Staying Safe at Wi-Fi Hotspots

by VPNHaus | 03/10/2016

Wi-Fi hotspots in coffee shops, hotels, railway stations and airports have become a welcome resource for business travelers, providing them with a convenient means to carry on working while on the move. Employers, in turn, are increasingly happy to embrace the accompanying productivity benefits. Over 80% of enterprises now allow employees to use personal devices to connect to corporate networks.

Yet public Wi-Fi has a dubious security reputation. Even with password protection, public hotspots are an open invitation for anyone with illicit intentions to snoop and intercept data communications to their heart’s content.

In spite of the dangers, most people seem to be willing to take the risk. When, in 2015, Intel Security asked 2,000 consumers about their connection habits while traveling, 38 percent said they were happy to use unsecured Wi-Fi. Of equal concern was that just under half the respondents admitted they were not sure how to secure themselves. The fact that this was a consumer survey matters little.

Thanks to BYOD, mobile technology today leads a double life – mixing business and personal communications and interactions. There’s no reason to think that the knowledge or habits of the average business executive are any different from those of the average consumer. Only their employer’s policies and mobile security precautions separate the two.

This is borne out by an experiment Avast Software carried out on delegates attending this year’s Mobile World Congress. Researchers set up three open Wi-Fi networks near the exhibition entrance. In just four hours, more than 2,000 users connected to these hotspots based solely on their name (SSID), abandoning all security practices for the sake of free Internet access. Details about each connecting device were visible, as was the user’s identity in 63.5% of all the traffic.

The ability to tell the difference between a genuine hotspot and one set up with malicious intent is key. A malign hotspot, also known as an “evil twin,” is planted by hackers with the express purpose of carrying out spoofing attacks. The DNS is manipulated so that it feeds the user fake copies of popular branded login screens. Without some way to tell whether a hotspot is genuine, it can be very easy to fall prey to such subterfuges.

Even a seemingly innocent Wi-Fi hotspot carries risks. For example, a journalist writing about the privacy standoff between Apple and the FBI connected to an in-flight Internet hotspot to send and answer emails as part of his research. To his surprise, a fellow passenger approached him at the end of the flight and admitted to reading all of his “private” communications during the journey. The hotspot provider’s advice afterwards was for anyone sending sensitive information over any public Wi-Fi network to use a virtual private network (VPN) to protect their data.

Full and proper precautions against possible threats at public hotspots include a personal firewall and a Secure Sockets Layer (SSL) browser connection as well as the use of a VPN. The first step is to have a properly configured personal firewall on the end device that restricts network communication on public hotspots so that it is only possible to communicate via VPN. On a Windows device, for example, configuration should encompass turning off folder sharing and network discovery, and enforcing encryption for file sharing transfers.

A second step is to ensure that the browser connection for any e-commerce transaction uses encrypted HTTPS. Consequently, even on open Wi-Fi hotspots, nothing is exchanged in the clear. Even if the Wi-Fi network itself is not encrypted, at least the website connection stays secure at the transport layer. The HTTPS Everywhere plug-in for Chrome, Firefox or Opera ensures the browser maintains the HTTPS connection even if the end user then moves on to surf sub-domains that do not have the same level of security.

Step three is to use a third-party VPN. Working together, a properly configured personal firewall and VPN will safeguard confidential information, protect both sent and received traffic and shield the endpoint device from attacks at a Wi-Fi hotspot.
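The Windows settings named in the first step can be applied and then audited from an elevated PowerShell prompt. The script below is an added example, not code from the original post or from any VPN vendor. It assumes an English-language Windows 10/11 device, an adapter alias of `Wi-Fi`, and reads "enforcing encryption for file sharing transfers" as SMB encryption; the two function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumptions: English-language
# Windows 10/11, adapter alias 'Wi-Fi', built-in NetSecurity/SmbShare modules.
param([string]$InterfaceAlias = 'Wi-Fi')

$groups = 'File and Printer Sharing', 'Network Discovery'   # English display names

# Rules from the sharing/discovery groups that are enabled and can match on
# the Public profile (Profile 'Any' or a set that includes 'Public').
function Get-PublicSharingRule {                 # hypothetical helper name
    foreach ($g in $groups) {
        Get-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and "$($_.Profile)" -match 'Public|Any' }
    }
}

# 1. Classify the hotspot as Public so the strictest firewall profile applies.
Set-NetConnectionProfile -InterfaceAlias $InterfaceAlias -NetworkCategory Public

# 2. Public profile: firewall on, unsolicited inbound traffic dropped.
Set-NetFirewallProfile -Profile Public -Enabled True -DefaultInboundAction Block

# 3. Folder sharing and network discovery off. A rule scoped 'Private, Public'
#    is disabled for both profiles; rules scoped to Domain only are untouched.
Get-PublicSharingRule | Disable-NetFirewallRule

# 4. Assumption: "enforcing encryption for file sharing" is read here as SMB
#    encryption on this machine's shares, refusing unencrypted clients.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# Audit: report the resulting state so drift can be checked later.
function Get-HotspotHardeningStatus {            # hypothetical helper name
    $fw = Get-NetFirewallProfile -Profile Public
    [pscustomobject]@{
        NetworkCategory    = (Get-NetConnectionProfile -InterfaceAlias $InterfaceAlias).NetworkCategory
        PublicFirewallOn   = $fw.Enabled
        DefaultInbound     = $fw.DefaultInboundAction
        SharingRulesActive = @(Get-PublicSharingRule).Count
        SmbEncryptData     = (Get-SmbServerConfiguration).EncryptData
    }
}
Get-HotspotHardeningStatus
```

The script covers only the inbound and sharing settings; restricting outbound traffic so that the device can communicate solely through the VPN is left to the VPN client's own firewall and is not attempted here.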

A VPN and a personal firewall can go a long way to mitigate Wi-Fi hotspot risks, but company data and networks are even better protected when the following additional measures are implemented:

  • Friendly network detection – IT departments can enable a personal firewall to automatically differentiate between secure, or “friendly,” networks and unsecured public networks

  • Secure hotspot logon – some VPN clients will go further and open a restricted browser window so that the firewall only permits access for this specific browser, ignoring any configured proxy and blocking all other network traffic

  • Endpoint protection – the VPN automatically performs a health check on the device before allowing a connection

In summary, open Wi-Fi is risky and there are certain web services, such as online banking, that are never advisable to access over an open connection – even if they do have HTTPS. But a well-secured Internet connection has many layers, and with the right precautions open Wi-Fi hotspots are a perfectly safe short-stop option for busy business executives.