“Don’t do your online banking or anything sensitive on a public Wi-Fi network.” The advice is out there, but why can using a public Wi-Fi network actually be dangerous? And wouldn’t online banking be secure, as it’s encrypted?
There are a few big problems with using a public Wi-Fi network. The open nature of the network allows for snooping, the network could be full of compromised machines, or — most worryingly — the hotspot itself could be malicious.
Encryption normally helps protect your network traffic from prying eyes. For example, even if your neighbor at home is within range of your Wi-Fi network, they can’t see the web pages you’re viewing. This wireless traffic is encrypted between your laptop, tablet, or smartphone and your wireless router. It’s encrypted with your Wi-Fi passphrase.
When you connect to an open Wi-Fi network like one at a coffee shop or airport, the network is generally unencrypted — you can tell because you don’t have to enter a passphrase when connecting. Your unencrypted network traffic is then clearly visible to everyone in range. People can see what unencrypted web pages you’re visiting, what you’re typing into unencrypted web forms, and even see which encrypted websites you’re connected to — so if you’re connected to your bank’s website, they’d know it, although they wouldn’t know what you were doing.
This was illustrated most sensationally with Firesheep, an easy-to-use tool that allows people sitting in coffee shops or on other open Wi-Fi networks to snoop on other people’s browsing sessions and hijack them. More advanced tools like Wireshark could also be used to capture and analyze traffic.
Protecting Yourself: If you’re accessing something sensitive on public Wi-Fi, try to do it on an encrypted website. The HTTPS Everywhere browser extension can help with this by redirecting you to encrypted pages when available. If you frequently browse on public Wi-Fi, you may want to pay for a VPN and browse through it when on public Wi-Fi. Anyone in the local area will only be able to see that you’re connected to the VPN, not what you’re doing on it.
Compromised laptops and other devices may also be connected to the local network. When connecting, be sure to select the “Public network” Wi-Fi option in Windows and not the Home network or Work network options. The Public network option locks down the connection, ensuring Windows isn’t sharing any files or other sensitive data with the machines on the local network.
It’s also important to be up-to-date on security patches and use a firewall like the one built into Windows. Any compromised laptops on the local network could try to infect you.
Protecting Yourself: Select the Public network option when connecting to public Wi-Fi, keep your computer up to date, and leave a firewall enabled.
Most dangerously, the hotspot you connect to may itself be malicious. This may be because the business’s hotspot was infected, but it may also be because you’re connected to a honeypot network. For example, if you connect to “Public Wi-Fi” in a public place, you can’t be entirely sure that the network is actually a legitimate public Wi-Fi network and not one set up by an attacker in an attempt to trick people into connecting.
Is it safe to log into your bank’s website on public Wi-Fi? The question is more complicated than it appears. In theory, it should be safe because the encryption ensures you’re actually connected to your bank’s website and no one can eavesdrop.
In practice, there are a variety of attacks that can be performed against you if you were to connect to your bank’s website on public Wi-Fi. For example, sslstrip can transparently hijack HTTP connections. When the site redirects to HTTPS, the software can convert those links to use a “look-alike HTTP link” or “homograph-similar HTTPS link” — in other words, a domain name that looks identical to the actual domain name, but which actually uses different special characters. This can happen transparently, allowing a malicious Wi-Fi hotspot to perform a man-in-the-middle attack and intercept secure banking traffic.
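The two rewrites described above (an HTTPS link turned back into HTTP, or a host name swapped for a look-alike) can be checked for mechanically. The following is an added example, not part of the original article: `bank.example` is a constructed placeholder host, and the function names and finding labels are hypothetical.

```python
import unicodedata
from urllib.parse import urlsplit

def decode_host(host):
    """Lower-case a hostname and decode punycode (xn--) labels to Unicode."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave a malformed label as-is; it will not match anyway
        labels.append(label)
    return ".".join(labels)

def scripts_in(label):
    """Unicode scripts used by the letters of one label (first word of the char name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def check_link(url, expected_host):
    """Return a list of findings for a link that should point at expected_host over HTTPS."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")            # stripped or never-upgraded link
    host = decode_host(parts.hostname or "")
    if host != expected_host.lower():
        findings.append("host-mismatch")
        if any(ord(ch) > 127 for ch in host):
            findings.append("non-ascii-host")    # possible look-alike characters
        if any(len(scripts_in(l)) > 1 for l in host.split(".")):
            findings.append("mixed-script-label")
    return findings

# Constructed samples: "bank.example" is a placeholder, \u0430 is Cyrillic "a".
LOOKALIKE = "b\u0430nk"
SAMPLES = [
    "https://bank.example/login",
    "http://bank.example/login",
    "https://" + LOOKALIKE + ".example/login",
    "https://xn--" + LOOKALIKE.encode("punycode").decode("ascii") + ".example/login",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_link(url, "bank.example") or "ok")
```

A look-alike written entirely in one non-Latin script is reported as `non-ascii-host` without `mixed-script-label`, so the host mismatch itself is the finding to act on.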
The WiFi Pineapple is an easy-to-use device that would allow attackers to set up such attacks with little effort. When your laptop attempts to automatically connect to a network it remembers, the WiFi Pineapple watches for these requests and responds “Yes, that’s me, connect!”. The device comes with a variety of built-in man-in-the-middle and other attacks it can easily perform.
Someone clever could set up such a compromised hotspot in an area with high-value targets — for example, in a city’s financial district or anywhere people log in to do their banking — and attempt to harvest this personal data. It’s probably uncommon in the real world, but is very possible.
Protecting Yourself: Don’t do online banking or access sensitive data on public Wi-Fi if possible, even if the sites are encrypted with HTTPS. A VPN connection would likely protect you, so it’s a worthy investment if you find yourself regularly using public Wi-Fi.
If you use public Wi-Fi connections regularly, you may want to invest in a VPN. As a bonus, a VPN will allow you to bypass any filtering and website-blocking in place on the public Wi-Fi network, allowing you to browse whatever you want.
Image Credit: Jeff Kovacs on Flickr