WOOF! Newsletter

June 03, 2015

Are Coffee Shop Wi-Fi Connections Safe for Work? Umm, No.

Using free Wi-Fi at the coffee shop, hotels & airport is convenient. It's also a huge security risk. You could have data stolen right off your computer in a matter of minutes, and you'd never know it. These are the dangers lurking on public Wi-Fi networks, and how you can protect yourself.
We’ve all gone to our favorite coffee shop and seen dozens of laptops on tables. People of all ages stopping in for a hot drink and free Wi-Fi. Easy way to do some work, right?

Not so fast. While public Wi-Fi networks like these are useful and convenient, they’re not a safe way to work online.

Recently, a PlanetMagpie customer learned this the hard way. A hacker was able to steal check images off her laptop while connected to a cafe’s Wi-Fi. The hacker used these images to create & cash fake checks in person at a bank in LA. Within a week they’d stolen over $5,000 from her company.

Public Wi-Fi Uses Low-Grade Security – or None at All

This happens due to the way most public Wi-Fi networks are setup. Airports, coffee shops, hotels … when they offer “free Wi-Fi” they want guests to use it hassle-free.

So they configure their Wi-Fi to use low security – for instance, one simple password for everyone. And then post it someplace where everyone can see it.

If they use a password on the Wi-Fi at all!

While this makes for convenient Internet access, it also creates a massive security risk.

Marc Goodman, author of "Future Crimes," recently wrote an article on 5 dangers of the Digital Age. #3 talks specifically about the risks to your privacy in coffee shops.

"As you sit there sipping your overpriced latte and cruising the public WiFi, all other users on the network can see what you are doing, from your iTunes playlists to the sites you visit."

How’s this possible? Again, it’s due to public Wi-Fi setup. Every "free Wi-Fi" location is its own mini-network. Unless specially configured, every computer can see & track what else is on that network – including you.

Those other computers are just one of many more dangers lurking around coffee shops, hotels and other public Wi-Fi networks.

Phony Networks, Spies & Cyber-Eavesdroppers: What Else Threatens Your Privacy on Public Wi-Fi

The Man in the Middle: First up is the "Man-in-the-Middle Attack". This attack occurs when someone eavesdrops on your communications online. By inserting themselves between you and the Web – when you’re on an unencrypted Wi-Fi connection – they can spy on what you’re doing. They can even send you fake versions of webpages (e.g. Twitter, Facebook) and collect the data you send them.

Hotel Routers Vulnerable to Break-In: All the business travelers reading, listen up. In late March, a security flaw was discovered in InnGate routers. These routers are commonly used in hotels to provide guests with free Wi-Fi.
Flaw in common hotel router threatens guests’ devices – NetworkWorld.com

An attacker could use this flaw to break into the routers, and gain access to every computer connected to the Web through them. Then they can plant malware on your computer, steal your data, etc.

A patch does exist, but there’s no guarantee hotels will implement it. And that’s just one flaw a research firm caught. There are others.

Phony Networks: Has this ever happened to you?

You’re at a coffee shop where the sign says, "Free WiFi: XYZ COFFEE". You boot up your laptop and see a list of Wi-Fi networks. There’s "XYZ COFFEE" with 3 bars. But right below it is another network, "XYZ COFFEE FREE WIFI" – and it has 5 bars. That must be the network they mean...right?

This is an example of a Phony Network – where an attacker will set up a fake Wi-Fi network in the same area as an official one, and name it something very similar. Often it has a stronger signal too (the strongest Wi-Fi signal is most often connected to).

Any computer which connects to this phony Wi-Fi is completely open to the attacker. If you clicked on “XYZ COFFEE FREE WIFI” instead, the attacker can now steal all your files, emails & personal data.

An October 2014 article on Medium.com illustrates how a hacker can do this anywhere there’s public Wi-Fi, and what they can get from it. Anything from your email address to your credit card. It only took the subject hacker 20 minutes. Worse still, the hacker was asked how difficult setting up a phony network & harvesting data was.

"All you need is 70 Euros [$78.26], an average IQ, and a little patience."

Public Wi-Fi dangers are now so prevalent that software is in development for detecting & blocking phony Wi-Fi networks. It’s expected early next year.
Software Detects Fake Mobile, Wi-Fi Networks – NetworkWorld

Every "Free" Wi-Fi Network Carries These Risks. Always Protect Yourself.

A 2013 report from Risk Based Security, Inc. (PDF) showed hacking as the #1 type of data breach. Of 2164 incidents recorded, 1293 were hackers stealing over 592 million data records. (In this case a “data record” is a discrete item of data – a single email address, username, file, etc.)

And these are just the hacking incidents people reported. Most people aren’t even aware they’ve been hacked.

The next time you’re at the airport, in a hotel or your local Starbucks, remember – if there’s free Wi-Fi available, you’re potentially exposed to cyber-attackers.

How to Protect Yourself on a Public Wi-Fi Network

If you HAVE to use a public Wi-Fi network, do the following:
  1. Ask the business running it to confirm the details. You want to know the correct Wi-Fi name, whether it’s secured, and what the right password is. Ask a manager if necessary. It only takes a moment.
  2. Don’t send sensitive work material by email. Wait until you get back to the office.
  3. Regular Web browsing is OK on public Wi-Fi, but don’t do any of the following:
    • Banking (use your phone’s 3G/4G or wait until you get home)
    • Logging into member-only websites or corporate intranets
    • Accessing database servers
  4. Make sure you have enabled your computer’s firewall policy for Public networks
  5. When logging on to Public networks, never click on the verification icon for work or home networks. Always choose Public.
Better yet, we recommend these safer methods of getting an internet connection:
  1. Use your phone as a Wi-Fi hotspot instead. Maybe you do this already – if so, keep it up, it’s a good security practice.
    1. From Fast Company: "David Reischer, legal analyst and chief operations officer at LegalAdvice.com, says he instructs traveling employees to never connect to the Microsoft Exchange server at airports, coffee shops, and hotels. Ryan says he always jumps through his cell-phone network for a secure connection, using its hotspot capabilities."
  2. Get a standalone Wi-Fi hotspot. Every major ISP has hotspot devices available. Here's a list of recommended hotspots from PCMag.com.

  3. Buy a laptop or tablet with a built-in Wi-Fi hotspot. Dell has a Venue hybrid laptop/tablet with Mobile Broadband built in.

  4. Use a VPN. A VPN is essentially a secure tunnel between your computer and your office network. Using one means your business’ security protects you, wherever you are. It’s a great protection mechanism. Ask your IT department for a VPN connection.
Fortunately, by following some precautions like we’ve just described, you can stop those attackers from getting near your computer. Keeping your work files safe from spying eyes. Even in the coffee shop.

Related Articles:

How To Avoid Data Theft When Using Public Wi-Fi – Forbes (3-4-2014)
Staying Safe on Public Wi-Fi – CNET (8-20-2014)
Maybe Better If You Don’t Read This Story on Public WiFi – Medium.com (10-14-2014)