Don't Get Tricked, Beware the Hacker's Playground!
A Hacker's Playground - Public WiFi Hotspots
People are in love, no stratch that, they are ADDICTED to free WiFi and will connect to any available public WiFi hotspot to get online, according to a Symantec 2017 WiFi Risk Report (the report polled thousands of adults who used public WiFi hotspots in 15 countries). As a cybersecurity professional, that statement baffles me, and seems ludicrous.
Results from that report show roughly 50 percent of respondents believe one of the most important reasons to access public WiFi is to get some sort of GPS information. Around 40 percent admitted to accessing adult content at their work place or through public WiFi hotspots in hotels, airports, and transportation modes such as buses, trains, taxis, and ride share. If you think that is insane, 60 percent believe their data is safe when using public WiFi hotspots, EVEN THOUGH 53 percent of that 60 percent can't tell the difference between a secure and insecure WiFi hotspot. You can't make this stuff up.
With this in mind, I decided to put together a few tips around secure browsing best practices when accessing the Internet using public WiFi hotspots.
- Ensure the network you select is actually the correct network.
Attackers often change a single letter of a legitimate network and folks select that network by mistake. This is known as a "man in-the-middle" attack. Every keystroke typed, while on the attackers network, is recorded for use later by the attacker. The unsuspecting target is transferred to the correct network, never knowing they were on the attackers network first. Before accessing any public WiFi hotspots, verify the name and check the spelling.
- Always select a secure network, if at all possible
Look for a network with a padlock in parenthesis next to the network name. This indicates you are locked out, but that's not necessarily a bad thing if you can get a valid password/passphrase. Some networks use a "walled garden" and that simply means it looks open until you select it at which time a login page will appear. This is very common at hotels where you will receive the credentials when you check in.
- Set devices to "Ask Before Connecting" to a network
This can be a headache initially, but it will be worthwhile the first time it saves your device from auto connecting to a previous network with the same name. Attackers know the network names for popular establishments like hotels, coffee shops etc. They will activate a public WiFi hotspot from the parking lot of a Starbucks close to a Hilton property. Everyone that stayed at the Hilton property the night before BUT has to have their Starbucks in the morning will auto connect to the attackers network because it uses the same name as the network they just left. In the WiFi settings for your device, there should be an option that asks you to confirm connection to any network. After that, your only excuse is "I hadn't had my coffee yet when I connected to the hackers network by mistake."
- Avoid using personal data while connected to a public WiFi hotspot
There is nothing technical about this one. It's a behavioral change that can be as challenging as quitting an addictive vice (alcohol, tobacco, caffeine, the shopping channel, etc.). Anything you wouldn't stand up and proclaim publicly wherever you are, should not be shared on a public network if you can avoid it. Save bill paying, banking, taxes, insurance, medical (you get my point) for the security of your home network. Use public WiFi hotspots for the really important stuff like Facebook, Twitter, Instagram (tongue in cheek obviously).
- Only use HTTPS and SSL while on a public WiFi hotspot
Websites use HTTPS (Hypertext Transfer Protocol Secure) to support SSL (Secure Sockets Layer) and make connections more secure. Translation, "Websites use blah blah blah to make connections more secure". Seriously, just look for HTTPS in the URL or look for a padlock icon and the word "Secure" at the beginning of the address bar.
I hope this helps the next time you find yourself half-awake at Starbucks in a hurry to transfer money and submit insurance claims all while wondering why the Starbucks network is the same name as the hotel you checked out of 15 minutes earlier. Call me if I can help. Until next time, remember … think twice and type once.
About the Author
Mike has over 30 years of IT experience with the last 15 focused exclusively on information and cyber security. During that time, Mike has served in organizational leadership roles as a Chief Information Security Officer (CISO) and as a cybersecurity consultant.
Regardless of the role, Mike enjoys helping organizations develop effective cybersecurity programs by addressing risk and creating a cybersecurity conscious culture.