“Know your enemy”, said Sun Tzu in around 500 B.C., although probably not referencing risk management in wireless data transfer. This well-known piece of wisdom does however apply perfectly to avoiding cyber-attacks on public Wi-Fi: the threats you face are invisible to the naked eye, and can be best avoided with awareness of their existence. With that in mind, here are the three most common ways public Wi-Fi can be used maliciously to hijack passwords, drain bank accounts or make someone’s life miserable in any number of ways. Thankfully, it only takes a few easy precautions to avoid them and ensure your surfing is private, secure & carefree.
Man-in-the-Middle Attack (MitM)
Imagine there is a tube connecting your house to a friend’s house, and you send each other messages through that tube. Now imagine someone cutting a hole in it without your knowledge. What could that person in the middle do? At the very least, they could read the messages you send to your friend. This alone might be bad, but it gets worse: they could also start impersonating your friend, making you reveal personal information, the kind you only tell someone you completely trust.
The man in the middle takes advantage of your false sense of security. Say you go to your local coffee shop, get your usual double shot latte, sit in your usual spot by the window and connect to your usual hotspot “CupofJava”. A hacker can set up a network with the same SSID (network name) of “CupofJava”, and act as a signal transmitter between your device and the legitimate hotspot. This allows them to potentially intercept all unencrypted traffic you send (traffic is encrypted when a website URL begins with https, not http). If you ever connect to a secure site like your online bank and the URL begins with http rather than https, it is almost certainly someone guiding you to a fake login page with the aim of snooping your account details. Vigilance or using some kind of browsing protection are the only ways to protect against these kinds of scams.
The Evil Twin
Despite sounding like a cliché soap opera story line, setting up an evil twin is a frighteningly easy way for hackers to intercept private data. It’s similar to MitM, but doesn’t require the hacker to be in range of the hotspot they impersonate. Instead of placing themselves between you and the hotspot, they actually become the hotspot and trick you into making a connection, automatically or manually.
If you have ever connected to a network called “Free Wi-Fi”, your device will remember the name and connect to it automatically when in range. But your device doesn’t care if it actually is the same network; it will by default connect automatically to any network called “Free Wi-Fi”. A hacker just needs to go to a public place, set up a hotspot with a very popular name, and wait for someone to automatically connect. In this case, you don’t even need to fall into the trap because your device does it for you. For this reason, you should always check that Wi-Fi is turned off on your device when you are not using it.
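To see which remembered networks leave a device open to this, the check below is an added example (not part of the original article): it reads saved Wi-Fi profiles in NetworkManager's keyfile format and flags open networks that will be rejoined automatically, since an open profile carries no credential the device could use to tell the real hotspot from an imitation. The three profiles are constructed sample data, and `risky_profiles` is a hypothetical helper name.

```python
import configparser

# Constructed NetworkManager keyfile profiles (sample data, not from the article).
PROFILES = {
    "Free Wi-Fi.nmconnection": """
[connection]
id=Free Wi-Fi
type=wifi
[wifi]
ssid=Free Wi-Fi
""",
    "CupofJava.nmconnection": """
[connection]
id=CupofJava
type=wifi
autoconnect=false
[wifi]
ssid=CupofJava
""",
    "HomeNet.nmconnection": """
[connection]
id=HomeNet
type=wifi
[wifi]
ssid=HomeNet
[wifi-security]
key-mgmt=wpa-psk
""",
}

def risky_profiles(profiles):
    """Return SSIDs of saved open networks that the device rejoins automatically."""
    flagged = []
    for filename, text in profiles.items():
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        if cp.get("connection", "type", fallback="") != "wifi":
            continue
        # autoconnect defaults to true when the key is absent from the profile
        auto = cp.getboolean("connection", "autoconnect", fallback=True)
        # a profile without wifi-security/key-mgmt describes an open network
        open_net = not cp.has_option("wifi-security", "key-mgmt")
        if auto and open_net:
            flagged.append(cp.get("wifi", "ssid", fallback=filename))
    return flagged

print(risky_profiles(PROFILES))
```

Profiles it flags are candidates for deleting ("forget this network") or for setting `autoconnect=false`.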
Packet Sniffing
Packet sniffers are tools that hackers can passively leave running to intercept unencrypted data that travels over a Wi-Fi network they are in. It’s quite simple, really. When you log onto a website, that information is extremely vulnerable until it reaches the router and exits the hotspot. There is software readily available which allows a hacker to easily capture every bit of unencrypted data that is sent over the network. Thankfully, services such as Facebook and Gmail have started encrypting their traffic, but a lot of websites still don’t.
Besides, even if a website uses an encrypted HTTPS connection for logging in, it may still send unencrypted cookies. Cookies are little files that contain things like tracking information, website settings and crucially, whether a user is already logged in. This means that when intercepted, an unencrypted cookie can be used to impersonate you. The website will think it remembers you being logged in when in fact it is someone pretending to be you. Unlike the other methods, packet sniffing simply requires the hacker to be in the same network as you, without need to set up a hotspot of their own.
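For anyone running a website, the unencrypted-cookie problem described above comes down to session cookies issued without the `Secure` attribute, which browsers will then also send over plain http. The audit below is an added example, not code from the original article; the response headers are constructed sample data, and the name-based `SESSION_HINTS` heuristic and function names are assumptions made for illustration.

```python
# Constructed response headers from a hypothetical site (sample data).
RESPONSE_HEADERS = [
    ("Set-Cookie", "session_id=3f9a1c; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Set-Cookie", "auth_token=77be02; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000"),
]

# Assumption: cookies whose names contain these fragments carry login state.
SESSION_HINTS = ("sess", "auth", "token", "sid", "login")

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    return name, {a.split("=", 1)[0].lower() for a in attrs if a}

def sniffable_session_cookies(headers):
    """Names of session-like cookies a browser would also send over plain http."""
    exposed = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        looks_like_session = any(hint in name.lower() for hint in SESSION_HINTS)
        if looks_like_session and "secure" not in attrs:
            exposed.append(name)
    return exposed

def has_hsts(headers):
    """True if the response asks browsers to use https only for this host."""
    return any(h.lower() == "strict-transport-security" for h, _ in headers)

print(sniffable_session_cookies(RESPONSE_HEADERS), has_hsts(RESPONSE_HEADERS))
```

The fix for each flagged cookie is to add `Secure` when it is set; the HSTS header reduces exposure further by keeping returning browsers off plain http for that host.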
What can I do?
Knowing the risks is already half the battle, as you can learn to treat public Wi-Fi networks with healthy suspicion. It doesn’t mean not using them, just taking steps like paying special attention that the sites you visit are what they say they are, and doing your best to make sure the hotspot you connect to is legitimate. It is also very important to have Wi-Fi turned off when you are not using it.
The golden rule though, is to never transmit any sensitive information unencrypted. To do this, a personal VPN such as F-Secure Freedome is the easiest, securest and most versatile solution. Freedome uses VPN technology to make your traffic encrypted and impossible to intercept, while other features such as browsing protection block malicious websites from loading at all. Protecting yourself allows you to be more connected with less risk: it’s a win-win!