Protecting your data from prying eyes while on the move is important and easier than ever
An axiom among network security pros is that you should treat public Wi-Fi hotspots like the cyber equivalent of public bathrooms: a convenience we all use, but only with the requisite hygiene. You wouldn’t share personal items like a toothbrush or razor with others at an office, gym or airport restroom, but too often people broadcast personal information that could be disastrous in the wrong hands over wireless networks where intercepting data is easier than many people realize. In addition, users on public hotspots leave breadcrumbs documenting their every move on the Internet for anyone, including the hotspot operator, to mine through for valuable, and privacy-compromising, insights; a topic I’ll cover in more depth in my next column.
We all know that personal data leaks like a sieve on the Internet writ large, whether through Google’s collection of search history, Facebook’s aggregation of login credentials and activity tracking (using cookies and social plug-ins) on sites far and wide, or other ad networks that track our every move. However, the risk is acute out in the wild, in the world of public hotel, airport, cafe and convention center Wi-Fi. While Google and Facebook collect data that profiles and tailors ads and other promotions to their users, at least their customers (i.e. essentially all of us) generally know what we’re signing up for in the bargain. Out in the wilds of public hotspots, there are no rules.
First off, with public, unencrypted Wi-Fi, you’re never sure who or what you’re really connecting to. We’re all familiar with the rogue access points (APs) using common names like “Linksys” or “Netgear”, but only a rookie would fall for those ruses. However, tools like Hak5’s legendary (at least among cyber security pros) Wi-Fi Pineapple, which exploit convenience features in the Wi-Fi protocol, make it trivially easy to impersonate a given hotspot and intercept all wireless traffic directed to it.
The tl;dr summary is that almost all Wi-Fi devices (your phone, tablet, PC, whatever) broadcast a signal looking for previously accessed networks (SSIDs in network speak). With a positive response, a “yes, I’m the network you’re looking for”, the requesting client automatically connects. Of course, this auto-connection only works if: (a) the network is open with no password or (b) your device has previously saved the correct network password. But for public hotspots like “Denver-Airport”, “Roadside-Inn” or “Tech-Conference-2014” that you’ve previously used, a rogue “yes man” (Jasager in German, hence the name for the core software used in Hak5’s Pineapple) is happy to reply with whatever network name you’re looking for, snaring you into its man-in-the-middle attack. The PC or smartphone appears to be connected to the familiar airport, motel or cafe Wi-Fi, but in actuality, the connection routes through an impersonator collecting all your data before routing traffic on to your intended destination.
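A practical check that follows from condition (a) above, added here as an example and not part of the original column: list the saved Wi-Fi profiles that are both open and set to reconnect automatically, since those are the names a device will rejoin without any password check. It assumes Linux NetworkManager keyfile profiles (normally stored under /etc/NetworkManager/system-connections/); the profile contents below are constructed around the column's example network names.

```python
import configparser

# Constructed sample profiles (NetworkManager keyfile format). SSIDs are the
# column's examples; "HomeNet" and the passphrase are made up for illustration.
SAMPLE_PROFILES = {
    "airport": "[connection]\nid=Denver-Airport\ntype=wifi\n"
               "[wifi]\nssid=Denver-Airport\n",
    "motel": "[connection]\nid=Roadside-Inn\ntype=wifi\nautoconnect=false\n"
             "[wifi]\nssid=Roadside-Inn\n",
    "conference": "[connection]\nid=Tech-Conference-2014\ntype=wifi\n"
                  "[wifi]\nssid=Tech-Conference-2014\n",
    "home": "[connection]\nid=Home\ntype=wifi\n[wifi]\nssid=HomeNet\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\npsk=constructed-passphrase\n",
    "wired": "[connection]\nid=Office\ntype=ethernet\n",
}

WIFI_TYPES = ("wifi", "802-11-wireless")  # current and legacy names
SECURITY_SECTIONS = ("wifi-security", "802-11-wireless-security")


def audit_profile(text):
    """Return (ssid, risky) for a Wi-Fi profile, or None for other types."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in WIFI_TYPES:
        return None
    ssid = (cp.get("wifi", "ssid", fallback=None)
            or cp.get("802-11-wireless", "ssid", fallback=None)
            or cp.get("connection", "id", fallback="?"))
    # Assumption: a profile with no security section is an open network.
    is_open = not any(cp.has_section(s) for s in SECURITY_SECTIONS)
    # NetworkManager auto-connects unless the profile says otherwise.
    autoconnect = cp.getboolean("connection", "autoconnect", fallback=True)
    return ssid, is_open and autoconnect


def risky_ssids(profiles):
    """SSIDs the device would rejoin automatically with no password check."""
    results = (audit_profile(text) for text in profiles.values())
    return sorted(ssid for ssid, risky in filter(None, results) if risky)


if __name__ == "__main__":
    for name in risky_ssids(SAMPLE_PROFILES):
        print("open + auto-connect:", name)
```

Profiles flagged this way can be deleted or have auto-connect turned off so the device no longer rejoins those names on its own.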
This scenario is easily thwarted by using a VPN, an encrypted and authenticated connection to a known network site that scrambles all the data between your device and the Internet before routing it on to the intended destination. Since VPNs are configured to specific, known Internet addresses, not names that are much easier to spoof, and use cryptographically strong protocols to ensure the validity and integrity of the connection, they thwart any Wi-Fi snooping or traffic interception.
Big corporations have been using VPNs for years to secure remote access to internal networks; however, the setup and configuration on PCs and phones is confusing for most people. Although every modern OS has VPN support built in, VPNs impose an added step between you and the Internet, so few people actually use them unless they’re required to access email or company file shares. Convenience trumps security every time, even for ostensible IT experts. When attending a big technology conference and glancing around at my colleagues busily checking their laptops and phones, I continue to be amazed at how many hop on the public Wi-Fi and go straight to the Net without connecting to a trusted VPN.
VPNs are easier than ever to use so the inconvenience argument no longer holds water. Many third-party services like GoldenFrog (VyprVPN), proXPN, Witopia and Norton Hotspot Privacy have applications for PCs and smartphones that insulate users from the messy configuration details. Just enter your username and password and the application figures out the optimal VPN gateway, establishes the connection and even auto-resumes when the device wakes from sleep.
Governments and big corporations can and will continue to vacuum up personal information online; however, that’s no excuse for leaving your door unlocked and windows open for any wannabe hacker, nosy hotel operator or data-hungry coffee shop chain to exploit your activities while using public Wi-Fi. Get in the habit of using a VPN whenever using public Wi-Fi. There are plenty of choices and with practice it will become second nature, like locking your car.
When using public hotspots, hackers setting up rogue networks aren’t the biggest or most common problem. In my next column I’ll explain that the bigger risk to your data privacy is the actual Wi-Fi provider.