Cyber Risk Aware Blog

The Cost of FREE Public WiFi

15-Mar-2019 14:43:40 / by Jennifer Nwaigwe M

Everything has a cost, and that does not exclude free public WiFi connections.

With every second you spend connected to a public WiFi network, your device and personal security are at risk. Just one misstep could leave you and your devices vulnerable to attacks from cyber criminals and other threat agents.

Public WiFi hotspots are very rarely password protected, and even when they are, the publicly available nature of the password makes it superfluous. Most public WiFi hotspots are set up by businesses and public space organizations hoping to lure you to use their services with the incentive of free internet.

Using these unprotected hotspots leaves you very susceptible to phishing, hacking, malware and cryptojacking. Since hackers know that very few people have adequate cyber security awareness or know enough to be cyber resilient, hacking public hotspots or providing their own hotspots to impersonate public ones is a favored tactic of the discerning cyber criminal.

 


 

You run the following major risks every time you log on to a public hotspot:

 

Identity Theft and Blackmail

At the risk of sounding alarmist, it is a hacker’s fantasy to get you to connect to a network they provide. If they can do this, which they generally achieve by impersonating a trusted network, they can very easily hack all connected devices, including PCs and smartphones, gaining access to the files contained therein. This means, for example, that if you connect your PC to such a network, hackers can get hold of some of your auto-saved passwords and email addresses, which they can exploit to steal from you and further use for criminal purposes.

Say, for example, you are at Dublin Airport and you see an open WiFi network called “Dublin Airport Free WiFi”. There is a strong possibility that you might connect to it based on the assumption that it is a free internet connection provided by the airport. In fact, it takes only a few seconds to modify an existing network’s SSID (its broadcast network name) and make it say pretty much anything the criminal wants it to say. The criminal could change the name of their smartphone WiFi hotspot to “Dublin Airport Free WiFi” and you would have no way of knowing.

Once you connect to this network, they can go through the files on your device with ease because, unknown to many people, the files on a networked device can generally be viewed by other devices on the network. Confidential company information, sensitive personal information like passwords and credit card details from browser auto-saved forms, and even media files can be harvested from your device while you stream a YouTube video or read the news using the “free WiFi”.

You would in effect have given the hackers your digital footprint on a platter, granting them full access to your most private data, which is generally stored on networked devices. After stealing from you by impersonating you, they can further compromise your network by posing as you, using your email address, for example, to send phishing messages.
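The SSID is only an unauthenticated label, which is why the name alone tells you nothing. As an added example (not part of the original post), here is how a venue's network team could flag access points that reuse or imitate its network name; the inventory `KNOWN_NETWORKS`, its BSSIDs and the scan rows are all constructed for illustration.

```python
import re

# Hypothetical inventory a venue's network team would maintain:
# legitimate SSID -> BSSIDs (AP radio MACs) and expected security mode.
KNOWN_NETWORKS = {
    "Dublin Airport Free WiFi": {
        "bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
        "security": "open",
    },
}

# Constructed scan results (ssid, bssid, security), not real captures.
SAMPLE_SCAN = [
    ("Dublin Airport Free WiFi", "00:11:22:33:44:01", "open"),
    ("Dublin Airport Free WiFi", "00:11:22:33:44:02", "open"),
    ("Dublin Airport Free WiFi", "02:aa:bb:cc:dd:ee", "open"),   # same name, unknown radio
    ("Dublin_Airport Free Wi-Fi", "02:aa:bb:cc:dd:ef", "open"),  # lookalike name
    ("CoffeeShop", "00:aa:00:aa:00:01", "wpa2"),
]


def normalize(ssid):
    """Collapse case, spacing and punctuation so lookalike names compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.casefold())


def find_suspect_aps(scan, known=KNOWN_NETWORKS):
    """Return (ssid, bssid, reason) for APs that reuse or imitate a known SSID."""
    by_norm = {normalize(name): (name, info) for name, info in known.items()}
    findings = []
    for ssid, bssid, security in scan:
        match = by_norm.get(normalize(ssid))
        if match is None:
            continue  # not imitating any network we are responsible for
        name, info = match
        if ssid != name:
            findings.append((ssid, bssid, "lookalike-ssid"))
        elif bssid.lower() not in info["bssids"]:
            findings.append((ssid, bssid, "unknown-bssid"))
        elif security != info["security"]:
            findings.append((ssid, bssid, "security-mismatch"))
    return findings


if __name__ == "__main__":
    for finding in find_suspect_aps(SAMPLE_SCAN):
        print(finding)
```

A BSSID can be copied just as easily as an SSID, so a clean result here does not prove a network is genuine; the check only surfaces the obvious impostors.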

 

Ransomware and Cryptojacking Malware

In some particularly unfortunate cases, the data stolen from such devices is so sensitive that it is used to blackmail the owner or extort them. Alternatively, such networks can be used to upload ransomware or cryptocurrency mining malware to connected devices, which would at best make them run slower and use more system resources, or at worst physically damage the devices or render them unusable by encrypting all the data on them.

If your device is hit by ransomware, what generally happens is that all the data on the device including the operating system is encrypted and locked away from you, and then a message appears telling you to pay a certain amount of money (usually using a privacy-focused cryptocurrency like Monero or Zcash) to a scarcely-traceable cryptocurrency wallet. Whether such cyber criminals actually provide a decryption key following payment is a very hit-and-miss affair.

If crypto mining malware is uploaded to your device, on the other hand, you will basically help the cybercriminals make money all day by unwittingly donating all your computer’s ‘spare’ processing capacity to mining cryptocurrencies like Monero and Bitcoin. At best, this may result in loss of CPU speed and increased power consumption, but at worst it could render your device unusable or even physically fry it. This practice is known as “cryptojacking”, or stealing computer resources to mine cryptocurrencies instead of investing in mining hardware.

 

Man-In-The-Middle Attacks

Another name for this is ‘Data Interception.’ These malicious attacks ensure that hackers get any communication you make over the internet for the period you are connected to the public WiFi. Financial transactions, emails and private messages can be easily accessed by these hackers and used as previously outlined. Unlike the previous method of impersonating a trusted network, this method involves penetrating the actual trusted network and intercepting data packets being sent on the network – hence the name.

While many argue that using HTTPS would block these attacks, the truth is that the risk is still high, because through this connection hackers can also access files on your device, clone them or drop malware that keeps running long after you’ve disconnected from the public WiFi.

Internet security company Avast recently carried out a study to assess how easily hackers could lure people through free Wi-Fi. The security company set up a number of fake free WiFi hotspots to see how many people would connect and the answer was A LOT. Setting up free fake WiFi isn’t a new trick and is something hackers do especially in tourist-friendly areas and popular public spaces.

Avast’s study revealed that identities of 68.3% of the users were exposed, 30.7% checked their emails, and 13.8% used chat applications like WhatsApp and Skype. Had the hack been real, the pool of data the hacker would have had access to is best left imagined. This, unfortunately, happens every day and the only sure way to ensure you are protected is by staying away from public hotspots altogether. This can be achieved by having your own portable hotspot MiFi for those times you really need internet access. Also ensure that your personal hotspot is protected by a strong password.

 

When you unavoidably have to connect to a public WiFi connection, be careful not to access sensitive platforms (like your work email for example) or share sensitive/confidential information. Also make sure that any information you send is that which you would be happy seeing on the front page of a newspaper, because that is about how private public WiFi networks are.

Topics: CyberCrime, Phishing, Security awareness, Social Engineering, Accidental Cybersecurity Leaks


Written by Jennifer Nwaigwe M

Digital Marketing, Food and Literature.