4. Public WiFi Risks
Public WiFi presents a danger to you if you perform any sensitive task while connected to the internet through it and not properly protected.
The danger comes from the ability for criminals to CLONE a free WiFi hotspot – not just the name… everything! If you have previously connected to the genuine hotspot, you will probably even auto-connect to the CLONE as it will be a stronger signal.
There are lots of ways to do this but one uses a cheapish device (~$100 US) called a WiFi Pineapple. Originally created to help ethical hackers conduct a penetration test, they are legal to buy and possess but can be used with malicious intent to conduct a man-in-the-middle attack…
Man-in-the-Middle Attack
This is an attack where the attacker gets between you and the internet. In the case of the WiFi Pineapple, they would sit in your local coffee shop and clone the free WiFi.
You come in for your low-salt coffee-free latte-chino and connect to the WiFi to save your data plan. You have a look and find “COPSTA COFFEE FREE WIFI” – you click and connect. Or, even better, you’ve been here before so it auto-connects. You log in to some things, do some banking, send some Snapchats.
The danger comes from what data your machine is sending and receiving that is not encrypted. There may be some degree of encryption from apps or the green padlock that’s showing in the browser – BUT, there are some very technical attacks that manipulate stuff going on in the background to deceive you – and that stuff isn’t being encrypted. The Man-in-the-Middle – who’s the shady person sat in the corner with a small box on the table – can read everything you’re sending over the internet.
Yes this really happens – though rarely. No this isn’t just scaremongering.
The Solution – Virtual Private Networks (VPNs)
A Virtual Private Network is an application or program that creates a fully ENCRYPTED TUNNEL between you and somewhere else on the internet – an exit point to the tunnel which you TRUST. That trust comes from the credibility of the provider. VPNs are widely used on work devices and in many cases you simply don’t know it switches itself on in the background by default. You need to know whether this is happening or not.
Everyone should consider having a VPN service available on mobile devices (phones, tablets, laptops, etc…) for use when you have to use free or public WiFi. There are free services available with low data thresholds, and for many people that is sufficient if you can establish trust in the provider – do some research, find a company that has been around for a while and for which some web searches find credible reviews from the tech press. Risk assess what you do over it, and consider whether you want a paid service.
Better still – 4G mobile data services are designed as encrypted by design back to the phone mast. Use your data plan for anything truly sensitive, but have the VPN ready to go for any WiFi use – particularly if you have no mobile signal.
The Padlock Myth
For quite some time now we have been encouraged to look for the padlock – particularly when we do online shopping. That’s great – it is very important as it signifies that the submission of data back to the web server will be done in an encrypted method as it passes over the internet.
What we all need to understand – and where we go wrong – is that the padlock symbol IS NOT a symbol of TRUST. There is little or no due diligence done in issuing the technical certificate which leads to your browser showing the padlock. Even criminals can obtain these certificates with ease. You need to verify the credibility of the website by other means – like reading reviews and finding links from other trusted organisations.