Basic security tips for public WiFi hotspots

By Enrique Serrano and Geri L. Dreiling, Esq.

Is public WiFi safe?

Online security and data privacy are big concerns for lawyers. Client confidentiality and safeguarding privileged information were always an integral part of the law practice but now, in the age of computers, apps and the Internet, compliance is even more important — and difficult.

One question that we often receive is whether public WiFi networks are safe.

The online community is split on the answer to that question but, in this article, we provide a basic explanation of public WiFi networks, discuss some of the hazards, provide safety tips and discuss alternatives.

What Is the Difference Between a Public WiFi Hotspot and a Secure WiFi Connection?

At your office or at home, you either connect through a wire or through a secure WiFi network that requires a WEP or WPA key. It is the first part of a pipe that channels all your messages to their destination.

Securely encrypted WiFi channel

In an encrypted WiFi network your data are sent through a protected wireless communications channel

If anyone wants to see what you are sending via your wired connection, he or she would need to physically tap your wire. Another option would be to intercept your data at another point such as at your Internet Service Provider or carrier router but it is not easy. And while cracking a secured WiFi network is not impossible — there are several software tools designed for that purpose — a hacker still needs to crack this initial defense barrier, which takes time and effort, and he or she would need to be physically near your WiFi signal. These two factors can be strong deterrents to random attacks.

But the situation is different when a public WiFi hotspot is involved. A crowded, popular place is a key target for hackers seeking sensitive data. Moreover, since there is no encryption, or the password is public, other users already have access to your channel. With access to that unsecured, public channel, it is not difficult to access data traveling through it.

Insecure public WiFi channel

In a public WiFi network all users share the same, insecure communications channel

Encrypt your Connection With HTTPS for Extra Security

If you use a public channel, you can add extra security by sending sensitive data encrypted using HTTPS connections. Using the analogy of a channel, a hacker who cracks the channel would not be able to easily read the messages flowing through the channel because they would no longer be written in plain text.

Most popular Internet services and social networks, like Facebook and Gmail, offer the option to use secure HTTPS connections. This video explains how to better protect your personal accounts by activating the https connection security measure.

HTTPS protection as extra security layer

HTTPS connections add an additional security layer by encrypting the transmitted data

The HTTPS Everywhere plug-in for the Firefox or Chrome web browsers is a useful tool for securing your connection. It has some compatibility limitations but it will make sure you keep using HTTPS links throughout a list of popular sites.

Many cloud-based apps, like Evernote or Dropbox, already include this extra layer of protection in their communications by using secure HTTPS connections. However, remember that protecting the privacy of the channel isn’t the same as protecting the privacy of your data stored in the cloud, as we explained when analyzing privacy in cloud-based environments.

Are You Giving your Email Away on a Public WiFi?

It is vitally important to make sure you are using a secure connection when you access your email. Otherwise, you could be giving away your email password every time you check your email on a public network – and new email checks are usually automated tasks that happen often unnoticed in the background.

Protect your email using HTTPS

If you don’t encrypt your data on public WiFi networks, you would be giving away your email password

Configuring encryption for your email is easy. You need to enable SSL on both, incoming and outgoing email on your laptop, tablet or smartphone in your email settings. Once configured, an HTTPS connection will be used any time you sent or retrieved emails from the server.

If your email server supports SSL and uses standard connection ports, and if you are an iPhone user, you can use GoDaddy’s instructions to configure SSL for your email. If you are an Android phone user, the steps to follow would be very similar: open your Mail app, press the menu button, select “More > Settings” and choose the “Account Settings” option. The following menus are pretty much the same on both platforms – just make sure you select SSL under the “Security Type” options.

Connect to legitimate WiFi hotspots

Another security threat associated with public networks is the hazard of connecting to a rogue, fake WiFi network. Once you send information through a channel that a hacker controls, there is a good chance that your data could be compromised. This video explains the likelihood of that happening – and how easily a rogue WiFi network could be configured.

Rogue WiFi Access Point

Rogue WiFi Access Points mimic real or common public WiFi names. Connecting to a rogue WiFi means sending your data through a hacker-controlled connection.

A sound security suggestion is to double check the name of the access point of the WiFi network. If you are in a dangerous location, if the name doesn’t match with the expected name of the free WiFi network, or if you fear that a fake rogue network could be replacing your chosen network, then do not connect.

This is a real problem because many mobile devices have an option enabled by default to automatically connect to networks without asking. If a hacker configures a WiFi network, even mimicking a known network’s name, your phone could be connecting to that network on its own, without you even noticing the data leak, in what is known as a rogue access point attack. Still, it is possible to defend yourself from such an attack. Chema Alonso has some great articles about this (in Spanish) whose key points are summarized as follows:

  • Configure your device to “ask before connect” to new WiFi networks.
  • Some iOS devices keep accessing to known networks without asking, which can be fixed by selecting “forget this network” and updating to the latest iOS versions, as they fix some issues about telling known networks from new ones.

In any case, it is essential to be extremely careful in public environments because a common network name could have been replaced by a rogue WiFi access point.

There’s No True Security in Public WiFi Hotspots

Insecure Network

So, can you connect to a free WiFi with no risk following all the aforementioned basic tips? Unfortunately, the answer is no. Just as no driver is ever 100 percent safe from being involved in a car accident, no network is one hundred percent safe: there’s always some way to hack into your system. The chances of an attack increase considerably in public networks. Richard Rushing, CSO of AirDefense notes in this article at Wired, “Hotspots are great for browsing, but for personal stuff, be very wary.”

A good rule of thumb is not connecting to the Internet in unsafe environments prone to network attacks. Unfortunately, public WiFi in crowded areas like airports, hotels and convention centers are some of the most dangerous places to work with sensitive information online.

The Safest Alternative to Connect to the Internet on the Go

If it seems that the risk of using public WiFi networks is just too high, there are safer alternatives. One of the most common is to use your mobile network (GSM, 3G, LTE.)

When compared to public WiFi networks, mobile networks offer several security advantages. The channel that your mobile device uses to communicate with the base station is encrypted, and no other cell phone user should be able to access it. If you add HTTPS encryption to the transmitted data you will have some strong security barriers in place to protect your communication.

Mobile networks have secure channels

In mobile networks every phone uses its own, secured communications data channel

But like any network, mobile networks aren’t immune to hacking. However, cracking a mobile network is much more complicated than exploiting a WiFi network. For example, hacking into a mobile network would usually require the creation of a fake access point and the use of a fake base station, as depicted in this scenario, where installation is much more complex (and thus, improbable) than using an average laptop and a common piece of software to create a rogue WiFi access point.

From a practical standpoint, a public WiFi network is a free, fast Internet connection. Mobile networks are usually the opposite. First, your mobile network will be much slower. Second, the Internet fees of your mobile carrier are usually expensive. Because of this, mobile connections would make sense used to transmit sensitive, lightweight data, like checking your email on the go.

Conclusions

We’ve just scratched the surface in terms of public network security, but the quick answer is that public WiFi networks aren’t safe enough for sensitive tasks. Avoid risky environments, double-check the network you are connecting to and use secure HTTPS connections to minimize some of the risks. But public WiFi is best avoided for activities involving sensitive information. Instead, if you need to connect on the go, a mobile carrier data plan is a much safer, prudent approach.