Are public Wi-Fi hotspots really a major security risk?

Public Wi-Fi is used by many to avoid big roaming bills. Can its risks be mitigated?

Intel Security (formerly McAfee) has done a cheerful summer poll that discovered something almost anyone who travels more than once in a blue moon could have told them for nothing - when it comes to Internet access, British holidaymakers happily flock to use cheap or free Wi-Fi hotspots over extortionately expensive 3G or 4G mobile alternatives.

Of course they do. Why would anyone pay pounds, dollars or Euros for each crappy megabyte when they can get the same access for nothing? The problem is that many of these Wi-Fi hotspots are open, that is use no encryption security, and are therefore risky.

According to Intel, 38 percent of the 2,000 people they asked were happy to use unsecured Wi-Fi, a percentage that sounds pretty optimistic - it's probably closer to 100 percent under certain circumstances, for example receiving an important email. Half of the respondents weren't sure how to secure themselves when using hotspots even if they saw them as a bad idea.

"Cybercriminals can intercept login information, credit card information and, if equipped with the right tools, can even use this information to lock users out of their own devices," said Intel Security's VP of consumer, mobile and small business security, Nick Viney.

But is that necessarily always true?

Home, public and work

There are several layers to computer security when using any untrusted public hotspot, including commonly those nearer home in the UK. For the device itself, Windows divides network connections into home, public and work profiles, auto-detecting and securing new ones and asking for confirmation which of the three a new connection falls under.

These settings can be customised by default turn off folder sharing, network discovery (which allows people to see you), and enforces encryption for file sharing transfers. The Windows firewall is also turned on automatically for both public and private networks.

A second and more critical layer is the browser itself, which is where the issue of secure HTTPS comes to the fore. A few years back, insecure HTTP was the standard way to access most websites but these days encrypted HTTPS SSL is offered on pretty much all services that exchange e-commerce data or logins. That means that even on open Wi-Fi hotspots, nothing is exchanged in the clear, and despite having no encryption in place at the Wi-Fi network layer, the connection to that site is still secure at the transport layer.

As 2014's Heartbleed security flaw underlined, this isn't totally fool-proof. There is a theoretical chance that SSL security could can be compromised on some sites using a server-side weakness but that also applies to any connection not only those over open Wi-Fi.

Users who want to ensure that their browser uses HTTPs whenever possible can install the HTTPS Everywhere plug-in for Chrome, Firefox or Opera. That stops the browser entering a site through an HTTPS connection but then quietly moving to sub-domains that don't employ the same security.

VPNs

A third and final layer are VPNs. These have tended to be used as a mechanism to avoid local blocking of UK or other services (e.g. BBC iPlayer) when abroad but they can also be used to set up a secure, encrypted connection through a third-party VPN server even when connecting to open hotspots. That will usually cost money and performance will be slower, but would still be less expensive than using mobile data roaming in most cases.

Regardless, business applications should always be accessed across a VPN with multi-factor authentication.

Captive portals

Public services such as hotels almost always stick a captive portal between the user and Internet access. It's important to remember that these are essentially authentication mechanisms for the business and don't offer any additional security although some might assume they do.

Two-factor authentication

Using services with verification is a good idea for any computer user but it has added benefits for anyone using an open Wi-Fi hotspot. Google offers 2-Step verification on all user accounts, which means that in the unlikely event that a password and username is intercepted, the criminals would still need to go through an added step (receiving an SMS code on a mobile phone) to break into the account.

Conclusion - open Wi-Fi hotspots are safe to use

Intel Security is right to point out that using open Wi-Fi is risky and there are sites we wouldn't advise users to access over an open connection even if they do have HTTPS such as banking websites, largely because of the risk of phishing or man-in-the-middle through an untrusted gateway. But Internet security has many layers. With the right precautions, on a lmited basis, open Wi-Fi hotspots are a perfectly safe alternative to mobile data for specific services.

But wait...

The real risk isn't the lack of encryption on public Wi-Fi but the lack of verification that a hotspot is genuine. A malicious or 'evil twin' hotspot can be set up to carry out spoofing attacks that manipulate DNS to feed the user convincing-looking login screens that turn out to be bogus. That's another reason why turning on two-factor or 2-step verification in tandem with a VPN is a good idea.

Join the CSO newsletter!

Error: Please check your email address.

More about GoogleIntelIntel Security

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By John E Dunn

Latest Videos

More videos

Blog Posts