Just about every frequent traveller and mobile user has heard the warnings, but the prospect of free Wi-Fi is often too tempting to resist. “Just a little status update”, we tell ourselves. “Then maybe I’ll quickly check my email.”
We rationalise that it can’t be that bad. After all, isn’t my connection to Facebook or my online banking already encrypted anyway? As for email, who knows… but surely a few minutes can’t hurt, right?
In truth, it’s far more damaging than you think. Within an open network, snooping is commonplace. Before we get into the dangers of open Wi-Fi, let’s take a look behind the scenes of logging into your favourite sites.
The Mechanics of Logging In
Logging into a website will most often begin by submitting your username and password. The website will check those credentials against its list of users, to see if a matching account exists. If it does, the server will send your browser something called a ‘cookie’ and let you inside.
This cookie is stored on your computer and used for all subsequent requests, and may even permit you to return to the website later without having to log back in.
Over a wireless network protected by a password, your cookies and other data are encrypted between your laptop, phone or tablet and the wireless access point. The password you enter to gain access to your network is used to create a unique key, which is then used to encrypt all the data you send over it.
However, when connecting to an open Wi-Fi hotspot, for example at an airport lounge, some websites will send you a cookie without encryption, allowing anybody within range of the network to see it. Others can easily intercept such a cookie in transmission and use it to gain access to your account, all without your knowledge.
Over an open Wi-Fi network, eavesdroppers can detect which websites you’re visiting, and on sites without the all-important “security padlock” icon displayed in the browser, they can also see exactly which pages you’re viewing, and even what you’re typing in web forms on sites!
Back in 2010, a utility called Firesheep demonstrated the dangers of open Wi-Fi quite disturbingly. It allowed you to see, at a glance, all the unencrypted cookies being sent over any open wireless network you connected to. Even more alarmingly, a simple double-click would allow you to log in to a site as somebody else, plucking their cookie from the air to impersonate them.
In response to the Firesheep thread, major sites like Facebook and Google stepped up their game, ensuring that their cookies were never again transferred without encryption. Still, there are plenty of sites that have yet to learn this lesson.
What’s In A Name?
While you might not remember which open networks you’ve connected to in the past, your devices certainly can.
Once you’ve connected to an unprotected network with a given name, your device will keep scanning for a network with the same name, even as you move about. Easily-available hacking tools can allow prospective data thieves to ‘see’ these scans, and quickly create a network to fool your device into automatically joining.
In this way, even trustworthy open networks can be a security threat. By teaching your device to connect to an open Wi-Fi network with a given name, you can create quite a substantial security hole.
Another type of threat is also rife in the wild: spoofed Wi-Fi. These networks are created by hackers, who often set up in public places with legitimate free Wi-Fi on offer.
Hackers may cunningly create an official-sounding access point, or simply copy the name of the legitimate network and add ‘2’, or a special character to fool the eye. Public Wi-Fi networks with lots of users can often be slow, causing people to try other networks within range. It’s a highly effective strategy for cyber criminals, and more common than you’d think.
Aside from rifling through your data, hackers can use an open Wi-Fi network to distribute malware. Your browser (and your eyes) can easily be trumped into viewing fake versions of trustworthy download sites.
Hidden keyloggers and other nasties can come packaged within these downloads, which will be particularly difficult to detect on mobile devices. Better still, if you have file sharing enabled, a hacker can plant malicious software on your device without even needing to trick you!
So, by now I’m sure we can all agree that free Wi-Fi can be bad news. But what can you do to sidestep disaster?
1. Opt only for secure networks.
If you’ve got any choice in the matter, simply opt for the secure network on offer – whether at your hotel or another public space. Sure, it may cost you a little, but the security is well worth it.
If you’re caught somewhere without a secure option and you absolutely have to connect, a free VPN (short for Virtual Private Network) can mask your location and encrypt your internet traffic.
Utilities such as CyberGhost for Windows and OS X make using a VPN as easy as clicking a button. Don’t forget your mobile, either – there are many great options available for Android and iOS. Simply search ‘VPN’ in Google Play or the App Store.
Of course, when you use a VPN, you’re entrusting all of your Internet traffic to the provider of that VPN, so make sure it’s trustworthy (and that usually means paying for it)!
3. Try not to check anything personal
Unless you really need to, try to refrain from doing anything too personal over an open network. Check the news and do a few Google searches, but leave the work emails for a better time and place. It could mean the difference between a company data breach or an uneventful browse to pass the time.
4. Look for the padlock.
When browsing the Internet on open networks, pay close attention to whether your connection to a website is secure. On most major browsers, this fact is represented by a small padlock icon, on or near your address bar.
5. Go off the grid (or use your data plan).
While this isn’t always the most convenient option, staying offline while you’re going through airports might be the most fool-proof way to stay secure.
If you’re on a mobile device, you can also make use of your data plan rather than Wi-Fi in public places. While it might be a little extra expense, I’d be willing to bet that it’s well worth avoiding the traps we’ve covered here.