Is Free Wi-Fi Dangerous?


Last week, the Sacramento Bee, citing concerns from the FBI, published an article about the security risks of free Wi-Fi networks.  These days, free Wi-Fi hotspots abound.  So what can you do to keep your personal data safe?  We asked our CTO, Niels Jonker, for some words of wisdom to help understand the potential risks, and ways to stay safe when you connect to a free or unmanaged Wi-Fi network.

LOCK OUT HACKERS WITH A VPN

According to the FBI’s Sacramento office, hackers may set up fake Wi-Fi hotspots in airports with names like “Free Wi-Fi”.  A user connects to this SSID thinking they are connecting to a legitimate airport-sponsored service, when in fact it’s bogus.  The hackers are then able to steal passwords and other personal information.

ARTICLE: Include Wi-Fi Among Security Risks At Airports, FBI Warns

Niels’ Words of Wisdom: “Open Wi-Fi, by its very nature, is insecure. This means that your best defense is a good offense. Make sure you’re only using SSL-encrypted services – which means logging in to https://gmail.com instead of http://gmail.com — or use a VPN to lock down all of your traffic over the wireless network.  Most online service providers like Google and Yahoo! allow you to enforce SSL for all interactions with their services, which is a really, really good idea. Unfortunately, providers like Facebook and Twitter do not yet include this as an option on their websites, though their smartphone apps may include this as an option. And if you see ANY warnings about a “certificate problem” when you connect to an HTTPS website, that’s bad news. Disconnect from that site immediately. You should never use sites that give security warnings when on an open Wi-Fi network. Again, the prudent Wi-Fi user will make sure they’re connecting to the authorized Wi-Fi network, and the safest user will lock down their session with a VPN.”

BEWARE FIRESHEEP

In early October, a software freelancer released a Firefox plug-in that made it point-and-click simple for the layman to become a pseudo-hacker on any network, including open Wi-Fi networks.  It doesn’t enable you to steal usernames and passwords, but it does allow you to “sidejack” that user’s current session.  By sidejacking the session, you can effectively use web services such as Facebook or Twitter as that user. Think of the mischief that might ensue; you could pose as that person using their account, download their photos, send spam, change the user’s password, delete the account or worse.

ARTICLE: The Firesheep Don’t Even Look Up

Niels’ Words of Wisdom: “Again, a VPN is your best weapon to stay as secure as possible on unsecured networks.  In addition, you should also be selective about the networks you connect to.  For example, in the hotspots where Boingo manages the hardware, we’ve configured the network infrastructure to render Firesheep as ineffective as possible. If the website in question has done a reasonable job implementing their ‘session persistence’ cookies, you should be safe from Firesheep at our hotspots. Unfortunately, this is likely the exception rather than the rule, especially among unmanaged or free hotspots. Again, a VPN is your best weapon to ensure safety.”
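Why a session can be sidejacked on an open network even after an HTTPS login, shown as an added example that is not part of the original post or Boingo's code: a cookie set without the `Secure` attribute is attached to later plain `http://` requests, where anyone on the same Wi-Fi can read it. The hosts, cookie values and the session-name heuristic are constructed assumptions, and cookie path matching is ignored for brevity.

```python
from urllib.parse import urlsplit

# Constructed sample data: Set-Cookie values a login response might return,
# and the page loads that follow. Hosts and values are made up.
SET_COOKIES = {
    "social.example.test": ["session_id=4f2a9c; Path=/; HttpOnly", "lang=en; Path=/"],
    "mail.example.test": ["SID=91bd07; Path=/; Secure; HttpOnly"],
}
REQUESTS = [
    "https://social.example.test/login",
    "http://social.example.test/home",
    "http://mail.example.test/inbox",
    "https://mail.example.test/inbox",
]
SESSION_HINTS = ("sess", "sid", "auth", "token")  # assumed naming heuristic


def parse_set_cookie(header):
    """Return (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def cookies_sent(url, jar):
    """Names of cookies a browser attaches to this request (host match only)."""
    u = urlsplit(url)
    sent = []
    for header in jar.get(u.hostname, []):
        name, attrs = parse_set_cookie(header)
        if "secure" in attrs and u.scheme != "https":
            continue  # Secure cookies never leave over plain HTTP
        sent.append(name)
    return sent


def cleartext_session_exposures(requests, jar):
    """(url, cookie) pairs where a session cookie crosses the network unencrypted."""
    exposures = []
    for url in requests:
        if urlsplit(url).scheme != "http":
            continue
        for name in cookies_sent(url, jar):
            if any(h in name.lower() for h in SESSION_HINTS):
                exposures.append((url, name))
    return exposures


if __name__ == "__main__":
    for url, name in cleartext_session_exposures(REQUESTS, SET_COOKIES):
        print(f"{url}: session cookie {name!r} sent in cleartext")
```

Only the site that omitted `Secure` is flagged; the one that set it keeps its session cookie off the air on plain HTTP requests, which is the server-side fix that a VPN otherwise has to compensate for.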

DON’T CONNECT TO THE SSID: “FREE PUBLIC WI-FI”

How many times have you opened up your laptop and seen the SSID “Free Public Wi-Fi”?  The network itself is almost always an ad-hoc – or computer-to-computer – network, not one with access points tied to the Internet.  And while these networks are more of an annoyance than anything else, the potential for risk exists as hackers can set them up, wait for people to get connected, and then search their computer or install malware.

ARTICLE: What “Free Public WiFi” Is and Why You Should Avoid It

Niels’ Words of Wisdom: “Several years ago, I actually ran into one of these malicious ad hoc networks in an airport on the East Coast. Because I just had to see what was behind it, I connected with several monitoring tools in place, and immediately saw it start to scan my laptop. I know what I’m doing, and I wouldn’t advise that you do what I did. Your best approach here is to make sure that any network you’re connecting to isn’t an ad hoc network – especially if it broadcasts itself as a free one. Unless you’re specifically coordinating with a friend or business associate to create a computer-to-computer network to transfer files or play a game, you’d be wise to avoid ad hoc networks, since the other end is someone else’s computer, and you really didn’t want to give some random person access to everything on your hard drive, did you? You’re better off making sure that when using public Wi-Fi networks, you rely on the authorized network for the airport, coffee shop or hotel you’re sitting in.  If in doubt, ask.”

Additional Reading:

How to stay safe at a public Wi-Fi hotspot

3 personal VPNs offer safer Wi-Fi

Summarizing WiFi security revelations for the year 2010

Personal VPN Services (no endorsement implied):

Witopia — from $60/yr

HotspotVPN — from $109/yr.

StrongVPN — from $84/yr.

SurfBouncer — from $120/yr.

Golden Frog VyprVPN — from $180/yr.

AnchorFree — free

LogMeIn Hamachi2 — free

SecurityKiss — free

About Christian

Christian Gunning -- Boingo's vice president of corporate communication -- has been with the company since its beginning in 2001. Always willing to regale you with stories of the early days when Wi-Fi was still called 802.11b and we had to explain how you could get the Internet without a wire, he's grown to love the new world where wireless Internet is expected.