Are public Wi-Fi hotspots really a major security risk?

Public Wi-Fi is used by many to avoid big roaming bills. Can its risks be mitigated?

Intel Security (formerly McAfee) has done a cheerful summer poll that discovered something almost anyone who travels more than once in a blue moon could have told them for nothing - when it comes to Internet access, British holidaymakers happily flock to use cheap or free Wi-Fi hotspots over extortionately expensive 3G or 4G mobile alternatives.

Of course they do. Why would anyone pay pounds, dollars or Euros for each crappy megabyte when they can get the same access for nothing? The problem is that many of these Wi-Fi hotspots are open, that is use no encryption security, and are therefore risky.

According to Intel, 38 percent of the 2,000 people they asked were happy to use unsecured Wi-Fi, a percentage that sounds pretty optimistic - it's probably closer to 100 percent under certain circumstances, for example receiving an important email. Half of the respondents weren't sure how to secure themselves when using hotspots even if they saw them as a bad idea.

"Cybercriminals can intercept login information, credit card information and, if equipped with the right tools, can even use this information to lock users out of their own devices," said Intel Security's VP of consumer, mobile and small business security, Nick Viney.

But is that necessarily always true?

Home, public and work

There are several layers to computer security when using any untrusted public hotspot, including commonly those nearer home in the UK. For the device itself, Windows divides network connections into home, public and work profiles, auto-detecting and securing new ones and asking for confirmation which of the three a new connection falls under.

These settings can be customised by default turn off folder sharing, network discovery (which allows people to see you), and enforces encryption for file sharing transfers. The Windows firewall is also turned on automatically for both public and private networks.

A second and more critical layer is the browser itself, which is where the issue of secure HTTPS comes to the fore. A few years back, insecure HTTP was the standard way to access most websites but these days encrypted HTTPS SSL is offered on pretty much all services that exchange e-commerce data or logins. That means that even on open Wi-Fi hotspots, nothing is exchanged in the clear, and despite having no encryption in place at the Wi-Fi network layer, the connection to that site is still secure at the transport layer.

As 2014's Heartbleed security flaw underlined, this isn't totally fool-proof. There is a theoretical chance that SSL security could can be compromised on some sites using a server-side weakness but that also applies to any connection not only those over open Wi-Fi.

Users who want to ensure that their browser uses HTTPs whenever possible can install the HTTPS Everywhere plug-in for Chrome, Firefox or Opera. That stops the browser entering a site through an HTTPS connection but then quietly moving to sub-domains that don't employ the same security.


A third and final layer are VPNs. These have tended to be used as a mechanism to avoid local blocking of UK or other services (e.g. BBC iPlayer) when abroad but they can also be used to set up a secure, encrypted connection through a third-party VPN server even when connecting to open hotspots. That will usually cost money and performance will be slower, but would still be less expensive than using mobile data roaming in most cases.

Regardless, business applications should always be accessed across a VPN with multi-factor authentication.

Captive portals

Public services such as hotels almost always stick a captive portal between the user and Internet access. It's important to remember that these are essentially authentication mechanisms for the business and don't offer any additional security although some might assume they do.

Two-factor authentication

Using services with verification is a good idea for any computer user but it has added benefits for anyone using an open Wi-Fi hotspot. Google offers 2-Step verification on all user accounts, which means that in the unlikely event that a password and username is intercepted, the criminals would still need to go through an added step (receiving an SMS code on a mobile phone) to break into the account.

Conclusion - open Wi-Fi hotspots are safe to use

Intel Security is right to point out that using open Wi-Fi is risky and there are sites we wouldn't advise users to access over an open connection even if they do have HTTPS such as banking websites, largely because of the risk of phishing or man-in-the-middle through an untrusted gateway. But Internet security has many layers. With the right precautions, on a lmited basis, open Wi-Fi hotspots are a perfectly safe alternative to mobile data for specific services.

But wait...

The real risk isn't the lack of encryption on public Wi-Fi but the lack of verification that a hotspot is genuine. A malicious or 'evil twin' hotspot can be set up to carry out spoofing attacks that manipulate DNS to feed the user convincing-looking login screens that turn out to be bogus. That's another reason why turning on two-factor or 2-step verification in tandem with a VPN is a good idea.

Join the CSO newsletter!

Error: Please check your email address.

More about GoogleIntelIntel Security

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place