Don’t bank on public WiFi being secure: 3-in-4 hotspots vulnerable, claim experts
There are now tens of millions of public Wi-Fi hotspots around the world, and many of us take advantage of them on a regular basis to access the internet for free and avoid costly mobile broadband charges.
But as useful as they can be Wi-Fi hotspots also represent a huge security risk. Intercepting data sent over a Wi-Fi network is worryingly easy and can be done with free software and just a little technical knowledge. Yet many of us use them for confidential and personal activities such as social media, email, online banking and shopping without additional security.
We recently conducted a survey of 1,515 Broadband Genie visitors regarding Wi-Fi hotspot usage and found some concerning statistics. Of the 44% who said they regularly use public Wi-Fi, 80% access social media, 25% shop online and 15% access online banking.
Locate secure hotspots with the Avast! Wi-Fi Finder
Security firm Avast! offers a free Wi-Fi Finder app which uses crowdsourced data to identify safe Wi-Fi hotspots. We spoke to Threat Intelligence Manager Michal Salat to find out more about how their app works and why public Wi-Fi can be dangerous.
As part of the Wi-Fi Finder App you crowdsourced data from you users on the security level of hotspots. What number of Wi-Fi hotspots were found to be risky, and why they were classed as such?
Our data shows that 75% of hotspots are vulnerable. The majority of these hotspot routers pose a risk to the user because they are open, meaning the web traffic is unencrypted and visible to anyone, including cybercriminals. While the hotspot may have intentionally been set up to be open by the hotspot operator, it means that anyone can connect and, therefore, anyone could spy on others connected to the hotspot. Moreover, some of the routers are accessible from the Internet, have been hacked or contain known vulnerabilities that can easily be exploited by cybercriminals.
How secure are public Wi-Fi hotspots?
Public Wi-Fi networks are an easy entry point for hackers to attack and most users don't realize that all the personal information on their mobile devices becomes defenseless over public Wi-Fi without protection. We found that 77% of Brits prefer free Wi-Fi networks that do not require registration or a password to connect and only 6% of respondents said they used a VPN (virtual private network) when connecting.
Most public Wi-Fi hotspots are, unfortunately, not secure. Through an experiment conducted last year, Avast found that more than 80% of hotspots in London were open. Anyone connected to the same open hotspot can see what you are doing unless you are using a VPN or are browsing on sites or apps that use encrypted protocols like HTTPS.
In addition to weakly protected public hotspots users also need to be cautious of fake hotspots. Hackers like to operate fake networks, hoping to collect and exploit the data from any device connected to that network. And sometimes it’s difficult for a user to tell the difference – these hackers can use the same or similar name for their bogus network, protected by the same and password.
What steps can users take to protect themselves on these networks?
Users connecting to public hotspots should always utilize a VPN when connecting to open Wi-Fi. A VPN creates a secure encrypted connection and tunnels traffic to a proxy server. The encrypted connection protects your personal data, thus preventing hackers from accessing your files and other sensitive information stored on your device.
If you are banking on a site that uses encrypted protocols, you are pretty safe. You can check if the site you are visiting is using encrypted protocols by looking for the green padlock in your address bar.
Despite the sensitive nature of many of these activities, just 15% use a Virtual Private Network (VPN) service to encrypt their communications, potentially exposing private communications to anyone else on the same network.
A VPN provides secure internet access on any connection by sending all internet traffic through an encrypted third party link. This means that if someone on a hotspot is listening they will get nothing but scrambled data.
Computer security analyst Graham Cluley, said: “If you're browsing the risk via public Wi-Fi in a cafe, hotel lobby or on the street, there's always the risk that someone could be snooping upon your activity, and potentially stealing sensitive information. I recommend taking care over the hotspots you connect to, and always using a VPN which sends your mobile communications down a secure, encrypted tunnel."
Not sure what a VPN is, or how to use one? You’re not alone; 44% in our survey said they weren’t aware of VPNs. If you’d like to find out more read our handy feature on how to use a VPN for online security and privacy.
Staying safe on public Wi-Fi: Kaspersky's view
Kaspersky are the creators of the highly rated Kaspersky Anti-Virus and other security tools. We spoke to their experts to find out more about the risks of public Wi-Fi and what you can do to protect yourself.
How secure are public Wi-Fi hotspots?
People who connect to public Wi-Fi hotspots may believe their information is protected, when in reality, these networks can be compromised allowing criminals to carry out different types of attacks to manipulate the traffic and user data being exchanged through them. It’s very difficult, if not impossible, to assess the security of some public Wi-Fi hotspots. While you may be able to trust the major Wi-Fi providers, smaller, independent outlets often provide their own Wi-Fi, which may not be as well protected. Such hotspots may be vulnerable to “man-in-the-middle” attacks, where a hacker’s computer collects all the traffic passing between your device and the Wi-Fi hotspot.
What are the biggest risks facing public Wi-Fi users?
Cybercriminals know that people regularly use public Wi-Fi and therefore they set up fake access points or compromise legitimate WiFi networks to intercept and manipulate their victim’s browsing. Their focus for the attack is user’s passwords, credit cards and other sensitive personal information. Open and misconfigured Wi-Fi networks are actually preferred vehicles for criminals.
Are public WiFi hotspots ever secure enough for users to not have to worry about someone being able to steal their account information?
It is possible to use open Wi-Fi networks and still navigate the web safely. However, the use of a VPN (Virtual Private Network) is necessary. We recommend using this technology regardless of the Internet connection you use while traveling as the info going to/from your device will be encrypted. Even if someone is able to compromise the Wi-Fi network, they won’t be able to access your data without knowing the key to decrypt the message.
Encryption of data sent via 3G and 4G makes it much safer than public Wi-Fi. Nevertheless, it would be unwise to base corporate security simply on the mechanism used to send and receive data. The use of anti-malware protection, firewall, VPN and online common sense are also vital.
How easy is it for someone to gain access to your bank or other personal account information if you access these accounts on a public Wi-Fi connection?
It is possible, for someone to gain access to your personal accounts by intercepting your device, for example, hotel networks are very lucrative targets for cybercriminals. Kaspersky Lab previously discovered the “Darkhotel” group, an elite spying crew uncovered by its experts in 2014 famous for infiltrating Wi-Fi networks in luxury hotels to compromise selected corporate executives. The criminal gang compromises hotel Wi-Fi networks and then waits for a victim to logon to the network, before tricking them into downloading and installing a backdoor, which in turn infects the device with spying software. Unless your data is encrypted and sharing is turned off hackers are free to rifle through all of the data on your device or whatever is passing through your connection – including sensitive personal data.
What steps can users take to protect themselves on these connections?
Before you use your VPN connection, make sure it does not have a DNS leak problem. If your VPN provider doesn’t support its own DNS servers, you might consider another VPN provider or a DNSCrypt service, so your DNS requests will make external and encrypted queries to secure DNS servers. Remember that what starts as a small security issue could have big security implications.
A simple formula must be this: any network you connect to, use your VPN connection with its own DNS servers. Don’t rely on any local settings since you can’t be sure if the WiFi access point you connect to is compromised or not.
Kaspersky’s top tips for protecting yourself on public Wi-Fi
1. Use only trusted and secure WiFi networks if you’re going to do anything confidential, i.e. anything that involves typing a username and password, or transmitting confidential data.
2. Make sure, before you log-in to any website, that it’s secure – look for "https", the unbroken padlock symbol and check the security certificate.
3. Secure your computer with a reputable internet security product.
4. Protect all your devices, including laptops, tablets, and smartphones, not just your PC.