‘With “free” wi-fi, we have no idea who else is on that network or what they are doing with the information we exchange over it. We do not even know if the owner of the free wi-fi is really who we think it is’
Data on the go is part of our everyday lives. A quick bank transfer? Done. Urgent email? Replied. Book a hotel? Sorted. Public wi-fi—provided free of charge in coffee shops, restaurants, bars, airports, hotels, railway stations, and the like—makes the convenience cost-free. We take serious work with us too—even before the pandemic, the Office of National Statistics estimated that 50 per cent of British employees will be working remotely at some point this year.
Yet using public wi-fi carelessly can be a serious mistake: in effect allowing outsiders access to your data, including those juicy logins and passwords. We also expose our employer to ransomware attacks, where vital data is scrambled to extort a large payment from the victim.
With “free” wi-fi, we have no idea who else is on that network or what they are doing with the information we exchange over it. We do not even know if the owner of the free wi-fi is really who we think it is. Cybercriminals often masquerade as well-known brands in order to poach the trust and goodwill built up amongst patrons, using wi-fi names such as “Starbucks 2.0” or “Hilton fast wi-fi”. These rogue networks are specifically set up by cybercriminals to harvest data.
In the early days of Hacker House, the ethical hacking (cyber-security) company I co-founded, we set up an experiment at Liverpool Street Station in London. We gave the free wi-fi the official sounding name “Mayor of London Free wi-fi” and waited. Of course, it didn’t take long—within minutes we had hundreds of people using the network—our network. We had good intentions. But many do not. They are then well placed to position themselves between users and their intended destinations, in so-called “man-in-the-middle” attacks. A common example of this tactic is site spoofing: creating a website that looks, acts and behaves like the login page for Gmail or a financial institution, for example, but which in fact exists to harvest users’ credentials—logins, passwords, memorable words, answers to security questions and the like. Criminals can then use these details to log in to the real site—and wreak havoc with our data, our money and our lives.
Hackers can also use an unsecured wi-fi network to plant harmful software—malware— on devices connected to it. For example, a “verification” email sent to enable a user to access what they think is an innocent free wi-fi network can contain a request to click on a link—do that, and you download the malware. This may be a virus, which infects a program in order to harm your computer or steal your data. Or it could be a “worm” which operates autonomously, travelling from device to device on the same network.
Even if your computer is safe, your data may not be. Hackers use special software kits for “snooping and sniffing”, enabling them to eavesdrop on wi-fi signals and access everything that the wi-fi users are doing online, taking login credentials, hijacking accounts, and even targeting other people’s devices. Your computer or phone can be an unwitting accomplice in an attack on someone else.
Please do not think that encrypted data, or apps with end-to-end encryption (including Facebook, WhatsApp, Messenger), are immune. They are not. End-to-end encryption is only as good as the network it is on. Anything that goes through that network, including all communications, is still up for grabs. Think of it this way: wi-fi is simply a means for devices to speak to each other, and within that network may lurk all kinds of dangers that can affect your computer or your phone.
So what can you do to keep your data—or your company’s data—secure?
First, spread the word. If you have employees, set up policies regarding cyber security—this should include not connecting to insecure wi-fi (anything that says “free wi-fi” should be an immediate red flag)—and educate workers on a regular basis. Set up a virtual private network (VPN) for your company network for remote workers to log in to (instead of public wi-fi). VPNs encrypt all data coming in and out, and enable employees to securely connect to a company network. VPNs are not a cure-all, but if hackers are on the prowl, they are less likely to get usernames and passwords. As a private individual, you can get your own VPN—either paying a few pounds a month for a full-service offering with lots of data, or using one of the bare-bones options available free of charge.
Basic cyber-hygiene helps too. Only visit websites with proper security certificates—the ones that show a little padlock at the top of your browser. These are “https-enabled” meaning they protect users’ personal information such as logins. Also make sure your network and devices are covered by good anti-malware software. If you are responsible for any network, make sure that firewalls should be enabled on all devices that use it. These control the way people move around a company’s infrastructure online. Think of them as different access points around a building, each with ID required for the door to open. A word of caution, though: firewalls need to be properly configured and kept up to date, otherwise they can pose a significant security risk—keys to doors are no use if they are not administered properly.
On the move? Turn off wi-fi auto-connect settings as well as Bluetooth discoverability settings to prevent cyber criminals gaining direct access to your device (and lose the AirPods as well—sorry). When going online, tether your laptop to your mobile device—it may cost a bit more in your data plan, but entrusting your life to a dodgy “free” public wi-fi network will cost you a great deal more.