How safe is public Wi-Fi?
You’ve just arrived in a foreign country. Jet-lagged and tired, you discover your phone’s SIM is not playing ball with the local 4G/5G network. You badly need to check your email account, so you go down to the hotel lobby. As the hotel is located in a high-density urban area, dozens of Wi-Fi networks show up. Some of them look like the cyber equivalent of a dark alley in a sketchy neighbourhood. You see a network called “Guest Network”. You log in, but you still have a nagging doubt that it isn’t safe.
What’s the security risk of public Wi-Fi networks (802.11)?
Well, your login credentials for email, social media, cloud storage and any other accounts could be stolen. There is also the risk of confidential information such as documents, photos and intellectual property being exfiltrated, and of malware being pushed onto the device through injected web content or fake update prompts.
Is there a real-life example of people who have been compromised over Wi-Fi?
A case in point which illustrates the vulnerabilities of public Wi-Fi happened at Charlotte Douglas International Airport in the US a few years ago. A cyber criminal group operating out of the airport set up an evil-twin network and used packet-sniffing software to capture what flowed through it. Scores of travellers, connecting to what they thought was a safe Wi-Fi network, had their bank accounts cleaned out.
What are the main risks of public Wi-Fi?
The Evil Twin Attack
This occurs when a cyber criminal sets up a bogus access point broadcasting an SSID (wireless network name) that emulates a genuine one. Where the genuine SSID is “Accor Guest Wi-Fi”, the criminal might call theirs “AccorGuest_Wi-Fi”, or simply “Free Wi-Fi”. A bogus network such as this can be set up using a device like the Wi-Fi Pineapple, or any laptop with a wireless card in access-point mode, and it gives the attacker the perfect man-in-the-middle position: they can see which hosts users talk to, read and modify anything sent over plain HTTP, serve a fake captive portal that asks for an email login, and inject content into unencrypted pages. Properly deployed HTTPS (and HSTS) limits what they can alter in transit, which is why the attacks that follow lean on plaintext traffic, certificate warnings and social engineering. Note also that if a user has previously saved the genuine SSID as an open (password-less) network, their phone or laptop will usually auto-join an open evil twin with the same name, so the victim does not even have to pick it.
Risk Rating 8/10
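As an added example (not code from the original article or from any vendor tool), the script below applies the two checks a practitioner would make when eyeballing the hotel's network list: a name that matches the official SSID once spacing, case and punctuation are ignored, and the official name offered both with and without encryption. The scan records are constructed by hand; on a real system you would feed in the parsed output of a scanner such as `nmcli -t -f SSID,BSSID,SECURITY,CHAN dev wifi` (assumed field set, shown for illustration).

```python
"""Spot evil-twin candidates in a Wi-Fi scan.

Added example, not taken from the original article or any vendor tool.
The scan records are constructed by hand; on a real system you would feed
in the parsed output of a scanner such as
`nmcli -t -f SSID,BSSID,SECURITY,CHAN dev wifi` (assumed; illustrative).
"""
import re
from collections import defaultdict

# Constructed sample scan: (ssid, bssid, security, channel).
SAMPLE_SCAN = [
    ("Accor Guest Wi-Fi", "a4:5e:60:11:22:33", "WPA2", 6),
    ("Accor Guest Wi-Fi", "a4:5e:60:11:22:34", "WPA2", 11),  # second genuine AP
    ("AccorGuest_Wi-Fi",  "02:13:37:ab:cd:ef", "OPEN", 6),   # lookalike name, open
    ("Accor Guest Wi-Fi", "02:13:37:ab:cd:f0", "OPEN", 1),   # right name, no encryption
    ("Free Wi-Fi",        "02:13:37:ab:cd:f1", "OPEN", 6),
    ("Hotel_Staff",       "a4:5e:60:11:22:40", "WPA2", 36),
]


def normalise(ssid):
    """Drop case, whitespace and punctuation so 'AccorGuest_Wi-Fi' == 'Accor Guest Wi-Fi'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def is_locally_administered(bssid):
    """True if the U/L bit (0x02) of the first octet is set.

    Locally administered MACs are not vendor-assigned; software APs and
    attack tools often use them. Supporting evidence only, not proof.
    """
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def find_suspicious(scan, official_ssid):
    """Return [(bssid, ssid, reasons)] for access points worth distrusting.

    Two strong signals: a name that normalises to the official one but is not
    identical, and the official name offered both with and without encryption.
    """
    target = normalise(official_ssid)
    security_by_ssid = defaultdict(set)
    for ssid, _bssid, security, _chan in scan:
        security_by_ssid[ssid].add(security)

    findings = []
    for ssid, bssid, security, _chan in scan:
        reasons = []
        if ssid != official_ssid and normalise(ssid) == target:
            reasons.append("lookalike SSID")
        if (ssid == official_ssid and security == "OPEN"
                and len(security_by_ssid[ssid]) > 1):
            reasons.append("official SSID offered without encryption")
        if reasons and is_locally_administered(bssid):
            reasons.append("locally administered BSSID")
        if reasons:
            findings.append((bssid, ssid, reasons))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reasons in find_suspicious(SAMPLE_SCAN, "Accor Guest Wi-Fi"):
        print(f"{bssid}  {ssid!r}: {', '.join(reasons)}")
```

The second check only works when the genuine network is encrypted: if the venue's official Wi-Fi is itself open, a same-name open twin is indistinguishable by name and security type alone, and you are left with the BSSID, the staff's answer and the behaviour of the captive portal.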
ARP poisoning and HTTPS proxy tools
Address Resolution Protocol maps IPv4 addresses to the MAC addresses of devices on a wired or wireless network. A MAC address is like a unique hardware ID for your device, and ARP is how the router finds your device (and your device finds the router) on the local network. Both the venue’s router and your device keep an ARP table, and ARP has no authentication: any host can announce that it owns any IP address. Using a tool like Arpoison (or arpspoof, Ettercap or Bettercap), a threat actor sends forged ARP replies so that his MAC address becomes associated with the default gateway’s IP address. Client devices such as laptops, tablets and phones are now tricked into sending their traffic to the hacker’s computer, which forwards it on so that nothing appears broken. A tool like mitmproxy can then read and rewrite plain HTTP traffic at will. HTTPS is harder: the browser will show a certificate error unless the victim clicks through it or has been persuaded to install the attacker’s certificate authority, which is exactly why the next step is a page that uses classic social-engineering techniques to scare the user into downloading malware onto their device. For example, the user may receive a rather authoritative message exhorting them to “download this urgent update to keep your wireless browsing private and secure”.
Risk Rating 7/10
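The detection side of the ARP attack, as an added example (not code from the original article or from any named tool): a watcher that learns IP-to-MAC bindings from ARP replies and raises an alert when the gateway's binding changes or when one MAC starts answering for the gateway and for other hosts at once, which is the two-sided poison an attacker needs to relay traffic transparently. The ARP replies below are constructed, not captured; on a real host the same logic would consume `tcpdump -l -n arp` output or a scapy sniff, and arpwatch implements the "IP moved to a new MAC" idea as a daemon.

```python
"""Detect ARP poisoning from a stream of ARP replies.

Added example, not taken from the original article or from any named tool.
The ARP replies are constructed by hand (not captured). On a real host the same
logic would consume `tcpdump -l -n arp` output or a scapy sniff; arpwatch
implements this "IP moved to a new MAC" idea as a daemon.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed: the venue's default gateway

# Constructed ARP "is-at" replies as (timestamp, sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1",  "a4:5e:60:11:22:01"),  # genuine gateway
    (0.5, "192.168.1.20", "3c:22:fb:aa:bb:cc"),  # another guest device
    (1.0, "192.168.1.1",  "a4:5e:60:11:22:01"),
    (1.2, "192.168.1.1",  "02:13:37:de:ad:01"),  # attacker claims the gateway IP
    (1.3, "192.168.1.20", "02:13:37:de:ad:01"),  # ...and the victim's, to sit in the middle
    (1.9, "192.168.1.1",  "02:13:37:de:ad:01"),  # poison is re-sent to keep caches fresh
    (2.0, "192.168.1.1",  "02:13:37:de:ad:01"),
]


class ArpWatch:
    """Learn IP->MAC bindings from ARP replies and alert when they change."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.table = {}                     # ip -> last MAC seen
        self.ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed
        self.alerts = []                    # (timestamp, severity, message)
        self._seen = set()                  # de-duplicate repeated alerts

    def _alert(self, ts, severity, message):
        key = (severity, message)
        if key not in self._seen:
            self._seen.add(key)
            self.alerts.append((ts, severity, message))

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        previous = self.table.get(ip)
        if previous is not None and previous != mac:
            # The gateway moving is the classic MITM symptom; other hosts could be DHCP churn.
            severity = "HIGH" if ip == self.gateway_ip else "MEDIUM"
            self._alert(ts, severity, f"{ip} moved from {previous} to {mac}")
        self.table[ip] = mac
        self.ips_by_mac[mac].add(ip)
        claimed = self.ips_by_mac[mac]
        if self.gateway_ip in claimed and len(claimed) > 1:
            # One MAC answering for the gateway *and* other hosts is the two-sided poison
            # needed to relay traffic transparently in both directions.
            others = sorted(claimed - {self.gateway_ip})
            self._alert(ts, "HIGH", f"{mac} answers for the gateway and {others}")


def run(replies, gateway_ip=GATEWAY_IP):
    """Replay a list of ARP replies and return the alerts raised."""
    watch = ArpWatch(gateway_ip)
    for ts, ip, mac in replies:
        watch.observe(ts, ip, mac)
    return watch.alerts


if __name__ == "__main__":
    for ts, severity, message in run(SAMPLE_ARP_REPLIES):
        print(f"t={ts:<4} {severity:<6} {message}")
```

A lighter manual version of the same check is to note the gateway's MAC (`ip neigh` on Linux, `arp -a` on Windows or macOS) right after connecting and compare it again later; a gateway whose MAC has changed mid-session is the tell. Venue-side, access points configured with client isolation stop guests from talking ARP to each other at all, which removes this attack entirely.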
Insecure or fake VPN clients
Maybe the real risk of public Wi-Fi usage is not what users do when using public Wi-Fi, but what they do beforehand. Most likely, your users have been listening to advice in the media, internet forums and social media to always use a VPN whilst on public Wi-Fi. A quick search on Google shows up dozens of “free” VPNs which promise protection from potentially dangerous public Wi-Fi networks. Unfortunately, most users don’t realise that some of these free applications are in fact fake, malware-laden, data-stealing VPNs. For example, free VPNs such as BetternetVPN and CrossVPN are known conduits of malware. Users need to be educated on the inherent risks of some seemingly benign software applications. Don’t let the cure be worse than the disease…
Risk Rating 9/10
Even a legitimate VPN is not entirely safe…
Mainstream media and some IT professionals will endorse a personal VPN (a legitimate one) as a panacea against wireless threats. (By the way, a personal VPN should not be mixed up with a “remote access VPN” into a corporate network.) And while a personal VPN will protect you against most public Wi-Fi threats, it cannot protect against all of them, because it only protects traffic that actually goes through the tunnel. If a user inadvertently connects to an evil-twin SSID, there is a window before the tunnel comes up (the captive-portal step, for instance) in which they are fully exposed, and if the VPN client leaks DNS or allows split tunnelling, DNS queries may still go to a malicious DNS server of the kind offered by tools like Metasploit with its “fake DNS” module. This means that, even with a personal VPN installed, a user could still be redirected to, for example, a fake Office 365 login page on an attacker-controlled host and get their credentials stolen. (Such a page will either be plain HTTP or sit on a lookalike domain with its own certificate, so browser certificate warnings remain the user’s best signal.) And of course, if the interception involves “pass the cookie” techniques, where the session cookie itself is stolen and replayed, two-factor authentication won’t prevent account access.
What do users really need to know?
Highly Confidential Information
The sending or receiving of highly confidential information should be avoided over public Wi-Fi. Even if the user is using a personal VPN, there is still a small risk of data being compromised. If a user really needs to access or send confidential data, they should use their 4G/5G connection directly or use their mobile as a hotspot. The hotspot should be encrypted with WPA3 where the devices support it (WPA2 otherwise) and secured with a long, randomly generated passphrase rather than the handset’s default.
Use a VPN with a kill switch
When assessing personal VPN services, look for two distinct features. An “always-on” or auto-connect option brings the tunnel up as soon as the device joins an SSID, which reduces the risk of a user forgetting to turn the VPN client on. A kill switch (offered by services such as Proton VPN) is different: it blocks all traffic outside the tunnel, so if the VPN connection drops in the middle of a browsing session the device does not silently fall back to sending traffic in the clear over the untrusted hotspot; it stays offline until the tunnel is back. The two complement each other: always-on closes the gap at connection time, the kill switch closes the gap if the tunnel fails later.
Okay, so you’ve advised all your users to download and use a personal VPN app on their device when away from the home or work network. But this is where things can go badly wrong, because there is always the possibility that one of your users will inadvertently download a rogue VPN app, which can result in credential theft and data exfiltration. Therefore, if advising your users about a VPN, email (or post on your collaboration platform) the exact URL or official app-store listing of your organisation’s preferred VPN application, and ideally push it through your device-management tooling so users never have to go searching for it. Don’t let the cure be worse than the disease.
Always connect to the official Wi-Fi
Connecting to the legitimate Wi-Fi network is always a good start. If a user is unsure which is the official Wi-Fi network when visiting a public venue such as a café, restaurant or hotel, they should ask a member of staff for the exact network name and password, and check that the network they join is the password-protected one with that name. This helps prevent inadvertently connecting to an evil-twin access point set up by a cyber criminal, and a network that has the right name but asks for no password (or for a different one) is itself a warning sign.
Chrome, Safari, Edge and Firefox certificate errors are a red flag
It is very tempting for users to ignore browser warnings about invalid SSL/TLS certificates whilst using a public Wi-Fi hotspot (error messages like ERR_CERT_AUTHORITY_INVALID in Chrome, or SEC_ERROR_UNKNOWN_ISSUER in Firefox, being cases in point). However, users need to be educated that such errors must be taken very seriously in the context of public Wi-Fi: a site that normally loads without complaint suddenly producing a certificate warning means something between the browser and the site is terminating the TLS connection. The correct response is to close the tab rather than click “Proceed anyway”, and never to install a certificate, “profile” or “security update” that the hotspot or a web page offers in order to make the warning go away.
Sudden warnings to apply browser or system updates
For many users, the term “update” has strong connotations of good cyber security hygiene. However, users need to be educated that cyber criminals like to exploit this prudent mindset. If users are connected to a public Wi-Fi network and receive urgent notifications about browser or system updates, they should treat them as suspect: genuine updates arrive through the operating system’s or browser’s own update mechanism, never through a web page, a pop-up or a captive portal. Users need to be informed how cyber criminals often use system or software update notifications as a pretext to exhort users into downloading malware.
Turn off file sharing on your Windows or Apple device
When using public Wi-Fi, users should have network discovery and file sharing on their devices disabled. For Windows, this can be done by navigating to Control Panel > Network and Internet > Network and Sharing Center > Change advanced sharing settings, and turning off network discovery and file and printer sharing for the Guest or Public profile; simpler still, mark the hotspot as a “Public” network when Windows asks, which applies that profile automatically. For Apple users, go to System Preferences > Sharing (System Settings > General > Sharing on recent macOS versions) and leave all services unchecked.
Nice to know…
If you’re a frequent traveller or shared-workspace user, consider a travel router from GL.iNet which can create its own private hotspot. For example, their Beryl AX router runs the open source OpenWrt platform and has OpenVPN and WireGuard pre-installed, so the VPN tunnel terminates on the router and every device behind it is covered whether or not it has a VPN client. It supports WPA3 and IPv6. Moreover, to mitigate against malicious DNS servers, it offers DNS over HTTPS and DNS over TLS. Such a device puts a network you control between your devices and the venue’s network, and could be ideal for those locations such as shared working spaces and hotel rooms which still provide Ethernet sockets. It does not, however, make the venue’s uplink trustworthy: the router’s WAN side still sits on the untrusted network, so the VPN and encrypted DNS are what provide the protection, not the router by itself.