By Eric Geier
July 28, 2006
It’s true: using and hosting a Wi-Fi hotspot can threaten security and compromise personal documents, privacy and identity.
The major concern of users at Wi-Fi hotspots, beyond not being able to connect, is security. These types of wireless networks are inherently “unsecure.” This is because encryption methods such as WEP and WPA, which are usually used to protect private wireless networks, aren’t implemented due to the complexities of supporting users. Furthermore, using WEP or WPA means you’ll have to advertise the “private” encryption key(s). This kills the whole idea of using encryption, because wireless eavesdroppers then have the key(s) to quickly decode the Wi-Fi hotspot traffic.
Many Wi-Fi hotspot users don’t understand the issues related to using public wireless networks, and so they don’t take any steps to ensure their personal documents, privacy and identity are safe. The same goes with the people installing the hotspots. They may not be aware of the issues they face, or the fact that they can take a few steps to help secure user access.
To understand how to protect yourself while using Wi-Fi hotspots and how hotspot administrators can better secure hotspots, everyone needs to be familiar with the main issues of these public wireless networks.
Real-Time Traffic is Exposed
Unlike public wired connections to the Internet, the use of hotspots imposes the risk of people capturing real-time traffic over the wireless connections. As shown in an earlier tutorial (Wi-Fi Security Issues Up Close), people can easily capture, from the air, the packets of unsecured connections to hotspots. Even with free tools, wireless eavesdroppers can see things such as:
- The Web sites you’re visiting. This may not pose any big problems, but some people may be sensitive about this.
- Login information to unsecured sites (non-SSL) along with the content. You log into a Web site such as a message or discussion board, which typically isn’t secured. Someone is nearby, capturing all the wireless packets out of the air, including your username and password. Now this person can log into your account and post messages that might misguide others and damage your reputation.
- Login information and content from services such as POP3 e-mail accounts and FTP connections. Say you typed up some replies to your e-mails while on a flight, and during your layover you logon to a hotspot to quickly synchronize your POP3 e-mail with Microsoft Outlook. Anyone capturing wireless packets nearby at that time now has your e-mail account information and the content of your sent and received messages.
Your Mobile Device May be Exposed
Wi-Fi hotspots use essentially the same type of architecture of other wireless networks found in enterprises and homes. The benefits of networking in those locations, such as file and resource sharing and client communication, aren’t so beneficial on public networks. They can, in fact, open you up to the outside.
- Access may be open to any shared files on your mobile device. You may have a wireless network at home and files in your Shared Documents folder for easy access from your other PCs. Typically, you don’t connect to public wireless networks, but you need to get a few e-mails sent and received while waiting for your flight. Thanks to your Shared Documents folder, others may be able to copy and/or edit your files.
- Authorized access of mobile devices. When users connect to Wi-Fi hotspots, they connect to a network. Therefore, the user devices may be able to communicate with each other. As a result, hackers within the hotspot may be able to access other mobile devices. Also, if not properly prevented from doing so, intruders may even come over the Internet.
“Evil-Twin Hotspots” Could Pop Up
“Wi-Fi troublemakers,” taking advantage of public networks, may set up an access point (AP) posing as a legitimate hotspot, and try to clone the look and feel of a real hotspot nearby. This is done in the hopes that Wi-Fi users will be fooled and connect to the fake hotspot. This then allows hackers to:
- Steal hotspot account and/or payment information. The fake hotspot may pretend it will provide Internet access for a fee, and when the user inputs their payment information, it goes into the hands of the evil twin operator (the hacker).
- Steal personal data by comprising the overall security of your mobile device. Some hotspots implement features so users can’t communicate with each other and snoop around their shared folders. However, the fake hotspot won’t have this feature. Any other clients can access your shared files, too.
Unprotected Public Workstations
Locations that offer wireless Internet access like hotels and airports typically also provide the use of Internet kiosks or public computers for Web access and word processing. This is a great benefit for those without their own devices, but can also pose many risks:
- Key loggers may be installed. Every keystroke you make may be recorded – comprising any login information, even for VPN connections.
- Your browsing history may be cached. People can see what Web sites you’ve visited, and they may be able to view these cached sites, which may invade your privacy, especially if you…
- Saved login information. Any saved login information — such as from clicking the well-known “Remember Me” option when logging into a site — may allow others to access your account(s).
Hotspot Operator Issues
Hotspot owners also have a few issues to worry about when hosting these public wireless networks, such as:
- Improper integration of public and private networks. This may compromise any PCs or data on any private networks, due to the public wireless access.
- Legal liabilities. Wi-Fi hotspots may be used for illegal purposes, such as sending SPAM or the use of illegal file-sharing programs.
Stay tuned for solutions that address these issues, so you can protect yourself when using or hosting Wi-Fi hotspots.
Eric Geier is a computing and wireless networking author and consultant. He’s employed with Wireless-Nets, Ltd., a consulting firm focusing on the implementation of wireless mobile solutions and training. Eric is an author and contributor to several books, including Wi-Fi Hotspots: Setting up Public Wireless Internet Access, as well as eLearning courses.