Public Wi-Fi – Sacrificing Security for Convenience

By: Krista M. Cyber Threat Intelligence Analyst, NJCCIC

In my previous CyberLog post, I shared some of the information I learned while attending DefCon 23, an annual hacker conference held in Las Vegas. What I didn’t mention, though, were the things I had to take into consideration prior to my arrival. As this was my first time attending, I wasn’t sure what to expect so I did some research and talked to a few former DefCon attendees. The stories I heard were eye-opening to say the least – from hackers wirelessly siphoning personal data from RFID-enabled credit cards and passports of unsuspecting victims, to pranksters remotely gaining control of a DefCon presenter’s cell phone and causing it to overheat in his pants pocket. I also heard about the infamous “Wall of Sheep,” a giant scrolling display of login credentials captured from people who mistakenly decide to use the available open Wi-Fi to sign into their personal online accounts.

Some of these stories I heard sounded a bit far-fetched, but one thing I do know is that anything that can connect to a network and is capable of storing, transmitting, and receiving data is vulnerable. With that in mind, I attempted to protect myself and my data the best I could. I only brought one credit card for emergencies and stored it in an RFID-blocking card sleeve within an RFID-blocking wallet. (Overkill? Probably not.) The laptop I packed was designated specifically for cybersecurity research and, therefore, has never been used to sign onto any personal email, social media, or banking accounts. (Data that’s not there, can’t be stolen.) I even left my very vulnerable smartphone at home and brought my old-school, clamshell-style cell phone instead. Some of my friends laughed about the precautions I took, but when entering a confined space with 20,000 hackers, I wasn’t taking any chances.

Obviously, this represents an extreme situation where I had to be extra mindful about where my data was and who could possibly access it. I would never expect anyone to go to those lengths under ordinary circumstances – to do so would be extremely inconvenient. However, there are chances that many people take every day, in normal and seemingly benign situations, that put their data and identities at risk. One of the biggest security oversights involves connecting to open public Wi-Fi signals, or “hotspots.”

Just last month, the AARP Fraud Watch Network released a report titled Convenience Versus Security that highlights the shocking prevalence of risky online behavior that puts people’s personal information in jeopardy. Their survey found that:

  • 45% of American internet users failed the seven question cybersecurity quiz, highlighting an overall lack of important cybersecurity knowledge.
     
  • Only 24% of users surveyed said that free public Wi-Fi hotspots were not safe at all.
     
  • 37% reported using free Wi-Fi at least once a month, with 25% using it at least once a week.
     
  • 27% reported using free Wi-Fi to do their banking and to make online purchases.
     
  • 41% checked their work email accounts while connected to free Wi-Fi.
     
  • 75% checked their personal email accounts while connected to a free Wi-Fi.

From a cybersecurity perspective, these statistics are concerning but it stems from the fact that most people lack an understanding of how attacks occur over unsecure public Wi-Fi, especially when the average user may not notice anything different or unusual after they connect.

So, how do attacks occur over public Wi-Fi hotspots?

  • Evil Twin Access Points (APs): Hackers create Wi-Fi hotspots that have names similar or identical to that of legitimate and trusted hotspots, causing victims to unknowingly connect to the hacker’s device and allowing the hacker to capture all of the victims’ network traffic. This is also known as a “honeypot” network.
     
  • Data Interception/Snooping: Wi-Fi network traffic that is unencrypted is susceptible to eavesdropping by hackers. Most public Wi-Fi networks, especially those that do not require any form of passphrase at login, are unencrypted and leave users’ data wide open to interception and exfiltration.
     
  • Compromised Devices: Hackers join the open Wi-Fi network with a device containing malicious code and look for victims with file-sharing enabled on their computers to connect with other devices within the local network. The hacker can then infect the victim’s machine remotely with malware designed to steal login credentials, financial information, and other sensitive data.

During my time at DefCon, I saw plenty of opportunities for these types of attacks to occur. A brief glance at the available Wi-Fi hotspots within the conference area revealed a plethora of unsecured wireless options, just waiting for someone to connect and expose their data. Some hackers even named their hotspots “honeypot,” either in jest or to serve as a warning.

How can you protect yourself while using public Wi-Fi?

First and foremost, do not conduct any online banking or shopping that requires entering your payment card information while on a public network, it is not worth the risk. It also best to avoid logging into any accounts that require entering your username and password or any personal information. Otherwise, using public networks to catch up on news or stream video can be done safely by following these recommendations:

  • Turn off sharing.
    • Windows: open your Control Panel, navigate to the Network and Sharing Center, then click Change Advanced Sharing Settings. Choose Advanced Settings from the Advanced drop-down menu and uncheck File and Printer Sharing for Microsoft Networks. Turn off Network Discovery and Public Folder Sharing. This is done automatically if you specify the Wi-Fi network as Public.
    • Mac OS X: go to System Preferences, Sharing and uncheck all the boxes and disable network discovery.  
       
  • Make sure your firewall is on and your anti-virus software is up to date and running.
     
  • Confirm the name of the network to avoid malicious honeypots.
     
  • Only visit websites that have HTTPS enabled or install the HTTPS Everywhere browser extension which encrypts communications with many unsecure websites.
     
  • Consider using a virtual private network (VPN) that encrypts your network traffic and routes it through a separate and secure connection.
     
  • Disable the Wi-Fi on your computers, tablets, and phones when not in use. This will prevent automatic and accidental connection to open Wi-Fi hotspots.

Be sure to keep these tips in mind and think twice before sacrificing your security for the convenience of a free and open Wi-Fi signal.