Wi-Fi hotspots are wonderfully convenient, even for hackers; follow these tips to stay safe
The convenience, ease of use, and speed of wireless connectivity have made publicly accessible Wi-Fi networks a basic requirement for working professionals. The odd thing is that these same responsible professionals -- and the companies that employ them -- make so little of the risks of public networks. The vast majority of wireless connections remain unencrypted, and any malicious person within earshot can “sniff” the wireless signal, gaining access to information ranging from confidential company data to financial transactions.
Why are public Wi-Fi networks so insecure? Unfortunately, the first answer to this question is often the following: the network administrator. The second answer: the users.
On public Wi-Fi networks, every user uses the same encryption key, laying their personal device open to others. Ideally, each person would have a unique encryption key, but this makes the network more complex to use and more difficult to run. And, frankly, the priority of many hotspot administrators is to minimize the number of calls to the support desk. This keeps workloads manageable and users satisfied, but it also means the network is far too open and easy to access.
With the number of public Wi-Fi networks increasing and the number of mobile data transfers keeping pace, the use of public Wi-Fi is a significant and growing security risk. As the number of hotspots and mobile users continues to expand, attacks will increasingly compromise email accounts, passwords, Social Security numbers, and credit cardholder data. Hackers will eavesdrop on communications, steal corporate information, gain access to banking accounts, and infect IT systems with malware.
What precautions can users take to help secure their use of public Wi-Fi networks? Here are five tips for using these networks safely.
1. Implement a VPN
A common step is to implement a VPN capability for all your users. The VPN establishes an encrypted tunnel through which they can not only access company information, but also surf the Internet and engage in personal business. Offering a series of controls to protect both the system and its traffic, the VPN requires an app on each device to encrypt the connection from end to end. However, this also makes it more time-consuming and complex to use and to run.
Because of its inconvenience, many users continue to check Facebook, read the news, and carry out their other personal Internet business without going through the VPN. This is a mistake. As long as they are online, users are exposing their device to hackers on the public Wi-Fi network. If a hacker can get into a machine, they can see every sensitive file, even if it is not open at the time.
2. Use two-factor authentication
Two-factor authentication identifies users with a two-step process, combining components from the system and a knowledge factor provided by the user. For example, such security systems are set up in conjunction with a token account to provide a password. With these extra steps (which take only a few seconds), most illicit actors can be blocked from the system. If accessing company email and other systems requires two factors, then even if a bad guy sniffs a user’s password, the password alone won’t provide access to the company system.
3. Beware Open SSID
One of the hidden challenges of mobile networks is that once a device has joined a specific network, it will jump back onto that network whenever the user is within range. To prevent this, users should turn off network discovery options like “Remember networks this computer has joined,” or get into the habit of deleting the network’s SSID profile after each session. This way, users can’t be coaxed into accidentally accessing a network with a similar name. For example, an iPhone will automatically hop onto any network called “AT&T.” Similarly, many notebooks are set up to advertise their internal SSIDs -- which is why you can walk down a hotel hall and see the hard drive in every room.
In a perfect world, operators of hotspots and guest networks would stop using Open SSIDs. In the meantime, it’s important for users to keep their mobile devices from blindly hopping on networks advertising those SSIDs -- and to stop advertising their own SSIDs. Whenever a device is used on a public network, sharing should be off and the firewall should be on.
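One way to audit a laptop for the remembered-network problem described in this tip, as an added example that is not part of the original article. It assumes a Linux machine whose saved Wi-Fi profiles are NetworkManager keyfiles (normally under /etc/NetworkManager/system-connections/); the sample profiles and SSID names are constructed.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (not from the article).
SAMPLE_PROFILES = {
    "hotel.nmconnection": "[connection]\nid=Hotel Guest\ntype=wifi\n\n"
                          "[wifi]\nssid=Hotel Guest\n",
    "cafe.nmconnection": "[connection]\nid=Cafe\ntype=wifi\nautoconnect=false\n\n"
                         "[wifi]\nssid=Cafe Free WiFi\n",
    "office.nmconnection": "[connection]\nid=Office\ntype=wifi\n\n"
                           "[wifi]\nssid=Office\n\n"
                           "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "dock.nmconnection": "[connection]\nid=Dock\ntype=ethernet\n",
}


def parse_profile(text):
    """Return (ssid, is_open, autoconnect), or None if this is not a Wi-Fi profile."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
        return None
    # Older profiles use the long section names; accept both spellings.
    wifi = "wifi" if cp.has_section("wifi") else "802-11-wireless"
    ssid = cp.get(wifi, "ssid", fallback=cp.get("connection", "id", fallback="?"))
    # A profile without a security section joins the network with no encryption.
    is_open = not (cp.has_section("wifi-security")
                   or cp.has_section("802-11-wireless-security"))
    # NetworkManager auto-joins a saved network unless autoconnect=false is set.
    autoconnect = cp.getboolean("connection", "autoconnect", fallback=True)
    return ssid, is_open, autoconnect


def risky_profiles(profiles):
    """SSIDs of saved open networks the device will rejoin on its own."""
    risky = []
    for _, text in sorted(profiles.items()):
        parsed = parse_profile(text)
        if parsed and parsed[1] and parsed[2]:
            risky.append(parsed[0])
    return risky


if __name__ == "__main__":
    for ssid in risky_profiles(SAMPLE_PROFILES):
        print(f"open + auto-join: {ssid!r} -> delete the profile or disable auto-join")
```

Any SSID it reports is a name the device will join automatically wherever an access point advertises it, which is the behavior this tip tells users to turn off.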
4. Verify the network
Before going online, each user should verify that the network is the provider’s official system. Don’t assume the strongest signal is coming from the trusted network. If there’s any doubt about the proper SSID, ask. This helps prevent a man-in-the-middle attack, where a rogue access point may capture everything the user does. Sometimes scammers even demand a fake fee for access, thus acquiring both credit card information and a payment.
The safest way to “verify” a network is to establish a secure VPN back to a known location (such as an office or a home) and tunnel all your traffic through it. If the VPN tunnel can be established, then you’re likely on a safe network. This is the best practice anyway.
5. Avoid logging in
When on a public network, users should ideally browse only websites that do not require login credentials. However, if they need to log in -- for example, to access personal email -- it is best to go to websites that support the HTTPS protocol, which encrypts the communications between website and browser. Note that images may still be distributed via HTTP since links are not typically encrypted.
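The note about images arriving over HTTP can be checked for any page you depend on. The following added example (not part of the original article) lists the subresources an HTTPS page would fetch over plain HTTP, where anyone on the same Wi-Fi network can read them; the page URL, hostnames, and HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute causes the browser to fetch a subresource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src",
               "audio": "src", "video": "src", "source": "src"}

# Constructed sample page (not from the article).
PAGE_URL = "https://mail.example.test/inbox"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <script src="http://ads.example.test/t.js"></script>
</head><body>
  <img src="http://static.example.test/logo.png">
  <img src="//cdn.example.test/avatar.png">
  <img src="/img/banner.png">
  <a href="http://news.example.test/">plain link, not a subresource</a>
</body></html>
"""


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = FETCH_ATTRS.get(tag)
        # <link> only fetches content for stylesheets; rel=canonical etc. do not.
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            attr = "href"
        value = attrs.get(attr) if attr else None
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        absolute = urljoin(self.page_url, value)
        if urlparse(absolute).scheme == "http":
            self.insecure.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Return (tag, url) pairs that an HTTPS page loads over unencrypted HTTP."""
    if urlparse(page_url).scheme != "https":
        raise ValueError("page itself is not served over HTTPS")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure
```

Relative and protocol-relative URLs inherit the page's HTTPS scheme, so only the two explicit `http://` subresources in the sample are reported; the `<a>` link is ignored because nothing is fetched until the user clicks it.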
Better Wi-Fi security ahead
Creating a security culture within your organization is critical to minimizing abuses. However, users will not always act responsibly. As more users and devices rely on wireless technology, risk will increase at every point of access.
For network operators, the best response to this is a method for each user to associate with the Wi-Fi network using their own unique encryption key. This lets you keep your network secure while allowing for users with an overly casual attitude.
Fortunately, new capabilities are becoming available for users too. IT administrators can now offer their users “encrypted local Wi-Fi” solutions, allowing them to create private networks among multiple devices from any location.
Such solutions allow users to take their personal Wi-Fi network with them, creating a more transparent way to securely access business and customer data while continuing to draw on the convenience of public wireless networks.
Dirk Gates is executive chairman and founder of Xirrus, a provider of high-performance, high-density wireless networking solutions.
New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content.