By Andrea Pinzani, IT Security expert at Consortium GARR
More and more people work and study remotely, as employees and students connect to public Wi-Fi at home, in bars, restaurants, airports and hotels. Public Wi-Fi brings lot of advantages, but it carries security risks. It is less secure than the home or office Internet connection because the signal is not confined to a cable but is spread over the air and anyone can access it, including possible attackers. You also don’t know if a public Wi-Fi service is offered through a quality device, configured wisely, or not. It is necessary to be aware of the risks in order to be able to mitigate them with appropriate measures. Public Wi-Fi is therefore advised if you want to watch videos, check the weather or read news, but it is not recommended for activities such as home banking.
The best known attacks
Snooping and sniffing
The Wi-Fi signal can be captured by anyone in the area, if the traffic is not encrypted the data is exposed to theft.
Man-in-the-middle attack (MitM)
Allows traffic to be intercepted by compromising a hotspot or by an attack ARP-spoofing. It can also allow the user to be diverted to a counterfeit website, cloned from the original one, in order to steal access credentials or confidential data.
Fake hotspot (Evil-twin attack)
An attacker can create a bogus Wi-Fi network, with a name (SSID) similar to that of a legitimate public network, in order to trick users into connecting. Also in this case the user traffic is intercepted.
Malware, viruses and worms
Through unsecured public Wi-Fi, traffic can be manipulated into forcibly installing malware or causing fake pop-ups to appear while users browse or download programs.
Shoulder surfing
In a public place it is always possible that someone will be able to see directly (or with a hidden micro camera) what you type on your device.
Note: Also pay attention to the USB ports for charging in public places: there are harmful electronic devices, which can be installed inside sockets, which transmit malware. Use only reliable chargers and cables.
How to mitigate security risks
Choose the correct network
Anyone can set up a wireless hotspot and name it whatever they want. A scammer can choose a common network name or one very similar to a known commercial activity, in order to attract users who think they are entering a legitimate network. Make sure a network is genuine, check the network name with a store employee.
Choose a secure network
When choosing a Wi-Fi network, make sure it is protected, i.e. that the lock icon appears next to the name, and that a password is therefore required. Networks with zero security do not have a lock icon or the word “protected”. Ask the manager for the name and network and password.
Turn off automatic Wi-Fi connection
Disable the auto connect feature in the Wi-Fi settings to prevent your device from connecting to open networks without your approval.
It is good practice to keep Wi-Fi off when not in use, and also bluetooth, NFC and GPS should be disabled when not needed.
Finally, even if you have disabled the automatic connection, when you leave a public network do not just disconnect: choose “forget the network” or “delete” from the list of known networks.
Avoid handling confidential information
If possible, when connected to public Wi-Fi, avoid doing important tasks like paying bills, logging into your bank account, or using your credit card.
Avoid exposing your passwords or do it intelligently
Use a different password on each individual website, it can help to install a password manager.
If available, enable multi-factor authentication (for example 2FA).
Verify that web browsing is secure (https and valid certificate)
When you browse, make sure that the padlock symbol is present in the address bar or that the URL begins with https, and do not ignore any warning windows on the validity of the certificates. Many web browsers warn you if you are about to visit a potentially malicious site, do not ignore these warnings. You should make sure that apps also use encryption protocols to protect transmitted data.
Don’t stay connected permanently
When you have finished doing what you have to do, log out of your online accounts, do not simply close the tab or the app but select the logout / exit item.
Use secure DNS connections
Make sure that DNS requests are encrypted, for example Firefox and Chrome browsers allow you to configure the DNS over HTTPS (DoH).
Eventually configure the DNS server of your choice statically, so as not to use the one provided by the Wi-Fi connection.
Use a mobile hotspot
If you have to deal with serious matters, it is preferable to use the data connection of your mobile telephone operator. Use your smartphone as a hotspot for your notebook or tablet via the tethering or wi-fi hotspot function. You could also buy a specific device like a portable wi-fi hotspot.
Use a VPN service
A secure and encrypted tunnel is established between a device and a VPN server via a virtual private network (VPN), which makes it very difficult for an attacker to spy on a user’s activity. It is the most used technology for remote connections, especially in the workplace, and there are many commercial providers. In the academic field, consider eduVPN.
Turn off file sharing
File sharing should be disabled when not in use, especially on untrusted networks.
In Microsoft Windows, look in the configuration for “Disable file and printer sharing”.
For Apple devices turn off Airdrop.
Install an antivirus and activate a firewall
Make sure you are using an antivirus and receiving updates. Possibly install an ad-blocker in the browser (e.g. uBlock Origin). Activate a firewall.
Keep your operating system and apps up to date
When updating, do so over trusted networks (in the office or at home).
Use eduroam
Provides a reliable Wi-Fi connection. It is present in over 100 countries, with thousands of active hotspots on university campuses, schools, laboratories, libraries and public places.
You may think that something as bad as being hacked can’t happen to you, especially if you consider yourself a regular internet user with no particularly sensitive information worth stealing. The fact is that hackers often don’t need a specific reason to target your computer because they operate systematically.
To conclude, the best defence is you. If anything about the Wi-Fi connection seems strange or suspicious to you, just don’t connect. Many of today’s online attacks don’t target technology, but try to deceive users. If you receive an email, message, or phone call that seems strange or suspicious, especially if it is extremely urgent, it could be an attack.
Always be wary, only then you will start protecting yourself from the dangers of Wi-Fi networks.
About the author
He reports and manages IT security incidents, publishes security alerts on the most common vulnerabilities, provides support and training to users in the field of cybersecurity and is also dedicated to the study and analysis of cyber intelligence sources for operational data protection purposes.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022
