4 October 2022

Is free WiFi trouble-free?

No. (More details below.)

Free WiFi is great because, well, it's free! Unfortunately, this comes with a "but". Here are some of the most common issues we see and how we recommend mitigating them. (The quick summary if you don't want to read everything below: if the public WiFi is from a reputable source and you want to do some casual surfing, you're probably fine; if you want to do some business stuff, use a VPN; and if you are not sure you can trust that WiFi, then don't use it (aka time to use your mobile hotspot).)

1: You may not actually be connected to the WiFi you think you are.

Cybercriminals are known to create fake hotspots to lure you (and your information) to their system.

For example, which of these are real and which are fake?

  • Airport WiFi
  • Free Airport WiFi
  • YYZ Guest WiFi
  • Starbucks
  • Starbucks Free WiFi
  • Starbucks free wifi

Potential mitigation tactics:

  • Confirm what the official network name is (and remember that names are case sensitive)
  • Tether to your own device and do not use free WiFi

2: Your device will keep trying to connect to WiFi it's been configured to use.

You went to a Marriott once and configured “Marriott Guest” as a valid WiFi to connect to; now your device will connect to anything called “Marriott Guest” that it sees. Guess what: cybercriminals know that and will create fake hotspots (with the right names) to lure you (and your information) to their system when you are in other places.

Potential mitigation tactics:

  • Disable the “auto connect” option on the WiFi profiles on your device
  • Tether to your own device and do not use free WiFi

3: Free WiFi networks are usually configured as “Open”, which is, well, open (aka not password protected and not encrypted).

Depending on how things are configured (usually for their convenience and not your security), it means everyone around you can see your Internet traffic. Yes, most of it is usually encrypted (the little lock in the browser bar (https)), but they can still see which websites you go to and, of course, see all the unencrypted traffic.

Potential mitigation tactics:

  • Use a VPN client that tunnels all your traffic to a safe place (including DNS queries)
  • Tether to your own device and do not use free WiFi (do you start to see a pattern here?)

4: You may be sharing more than you want.

Vendors offer free WiFi primarily for 2 reasons:

  • Keep you in their establishment
  • Learn more about you

As we established in 3, even if you go to encrypted websites, there is still a lot to learn about what you are doing while connected. In this scenario, it applies even if the WiFi is not “Open”, since they manage the keys to the kingdom.

Potential mitigation tactics:

  • Use a VPN client that tunnels all your traffic to a safe place (including DNS queries)
  • Tether to your own device and do not use free WiFi (do you start to see a pattern here?)

So what is someone to do?

For personal casual surfing:

  • If possible, always tether: many plans include a couple of GB, and 15 minutes of casual surfing will not drain it.
  • If you must use free WiFi: only connect to trusted vendors (if you are in a hotel and see “John's free WiFi”, don't use it).
  • Keep it casual (someone may be watching): it is not the right place to review your mortgage and google things that may not be in line with your public self.
  • And disable auto connect on those profiles.

For business use:

  • Tethering should be the default.
  • If you must use free WiFi: use a full tunnel VPN client to your office to hide your traffic.
  • Disable auto connect on those profiles.

Thanks for reading! You can find more content here: https://alcit.com/blog/

And feel free to reach out if you have any questions!

 
