Art by Chris Clemente
Culture Spotlight

Beware of hackers: Why connecting to free public WIFI is not always safe

Before you log on or start sharing important files to your heart’s content, it would be best to remember that, in the highly digitized lives we all lead, nothing is really free.
Dominic Ligot | Aug 20 2019

Whenever people enter hotel lobbies or coffee shops, chances are the first thing on their minds is “Is there WiFi here?” (“Are there wall sockets?” is a close second.) If this is true for you, it simply reflects the highly digitized lifestyle you share with the average individual, and an increased dependence on mobile phones, laptops, and the internet. WiFi is now very much a part of our lives. Just this August, the City of Manila deployed free WiFi kiosks (called Iskonek/MNL Konek) which also allow landline calls and phone charging.

 


I won’t deny the convenience of free WiFi but I think it’s also important to realize the risks. Connecting to WiFi is similar to walking into a large room full of people who all pretend not to see each other. Usually this is not a big deal, as most people are not aware of who they share the network with and mind their own business.

On private networks such as in offices, network admins are able to see the users logged in as they monitor internet usage and ensure only authorized people are using the WiFi. On public WiFi, there is rarely any network admin, but occasionally a small set of people are online quietly watching and eavesdropping on the traffic.

Hackers.

Usually all hackers can really do is watch as packets of information go back and forth across the network. Most traffic is encrypted which makes the data of little use to them. But there are times when their patience is justified:

  • When a user accesses a website that is not Secure Sockets Layer (SSL) encrypted (using http only and not https), a hacker will be able to see in plain text the data being transmitted, including usernames, passwords, and pictures.
  • When a user happens to have folders and files shared (usually on an office laptop that enabled file sharing without passwords), a hacker can access these folders and files and copy them.
  • When a user’s laptop happens to have some open ports, usually from running software such as CRM tools, messaging apps (like Viber, WhatsApp), and locally stored websites, a hacker can log onto these apps and download data from them.
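To check your own laptop for the second and third cases before joining a public network, the sketch below (an added example, not part of the original article) reads the output of the Linux command `ss -ltn` and lists the services that are listening on more than the loopback address. The sample output and the port notes are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -ltn` output (Linux); not captured from a real machine.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*
LISTEN 0      50     0.0.0.0:445         0.0.0.0:*
LISTEN 0      511    *:8080              *:*
LISTEN 0      128    [::1]:5432          [::]:*
LISTEN 0      128    192.168.1.23:3000   0.0.0.0:*
"""

# Ports worth calling out by name; 139 and 445 carry Windows/Samba file sharing.
NOTABLE = {139: "file sharing (NetBIOS)", 445: "file sharing (SMB)"}


def is_loopback(addr: str) -> bool:
    """True if the listener is bound only to this machine's loopback address."""
    addr = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and %interface
    if addr == "*":                          # wildcard: every interface
        return False
    return ipaddress.ip_address(addr).is_loopback


def exposed_listeners(ss_output: str):
    """Return (address, port, note) for listeners bound beyond loopback.

    A host firewall may still block these; the list shows what to review.
    """
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                         # header or non-listening row
        addr, _, port = fields[3].rpartition(":")
        if not is_loopback(addr):
            found.append((addr, int(port), NOTABLE.get(int(port), "")))
    return found


if __name__ == "__main__":
    for addr, port, note in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"bound beyond loopback: {addr}:{port} {note}")
```

On a real machine, pass the text produced by `ss -ltn` to `exposed_listeners` in place of the sample.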

As if listening on public WiFi isn’t bad enough, a hacker can also “impersonate” a public WiFi by launching a rogue access point. Using a tampered mobile phone or special devices called “pineapples,” hackers can broadcast a hotspot with a name similar to that of a public WiFi, fooling unsuspecting people into connecting to the fake hotspot instead. Once a user connects, the hacker has near-ultimate control over the traffic that user will receive:

  • A hacker could fool a user’s phone or laptop into loading a fake website stored in the hacker’s machine instead of a legit one. Usually this targets commonly used portals such as Facebook, emails, or popular online banking sites where a hacker can harvest usernames and passwords as the user inputs them into the fake login page.
  • A hacker could force a webpage to load unencrypted and would then be able to see all of the user’s traffic in plain text.

With all of this sordidness, does this mean we should swear off public WiFi? Not necessarily. If public WiFi is unavoidable, here are some ways to mitigate the risks:

  1. Ensure you are connecting to legitimate public WiFi, not a rogue one. Ask the establishment the exact name of their hotspot, and avoid guessing. If you see two or three similar-looking names, be extra vigilant. It may mean a hacker is nearby waiting to lure people into connecting.
  2. Avoid saving a public WiFi hotspot on your device in a way that lets it auto-connect. After connecting, forget the network to avoid auto-connecting again. Temporarily shut off your WiFi transmitter when you’re not using it to avoid surprises.
  3. When on public WiFi, avoid sensitive internet activity such as online banking, and minimize activities that require user logins such as emails and social media. These are the prime target of hackers who want to steal login details.
  4. When browsing, try staying on SSL-secured sites, or URLs that start with “https” not “http.” This ensures that your traffic is encrypted and will be useless to the hacker even if they were able to view it.
  5. Be wary if your social media, email, or online banking session mysteriously logged off. It may mean you are viewing a fake version of the site and the hacker is trying to fool you into re-logging on so they can harvest your data.
  6. Be wary of apps that automatically connect to the internet when you are online, such as messaging apps. Try shutting them down before going online.
  7. Be careful of shared folders and files from your devices, especially office laptops that you use on a public network. Un-share them before going online.
  8. Some special tools to protect the common user are also available, but may need a little study to get the hang of:
     • Virtual Private Network (VPN). This is software that extends a private network (e.g. office or home) even while on public WiFi. VPNs also force encryption of traffic.
     • HTTPS Everywhere. This is a browser extension that forces the page you access to load using SSL-secured https if available.
     • Brave Browser. This is a browser incorporating a number of security features such as forced https, ad blockers, anonymous browsing, and also DuckDuckGo search, which does not store your browser data history.
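Tip 1 can be turned into a quick check over the list of networks your device sees. The sketch below is an added example, not part of the original article; the hotspot name `CafeLuna_Guest`, the hardware addresses and the security labels are all made up. It compares each visible network with the name and security type the establishment gave you.

```python
import unicodedata

# Constructed scan results: (SSID, BSSID, security). All values are made up.
SCAN = [
    ("CafeLuna_Guest", "aa:bb:cc:00:00:01", "WPA2"),
    ("CafeLuna_Guest", "aa:bb:cc:00:00:02", "WPA2"),  # second access point
    ("CafeLuna_Guest", "de:ad:be:00:00:09", "OPEN"),  # same name, no encryption
    ("CafeLuna-Guest", "de:ad:be:00:00:0a", "OPEN"),  # punctuation differs
    ("CafeLuna_Gue5t", "de:ad:be:00:00:0b", "OPEN"),  # digit in place of a letter
    ("CafeLuna_Guest2", "de:ad:be:00:00:0c", "OPEN"),  # one extra character
    ("HomeNet-5G", "11:22:33:00:00:01", "WPA2"),      # unrelated neighbour
]

# Digits commonly swapped for letters so a name looks the same at a glance.
LOOKALIKES = str.maketrans("0135", "oles")


def skeleton(ssid: str) -> str:
    """Fold case, width, punctuation and digit swaps so near-copies compare equal."""
    folded = unicodedata.normalize("NFKC", ssid).casefold().translate(LOOKALIKES)
    return "".join(ch for ch in folded if ch.isalnum())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious(expected_ssid, expected_security, scan):
    """Return (ssid, bssid, reason) for entries worth asking the staff about."""
    want = skeleton(expected_ssid)
    flagged = []
    for ssid, bssid, security in scan:
        if ssid == expected_ssid:
            # Several access points with one name is normal; a different
            # security setting under the same name is not.
            if security != expected_security:
                flagged.append((ssid, bssid, "same name, different security"))
        elif edit_distance(skeleton(ssid), want) <= 1:
            flagged.append((ssid, bssid, "lookalike name"))
    return flagged
```

A rogue hotspot that copies both the name and the security type exactly will pass this check, which is why the other tips in this list still apply.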

While not foolproof, these tips at least elevate the security of a user’s device, and users can still access public WiFi safely as long as they are careful about the risks.

Meanwhile, as with many things in life, whenever you find something “free” there’s usually a catch. As the saying goes: There is no such thing as a free lunch. And if you’re not paying for a product… You are the product.

 

Dominic Ligot is a data analyst, software developer, entrepreneur and technologist. He is a founding board member of the Analytics Association of the Philippines where he is an active advocate for data literacy and data ethics. He previously held executive roles in IT and banking that included roles in governance, risk management, fraud, surveillance, and cybersecurity.