Security at WiFi Hotspots
Connecting to a random WiFi hotspot is much like strolling into a bar in a strange part of town. Most likely you'll have a good time, but it could ruin your day. It's wise to view all of them as hostile, if not predatory, unless you have some way to verify that they are not.
Things to know and do before you connect
- Assume that you are being stalked with intent of grand larceny whenever you use a paid or free public Internet connection.
- Rogue hotspots are common at airports, hotels, coffee shops, truck stops, and other popular WiFi venues. Sometimes they identify themselves as "Free WiFi", but expect them to have more subtle names.
- A wired Ethernet connection is not a safe alternative to a WiFi hotspot. A hacker in another room can intercept all the traffic on a hotel's network, and can also easily attack any vulnerable computers on it.
- Windows networking can drop its guard and treat rogue hotspots as safe local networks, not as raw Internet like it should. Your computer, not just your data, is then much more open to attack. [See the Caffe Latte and Evil Twins items below.]
- It is even more risky to use a public computer at a library, Internet cafe, or hotel business center.
- Connect to secure (WPA2 encryption) networks only. These networks require a network security key (obtained from the hotspot host). A hotspot that merely shows an SSL (https:// and padlock icon) sign-in page is not the same thing: that page protects your login, but if the network itself is open, everything you send afterward still travels unencrypted over the air. You can use Windows' "Network Connections" utility to see a hotspot's attributes, including its security type.
- Make sure you use a known secure way to check your email. Otherwise it's easy for a lurker to access your email account from a nearby laptop. And change your passwords when you get home just in case. ;-)
[Example: Use https://mail.google.com/mail/ to access Gmail.]
- You can use OpenDNS as a pre-emptive measure to guard against DNS poisoning; OpenDNS also advertises faster lookups and phishing-site filtering. Bear in mind that a rogue hotspot can intercept or rewrite DNS queries no matter which resolver you have configured, so this is no substitute for checking for https:// and a valid certificate.
Update: Some trouble using OpenDNS on some VPNs (virtual private networks) has been reported.
- Use Microsoft's "7 tips for working securely from wireless hotspots" if you need to learn how, and take the following precautions:
- Be sure your firewall is on
- Disable all file and printer sharing.
- Use the "infrastructure networks only" wireless option. (Turn off ad-hoc mode.)
More things to consider
- Be sure that any sensitive data, including usernames and passwords, is encrypted before it is sent or received. That means you should only send it if you're at a site using SSL (the https:// URL and the closed padlock icon should both be present), or use a VPN (virtual private network) or another form of encryption such as PGP instead.
- If you're on the go a lot, consider renting a VPN (virtual private network) to give you security at hotspots. VPNs use encryption to "tunnel" right through insecure connections.
Personally, I'd never do online banking or make other financial transactions at a public venue unless I used a VPN (virtual private network). There are just too many uncontrollables.
VPNs (virtual private networks) for serious business
You always face serious risk when using public WiFi hotspots or public broadband (Ethernet) connections, such as those at hotels or truck stops. It is even more risky to use public computers at libraries, Internet cafes, or hotel business centers.
And don't count on SSL (secure connections with https, and the padlock) to keep your information private. They may have fixed it by now, but as an example, it has been possible to "sidejack" the highly-regarded Gmail application by simply listening to traffic at a hotspot, using nothing more than a laptop and a little free software.
VPNs offer a good way for serious road warriors to avoid these problems. VPNs use encryption to "tunnel" right through insecure connections. You can rent VPNs by the month or by the year at Witopia or HotSpotVPN.
Wireless hotspot service providers -- e.g., TMobile Hotspot, Boingo Wireless, iPass -- provide a degree of enhanced security. But they still recommend that you use a VPN.
The security scene at Starbucks and other public hotspots.
- "By exploiting driver flaws, exposed fileshares, and user mistakes, one can easily and invisibly attack Wi-Fi laptops and phones in public venues like airplanes, hotels, and cafes."
The Caffe Latte Attack: How It Works—and How to Block It
- "An Evil Twin, sometimes referred to as Wiphishing, is a potential security threat to users of Wi-Fi, predominantly in public hotspots. A hacker sets up what is called a “rogue access point” which mimics the characteristics of the network to which users expect to connect. Users unknowingly connect to the rogue access point and the hacker’s network instead of the intended network."
Evil Twins FAQ -- WiFi Alliance document
- "While waiting at Hartsfield-Jackson Atlanta International Airport for a connecting flight to San Francisco, Joseph Angelo thought he'd catch up on his email and do a little Web shopping at a Wi-Fi hotspot near the departure gate. After firing up his notebook and going through the regular logon screens, everything looked as it should with the online store's slick graphics, professional-looking design, and even its annoying animated ads."
Does Your Hotspot Have An Evil Twin?-- PC Today
Reading your email safely at hotspots without using a VPN, if you dare.
Robert Graham, the CEO of Errata Security, has demonstrated that it's easy to intercept session IDs (cookies, or random strings in the session URL) from nearly all popular web applications, such as Gmail, Hotmail and Yahoo Mail, when you're using WiFi. Interception can work even if you signed in using Secure Sockets Layer (SSL) [https://mail.google.com/mail (with the closed padlock icon)], because after sign-in it is the session ID, not your password, that identifies you, and the application may later send that ID over plain http.
The web server does not use your password to authenticate each exchange during a session. It sets a cookie, or other session identifier, at the start and then checks that ID to validate subsequent requests. All the attacker has to do is clone your cookie or other ID and he/she can also connect with your account; in fact you can both use the account at the same time. The attacker can then download all your email messages, and even send messages as you. :-(
Here's how Larry Dignam at ZDNet explains it: "Gmail in SSL https mode was thought to be safe because it encrypted everything, but it turns out that Gmail's JavaScript code will fall back to non-encrypted http mode if https isn't available. This is actually a very common scenario anytime a laptop connects to a hotspot before the user signs in where the laptop will attempt to connect to Gmail if the application is opened but it won't be able to connect to anything. At that point in time Gmail's JavaScripts will attempt to communicate via unencrypted http mode and it's game over if someone is capturing the data."
The conclusion at this time is that you can't trust web mail. Not just current messages, but all stored messages are vulnerable. So, what's the solution? If you're going to use web mail, using Gmail can help, but it's not foolproof. Be sure you log off from Gmail each and every time when you finish using it. That prevents transmission of the unencrypted Gmail cookie before you log in at the next hotspot.
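To make the mechanism above concrete, here is an added example (not code from the original article or from Errata Security) that plays the sidejacker's part over a constructed capture: a couple of plaintext HTTP requests as a sniffer on an open hotspot would see them after the web app fell back from https:// to http://. It pulls the session cookie out of the clear-text request, builds the Cookie header an attacker would attach to ride the victim's session, and then models the one server-side cookie rule that closes this hole: a cookie the server marks `Secure` is never sent on an http:// request. The host names, cookie names and cookie values are all made up.

```python
# Added example, not from the original article: sidejacking a session cookie
# from a constructed plaintext capture, plus the `Secure` flag that stops it.
# Host names, cookie names and values below are made up for illustration.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed capture: two plaintext HTTP requests as seen on an open hotspot.
# The user signed in over HTTPS earlier, but the web app's script has fallen
# back to http:// and now sends the session cookie in the clear.
CAPTURE = (
    "GET /mail/?ui=1 HTTP/1.1\r\n"
    "Host: mail.example.com\r\n"
    "Cookie: SID=DQAAAJ8x7kQ; PREF=lang%3Den\r\n"
    "\r\n"
    "GET /images/logo.png HTTP/1.1\r\n"
    "Host: static.example.com\r\n"
    "\r\n"
)

# Cookie names that commonly carry a session identifier (illustrative list).
SESSION_COOKIE_NAMES = {"SID", "PHPSESSID", "JSESSIONID", "sessionid"}


def parse_requests(capture: str):
    """Split a plaintext capture into (method, path, headers) tuples."""
    requests = []
    for raw in capture.split("\r\n\r\n"):
        if not raw.strip():
            continue
        request_line, *header_lines = raw.split("\r\n")
        method, path, _version = request_line.split(" ", 2)
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append((method, path, headers))
    return requests


def sidejack(capture: str):
    """Return {host: {cookie_name: value}} for session cookies sent in the clear."""
    stolen = {}
    for _method, _path, headers in parse_requests(capture):
        if "cookie" not in headers:
            continue
        jar = SimpleCookie()
        jar.load(headers["cookie"])  # parses a Cookie request header
        for name, morsel in jar.items():
            if name in SESSION_COOKIE_NAMES:
                stolen.setdefault(headers["host"], {})[name] = morsel.value
    return stolen


def replay_cookie_header(stolen, host):
    """The Cookie header an attacker attaches to their own requests to ride the
    victim's session. No password is needed, and both parties stay logged in."""
    return "; ".join(f"{name}={value}" for name, value in stolen[host].items())


def browser_would_send(set_cookie: str, request_url: str) -> bool:
    """Model of the rule that matters here: a cookie the server set with the
    `Secure` attribute is never attached to an http:// request, so a fallback
    to plain HTTP leaks nothing. Without the flag it rides along in the clear."""
    jar = SimpleCookie()
    jar.load(set_cookie)  # parses a Set-Cookie response header
    scheme = urlsplit(request_url).scheme
    return all(not morsel["secure"] or scheme == "https" for morsel in jar.values())


if __name__ == "__main__":
    loot = sidejack(CAPTURE)
    print("session cookies seen in the clear:", loot)
    print("attacker's replay header:", replay_cookie_header(loot, "mail.example.com"))
    for header in ("SID=DQAAAJ8x7kQ; Path=/", "SID=DQAAAJ8x7kQ; Path=/; Secure"):
        sent = browser_would_send(header, "http://mail.example.com/mail/")
        print(f"{header!r} sent over http? {sent}")
```

The point for the user is the same as the advice above: once the session cookie has crossed the air unencrypted, logging in over https beforehand did not help, which is why logging out (invalidating the ID) before you leave one hotspot matters. The point for the site operator is the last function: a session cookie issued with the `Secure` attribute cannot be leaked by an http:// fallback, whatever the client-side script does.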
The solution is to use an email client such as Thunderbird, not web mail, to connect with your email account. And make sure it's configured to use SSL or TLS (Transport Layer Security, the successor to Secure Sockets Layer) for both incoming mail (IMAP or POP3) and outgoing mail (SMTP), and that it verifies the server's certificate rather than accepting whatever certificate is presented; an Evil Twin can otherwise sit in the middle of the "secure" connection.
More on protecting yourself at public hotspots