Free Wi-Fi spots are a very handy way to get online without using up your monthly 3G or 4G allowance, but are they genuine? Be careful of using unsecured hotspots, especially when conducting your private affairs. Here's how your data could be stolen and used against you.
Coffee shops seem to have become the open plan office of the 21st century. Visit any branch of Costa or Starbucks on the high street and the chances are you’ll be met with a sea of laptops, iPads, and smartphones, all bathing their users in a gentle glow of distraction. But while people might feel that their islands of tables, lattes and devices create a form of private space, the truth is they might not be the only ones looking at their personal information.
"Unfortunately", states Kaspersky Security blogger Stefan Tanase, "most people don’t realise how often and how easily that data, which you would never trust to most people around you, could be intercepted by a complete stranger seated ten meters away."
Free Wi-Fi can have a hidden cost, and that is security. While the idea of being able to roam around a city, connecting to several open Wi-Fi hotspots without incurring any fees is certainly a convenient one, you should always remember that cyber criminals use these very same connections to conduct their attacks.
"One of the easiest ways for hackers to capture information", reveals Sian John, Security Strategist for Symantec, "is to setup a friendly or 'safe' sounding Wi-Fi network, by using a hotel or restaurant name. It’s then amazing to see what people will do online without ensuring that their communication is protected or encrypted."
These 'spoof' networks will look real, allowing you to navigate the web as you would normally, but everything you do is being watched and logged. It won’t be long before you’re prompted to download something innocent looking (which of course will be malware), or to confirm your login details to a secure site (say your bank or PayPal account) and then the criminals have their prize.
In fact, it doesn’t even have to be a network that you’ve never connected to before. There are gadgets that make use of a simple, built-in vulnerability in mobile devices to turn your regular haunts against you. When you log on to any network your device will store those details so that it will be able to automatically repeat the process next time you're within range of the router. This is very useful as it means you don’t have to manually input any kind of information when you return; your smartphone or tablet will connect automatically.
For trusted sites like your home and office networks this is fine, but when you’re out and about this can become a serious weakness. The WiFi Pineapple is a small, lightweight unit that acts as a Wi-Fi hotspot which can masquerade as another network. Due to its powerful antennas it will push its way to the front of the queue, obscuring the authentic network, when your device tries to log onto a known connection.
It then redirects your traffic - and all sensitive data - through its rogue proxy, leaving you completely unaware that you’re on a compromised version of the network. The most surprising thing is that this isn’t some expensive, military-grade device. It fits neatly in a backpack, is virtually undetectable to passersby, and is available online, completely legally, for around £60.
The dangers of leaving yourself open to an attack aren’t limited to just personal information either. Enterprising hackers are also becoming alive to a potentially easy route to valuable corporate data.
"You go to a hotel network and there’s no security on them," says Sean Newman, Security Strategist at Cisco, "they just have a hotspot thing to sign you onto the network. But anyone can sign on to the network and there’s no encryption or protection of the traffic. You might think 'who’s going to follow me to a hotel?' Well, when I’m going to a hotel it’s usually because there’s an event on, some security conference, and every hotel has multiple conferences for multiple reasons going on at any period of time. So if you wanted to attack a particular target [industry]...you’d go to that conference and you could almost have your pick of who you want to compromise."
This problem is exacerbated by the rise of the Bring Your Own Device (BYOD) culture that has become the bane of IT professionals in recent years. Traditionally your work and personal devices were separate, making securing the data an easier task, but with many phones and tablets now acting as both work and leisure devices the risks are harder to negate. Probably the best way to prevent this loss of privacy is to use a Virtual Private Network (VPN), which creates an encrypted connection between your machine and a secure server. You can pay for a VPN through services such as Cyberghost or Hotspot Shield (in fact here are the best free VPN services), but for most people this will seem an overly complicated procedure that is too intimidating to pursue. A more accessible option might be to install the free Firefox and Chrome plug-in HTTPS Everywhere, which tries to ensure that, where possible, sites you visit use secure connections. It’s not a guarantee by any means, but it can certainly take away some of the risks involved.
Of course the ideal solution lies with the hotspot providers implementing encryption on their service, but this isn’t as simple as it sounds. As always, the biggest threat to security lies in the need for convenience. Most of these locations are casual-use spaces for customers, meaning that they want to log on and off quickly and without fuss. Having to enter a password (or worse, a username and password) to access an encrypted hotspot might prove just too much effort for many people, who’ll just walk on until they find the next open connection. Without a call from customers to improve the service you can expect things to carry on much as they are at the moment. Therefore the responsibility to protect personal data lies firmly in your own hands.
"I would advise people simply not to use unsecured access points altogether," states Jean Taggart, Senior Security Researcher at Malwarebytes, "but that isn’t always an option. If you have to connect to public Wi-Fi hotspots, you should consider using a VPN – because the tunnelling process encrypts the traffic. Another option is to use 3G, rather than free Wi-Fi, as this completely bypasses the problem, albeit at a greater cost. Finally, definitely avoid online banking when on an untrusted network. In fact, avoid using anything which you would deem sensitive."