Public Wi-Fi is available almost everywhere and has made our lives a little easier, but it also poses security risks to any work or personal data on our laptops and smartphones. The biggest threat with free unsecured Wi-Fi is the ability of hackers to position themselves between you and the connection point.
Open Wi-Fi Access
According to a recent survey by Purple Wi-Fi, over 90% of businesses currently offer open Wi-Fi access. This is not secure. Wi-Fi filtering and encryption secure your wireless internet. Without them, you are leaving your device open to online threats like viruses, malware, data snoops, and hackers. Understanding the risks of public Wi-Fi may help prevent you from falling victim to an attack.
Real Examples of Public Wi-Fi Hacked
Open public Wi-Fi is a double-edged sword. What can serve as a lifesaver for an international tourist or someone with a limited data plan also functions as a hacker’s paradise. While many users are aware of the risks involved in open Wi-Fi, many choose to accept those risks, not considering the true consequences of having their financial and personal data stolen. The fact is that public Wi-Fi puts everyone connected to it in a highly vulnerable position, because hacking these open networks is, well… easy.
How easy is it to hack an open Wi-Fi?
Earlier this year in England, an 86-year-old man named Alec Daniels, with very little knowledge or experience with computers, was able to hack a public Wi-Fi hotspot in less than 17 minutes in a controlled experiment organized by the Spanish bank Santander. The experiment was part of a concerted effort to discourage the bank's customers from using public Wi-Fi. According to the bank’s own research, 41% of its customer base claimed to regularly use public Wi-Fi to carry out financial transactions on their mobile phones, and 10% claimed to log on to unsecured Wi-Fi networks several times a day. To further its efforts, the bank started the Santander Scam Avoidance School to educate senior citizens on how easy it is for hackers to steal data from those who use public Wi-Fi. Alec Daniels was its first graduate and was chosen for the experiment.
Within 17 minutes, Daniels was able to create a mock phishing email and set up a rogue access point to conduct man-in-the-middle attacks on those connected to the targeted hotspot. Daniels was able to intercept traffic from at least one unsuspecting person immediately afterward.
Wi-Fi Experiment on a mass scale
While the experiment conducted by Santander involved only a small sample size, an experiment conducted by the cybersecurity company Avast showed just how indifferent people are to the danger of public Wi-Fi. The company set up rogue hotspots at the U.S. Republican National Convention in Cleveland, Ohio in 2016. They set up these mock Wi-Fi networks throughout the arena hosting the convention as well as the city’s airport. They broadcast SSIDs such as “I Vote Trump Free Internet”, “I Vote Hillary Free Internet”, “XfinityWi-Fi” and “Google Starbucks.” The fact that so many people connected to the Clinton-related Wi-Fi network shows how many users completely overlook what networks their devices are connecting to and show little regard for where these networks originate. Avast was able to witness gigabytes of data that included email and instant messaging as well as shopping and financial transactions.
A hacker takes over an entire city’s Wi-Fi system
Back in 2014, an ethical hacker was able to hack into Tel Aviv’s free public Wi-Fi, from which he could have obtained the usernames, passwords, pictures and sensitive information of almost anyone using the system. The Israeli hacker, Amihai Neiderman, spent three evenings after work targeting the public Wi-Fi system. After discovering a new public Wi-Fi offering named “Free_TLV”, Neiderman connected to it and then obtained the public IP address of the router involved by simply going to http://whatismyip.com. Once he had the public IP, he went home and began assaulting the router on an open port he discovered. He was then able to determine the manufacturer of the router after finding that the administration interfaces were online. Lastly, he found a known exploit in the outdated firmware installed on the router that could have allowed him to connect to the router and manage it. He then reported his findings to the firm managing the network, which quickly fixed the vulnerability.
A hotel Wi-Fi is hacked live on TV
What is one of the first things you do in a hotel once you have unpacked your bags? Check out the hotel Wi-Fi, of course. Naturally, you look for an SSID that emulates the name of the hotel and determine that it must be safe. Or is it? Cybersecurity expert Jim Stickley appeared on Today, a popular U.S. TV morning show, to show just how vulnerable hotel guests are with their mobile devices. The live demonstration took place at the Grand Fiesta Americana Hotel in Cancun, Mexico. The hotel’s Wi-Fi network was called “Fiesta Rewards”, so Stickley set up his own wireless network called “Fiesta Rewards Pool” to lure unsuspecting guests who would assume that the signal belonged to the hotel. Guests by the pool were drawn to the SSID due to its stronger signal, as Stickley’s rogue access point was located under his poolside lounge chair. The Today Show had several guests go to various sites in order to test Stickley’s ability to monitor them, which he was able to do in real time, live on TV. During the staged event, numerous guests connected to the fake network.
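For a venue that operates its own Wi-Fi, the lookalike-SSID trick described above is something a periodic site survey can catch. The following is an added example, not part of the original article: it compares scan results against an inventory of the venue's own access points and flags beacons that reuse or imitate its network name. The inventory, BSSIDs, signal values and the 0.8 similarity threshold are all constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed inventory: SSID -> BSSIDs of the access points the venue operates.
AUTHORIZED = {"Fiesta Rewards": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}}

# Constructed scan results (ssid, bssid, signal in dBm), as a site survey might record.
SCAN = [
    ("Fiesta Rewards", "02:00:00:aa:00:01", -61),
    ("Fiesta Rewards Pool", "02:00:00:bb:00:09", -38),
    ("Fiesta Rewards", "02:00:00:cc:00:07", -45),
    ("fiesta-rewards", "02:00:00:dd:00:03", -70),
    ("CoffeeShop Guest", "02:00:00:ee:00:04", -72),
]

def normalize(ssid):
    """Lower-case and drop punctuation/spaces so cosmetic variants compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())

def classify(ssid, bssid, authorized=AUTHORIZED, threshold=0.8):
    """Return 'authorized', 'evil_twin', 'lookalike' or 'unrelated' for one beacon."""
    bssid = bssid.lower()
    if ssid in authorized:
        # Same name as ours: legitimate only if the radio is in our inventory.
        return "authorized" if bssid in authorized[ssid] else "evil_twin"
    probe = normalize(ssid)
    for known in authorized:
        base = normalize(known)
        # A lookalike either embeds the real name or is a near-identical spelling.
        if base in probe or SequenceMatcher(None, base, probe).ratio() >= threshold:
            return "lookalike"
    return "unrelated"

def audit(scan, authorized=AUTHORIZED):
    """List suspicious beacons, strongest signal first (closest to the surveyor)."""
    findings = [(ssid, bssid, dbm, classify(ssid, bssid, authorized))
                for ssid, bssid, dbm in scan]
    suspicious = [f for f in findings if f[3] in ("evil_twin", "lookalike")]
    return sorted(suspicious, key=lambda f: f[2], reverse=True)

if __name__ == "__main__":
    for ssid, bssid, dbm, verdict in audit(SCAN):
        print(f"{verdict:10} {ssid!r:24} {bssid} {dbm} dBm")
```

A BSSID can be copied by a rogue device, so an "authorized" verdict only means the beacon matches the inventory; it does not prove the radio is the venue's own.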
Even Legitimate Wi-Fi is risky
Last year in Buenos Aires, visitors to a local Starbucks found themselves victims of a crypto mining operation unbeknownst to them. A ten-second delay was foisted upon anyone connecting to the coffee shop’s free Wi-Fi as their device’s CPU power was used to mine Monero, a popular cryptocurrency. After an investigation, it was discovered that the internet provider was using embedded JavaScript code to snare its mining victims. Starbucks forced the provider to discontinue the inappropriate practice.
An open unfiltered Wi-Fi network is an invitation to attack your users, data, privacy and data integrity. A successful attack could result in:
• Total loss of customer data privacy
• Total loss of customer data integrity
• Total loss of customer data confidentiality
• In some parts of the world, it's illegal to not protect your customers' data
• The company networks can be attacked by anyone using that network
• Serious brand reputation and resulting costs and implications
• Potential litigation
Advice if offering public Wi-Fi
TitanHQ recommends the following for businesses offering free Wi-Fi:
- Mitigate against all risk as a public Wi-Fi provider.
- Provide a splash screen prior to login explaining what the customer is signing up to.
- Ask users to register and accept terms and conditions.
- Ensure the customer’s data is stored by a reputable provider in line with your country’s regulations.
- Proactively engage in the filtering of internet traffic, to block file-sharing traffic or traffic to pornographic or suspicious websites.