By Al Kelly, MCIS
Faculty, College of Science, Engineering and Technology
Free WiFi networks have seen an explosive growth in recent years. You can find them at your local coffee shop, restaurants and even college campuses. All your personal electronic devices have built-in wireless interfaces and they are eager to make the connection. But, is free really free? Ask the question: Who is sharing the network with you?
As a consumer of these networks, what has this explosive growth meant to you? Well in the good old days, I would secure the information on my computer or network by isolation, not allowing outside access. As free wireless networks become more popular, we extended our networks and, of course, add additional risks. You can see where I am going with this: New technologies are expanding the boundaries of our networks, introducing new threats. Wireless devices open our networks to anyone within its range. If a cyber bad guy wanted to access your network, using wireless, all they would need to do is sit in the parking lot and connect to the same free WiFi that you are. They don’t need to be next to you sipping a latte or look like a creepy hacker person lurking in the corner.
So, what do I have to lose? You might think your information is not worth anything to the cyber bad guy. The fastest growing crime in America today is identity theft. “The 2017 Identity Fraud Study, released by Javelin Strategy & Research, found that $16 billion was stolen from 15.4 million U.S. consumers in 2016, compared with $15.3 billion and 13.1 million victims a year earlier. In the past six years, identity thieves have stolen over $107 billion.” (Javelin, 2017)
Most computer users keep a wealth of personal information on their systems, from bank accounts and credit card information to resumes and social media accounts. Each one of these makes your computer a target to would be thieves. You are also giving away your username and passwords, bank account information, browsing habits – the list of personal information goes on.
Wireless security depends heavily on securing the access point using authentication and encryption. For example, using WiFi Protected Access (WPA2), this standard is used by a majority of access points and wireless clients. Free wireless access points are open so this protective measure is not utilized. Everything that you transmit from your wireless device to the access point is in the open. You can rely on server side security such as Transport Layer Security (TLS) that is used on most websites that utilizes HTTPS. You can tell if the site supports HTTPS by looking for the green lock in the upper left corner of your web browser’s address bar.
When you connect to a free access point or any access point for that matter, you discover it by using the access point’s Service Set Identifier (SSID). This is the name of the access point that your operating system displays. Here at Grand Canyon University, our open WiFi network is called “LOPES.”
But, what happens when the cyber bad guy impersonates a normal access point by deploying a rogue access point? Rogue access points are frequently used by attackers to activate what is known as a ‘man in the middle’ attack and to begin eavesdropping on or “sniffing” traffic. You have no way of knowing if the access point is official or rogue. The cyber bad guy is going to use an SSID that makes sense for the location such as “StarCups” at the coffee shop. They will not use an SSID of “Hacker Net” for obvious reasons.
At the Rio Olympics in 2016, security experts discovered rogue access points not only at the Olympics, but also at the airport and major resort hotels. Each of these rogue wireless networks was prime real estate for stealing tourist personal information that can be used for identity theft. More recently, the 2017 RSA Security Conference attendees fell victim to rogue access points with common names like Starbucks. You cannot easily tell that you have fallen victim to a rogue access point, so it is always better to assume that someone is eavesdropping on your wireless communication.
I think I have made my point – free WiFi is convenient but risky! It’s not all bad. You can practice safe computing. If you need to use public WiFi networks, avoid logging into your private accounts. Your best bet is to only access public info such as news sites and Google. For more sensitive information, use your smartphone’s 4G cellular network.
Another solution is to encrypt your wireless communication using a Virtual Private Network (VPN) service. There are many that are freely available, but I prefer a paid VPN service. The one that I use is Private Internet Access (PIA) – they offer anonymous high-speed VPN service at a low cost. VPNs can secure your data and ensure your privacy at all times, not when just using free WiFi.
While I focused on only one wireless attack and a typical solution to reduce risk, there are other attacks the cyber bad guy can use when you share a network with them. Follow standard security practices at all times: Patch often, use anti-malware, turn on the firewall and use strong passwords on everything. The next time you connect to a free (public) access point, ask yourself, “What am I giving to the cyber bad guy?”
The College of Science, Engineering and Technology helps students prepare for dynamic careers in high-demand fields. Visit our website or click the Request More Information button on this page to learn more.
- Javelin, (2017, February) Identity Fraud Hits Record High, retrieved from javelinstrategy.com/press-release/identity-fraud-hits-record-high-154-million-us-victims-2016-16-percent-according-new
- Private Internet Access (PIA), VPN Service, retrieved from privateinternetaccess.com
More About Al:
Al Kelly is proud of a distinguished 20-year career in the U.S. Air Force, where he worked as a jet engine mechanic on various aircraft, in field training as a master aircraft trainer and as a security officer. After retirement, Al worked for a privately owned computer training company in Las Vegas and moved on to head the IT office of the largest title escrow company in Nevada. Afterward, he returned to the aircraft training field, working for McDonnell Douglas Aircraft Company and later Boeing in the Middle East. In 2001, Al spent over 13 years in Arizona teaching IT and security programs as a professor at UAT. His education includes a BS from Embry Riddle University, an AS from the Community College of the Air Force and an MCIS from the University of Phoenix.