Public Wi-Fi security 101: What makes public Wi-Fi vulnerable to attack and how to stay safe
Authored by a Symantec employee
Nowadays, free public Wi-Fi is widely and readily available in larger cities—airports, restaurants, coffee shops, libraries, public transport, hotel rooms, you name it. Of course, we all know jumping on a free Internet connection can be a convenient way to access online accounts, catch up on work, and check emails while on the go. However, the security risks should not be forgotten. While the best way to protect your information is to avoid accessing sensitive information or performing sensitive transactions when connected to public Wi-Fi, there are additional measures you should be aware of.
According to the 2013 Norton Report, 68% of public and unsecured Wi-Fi users fell victim to cybercrime last year; hence, it’s only smart to take practical measures to keep you and your devices protected.
Why is public Wi-Fi vulnerable to cyber attack?
The average free public Wi-Fi isn’t secure and just because you may need a password to log in, it doesn’t mean your online activities are encrypted.
Various reasons make public Wi-Fi susceptible to attack. One issue has to do with the encryption protocol used by some wireless networks. Another reason has to do with the possibility of joining a rogue Wi-Fi hotspot.
Some wireless networks may use older standards for encryption, which can cause security problems. Wireless Encryption Protocol (WEP), one of the first encryption schemes for wireless networking devices, was found to be weak and easily susceptible to being cracked. Wi-Fi Protected Access (WPA) was intended to replace WEP as the standard for wireless networking devices, but it too was found to have weaknesses. Given their flaws, users are especially at risk when connected to a wireless network that uses these encryption protocols. In fact, tools like Aircrack-ng, available online, are built to perform brute force attacks to crack weak keys on networks using WEP or WPA.
Another issue that can arise when attempting to use free public Wi-Fi is the risk of joining a rogue Wi-Fi hotspot. In such a case, an attacker creates a rogue hotspot with the intent to unleash man-in-the-middle (MITM) attacks on unsuspecting victims that join their rogue network. This type of attack allows an attacker to intercept the communication between you and the servers of the websites you visit, allowing them to read, insert, and modify messages.
With pre-built kits that can perform MITM attacks, even minimally skilled hackers can easily eavesdrop and monitor your online traffic to capture valuable information, such as login credentials, credit card numbers, and social security numbers.
Signs you may be logged on to a rogue Wi-Fi
Devices are known to probe for known Wi-Fi networks, and attackers can use this to their advantage. An attacker’s rogue Wi-Fi hotspot can pretend to act as your home network or as a public network that you might come across at a coffee shop. Instead of connecting to a real public Wi-Fi hotspot, your device ends up connecting to the attacker’s rogue hotspot and now the attacker is sitting between you and the actual Wi-Fi network, so they are able to see your online traffic. Another tactic that can be used is to create a public Wi-Fi network called “Free Wi-Fi” and wait for victims to join. Naturally, lots of people will try to connect, especially if free Internet service is being offered.
If you’re away from home, say at a coffee shop, and all of a sudden your computer shows that you're connected to your home network, chances are someone could have caught your computer’s broadcast request. In some cases, if you’re browsing a website that you know should be encrypted (HTTPS), such as your bank or your favorite social networking site, but the page is rendering in HTTP, then someone might be performing a man-in-the-middle attack and serving you the HTTP version of the site in order to capture your login credentials.
Measures you can take to stay protected on public Wi-Fi
Generally speaking, as a precaution, you shouldn’t engage in any sort of sensitive web browsing, such as accessing your bank account or entering payment details when connected to public Wi-Fi. Consider these additional safety measures to keep your information protected:
- Never use public Wi-Fi networks to access sensitive information. If you need to get online to browse for directions or do something else that is less sensitive, you can do it. But if you’re trying to pay your bills or buy something, it can wait. If it’s a dire situation, or if you regularly use public Wi-Fi, using a Virtual Private Network (VPN) is a must. You can find a variety of trusted VPN services online, but if you want a good service you’ll have to pay. Be sure to choose one from a reputable security provider.
- If you need to use public Wi-Fi to do work and if your company offers VPN access, use it. A VPN creates a private network for you to shuttle information back and forth, adding an extra layer of security to your connection.
- Only browse websites that start with HTTPS and avoid websites that start with HTTP while on public Wi-Fi. Websites that start with HTTPS are encrypted, adding an extra layer of security and making your browsing more secure. If you connect to an unsecured Wi-Fi network, and use regular HTTP instead of HTTPS, your traffic is visible if hackers are snooping around in the network.
- You should also consider installing an extension like HTTPS-Everywhere to force all websites you visit to connect using HTTPS. The one from the Electronic Frontier Foundation is a recommended option.
- Configure the wireless settings on your devices to not automatically connect to available Wi-Fi hotspots. This ensures that you do not unknowingly connect to public networks. You can do this by turning off the “Connect Automatically” feature on your computers so they don’t auto-connect and search for known Wi-Fi networks. Doing this will prevent your computer from broadcasting to the world that it’s trying to connect to “Home Wi-Fi” network and allow an attacker to spoof that.
- Consider using a privacy screen if you must access sensitive information in public areas—hackers are anywhere and they aren’t afraid to use any means necessary to access your information.
- Lastly, treat and protect your mobile devices such as smart phones and tablets with the same precautions you would your laptop or desktop computer when you join a Wi-Fi network.
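To make the auto-connect and weak-encryption advice above checkable, here is an added example (not part of the original article) that audits saved Wi-Fi profiles and flags open networks, WEP, and profiles left on auto-connect. It assumes a Linux laptop using NetworkManager's keyfile profile format; the sample profiles are constructed.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (not real data).
SAMPLE_PROFILES = [
    "[connection]\nid=Home Wi-Fi\ntype=wifi\n[wifi]\nssid=Home Wi-Fi\n"
    "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "[connection]\nid=Free Wi-Fi\ntype=wifi\n[wifi]\nssid=Free Wi-Fi\n",
    "[connection]\nid=Old Cafe\ntype=wifi\nautoconnect=false\n[wifi]\nssid=Old Cafe\n"
    "[wifi-security]\nkey-mgmt=none\n",
    "[connection]\nid=Wired\ntype=ethernet\n",
]

def audit_profile(text):
    """Return (ssid, findings) for a Wi-Fi profile, or None for other types."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
        return None
    # Keyfiles may use the short or the long section names.
    wifi = "wifi" if cp.has_section("wifi") else "802-11-wireless"
    sec = ("wifi-security" if cp.has_section("wifi-security")
           else "802-11-wireless-security")
    ssid = cp.get(wifi, "ssid", fallback=cp.get("connection", "id", fallback="?"))
    # NetworkManager auto-connects unless the profile sets autoconnect=false.
    auto = cp.getboolean("connection", "autoconnect", fallback=True)
    key_mgmt = cp.get(sec, "key-mgmt", fallback=None)  # no security section => open
    findings = []
    if key_mgmt is None:
        findings.append("open network: no encryption")
    elif key_mgmt in ("none", "ieee8021x"):  # NetworkManager's names for WEP modes
        findings.append("WEP: weak encryption")
    if auto:
        findings.append("auto-connect on")
    return ssid, findings

def audit(profiles):
    """Audit every profile and return {ssid: findings} for Wi-Fi profiles only."""
    results = {}
    for text in profiles:
        item = audit_profile(text)
        if item:
            results[item[0]] = item[1]
    return results

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_PROFILES).items():
        print(ssid, "->", findings or ["ok"])
```

On a real machine the same function can be fed the contents of the files under `/etc/NetworkManager/system-connections/` (root is needed to read them); a profile that is both open and on auto-connect is the first one to delete or switch to manual.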
Copyright © 2019 Symantec Corporation. All rights reserved.