In an ‘ethical experiment’ conducted earlier this year, a primary school child hacked into a free public WiFi hub in just over ten minutes.
The young hacker, a seven-year-old called Betsy, followed instructions she had acquired through a Google search, under the supervision of professional hacker Marcus Dempsey. It took her just 10 minutes and 54 seconds to set up a rogue access point at a free public WiFi hotspot and start eavesdropping on Internet traffic. It takes little imagination to conclude how much damage a maliciously motivated adult hacker could achieve in similar circumstances.
Yet a recent survey (Kaspersky) reveals that 70% of tablet owners and 53% of smartphone owners use public Wi-Fi hotspots. The security risk posed by hackers exploiting the vulnerabilities of these connections is immense, affecting all types of personal data including bank details and passwords.
What precautions can be taken to minimise this risk? To begin with, and obvious though it may sound, avoid using free public Wi-Fi. One way of doing this is to use your smartphone’s network. It may cost a bit more – particularly if you are abroad – but it could save you in the long run.
If you can’t do that, then treat all WiFi with suspicion. Possibly the greatest risk is not, as is often feared, the encryption or the data but the lack of verification that a hotspot is genuine. If possible, try to verify that any wireless connection is legitimate. Malicious users sometimes set up a connection name that is similar to that of the café or hotel that provides free WiFi, so it is advisable to ask someone who works there for the correct connection name and IP address.
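The name check described above can be automated once staff have confirmed the correct connection name. The following is an added example, not part of the original article: the network names are constructed, and the character substitutions and the 0.8 similarity threshold are assumptions.

```python
import difflib
import unicodedata

# Substitutions often used to make one name resemble another (assumed list).
CONFUSABLES = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"}
)


def normalize(ssid):
    """Reduce a network name to a comparison key: fold case and width,
    map lookalike characters, then drop spaces and punctuation."""
    text = unicodedata.normalize("NFKC", ssid).casefold().translate(CONFUSABLES)
    return "".join(ch for ch in text if ch.isalnum())


def classify(ssid, verified_ssid, threshold=0.8):
    """Return 'match', 'lookalike' or 'unrelated' for one visible network."""
    if ssid == verified_ssid:
        # The same name is necessary but not sufficient: a rogue access
        # point can broadcast the identical name.
        return "match"
    seen, good = normalize(ssid), normalize(verified_ssid)
    if seen == good:
        return "lookalike"  # differs only in case, spacing or swapped characters
    if good and good in seen:
        return "lookalike"  # verified name with extra words added
    if difflib.SequenceMatcher(None, seen, good).ratio() >= threshold:
        return "lookalike"  # near miss such as a dropped or changed letter
    return "unrelated"


def audit(visible_ssids, verified_ssid):
    """Return (name, verdict) for every visible name worth a second look."""
    results = [(s, classify(s, verified_ssid)) for s in visible_ssids]
    return [(s, v) for s, v in results if v != "unrelated"]


if __name__ == "__main__":
    # Constructed scan results; the verified name is what staff confirmed.
    scan = ["CornerCafe_Guest", "C0rnerCafe_Guest", "CornerCafe Guest",
            "CornerCafe_Guest_Free", "HotelLobby"]
    for name, verdict in audit(scan, "CornerCafe_Guest"):
        print(f"{verdict:10} {name}")
```

Any name reported as a lookalike should be avoided; connect only to the exact name staff gave you.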
Using a virtual private network (VPN) will provide you with a means of encrypting your data as it passes through the network. It will usually cost a bit more and performance will be slower, but in most cases it is still less expensive than using mobile data roaming. Accessing websites over encrypted HTTPS (SSL), which is now offered by many services that exchange e-commerce data or login details, is also a wise precaution, as is anti-malware and security software for your device.
Two-factor authentication is a good idea for any computer user but has added benefits for those using an open WiFi hotspot. For example, Google offers two-step verification on all user accounts which means that in the unlikely event that a password or username is intercepted, hackers will still need to go through an added step to break into the account.
At the risk of repetition, however, it is important to emphasise that the greatest risk in using free public WiFi is that a malicious or ‘evil twin’ hotspot can be set up to carry out spoofing attacks that manipulate DNS to feed the user authentic-looking login screens. Troels Oerting, head of Europol’s cybercrime centre, has said (in a BBC interview) that people should only send personal data across networks they trust. Authentication and trust are therefore key.
And if the ‘ethical experiment’ proves anything it is that you can’t even trust a seven-year-old.