be encrypted, allowing the attacker to see what sites you visit along with your username and password. However, modern browsers are now warning you when you’re about to log in to a website with an insecure connection. That makes SSL stripping harder because people are very likely to spot the warning that most browsers will put up. Right now it’s still a small warning, but eventually it will be a bold red one. But SSL stripping can also be prevented if website owners implement HSTS, or HTTP Strict Transport Security.
This allows them to say that their website should only be loaded through a secure connection. If someone tricks you into loading an insecure version of a website, your browser will outright refuse to load it. The only downside is that website owners have to explicitly enable this feature. If one fails to do so, you could be vulnerable. A solution to this problem would be to use a browser extension like HTTPS Everywhere that automatically switches to HTTPS if a given website supports it.
That all sounds pretty bad. But then again, open WiFi is completely open. What if the owner of the coffee shop puts a password on his network and then writes the password somewhere on a wall? Would that make a difference? Well, not really. It’s almost like locking your front door but leaving the key on the outside. The password only prevents people from joining the network if they haven’t been inside to see it written on the wall. If you know the password however, you can join the network, become a part of it and perform all the attacks we just discussed.

Protect yourself

Okay, enough with all the possible ways you could be hacked on public WiFi. How can you protect yourself? The most obvious answer is to avoid public WiFi networks at all costs. But that is pretty difficult with us all depending more and more on having an internet connection. A better, but potentially expensive solution would be to invest in a good mobile data plan and use a mobile hotspot whenever you don’t have a trusted WiFi network. The connection between your computer and the hotspot is encrypted and, in theory, can’t be intercepted. And finally you could use the free WiFi anyway and use a VPN to secure your traffic.
VPN is short for Virtual Private Network and it creates a secure connection, also called a “tunnel”, between you and the VPN server. All your internet traffic is then sent through this tunnel and encrypted in the process. That way nobody on the public WiFi can see your traffic or mess with it. However, there is a catch. If you can’t set up your own VPN server, you have to use a third-party service, which will cost a bit of money. And secondly, the VPN provider can see all your unencrypted traffic, so it’s best that you pick a service from a vendor or brand that you trust or has a good reputation when it comes to privacy.
But you don’t have to feel bad if you use free WiFi without thinking about the security risks. According to a 2017 study from Symantec, 75% of the 15,000 participants don’t use a VPN when connecting to an open WiFi network. It also revealed that 60% of participants felt safe using public WiFi, even though it’s anything but safe, and 87% even admitted to accessing their personal emails or even bank accounts using free WiFi. So time for a conclusion then:
Free WiFi hotspots are potentially very dangerous and few people really understand the risks. As discussed above, there are a bunch of security features on the web and on our computers that protect us. But unfortunately the bad guys are pretty clever in finding ways around those!
So, here is a Simply Explained top tip: Keep your devices up-to-date and if you must, use a VPN when connecting to an open WiFi network. Whether you want to use an existing service for this or set one up yourself is up to you.