Security at WiFi Hotspots

General precautions

Connecting to a random WiFi hotspot is much like strolling into a bar in a strange part of town. Most likely you'll have a good time, but it could ruin your whole day. It's wise to assume that all hotspots harbor predators, and take appropriate precautions. [example] [more]

You'll be much safer at hotspots if you implement a robust security system, for example the one I've outlined in my blog. As part of your security, it is important to keep Windows and your programs updated. But beware: do not respond to warnings or notices that announce an update is needed. Go directly to the update source instead.

While you're out and about, don't forget about the physical security of your laptop.

Other road hazards

Using a public computer at a library, Internet cafe, or hotel "business center" can be even more risky than using your laptop at a hotspot. [details and solutions]

It might seem that using a mobile (cellphone) network avoids the threats that public hotspots and hotel ethernet connections present. Yes, you avoid some of them, but others remain. The links below lead to more information on these new threats. [details]

Before you read your email, or do any business at a WiFi hotspot...

  • Take the following precautions: [detailed instructions]
  • Assume that persons unknown, with intent to commit murder grand larceny are lurking nearby wherever you use a paid or free public Internet connection. :^)
    • Rogue hotspots are common at airports, hotels, coffee shops, truck stops, and other popular WiFi venues. They may identify themselves as "Free WiFi", but many of them have more innocent looking names. [more]
    • Ethernet (wired) connections - at hotels, business centers, etc. - are not safe alternatives to WiFi hotspots. A hacker in another room can intercept all the traffic on a hotel's network, and can also easily attack any vulnerable computers. [more] [solutions]
    • Windows networking can drop its guard and treat rogue hotspots as safe local networks, not as raw public networks as it should. Your computer, not just your data, is then open to easy attack. [more] [Also see the Caffe Latte and Evil Twins items below.]
  • Don't use anything but secure connections (WPA2 encryption) for any kind of business, including credit-card transactions. The hazards above are why you should only connect to secure wireless networks, particularly for business transactions. [Or use a VPN instead] [diagrams]
    • WPA2 networks require a network security key (obtained from the hotspot host) or require a password on a secure (https:// and padlock icon) page for sign in.
    • Windows' "Network Connections" function will also reveal a hotspot's encryption level.
    • Even if the network is encrypted, your communication is safe only from people who aren't on the network. All the other denizens at the hotspot can easily see your traffic because they are logged on with the same password. [see solutions below]
  • Make sure you'll be using a secure connection both to log in, and to interact with any sites where you'll exchange private or business information. Otherwise it's easy for a lurker to access your traffic, for example email, from a nearby laptop.
    • And change your passwords when you get home just in case. ;-) [Example: Select "Always use https" for your "Browser connection:" under "Settings" in Gmail.]
  • Use OpenDNS to guard against DNS poisoning. OpenDNS will also improve your computer's Internet connection performance, and provide other safeguards. [video]

Here's an excerpt from Microsoft's page about choosing "Public network" for best security at public locations:

Choose Public network for networks in public places (such as coffee shops or airports). This location is designed to keep your computer from being visible to other computers around you and to help protect your computer from any malicious software from the Internet. HomeGroup is not available on public networks, and network discovery is turned off. You should also choose this option if you're connected directly to the Internet without using a router, or if you have a mobile broadband connection.
If you know you won't need to share files or printers, the safest choice is Public network.

Some features of "Public network" are implemented via the Windows firewall. If you're using another firewall, you should consider how to configure it for similar protection.

More things to consider
  • Bluetooth exposes another route of hacker entry. Even if you're not using your Bluetooth mouse, for example, you still need to turn off the Bluetooth service in your laptop. Oh bother. ;-)
  • Be sure that any sensitive data, including usernames and passwords, is encrypted before it is sent or received. That means that you should only send it if you're at a site using SSL (the https:// URL and the closed padlock icon should be present). Or use a VPN (virtual private network) or another form of encryption such as PGP instead.
  • Programs that update themselves automatically can be easily hijacked at hotspots (or any WiFi network) to download malware. Any of your programs that provide that option should be set up as shown in this Firefox example (ask me what to do) to prevent these attacks.

Use a VPN for serious hotspot security

You always face serious risk when using public WiFi hotspots or public broadband (Ethernet) connections, such as those at hotels or truck stops. It is even more risky to use public computers at libraries, Internet cafes, or hotel business centers.

And don't count on SSL (secure connections with https, and the padlock) to keep your information private. They may have fixed it by now, but as an example, it has been possible to "sidejack" the highly-regarded Gmail application by simply listening to traffic at a hotspot, using nothing more than a laptop and a little free software.

Personally, I'd never do online banking or conduct any other financial business at a public venue unless I used a VPN (virtual private network). There are just too many unknown factors.

VPNs offer a good way to avoid the threats at hotspots, hotel Internet connections, etc. VPNs use encryption to "tunnel" right through insecure connections. You can rent most VPNs by the month or by the year. The protocol(s) they offer are a prime consideration - I recommend the OpenVPN protocol. Here are some VPN services to consider:

VPNs are an important tool for privacy and security when using public computers - say at a library - as well as your own. Trouble is, public computers are usually locked down so that you can't install a VPN, even temporarily. You can, though, bring along a thumb drive that includes a portable VPN (and add a portable browser for good measure).

Wireless hotspot service providers -- e.g., TMobile Hotspot, Boingo Wireless, iPass -- provide a degree of enhanced security for cell phones and data. But they still recommend that you use a VPN [more].

The security scene at Starbucks and other public hotspots.
  • "By exploiting driver flaws, exposed fileshares, and user mistakes, one can easily and invisibly attack WiFi laptops and phones in public venues like airplanes, hotels, and cafes."
    The Caffe Latte Attack: How It Works and How to Block It
  • "When someone calls you on the phone, the calling number that caller ID displays may or may not be true. The return address on an envelope in your mailbox is usually true, but it's not guaranteed. The same applies to the FROM address of an email message. Likewise, while the name of a Wi-Fi network is usually an indicator of its owner, nothing insures this."
    Wi-Fi's dirty secret of evil twins
  • "An Evil Twin, sometimes referred to as Wiphishing, is a potential security threat to users of WiFi, predominantly in public hotspots. A hacker sets up what is called a "rogue access point" which mimics the characteristics of the network to which users expect to connect. Users unknowingly connect to the rogue access point and the hacker's network instead of the intended network."
    Evil Twins FAQ -- WiFi Alliance document
  • "While waiting at Hartsfield-Jackson Atlanta International Airport for a connecting flight to San Francisco, Joseph Angelo thought he'd catch up on his email and do a little Web shopping at a WiFi hotspot near the departure gate. After firing up his notebook and going through the regular logon screens, everything looked as it should with the online store's slick graphics, professional-looking design, and even its annoying animated ads." Read more...
    Does Your Hotspot Have An Evil Twin?-- PC Today
Reading your email safely at hotspots without using a VPN -- if you dare.

Robert Graham, the CEO of Errata Security, has demonstrated that it's easy to intercept session IDs (cookies or random strings in the session URL) from nearly all popular web applications, such as Gmail, Hotmail and Yahoo Mail, when you're using WiFi. Interception works even if you're using Secure Sockets Layer (SSL) [https://mail.google.com/mail (with the closed padlock icon)].

The web server does not use your password to authenticate each exchange during a session. It sets a cookie, or other session identifier, at the start and then checks that ID to validate subsequent transactions. All the attacker has to do is clone your cookie or other ID and he/she can also connect with your account. In fact you can both access your account at the same time. The attacker can then download all your email messages, and even send messages as you. :-(

Update: Gmail -- and possibly other web mail services -- does not drop back to non-encrypted http mode now if https isn't available.

Here's how Larry Dignan at ZDNet explains it: "Gmail in SSL https mode was thought to be safe because it encrypted everything, but it turns out that Gmail's JavaScript code will fall back to non-encrypted http mode if https isn't available. [more] This is actually a very common scenario anytime a laptop connects to a hotspot before the user signs in where the laptop will attempt to connect to Gmail if the application is opened but it won't be able to connect to anything. At that point in time Gmail's JavaScripts will attempt to communicate via unencrypted http mode and it's game over if someone is capturing the data."

The conclusion at this time is that you can't trust web mail. Not just current messages, but all stored messages are vulnerable. So, what's the solution? If you're going to use web mail, using Gmail can help, but it's not foolproof. Be sure you log off from Gmail each and every time when you finish using it. That prevents transmission of the unencrypted Gmail cookie before you log in at the next hotspot.
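The weak link described above is the session cookie itself: a browser attaches it to every request for the cookie's domain, so a single request that falls back to plain http:// hands it to anyone listening, unless the server marked the cookie "Secure" (sent over https only). The following is an added example, not code from this page or from any of the mail providers it names: a small parser for Set-Cookie headers that flags session-looking cookies a site sets without the Secure or HttpOnly attributes. The cookie names and header lines are constructed sample data, and the name hints used to spot session cookies are a heuristic assumption.

```python
"""Audit Set-Cookie headers for session cookies that could leak over plain http.

Added example; the header values below are constructed, not captured
from any real service.
"""
from dataclasses import dataclass, field

# Heuristic (an assumption for this example): cookie names that usually
# carry a login session rather than a preference.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieInfo:
    name: str
    secure: bool = False      # "Secure": browser sends it over https only
    httponly: bool = False    # "HttpOnly": page scripts cannot read it
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse one Set-Cookie header value into its name and attribute flags."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("malformed Set-Cookie value: %r" % header_value)
    name = parts[0].split("=", 1)[0].strip()
    info = CookieInfo(name=name)
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            info.secure = True
        elif key == "httponly":
            info.httponly = True
        else:
            info.attributes[key] = value.strip()
    return info


def looks_like_session_cookie(name: str) -> bool:
    """True if the cookie name suggests it identifies a logged-in session."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def sent_over_plain_http(info: CookieInfo) -> bool:
    """A browser attaches a cookie to http:// requests unless it is Secure."""
    return not info.secure


def audit_set_cookies(headers):
    """Return (cookie name, problem) pairs for risky session cookies."""
    findings = []
    for raw in headers:
        info = parse_set_cookie(raw)
        if not looks_like_session_cookie(info.name):
            continue
        if sent_over_plain_http(info):
            findings.append((info.name, "missing Secure: also sent over plain http"))
        if not info.httponly:
            findings.append((info.name, "missing HttpOnly: readable by page scripts"))
    return findings


# Constructed sample headers: one leaky session cookie, one hardened
# session cookie, and one harmless preference cookie.
SAMPLE_HEADERS = [
    "SID=a1b2c3d4; Domain=.example.test; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "AUTHTOKEN=e5f6a7b8; Domain=mail.example.test; Path=/; Secure; HttpOnly",
    "PREF=lang=en; Path=/",
]


if __name__ == "__main__":
    for name, problem in audit_set_cookies(SAMPLE_HEADERS):
        print("%s: %s" % (name, problem))
```

Only the constructed "SID" cookie is reported (twice: no Secure, no HttpOnly); "AUTHTOKEN" carries both attributes and "PREF" is skipped as a non-session cookie. Logging out, as the paragraph above recommends, works because it invalidates the session ID on the server, so a later leak of the cookie is worthless to a listener.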

The solution is to use an email client such as Thunderbird, not web mail, to connect with your email account. And make sure it's using SSL or TLS (Transport Layer Security, the successor to Secure Sockets Layer).

More on protecting yourself at public hotspots