The question came from someone close to the Pocketnow family, which means that even the geeks among us are still confused about just how secure (or insecure) public WiFi is. It’s a valid concern, and one that you may not have stopped to consider. We all like free WiFi, right? Should we be worried? What’s the worst that could happen?
For the context of this article we’re going to limit the conversation to just “public” WiFi — meaning wireless Internet access that’s available to the general public. This could be offered at a school campus, public library, your work’s office, a fast food restaurant, coffee shop, or even the hotel at which you’re staying. My church even has WiFi available. Another kind of “public” WiFi is when someone — a neighbor perhaps — doesn’t secure access to their wireless network.
Let’s talk about security
Wireless access can be restricted by various technological mechanisms. Some access points require a passcode (of varying length — the longer the better). Some require that a “unique” code from your device (your MAC) be submitted, approved, and checked every time you attempt to connect to the network. Some have a “waypoint” password that you must supply via a web browser before access is granted. On others, the door is wide open.
When it comes to security there are two things to talk about: securing access, and securing communications.
Securing access comes by way of MAC restriction and/or waypoint password authentication. These, by themselves, do not secure your communication, and are meant as a certain level of protection for the network itself.
Securing communication can happen in a few places: at the website via an SSL socket, and at the access point through an encrypting protocol like WEP or WPA — which can also serve to secure access to the network.
WEP (Wireless Encryption Protocol) was one of the first, and is probably the most popular encryption protocol for WiFi-based networks. It’s been hacked. WEP should no longer be relied upon to secure communications or access, though it is one step better than no encryption at all — albeit a small one.
WPA (WiFi Protected Access) was the replacement for WEP. Unlike WEP’s hexadecimal key, WPA uses a standard password system and enhanced encryption, which offers greater security than WEP. In 2008, hackers successfully broke into a WPA-protected network.
WPA2, the second generation of WPA, increases security even more. In 2010, hackers found an exploitable weakness in the system that allowed unauthorized access to the network. This breach would be similar to someone plugging their laptop into an Ethernet port to gain access to a network, and wasn’t considered a real “breach” of the encrypting protocol.
None of that does any good if your access point isn’t using them. Passcodes can be long and difficult to input; that’s part of what makes networks protected by them more secure. Unfortunately this also makes them cumbersome for users to set up. Even if you use the latest and greatest encrypting protocols available and your passcodes are sufficiently long, you’re only encrypting your communication to the network. Once you’re on the network, you’re essentially “friends” with everyone else on it.
If you’re not connecting via WPA2, your connection to the access point should be considered insecure, and you don’t want to send anything across it that you wouldn’t be okay with a complete stranger overhearing — including that creepy guy in the corner.
“Sensitive” information is frequently encrypted from the site that you’re visiting to your machine — whether that’s a smartphone or tablet, or laptop or desktop computer. This uses a technology called SSL (Secure Sockets Layer). This type of encryption is fairly secure. It protects your login credentials as well as your payment information from being sent in clear text across the Internet.
Think of it like writing something down on a postcard and mailing it across the country. Anyone along the way can see how you look in your bikini and read your message. In the mail analogy, this is pretty much limited only to postal workers (which is disturbing enough), but with computers, there are many more potential points where someone can “listen in” on your conversation.
Even SSL isn’t “secure”.
Say you’re buying something from Amazon.com. You go online and surf “in the clear”, but when you go to check out it switches you over to HTTPS rather than HTTP (the “s” stands for “secure”). At that point your communication should be encrypted from Amazon all the way down to your device. No one in the middle should be able to “listen in” on your communication.
But they can.
Your local firewall (which is there to protect your network from all the bad guys on the innertubez) can’t do its job unless it knows what’s inside each and every packet of data that it’s processing and allowing inside the network. Since HTTPS packets are encrypted, a bad guy could simply deliver his payload right to your computer and the firewall wouldn’t know anything about it, because the packets were encrypted.
Modern firewalls, however, can function as a “man in the middle”. They can impersonate you to the server that you’re connecting to so they can open all your SSL-encrypted traffic, make sure it’s safe, then re-secure it and pass it along to you. Sounds okay, right?
Once that packet is no longer encrypted, the “man in the middle” has access to it, and can do whatever it’s told to do with it — including logging a copy that’s then sent off to a hacker somewhere. In legitimate networks, this shouldn’t happen — but there’s nothing but your trust of the guy running the network that actually keeps it from happening.
If we take things to the extreme, it is possible that a black-hat could set up shop in a public place, deploy a publicly accessible WiFi access point, and monitor the traffic that comes across it. He could even set up the firewall on it to act as a “man in the middle” and have access to all your encrypted communications as well.
Or can they?
Several readers in the comments have said that firewalls, in fact, cannot unpackage SSL encrypted packets and inspect them. Multiple firewall vendors have told me the opposite. I’m “Joe the Android Guy”, not “Joe the Firewall Guy”, so take what I said above as a voice of warning. Some in the industry claim that it’s impossible and others in the same industry are trying to sell products based on the promise that it is. In either case, use caution.
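An inspecting firewall of the kind described above has to present its own certificate in place of the site’s, so the substitution is visible from the client. The following is an added example, not part of the original article: it compares the certificate a network presents with a fingerprint and issuer recorded earlier on a trusted network. The host name, CA names, and certificate bytes are constructed placeholders.

```python
import hashlib
import socket
import ssl

def flatten(rdns):
    """Turn getpeercert()'s nested issuer/subject tuples into a flat dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def fetch_leaf(host, port=443, timeout=5.0):
    """Return (der_bytes, issuer_dict) for the certificate this network presents.

    Raises ssl.SSLCertVerificationError when the chain does not lead to a CA
    the device trusts, which is itself a reason to stop.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), flatten(tls.getpeercert()["issuer"])

def assess(host, der, issuer, baseline):
    """Compare a presented certificate with what was recorded on a trusted network."""
    known = baseline.get(host)
    if known is None:
        return "no-baseline"
    if hashlib.sha256(der).hexdigest() == known["sha256"]:
        return "match"
    if issuer.get("organizationName") in known["issuer_orgs"]:
        return "reissued-by-expected-ca"   # an ordinary renewal looks like this
    return "unexpected-issuer"             # an inspecting middlebox looks like this

# Constructed sample data: stand-in bytes instead of real DER, made-up CA names.
HOME_CERT = b"constructed leaf certificate seen at home"
RENEWED_CERT = b"constructed renewed leaf certificate"
PROXY_CERT = b"constructed leaf certificate minted by a middlebox"
BASELINE = {
    "shop.example": {
        "sha256": hashlib.sha256(HOME_CERT).hexdigest(),
        "issuer_orgs": {"Example Public CA"},
    }
}
SAMPLE_ISSUER = (
    (("countryName", "US"),),
    (("organizationName", "Example Public CA"),),
    (("commonName", "Example Public CA R1"),),
)
PROXY_ISSUER = ((("organizationName", "Hotspot Gateway Inspection CA"),),)

if __name__ == "__main__":
    for der, rdns in [(HOME_CERT, SAMPLE_ISSUER), (RENEWED_CERT, SAMPLE_ISSUER), (PROXY_CERT, PROXY_ISSUER)]:
        print(assess("shop.example", der, flatten(rdns), BASELINE))
```

On a live network, pass the result of `fetch_leaf(host)` to `assess`; a verification error from `fetch_leaf` means the presented chain does not lead to any CA the device trusts.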
Are you sure that wireless access point is really being offered by Starbucks, and not by some guy in the parking lot?
Anything done in public should never be considered “private”. Communications that you send over one of these networks, even if you trust it, are subject to various methods of monitoring and intrusion. Is the type of information that you’re sending of a sensitive nature? Perhaps not, but remember that your online identity can be stolen and even hijacked to paint you as someone that you’re not.
This article wasn’t written to instill a false sense of security, nor is it intended to scare you. Rather, it was written to let you know what could happen. I certainly hope that the worst-case scenario won’t happen to you, but now you know that it can, and you can take whatever measures you think are appropriate to protect yourself, your information, and your identity.
“Just remember: just because you aren’t paranoid, doesn’t mean they aren’t out to get you.”
You may think I’m being overly paranoid, and perhaps I am. If you’ve got cellular data that’s reasonably fast available on your smartphone or tablet, you’d probably be safer to use the cellular network than a public WiFi hotspot.
Image Credit: Java Shock