Source: Trend Micro Blog

Public Wi-Fi is beset by increasingly complicated risk/reward calculus. The near-ubiquity of hotspots in airports, cafes and other buildings has given consumers more opportunity to use networked services wherever they go, without incurring cellular data charges. Certainly, free wireless will be important as mobile computing habits change – a recent Cisco report projected that by 2018, the average user would watch 20 hours of video, listen to 10 hours of audio, make 10 video calls and download 20 apps per month. Carrier data plans are limited, and moreover cellular infrastructure alone may not be able to accommodate this level of activity, necessitating distributed network architectures and Wi-Fi deployments to offload traffic.

However, increased reliance on Wi-Fi comes with its own set of risks. Since many users access sensitive accounts, such as banking services and e-commercial, from mobile endpoints and laptops connected hotspots, they may be in danger of having their identities stolen by attackers that exploit the lack of encryption on public Wi-Fi. Individuals may not be aware of the numerous precautions that they must take, such as preventing their devices from sharing folders with everyone on the network and keeping an eye out for imposter networks.

Together with vulnerabilities in outdated networking equipment, these risks complicate Wi-Fi usage considerations. Going forward, the issue is likely to become more complex for consumers as Internet service providers such as Comcast blur the line between private and public networks by automatically turning routers into public hotspots that broadcast to users of the same service. Given the patchy security records of some ISPs, such a move creates new concerns about keeping Wi-Fi safe, at a time when security and privacy are more important than ever to individuals and businesses.

Users should be more careful with public Wi-Fi
Public Wi-Fi has always had a soft underbelly, but its growing prevalence means that the stakes are higher than ever for educating users about best practices. A Canadian security provider recently scanned more than 12,000 Wi-Fi networks and found that more than 70 percent of them were vulnerable, with 30 percent of them critically so. The vulnerabilities applied to open Wi-Fi, as well as networks secured by the WEP and WPS standards.

But the problem isn’t simply a matter of networks lacking sufficient protection. Most end users are unaware of the risks involved in using public Wi-Fi. They treat it as just another network, and use it to send sensitive information via email or connect to online banking or e-commerce services. Doing so courts identity theft – for example, one overseas couple used public Wi-Fi to put a six-figure sum on term deposit with a New Zealand bank, only to have it stolen a few months later, after attackers used stolen account details to email instructions to the bank.

The funds were eventually restored, but the incident serves as reminder that unsecured Wi-Fi opens the doors for man-in-the-middle attacks. Individuals should utilize VPNs or wait until they’re on safer corporate or home networks to carry out critical transactions. Still, not everyone will employ these tactics, putting some of the security burden on network operators to be more scrupulous about how they offer Wi-Fi and use authentication if feasible.

The recent Super Bowl illustrates how much work these providers still need to do to lock down Wi-Fi. During pre-game coverage, television cameras captured the credentials for MetLife Stadium’s internal Wi-Fi – the username “marko,” and a password that was merely leet-speak for “welcome here.” These details were likely changed after the incident went viral on Twitter and several blogs, but they underscore the inconsistent Wi-Fi security practices of organizations.

Last year, the NFL prohibited fans from bringing in any wireless equipment that would interfere with the New Orleans Superdome’s Wi-Fi network. The goal was to prevent “rogue access points or rogue equipment from attempting to operate in the same frequency” as the official installation, SMG director of IT and production told ZDNet at the time. This year, approximately 82,000 fans used the in-stadium Wi-Fi system built by Verizon, without any reported security violations. It appears that organizations such as the NFL can do Wi-Fi security right when they execute well – the risk lies in oversights like the public credentials broadcast leak, which if left unaddressed can leave unaware users vulnerable to attacks and identity theft.

Many Comcast customers unaware that routers were broadcasting public Wi-Fi signals
The security onus on Wi-Fi network operators has become even more apparent in light of recent revelations about Comcast, the largest Internet service provider in the U.S. The ISP has recently begun providing modems that broadcast two signals – one for the private use of households and businesses, and another for any Comcast Xfinity subscriber who happens to have a device within range. In this way, Comcast equipment serves as a de facto public Wi-Fi hotspot.

The feature is enabled by default, as Comcast tries to build a huge, interlocking network of wireless coverage on the back of its residential infrastructure. But some customers have turned it off out of fears that private data may become available over the public network, or that an excessive number of users on the hotspot would degrade the performance of the private network. In a sense, they fear that the inherent risks of public Wi-Fi are being thrust upon them as part of their Internet service packages.

Comcast has explained that the private and public networks are separate from one another and that these types of risks aren’t plausible. While no evidence to the contrary has emerged, the blurring of lines between public and private networks could be cause for concern, since it could confuse users about the relative risk levels of each category. The recent revelation that Comcast’s mail servers were compromised and that attackers made off with passwords and MySQL credentials also underscores how the custodians of network security aren’t impervious to attack. It’s up to users to be smart when using Wi-Fi, and to push providers to look out for customers’ best interests.