Ask The Cyber Security Expert: Can I trust public wifi?
The BBC today (7th March) is running with a story on criminals targeting public wifi. The report on BBC Breakfast left us a bit confused. We put the kettle on, wafted the scent of Yorkshire tea up the stairs and woke The Cyber Security Expert to see what he thought.
Can you explain whats going on here?
Its a little bit hard to be sure exactly what it is the BBC think is new. They quote Europol, but a quick review of the Europol website shows nothing recent warning about wifi use. Perhaps it will appear later, but in the meantime lets go with what we know.
Can I trust free public wifi?
As with all things security, the answer is ‘it depends’. Networks inherently offer little security, but in general we trust them because they are provided by our work, we installed them in our home ourselves or we pay the mobile company some money a month and presume they take care of our data. In other words, although most people probably aren’t aware of it, we trust the physical security of the networks to some degree.
As I mentioned in the post on the iOS and Mac OS X vulnerability last week: It is non trivial to intercept communications if you can’t get access to the network, but trivial if you can. And therein is the issue with public wifi – we have no idea who else is using it and it is pretty trivial for someone malicious to intercept all the network traffic of the other users.
So they aren’t safe?
Not necessarily. As the Mac OS issue highlighted there are ways and means of ensuring we can connect to sites we need to trust, and we can verify we are a) really connecting to the right website and not someone pretending to be our bank and b) that the data we send to the website is encrypted and hence safe from eavesdroppers. This all happens entirely transparently to most end users.
We have these means precisely because there is (and I repeat myself, I know) no inherent security built into the internet. These mechanisms for establishing trust were designed precisely because we can’t trust the network itself – and they work just as well on our behalf on free public wifi as they do at home or in the office. So secure sites should be secure regardless of how you are connecting to the internet. There are attacks against these verification mechanisms, but they are more complex than the average criminal on a free wifi is likely to be able to conduct, though the Apple issue demonstrates that sometimes the implementation of the security mechanisms on your computer or phone are deeply flawed.
Now I’m lost – what should I do??
I know, I’m sorry. It’s a slightly complicated area. Let’s cut to the chase – there are issues with free wifi because anyone can connect to it and they can mess with your internet traffic. If you are confident all of that traffic is secure between your computer and the service you’re connecting to it’s not likely to be a problem – the issue is lots of people still use insecure means to access important services. Sure, your bank connection and Amazon account should be ok – but what about your email? It is possible to use the same means to protect that traffic too. Most of the large webmail providers implement this by default now, but plenty of internet service providers don’t. If you don’t know how you’re getting your email, don’t use free wifi to pick it up.
Also if your browser ever complains about a certificate, or flags an issue with a secure site – STOP immediately and go no further. That is one indication that someone is impersonating the website, and our technology can only do so much to help us if we chose to ignore its warnings. Modern browsers are very good at warning us when something is up – pay attention when they do so. Go no further. Here be dragons.
Another way to protect yourself is to use a virtual private network (VPN) – this encrypts all the traffic between your computer and a trusted end point, where it is unpacked and unleashed out onto the internet. This means anyone on your local wifi network will just see encrypted traffic, and unless they can successfully pretend to be your trusted endpoint (see above on trust) all will be well. Modern computers and phones support this natively (take a look in Settings -> General on your iPhone. There’s a VPN option). You can pay for a VPN service, though obviously you need to pick one you trusts as you will sending them all your traffic, or you can set one up yourself. Get in touch if you want help with that.
Does it matter if the wifi is password protected or not?
The guy on BBC Breakfast intimated it does, advising viewers only to use recognised providers and networks that need a password to connect. I’d say it doesn’t really matter that much – there are different attacks against encrypted vs unencrypted wifi but unless the cafe are vetting people to see if they are criminal before handing out the password (or if for some reason criminals can’t read the password off the chalkboard behind the counter) it really doesn’t make much difference. Untrusted free public wifi is untrusted free public wifi.
You can safely use free wifi if you have a) taken some precautions to protect your internet traffic or b) are doing nothing sensitive.
I appreciate this is not a cut and dried topic. I hope it is at least a little clearer. Please get in touch if you have questions. Find us on twitter, or use the contact form.
The Cyber Security Expert