Monthly Archives: March 2019


How Safe Are You on Public WiFi? Not Very


At the U.S. Republican National Convention in Cleveland last year, more than 1,200 people connected to free WiFi networks with names like “I Vote Trump! Free Internet,” “I Vote Hillary! Free Internet,” and “Xfinitywifi.” They transferred gigabytes of data, doing things like checking e-mails and chatting. Some even shopped on Amazon or logged into their bank accounts.

Those networks were fake, set up by network security vendor Avast to make a point about the insecurity of most public WiFi spots. The company said that over 68 percent of those using these fake sites exposed their identities in some way.

The Republican delegates are no different than the rest of us in their trust of public WiFi networks. In a recent survey, over half of respondents said they had logged into their personal email or social media accounts from a public network. Some 61 percent believed their information was safe on a public WiFi network. Only 42 percent knew how to tell whether a WiFi network was secure. Millennials were the most trusting group, the survey found. Nearly 95 percent of them had shared information while on public Wi-Fi, the largest percentage of any generation.

WiFi hackers like to hit where crowds gather. For example, one published report claimed that hackers took advantage of the crowds attending the Olympic games in Rio de Janeiro in 2016 by launching fake WiFi spots across the city and thereby vacuuming up a lot of data from unsuspecting users.

How much and what types of data? No one seems to know, but it likely included passwords, credit card numbers and other info that thieves later used to commit identity theft or other types of fraud.

While theft of data from unsuspecting consumers using public WiFi spots is presumed to be fairly pervasive, it doesn’t get the attention that major hacks of corporate or financial systems do. These thefts happen in dribbles – with bad guys stealing bits of information from many users and accounts – rather than a tsunami.

One contributing factor is that WiFi is so pervasive. A 2015 report by WiFi network provider iPass estimated that there were more than 50 million public hotspots worldwide – one for every 150 people, a number which is expected to grow to 340 million by 2018, or one for every 20 people on earth.

Another factor is that so many public WiFi networks are inherently insecure. Kaspersky Security Network recently analyzed some 32 million public hotspots and found that 25 percent do not use any encryption at all, meaning that anyone with an antenna can pick up the communications. Another three percent use an old form of encryption that is essentially ineffective.

Third, hacking WiFi networks doesn’t require sophisticated technical knowledge. Some of the tools are widely available and easy to use. That’s not to say that large international crime rings aren’t involved. In December 2014, Australian police caught members of a criminal syndicate opening a bank account in Sydney using a stolen identity they got by hacking people’s phones through a free WiFi network. The operation stole more than $6 million, and police arrested almost 50 people in connection with the crime.

Hackers are not only setting up their own fake WiFi spots but in some cases may hack into existing, legit networks. In Israel last fall, for example, a white-hat hacker showed how he could take advantage of vulnerabilities in network routers to take over the free Wi-Fi network of Tel Aviv.

Experts say there are several common ways that hackers compromise public WiFi networks.

Fake hotspots: Hackers set up a fake network with an innocuous name that fools consumers into thinking it’s legitimate, such as “Starbucks WiFi” in a coffee shop. They can then record all the keystrokes of people who use that network, including user names and passwords to various accounts.
Man-in-the-middle attacks: Cybercriminals take over a public network and use the established connection to the victim’s machine to redirect the victim’s communications, often to a fake website that looks like a bank’s, for example, and tricks the victim into giving up log-in credentials.
Malware: Once on the network, they can send you fake notices saying you need to install an update. But rather than updating your system, they install malware that then gives them complete access to your system, including files and photos. They might even be able to turn on the web camera or microphone and eavesdrop.
Sniffing: Using a WiFi sniffer, anyone can locate insecure WiFi networks and monitor their traffic. They can record that traffic and analyze it to discover useful details.

WiFi operates on public airwaves, so sniffing may not even be illegal, technically. When David Maimon, an assistant professor in the department of criminology and criminal justice at the University of Maryland who is studying the problem, checked on whether it was legal in Maryland, “we couldn’t find any law preventing you from sniffing,” he said in an article on “Banners before you log in to public WiFi, where you agree to terms of use, sometimes specifically mention you’re not allowed to sniff and that makes it illegal, but if there’s no banner then it’s not illegal at all.”

Maimon’s observation in 2014-15 of 33 public WiFi networks around the District of Columbia metro area found that conducting e-commerce and visiting social networks were the most common online behaviors over public WiFi networks. In 40 percent of the networks he monitored, online banking was common. He found evidence of malware packets in 30 percent of the networks.

Use a virtual private network (VPN): There are many VPN services that you can use with smartphones and computers. A VPN lets you connect to the provider’s servers via an encrypted connection, which prevents prying eyes from seeing any information. However, the quality and business models of these services vary, so research them carefully. Free or very low-cost services sometimes collect data from your activity.
Change the settings on your device so it does not automatically connect when it senses a WiFi network. In public spaces, before connecting try to ask someone (like the hotel manager) for the name of the WiFi hotspot to make sure you’re not connecting to a fake one.
Use 2-factor authentication, which requires you to provide two things to prove your identity. When logging onto your Dropbox account, for example, it asks for your password and then texts a code to your smart phone. You must enter the code before you are granted access.
When using a public WiFi network, limit activity to web browsing. Avoid using any accounts that require log-in information (such as e-mail and bank accounts), avoid sending any private data across the network, don’t download any apps, and don’t install any updates.
Keep your operating system and apps patched and up to date.
Use a cellular connection instead of the free WiFi service.
Enable the “always use https” option on websites you visit often or that require passwords and log-ins. When you log in to the website, make sure the URL address starts with “https,” which means it’s encrypted.
Make sure the WiFi network uses the latest encryption technique, known as the WPA2 (WiFi Protected Access 2) protocol.

Public WiFi networks are likely to remain a rich vein for hackers, with plenty of potential victims unaware of all the information they expose. By following a few precautions, you’ll reduce your chances of becoming one of them.
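One way to act on the advice about checking a network's encryption and watching for fake hotspots, as an added example that is not part of the original article: the Python script below rates each network in a WiFi scan as open, weak or ok, and flags any network name that is advertised with more than one protection level. It assumes the terse output of `nmcli -t -f SSID,BSSID,SECURITY device wifi list`; the sample scan, network names and hardware addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the terse format printed by
#   nmcli -t -f SSID,BSSID,SECURITY device wifi list
# (fields separated by ':', literal colons escaped as '\:'; assumed format).
SAMPLE_SCAN = r"""
Starbucks WiFi:AA\:BB\:CC\:00\:00\:01:WPA2
Starbucks WiFi:AA\:BB\:CC\:00\:00\:02:
HotelGuest:AA\:BB\:CC\:00\:00\:03:WEP
xfinitywifi:AA\:BB\:CC\:00\:00\:04:
HomeOffice:AA\:BB\:CC\:00\:00\:05:WPA2 WPA3
"""

def parse_scan(text):
    """Return (ssid, bssid, security) tuples from terse nmcli output."""
    rows = []
    for line in text.strip().splitlines():
        # Split on ':' only when it is not escaped with a backslash.
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) == 3:
            rows.append(tuple(fields))
    return rows

def rate(security):
    """Map the SECURITY column to open / weak / ok."""
    modes = set(security.split())
    if not modes or modes == {"--"}:
        return "open"   # no encryption: anyone in range can read the traffic
    if modes & {"WPA2", "WPA3"}:
        return "ok"
    return "weak"       # WEP or original WPA only

def audit(text):
    """Rate every network and flag SSIDs advertised with mixed security."""
    by_ssid, report = defaultdict(set), {}
    for ssid, bssid, security in parse_scan(text):
        rating = rate(security)
        report[bssid] = (ssid, rating)
        by_ssid[ssid].add(rating)
    # Same name, different protection: one access point may be an imposter.
    mixed = sorted(s for s, ratings in by_ssid.items() if len(ratings) > 1)
    return report, mixed

if __name__ == "__main__":
    report, mixed = audit(SAMPLE_SCAN)
    for bssid, (ssid, rating) in report.items():
        print(f"{rating:5} {ssid} ({bssid})")
    print("Mixed-security SSIDs:", mixed)
```

A flagged name is a reason to ask staff which network is the real one, not proof of an attack; an imposter can also copy the genuine network's security setting, so an "ok" rating does not verify who operates the access point.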

Many users don’t see the difference between public Wi-Fi and private networks

Source: Trend Micro Blog

Public Wi-Fi is beset by increasingly complicated risk/reward calculus. The near-ubiquity of hotspots in airports, cafes and other buildings has given consumers more opportunity to use networked services wherever they go, without incurring cellular data charges. Certainly, free wireless will be important as mobile computing habits change – a recent Cisco report projected that by 2018, the average user would watch 20 hours of video, listen to 10 hours of audio, make 10 video calls and download 20 apps per month. Carrier data plans are limited, and moreover cellular infrastructure alone may not be able to accommodate this level of activity, necessitating distributed network architectures and Wi-Fi deployments to offload traffic.

However, increased reliance on Wi-Fi comes with its own set of risks. Since many users access sensitive accounts, such as banking services and e-commerce, from mobile endpoints and laptops connected to hotspots, they may be in danger of having their identities stolen by attackers that exploit the lack of encryption on public Wi-Fi. Individuals may not be aware of the numerous precautions that they must take, such as preventing their devices from sharing folders with everyone on the network and keeping an eye out for imposter networks.

Together with vulnerabilities in outdated networking equipment, these risks complicate Wi-Fi usage considerations. Going forward, the issue is likely to become more complex for consumers as Internet service providers such as Comcast blur the line between private and public networks by automatically turning routers into public hotspots that broadcast to users of the same service. Given the patchy security records of some ISPs, such a move creates new concerns about keeping Wi-Fi safe, at a time when security and privacy are more important than ever to individuals and businesses.

Users should be more careful with public Wi-Fi

Public Wi-Fi has always had a soft underbelly, but its growing prevalence means that the stakes are higher than ever for educating users about best practices. A Canadian security provider recently scanned more than 12,000 Wi-Fi networks and found that more than 70 percent of them were vulnerable, with 30 percent of them critically so. The vulnerabilities applied to open Wi-Fi, as well as networks secured by the WEP and WPS standards.

But the problem isn’t simply a matter of networks lacking sufficient protection. Most end users are unaware of the risks involved in using public Wi-Fi. They treat it as just another network, and use it to send sensitive information via email or connect to online banking or e-commerce services. Doing so courts identity theft – for example, one overseas couple used public Wi-Fi to put a six-figure sum on term deposit with a New Zealand bank, only to have it stolen a few months later, after attackers used stolen account details to email instructions to the bank.

The funds were eventually restored, but the incident serves as a reminder that unsecured Wi-Fi opens the doors for man-in-the-middle attacks. Individuals should utilize VPNs or wait until they’re on safer corporate or home networks to carry out critical transactions. Still, not everyone will employ these tactics, putting some of the security burden on network operators to be more scrupulous about how they offer Wi-Fi and use authentication if feasible.

The recent Super Bowl illustrates how much work these providers still need to do to lock down Wi-Fi. During pre-game coverage, television cameras captured the credentials for MetLife Stadium’s internal Wi-Fi – the username “marko,” and a password that was merely leet-speak for “welcome here.” These details were likely changed after the incident went viral on Twitter and several blogs, but they underscore the inconsistent Wi-Fi security practices of organizations.

Last year, the NFL prohibited fans from bringing in any wireless equipment that would interfere with the New Orleans Superdome’s Wi-Fi network. The goal was to prevent “rogue access points or rogue equipment from attempting to operate in the same frequency” as the official installation, the SMG director of IT and production told ZDNet at the time. This year, approximately 82,000 fans used the in-stadium Wi-Fi system built by Verizon, without any reported security violations. It appears that organizations such as the NFL can do Wi-Fi security right when they execute well – the risk lies in oversights like the leak of credentials on a public broadcast, which if left unaddressed can leave unaware users vulnerable to attacks and identity theft.

Many Comcast customers unaware that routers were broadcasting public Wi-Fi signals

The security onus on Wi-Fi network operators has become even more apparent in light of recent revelations about Comcast, the largest Internet service provider in the U.S. The ISP has recently begun providing modems that broadcast two signals – one for the private use of households and businesses, and another for any Comcast Xfinity subscriber who happens to have a device within range. In this way, Comcast equipment serves as a de facto public Wi-Fi hotspot.

The feature is enabled by default, as Comcast tries to build a huge, interlocking network of wireless coverage on the back of its residential infrastructure. But some customers have turned it off out of fears that private data may become available over the public network, or that an excessive number of users on the hotspot would degrade the performance of the private network. In a sense, they fear that the inherent risks of public Wi-Fi are being thrust upon them as part of their Internet service packages.

Comcast has explained that the private and public networks are separate from one another and that these types of risks aren’t plausible. While no evidence to the contrary has emerged, the blurring of lines between public and private networks could be cause for concern, since it could confuse users about the relative risk levels of each category. The recent revelation that Comcast’s mail servers were compromised and that attackers made off with passwords and MySQL credentials also underscores how the custodians of network security aren’t impervious to attack. It’s up to users to be smart when using Wi-Fi, and to push providers to look out for customers’ best interests.