Secure or Not Secure?
Public Wi-Fi: Part 1 (An Overview)
Whether working from a hotel or the café down the street, we’ve all been in situations where the only way to be productive is via a public Wi-Fi connection. That small, locally owned café might have the best espresso and ambiance, but have they kept their wireless access point up to date on patches? While they are very convenient, public Wi-Fi networks carry significant risks of which everyone should be aware.
Public wireless access points come in a variety of configurations and security postures. Below are a few points to consider. The answers to each of these will substantially influence how trustworthy this particular access point is and what precautions should be taken, if any.
- We know that public Wi-Fi and its access points come with a variety of configurations and security. Recently, The Knowledge Center discussed encryption, but how does encryption affect public wireless access points? For our purposes, encryption, at its most basic level, is the encoding of a data transmission between two points. For example, your PC may encode a data transmission sent between your computer and, say, a switch on your network. When we refer to network level encryption, this indicates a standard for the amount of information encrypted in a transmission. So, while it’s possible that once your machine is inside a network, network level encryption could be enforced, the point of access may not be. This means that the information submitted wirelessly between your computer and the point of entry is vulnerable to being intercepted. It’s kind of like going into a high security bank but having to cross a street full of pickpockets to get in there.
- Are the access points centrally maintained and secured? If so, how? Even when network layer encryption is enabled, there are still risks. Is the access point using older WEP-based encryption which can be broken in under a few hours with a typical PC computer? These days, most access points use WPA2 encryption which is much better, but you should still be on the lookout for access points that use WEP and treat them as if they are unencrypted.
- Does the network require an email or registration portal and, if so, does this portal provide network encryption? In regard to the network portals, it seems that almost all public wireless access points these days want you to provide them with an email address and, occasionally, a password or even a credit card number. Never enter any information into one of these portals that you would not share with a random company, as it is possible, under most circumstances, for an attacker to impersonate one of these portals. Even if the access point provides strong network level encryption, an attacker can setup a man-in-the-middle access point to impersonate the legitimate one and overwhelm it using a stronger antenna. Does the access point you are using seem sluggish with lots of network errors? It might not be a poor configuration, but instead, you might be under attack!
In summary, public Wi-Fi access points are a reality for most of us who travel for work or work remotely. However, it is important to be aware of the risks present and make sure you do everything possible to mitigate them. While there is no way to know for certain, try to use access points that are centrally managed and, thus, probably better secured and patched. Most wireless attacks require the intruder to physically visit the area of the access point to launch the attack. In the case of older, unpatched access points, intruders can remotely take over the access point using publicly patched security vulnerabilities and then put your computer and data at risk from anywhere across the globe.
Listen to last week’s podcast, “Payment Processing: The e-Payment Roadmap,” here.
Take a sneak peek at our next blog article, “Secure or Not Secure: Public Wi-fi (Part 2, ePayments)”, here.
Explore The Knowledge Center library here.