Wi-Fi Security Risks: Dangers of Connecting to Public Networks

Risks of Connecting to Public Wi-Fi Networks

With every laptop and netbook now equipped with a Wi-Fi card, and with access points and routers now affordable, many public places (cafés, hotels, airports, and even shopping malls) offer free Internet access as a bonus service or to attract customers. This trend hasn’t gone unnoticed by people who frequent such places. While it’s convenient to use someone else’s Internet connection, it’s important not to forget the dangers that come with this “free cheese.” Specifically, all data transmitted over the Internet from your computer or mobile device can be easily intercepted by attackers connected to the same Wi-Fi network. This is especially true for unencrypted data, such as messages sent through apps like WhatsApp. Wi-Fi networks are inherently vulnerable to hacking and eavesdropping, but you can rely on them if you take the necessary security precautions.

What Threats Can You Face?

  • Connection parameter capture: Using special apps (network scanners) on a smartphone, tablet, or laptop, outsiders can easily collect information about active access points, their names, base stations, encryption types, connected devices, and the websites being visited. They can also check if file sharing is enabled on devices. This information can be used to plan targeted attacks. It’s impossible to fully protect yourself from network scanners—unless you avoid using wireless access points or only turn on your Wi-Fi adapter when absolutely necessary.
  • Traffic interception: When you connect to Wi-Fi, data packets are sent to the appropriate IP address. Normally, devices ignore packets not meant for them, keeping the network organized and fast. However, with the right software, an attacker can force a Wi-Fi adapter to accept all packets, regardless of their destination. This allows the attacker to read all traffic passing through the access point while remaining undetected. They can then filter the captured data for images, website addresses, and more. To protect yourself, avoid access points without password protection. A password is not foolproof, but it at least requires the attacker to know it. Always use secure connections (HTTPS, not HTTP) on sites where you enter personal data, and avoid sites that don’t support encryption. Be cautious with mobile apps, as you often can’t control their security settings. For example, the Facebook app only encrypts the login process, leaving the rest of your data unprotected. Attackers may not see your password, but they can read your status updates and messages. Avoid using such apps on public Wi-Fi. Instead, use VPN technology to create a secure tunnel for your Internet connection. If an attacker intercepts your data, it will be unreadable. Tools like Hotspot Shield are available for both computers and mobile devices.
  • Session cookie theft: Attackers can use ARP spoofing to intercept session cookies that identify you on sites like Facebook after you log in. These cookies let you stay logged in without entering your password each time. Special programs can extract all session cookies from network traffic, allowing an attacker to access your Facebook, Twitter, or eBay sessions and intercept all data exchanged. Using a VPN tunnel can help protect against this type of attack.
  • Fake access points: By default, after you connect to a Wi-Fi network once, your device will automatically reconnect if it detects a network with the same name. An attacker can easily set up a fake Wi-Fi access point with any name, and your device may connect to it automatically, allowing the attacker to intercept all your data. To protect yourself, delete saved public Wi-Fi networks from your device’s settings, keeping only your home and work networks.
  • Breaking encryption mechanisms: Attackers seeking access to sensitive information (like bank details, PayPal credentials, or email passwords) exploit vulnerabilities in encryption or user mistakes. For example, they may redirect your connection through a fake access point. If you visit a secure site through such a point, the attacker may try to redirect you to an unencrypted version to steal your password or eavesdrop on your traffic. Fake SSL certificates are also common; the attacker establishes a secure connection with both the web service and your device, but since the certificates are forged, intercepting your data is easy. If web services fully encrypted all traffic, attackers couldn’t redirect users to unprotected sites. However, SSL isn’t yet universal, though major services offer it as an option. Always choose SSL connections and check for secure connection indicators in your browser’s address bar. Unfortunately, with mobile apps, you often can’t control or verify the connection type. Check with app developers about security features. Reliable connections are indicated by browser address bar icons and valid certificates, but even these aren’t 100% foolproof due to the possibility of fake certificates.
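
The ARP spoofing mentioned under session cookie theft leaves a trace on your own machine: the gateway's IP address starts resolving to another device's MAC address. The following is an added example, not part of the original article, that checks an ARP cache for that pattern; it assumes the Linux /proc/net/arp layout, and the sample table and all addresses in it are constructed.

```python
from collections import defaultdict

# Constructed sample in Linux /proc/net/arp format (not captured from a real network).
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         de:ad:be:ef:00:66     *        wlan0
192.168.1.23     0x1         0x2         3c:5a:b4:11:22:33     *        wlan0
192.168.1.66     0x1         0x2         de:ad:be:ef:00:66     *        wlan0
192.168.1.80     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

def parse_arp_table(text):
    """Return {ip: mac} for resolved entries, skipping the header row."""
    entries = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        # Flags 0x0 or an all-zero MAC means the address was never resolved.
        if int(flags, 16) == 0 or mac == "00:00:00:00:00:00":
            continue
        entries[ip] = mac
    return entries

def find_arp_anomalies(entries, gateway_ip, known_gateway_mac=None):
    """Return findings: MACs claimed by several IPs, and a changed gateway MAC."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            label = "gateway shares MAC" if gateway_ip in ips else "duplicate MAC"
            findings.append(f"{label}: {mac} claimed by {', '.join(sorted(ips))}")
    # Compare against the gateway MAC noted when the network was first joined.
    current = entries.get(gateway_ip)
    if known_gateway_mac and current and current != known_gateway_mac.lower():
        findings.append(f"gateway MAC changed: {known_gateway_mac.lower()} -> {current}")
    return findings

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    # The baseline MAC below is a constructed value for the demonstration.
    for finding in find_arp_anomalies(table, "192.168.1.1", "A4:91:B1:00:00:01"):
        print(finding)
```

A shared MAC is an indicator rather than proof, since some routers legitimately answer for several addresses; a gateway MAC that changes mid-session on a public network is the stronger signal.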

Is Identification Required on Public Wi-Fi Networks?

The joy of free and unrestricted access to public Wi-Fi networks in Russia was somewhat diminished by a 2014 government regulation (Decree No. 758), which requires mandatory identification of users connecting to public Internet. According to the regulation, the service provider must require users to enter their mobile phone number, to which a code is sent for identity verification.

How to Protect Your Devices

  • For Android, iOS, and Windows Phone: Regularly install system and app updates. Always use antivirus software, such as Kaspersky Internet Security for Android or Kaspersky Safe Browser. Prevent your device from automatically connecting to Wi-Fi networks without your knowledge, and use VPN tunnels whenever possible.
  • For Windows and OS X computers: Disable file sharing and always keep your firewall enabled. In Windows, check settings via Control Panel | Windows Firewall. In OS X, go to System Preferences | Security & Privacy | Firewall. Install antivirus software and keep your system and programs up to date. Use only services that encrypt login and data transfer via SSL. Browser extensions like HTTPS Finder or HTTPS Everywhere for Firefox and Chrome enable SSL by default. Whenever possible, use VPN tunnels for data transmission.
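
The advice to delete saved public networks and to stop devices from joining Wi-Fi automatically can be checked mechanically. The following is an added example, not part of the original article, that audits saved profiles for open networks that will auto-join; it assumes NetworkManager keyfile-style profiles on Linux, and every profile name and SSID in it is constructed.

```python
import configparser

# Constructed NetworkManager keyfile-style profiles; names and SSIDs are made up.
SAMPLE_PROFILES = {
    "Home": "[connection]\nid=Home\ntype=wifi\n[wifi]\nssid=HomeNet\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "Airport": "[connection]\nid=Airport\ntype=wifi\n[wifi]\nssid=Airport_Free_WiFi\n",
    "Cafe": "[connection]\nid=Cafe\ntype=wifi\nautoconnect=false\n"
            "[wifi]\nssid=CafeGuest\n",
    "Hotel": "[connection]\nid=Hotel\ntype=wifi\nautoconnect=true\n"
             "[wifi]\nssid=Hotel_Guest\n",
    "Office-LAN": "[connection]\nid=Office-LAN\ntype=ethernet\n",
}

def audit_saved_wifi(profiles):
    """Sort saved open Wi-Fi profiles into auto-joining and manual-only SSIDs."""
    report = {"auto_join_open": [], "open_manual": []}
    for name, text in sorted(profiles.items()):
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read_string(text)
        if cfg.get("connection", "type", fallback="") != "wifi":
            continue  # wired and other profiles are out of scope
        if cfg.has_section("wifi-security"):
            continue  # protected profile: not the open-network case
        ssid = cfg.get("wifi", "ssid", fallback=name)
        # NetworkManager treats autoconnect as true when the key is absent.
        if cfg.getboolean("connection", "autoconnect", fallback=True):
            report["auto_join_open"].append(ssid)
        else:
            report["open_manual"].append(ssid)
    return report

if __name__ == "__main__":
    result = audit_saved_wifi(SAMPLE_PROFILES)
    print("Delete or disable auto-join:", ", ".join(result["auto_join_open"]))
    print("Open but manual only:", ", ".join(result["open_manual"]))
```

Profiles listed under auto_join_open are the ones a look-alike access point with the same name can capture without any user action.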

By following these guidelines, you can significantly reduce the risks associated with using public Wi-Fi networks and keep your personal data safe.
