We’ve all been tempted to use public Wi-Fi: it’s free, saves on your data allowance, and is always helpful in speeding up loading times.
You might love public Wi-Fi — but so do hackers.
Here are just a few ways cybercriminals can get access to your private data and potentially steal your identity and what you can do to protect yourself.
1. Man-in-the-Middle Attacks
The technological term, man-in-the-middle (MITM) is an attack whereby a third party intercepts communications between two participants. Instead of data being shared directly between server and client, that link is broken by another element. The uninvited hijacker then presents their own version of a site to display to you, adding in their own messages.
please enter a password that has 8 characters or less pic.twitter.com/ICtuHwR1uw
— Zach Leatherman (@zachleat) September 20, 2016
Anyone using public Wi-Fi is especially vulnerable to a MITM attack. Because the information transmitted is generally unencrypted, it’s not just the hotspot that’s public — it’s your data too. You might as well shout out your details. A compromised router can vacuum up a lot of personal material relatively simply: just getting into your emails, for instance, gives hackers access to your usernames, passwords, and private messages, and plenty more besides!
The most worrying thing is if you’re using online banking or exchanging payment details over emails or instant messaging.
What can you do? Don’t input any data if you see a notification that a site might not be genuine. Even if you’re desperate. A website’s credentials are checked using SSL/TSL certificates, so take warning messages about authenticity seriously.
Public Wi-Fi might not be encrypted, but e-commerce companies like PayPal, eBay, and Amazon employ their own encryption techniques. (In fact, most major sites that request a password use encryption.) You can check for this by looking at the URL. If it’s an HTTPS address — that additional “S” meaning “Secure” — there’s some level of encryption. A plugin like HTTPS Everywhere will force your browser into defaulting to encrypted transmissions where available.
2. Fake Wi-Fi Connections
This variation of an MITM attack is also known as the “Evil Twin”. The technique intercepts your data in transit, but bypasses any security systems a public Wi-Fi hotspot might have.
A few years ago, Doctor Who showed the perils of technology, in particular the trouble caused by connecting to a malicious router. In that case, users were integrated into an alien intelligence — admittedly unlikely. But in reality, victims could be handing over all their private information, merely because they were tricked into joining the wrong network.
It’s fairly easy to set up a fake access point (AP), and is well worth the effort for cybercriminals. They can use any device with internet capabilities, including a smartphone, to set up an AP with the same name as a genuine hotspot. Any transmitted data sent after joining a fake network goes via a hacker.
What can you do? Be suspicious if you see two similarly-named network connections. If they’re to an associated shop or eatery, talk to the staff there. Similarly, alert management if you’re at work and spot a fake AP.
— F-Secure Freedome (@FreedomeVPN) September 21, 2016
We always recommend using a virtual private network (VPN). This establishes a level of encryption between the end-user and a website, so potential intercepted data is unreadable by a hacker without the correct decryption key. You’ve plenty of reasons to use a VPN, and one definitely is to combat MITM attacks in their myriad forms.
3. Packet Sniffing
It’s an amusing name, but the actual practice of “packet sniffing” is far from a laughing matter. This method enables a hacker to acquire airborne information then analyze it at their own speed.
This is relatively simple, and not even illegal in some cases. Seriously. David Maimon, Assistant Professor at the University of Maryland, investigated the dangers of using public Wi-Fi and said:
A device transmits a data packet across an unencrypted network, which can then be read by free software like Wireshark. That’s right: it’s free. Look online and you’ll even see “how to” guides, teaching you how to use Wireshark. Why? Because it’s a handy tool for analyzing web traffic, including, ironically enough, finding cybercriminals and vulnerabilities that need patching.
Nonetheless, hackers can obtain an abundance of data then scan through it at their leisure for important information like passwords.
What can you do? Again, you need to rely on strong encryption, so we recommend a VPN. If you’re not sure about that, make sure sites requiring private information use SSL/TSL certificates (so look for HTTPS).
4. Sidejacking (Session Hijacking)
Sidejacking relies on obtaining information via packet sniffing. Instead of using that data retroactively, however, a hacker uses it on-location. Even worse, it bypasses some degrees of encryption!
Warning about free wifi 'sidejacking,' from BBB:some fake networks use generic names like coffee_shop1 to trick you, steal info #liveonk2
— Kerry Tomlinson (@KerryTNews) June 25, 2014
Log-in details are typically sent through an encrypted network (hopefully) and verified using the account information held by the website. This then responds using cookies sent to your device. But the latter isn’t always encrypted — a hacker can hijack your session and can gain access to any private accounts you’re logged into.
While cybercriminals can’t read your password through sidejacking, they could download malware that would obtain such data, even including Skype. Furthermore, they can get plenty of information to steal your identity. Just look at the wealth of data can be inferred from Facebook alone!
Public hotspots are especially appealing for this hack because there’s typically a high percentage of users with open sessions. The Firefox extension, Firesheep demonstrated how easily sidejacking can be accomplished, forcing Facebook and Twitter to require HTTPS when signing in.
Saw that "IsThisTheKrustyKrab?" Was a wifi name…
Password guess "NoThisIsPatrick"
Current status: pic.twitter.com/QSWxmZjdsb
— Jack Peterman (@JackPetermann) September 24, 2016
What can you do? Again, HTTPS offers a good level of encryption, so if you really must go on sites requiring personal information, do it through this secure connection. Similarly, a VPN should combat sidejacking.
As an added security measure, make sure you always log out when you’re leaving a hotspot, or risk letting a hacker continue to use your session. With Facebook, you can at least check the locations where you’re logged in and sign out remotely.
This might seem obvious, but we often forget these sort of simple security measures.
Whenever using an ATM, you should check those around you, making sure no one’s peeking as you enter your PIN. It’s also a danger when it comes to public Wi-Fi. If one or more individuals are hovering around when you’re visiting private sites, stay suspicious. Don’t submit anything personal like a password. It’s a very basic scam, but one that certainly still works for hustlers and hackers.
A “shoulder surfer” might not even need to be behind you: just watching what you type can give criminals something to work with.
What can you do? Be vigilant. Know who’s around you. Sometimes, a little bit of paranoia can help. If you’re not sure of those around you, don’t go on anything private.
Don’t underestimate the importance of what you’re filling out or reading either: medical information can be useful to identity thieves, for example. If it’s a document or webpage you wouldn’t want anybody else seeing, take precautions to stop that very thing from happening.
Another option is to purchase a privacy screen — which limits the amount of people who can see what’s on your screen — or indeed make one yourself!
Tell Me More About VPNs!
The core concern with public Wi-Fi is the lack of encryption. The aforementioned VPNs scramble your personal information so without the correct decryption key, it can’t be read (in most cases, anyway). If you regularly use hotspots, using a VPN is essential.
Fortunately, there’s a you can use a wealth of VPNs, most completely free, both for laptops and devices like smartphones. Opera has extended its VPN service from Windows and Mac to Android phones, for instance, or you could use plug-ins on Chrome. If you do most of your private business on a smartphone, check out these apps for Android or these for your iPhone or iPad.
The vast majority of us use public Wi-Fi, but we need to be more careful about it, and VPNs are central to the arsenal of the security-conscious.
What other methods do you use to stay safe when using public Wi-Fi?