It is a warm and sunny afternoon on a weekend. This is a good time to head to a cafe to chill for a bit with a coffee and pastry. It is also perfect for some web surfing using the free Wi-Fi service. The next thing you would need to know is the Wi-Fi access point (i.e. hotspot) and password. Now you are all set and connect to the Internet. For the average user this is fine, but for cybersecurity experts there is a risk to using free Wi-Fi services.
The findings should be a red flag to all users. While some hotspots are secure, many are actually not. Public hotspots may allow users to connect without a password for convenience, but that can also compromise the security of the users. Some Wi-Fi access points, which are the modem/routers, are improperly configured. They allow anyone to access their configuration settings using a web browser without a secure connection. This is very troubling as it can expose users to dangers like data theft.
If you have been to a DEFCON conference you may have heard the term honeypot used in some of the villages. A honeypot is a type of technique used to lure users with malicious intent. To the user it appears legitimate from the outside, but a hacker is operating it on the inside. Honeypots are implemented using both hardware and software, with Wi-Fi hotspots being popular among hackers.
Anyone can put up a device as a Wi-Fi access point. You can use a smartphone as a free hotspot by enabling it in settings. In fact, many mobile workers use this feature on their smartphones to provide their laptops access to the Internet using their telecom provider's 4G LTE network. That provides fast Internet access on the road, where there might not be public Wi-Fi available. Bad actors can provide a free hotspot using this feature as a honeypot.
Most users will fall for a honeypot because it is free. The honeypot will often use the name of the establishment's hotspot or the most likely name people would assume. When users search for available Wi-Fi networks on their devices and see the name, they will often just connect. This is not a very good practice, but this is how the average user connects to a hotspot. Let us say you were at a cafe called ‘Badbucks’. You want to use the free Wi-Fi so you check for the available networks and you see a hotspot named ‘_Badbucks’ and connect. The red flag may not be obvious to some users, but those who recognize it will be better off not connecting.
Someone might think they got lucky connecting to a hotspot without a password. That was actually by design in order to lure in as many users as possible. Once a user connects, they are at the mercy of whoever set up the hotspot. The bad actor can filter user traffic, allowing them to intercept personal information. This can be bad if the connected user was conducting a transaction with a credit card number or transmitting their social security number.
One of the most infamous honeypot implementations is called the Wi-Fi Pineapple. It can be any device that provides access as a hotspot. This is used for MITM (Man-In-The-Middle) attacks, which hijack a user’s connection by redirecting it to a different device. When you attempt to connect to a hotspot, it references the SSID or network name of the device. The SSID is spoofed by the pineapple in order to trick users trying to connect to the real hotspot. If the hotspot users are supposed to connect to is named ‘PublicWiFi’, the pineapple can use the same name in an attempt to get users to connect to it instead. The real hotspot could even be compromised and the pineapple takes its place.
When users have connected to a hotspot before, their device remembers the SSID (unless the user removes it) and will attempt to connect to it the next time it is available. Users are out of luck if they connect to the pineapple instead, which is using the same SSID. The pineapple will still provide the user free Internet, but the contents of the traffic can be captured and filtered. This includes passwords, unencrypted chat messages and the websites the user is visiting. It isn’t easy to spot pineapples, but users should be aware that they exist and always be cautious when connecting to open hotspots.
White hat hackers (the good guys) also use a pineapple, but for legitimate reasons. Pentesters and network security analysts deploy pineapples for testing the security of a network. One thing they test is how easy it is to compromise the network using the pineapple. This reveals the loophole of the Wi-Fi network so that it can be further hardened to prevent anyone from using this trick to exploit users.
The hotspot is just another name for the wireless router that users connect to in order to get Internet access. There are 2 very important pieces of information about the hotspot that users should be aware of.
SSID — This is the name of the hotspot. It is assigned by the owner and it is the name you will see when searching for available Wi-Fi networks. Hackers can spoof the name of the SSID, so be careful when accessing public Wi-Fi. To be sure it is the real SSID, when you connect to the hotspot you will be greeted with a splash page that opens in a web browser.
Security — This is the protocol used to connect to the hotspot. As of this posting WPA2 or a higher version of it is the best security available for connections. It provides a 256-bit key to encrypt connections. If the hotspot only supports WEP or WPA, which are lower version security protocols, it won’t provide the high level of security WPA2 does. Those systems are vulnerable to attacks, so it is not recommended to use those hotspots. If you are using an older device that doesn't support WPA2 or higher, it is time to consider upgrading.
All this information can be found in the device's network settings (Refer to the device's documentation to learn more).
There are measures to keep in mind when connecting to public or free Wi-Fi networks.
- Check if there is a padlock icon or the word ‘secured’ on the Wi-Fi access point connection on your device. An open connection with no password security will not have a padlock icon (Mac users) or in Windows you will be informed by a message that the access point you are connecting to is not secure. For mobile users on iOS and Android, you should also get an indicator about networks without proper security.
- Verify the hotspot. Ask a staff member of the establishment for the name of their hotspot and the password. Hotspots with no password may not be all that secure, so proceed with caution when using open hotspots. That should also warrant suspicion since most things are not free.
- If you are not working from home or at the office, be careful what data you are exposing on public Wi-Fi networks. This is the best time to use a VPN if that is the case. A VPN creates a secure connection through the Internet to prevent MITM and electronic eavesdropping. This creates what is called end-to-end encryption to provide a secure communications link.
- It is probably not a good idea to use a public Wi-Fi network when filing tax returns, purchasing online items with a credit card, sharing passwords with other users by messaging app or other activities that involve sensitive information. You just don’t know if that data is being seen by others when using a public or open hotspot. Perhaps it is ok for typical web surfing, as long as you don’t type in a password or share any personal data. Even if that is the case, it is still no guarantee of security.
- An authentic hotspot from an establishment typically has a splash page that identifies itself. It opens up in a web browser with a secure connection that gives the terms and conditions. It also includes the establishment’s policy and guidelines about their Wi-Fi access to customers. Hackers can still spoof the splash page though, but more likely they won’t provide a splash page because they want users to access with no password.
- Make sure you have an antivirus or computer security software installed. That is the best you can do with having a layer of protection in an open environment like public Wi-Fi networks. With these applications, direct cyberattacks can be detected and thwarted. Make sure you also have anti-spam and anti-phishing features enabled on your e-mail service. The most common form of attack uses e-mail to trick users into clicking links that execute scripts to open up a system to hackers.
- Avoid all public Wi-Fi access. Just use your smartphone as your access device to the Internet whenever necessary. Use Wi-Fi to save on data plan or when there is a weak or no cellular signal available. If you are in an environment where you are not too confident about the hotspot being safe and secure, just use the smartphone’s 3G/4G/LTE network (disable Wi-Fi on device). The smartphone’s mobile hotspot feature can also be enabled to allow your other devices to connect to the Internet. If that is not possible, just wait until you are at a location with better signaling.
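The checks above (confirm the name with staff, look for the padlock, avoid WEP and WPA) can be applied to a list of nearby networks. The following Python sketch is an added example, not part of the original article; the input format, the warning labels and the assumption that staff confirmed a WPA2 network are all made up for illustration.

```python
import re
from collections import defaultdict

# Security labels as a Wi-Fi scanner might report them (assumed format).
WEAK = {"OPEN", "WEP", "WPA"}

def normalize(ssid):
    """Lower-case and drop non-alphanumerics so '_Badbucks' matches 'Badbucks'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())

def audit_scan(networks, verified_ssid, verified_security="WPA2"):
    """Return {(ssid, bssid): [warnings]} for scanned networks.

    networks: list of dicts with 'ssid', 'bssid' and 'security' keys.
    verified_ssid / verified_security: what the staff confirmed (assumption).
    """
    security_by_ssid = defaultdict(set)
    for n in networks:
        security_by_ssid[n["ssid"]].add(n["security"])

    findings = {}
    for n in networks:
        ssid, sec = n["ssid"], n["security"]
        warnings = []
        if sec in WEAK:
            warnings.append("weak-or-no-encryption")
        if ssid != verified_ssid and normalize(ssid) == normalize(verified_ssid):
            warnings.append("lookalike-name")
        if ssid == verified_ssid and sec != verified_security:
            warnings.append("security-mismatch")
        # One name advertised with different security settings suggests a spoofed
        # twin nearby; the genuine access point is flagged too, as a heads-up.
        if len(security_by_ssid[ssid]) > 1:
            warnings.append("same-name-different-security")
        if warnings:
            findings[(ssid, n["bssid"])] = warnings
    return findings

# Constructed sample scan (names taken from the article, addresses invented).
SAMPLE_SCAN = [
    {"ssid": "Badbucks", "bssid": "02:00:00:00:00:01", "security": "WPA2"},
    {"ssid": "_Badbucks", "bssid": "02:00:00:00:00:02", "security": "OPEN"},
    {"ssid": "Badbucks", "bssid": "02:00:00:00:00:03", "security": "OPEN"},
    {"ssid": "PublicWiFi", "bssid": "02:00:00:00:00:04", "security": "WEP"},
]

if __name__ == "__main__":
    for key, warns in audit_scan(SAMPLE_SCAN, "Badbucks").items():
        print(key, warns)
```

A spoofed hotspot that copies both the name and the security setting passes every one of these checks, so a clean result is not proof that the network is genuine.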
Using a public Wi-Fi network is like going out into the water at a public beach. You swim at your own risk and cannot expect there to be a lifeguard at all times. The establishments that offer public Wi-Fi also draft their own limits of liability and unless they can be proven without a doubt to be the reason for any hack that occurs on their network, they are not going to be responsible.
Free and public Wi-Fi access is very likely to be targeted by bad actors. There are unassuming users who may neglect safety over convenience. Free access usually has more appeal to users, and thus to bad actors as well. Considering the risks of using public hotspots, use more secure connections on top of it like a VPN if sharing confidential information.
If you are working with your company’s financial records over an unsecured network connection, think about the risk that poses to data being stolen or tampered with. Once a user connects to a honeypot, there is no turning back once data has been transmitted. People still do it though, perhaps because they think they have no other choice. There is a choice and that is to avoid these networks in favor of more secure connections like the office, mobile network or home Wi-Fi.