By Joeri de Ruiter, Technical Product Manager at SURF
Nowadays, wherever you go it is likely that there is free wifi on offer. This can be very convenient when you are travelling by train, reading a book in the library or having a coffee at your favourite cafe. Unfortunately, using such public wifi networks can also pose a real security risk. For example, it might be possible that someone eavesdrops on your network traffic. Even when a key or password is used to connect to them, public wifi networks can be a security risk. In this article we will explain what the problems are and what you can do to minimise the risk.
When you have a conversation in a public space, anybody around you might overhear what you are talking about. When using wifi, this is no different. Anybody around can easily eavesdrop on your wifi signals with a standard laptop or phone and widely available software and, if the wifi signals are not properly protected, can see what you do on the network. Often you can connect to a public wifi without entering any password or with a password that is shared with everyone, for example, because it is written on the chalkboard behind the bar or it is given to everyone who asks for it. This usually does not provide sufficient protection to the wifi signals and could, for example, reveal which websites you visit or, even worse, it might also leak personal information, such as, your passwords or private emails. The lock symbol in your browser shows when a website uses HTTPS. This is important, but even this does not mean you are completely safe. When you connect to a website using HTTPS, an eavesdropper might still see which website you visit, even though they cannot see what you are doing exactly. Therefore it is important that your wifi connection is secure.
Who runs the network?
Another problem when connecting to a public network is that you do not know who actually runs the network. It is very easy for an attacker to setup a wifi network with any name they want. So even if you connect to a wifi network called “Public Library”, you do not know for sure that it is actually run by the library, even when you connect to it using the public password on the wall.
Whoever operates the network that you are connected to, could see all your traffic. Next to seeing all your traffic, the attacker could also change your network traffic. They could show you their own version of a website you want to visit and, for example, show a fake login page to try to get your username and password or infect your system with malware when you try to download a file.
Who else is on the network?
Not just the people operating the network can pose a threat. Also other users that are connected to the same wifi network could try to attack you. This might be easier to do than you think. For example, both Windows and macOS offer convenient mechanisms to share files with other users on the network, through File Sharing and AirDrop respectively. If you have this enabled, possibly without realising it, your files might be accessible by all the other users on the network and anybody might be able to download your files. Attackers keep coming up with new ways of attacking users, so it is important to keep your system and software up to date to make it more difficult to be attacked.
What can you do?
If you really have to use a public wifi network:
- do not use it for sensitive or personal purposes, e.g. banking or exchanging personal information;
- disable sharing services such as Window’s File Sharing and Apple’s AirDrop;
- make sure your system and software are up to date;
- and protect your traffic using a VPN.
When using a VPN, your traffic can be sent via the VPN provider in a secure manner. This can, for example, be done using eduVPN. In the case of eduVPN, this can be via your home organisation. Now, when somebody is eavesdropping on your wifi traffic, they can no longer see the actual traffic but only that that is going via VPN.
The best protection against the risks of using public wifi however: do not use them. Instead, use your phone as a hotspot or a trusted network such as eduroam.
About the author
Joeri de Ruiter has broad experience in network security research. He works as Technical Product Manager in the Security and Privacy group at SURF, the Dutch NREN. Previously he worked as research engineer at SIDN, the organisation managing the Dutch .nl top level domain and as assistant professor on network security in the Digital Security at the Radboud University, Nijmegen.