Are you a road warrior who enters an airport, a doctor’s office or café and immediately asks “is there WiFi here?” If so, you’re not alone. Demand for public WiFi has driven its growth exponentially. It is projected there will be 432 million public Wi-Fi hotspots globally by 2020. Everyone loves public WiFi; it helps you stay connected and productive. We get it.
You know who else loves public WiFi? Cybercriminals. When no authentication is required to establish a network connection, cyberhackers get free rein to intercept what you are sending out. That includes security credentials, which could give them access to things that are not on your device, such as your bank accounts and confidential data on your secure business network. They can also use an unsecure connection to plant malware on your device. All of this should be basic cybersecurity 101, right? Apparently not.
In the latest AppRiver Cyberthreat Index for Business, 70% of all small-to-medium-sized business (SMB) decision makers admit to accessing the internet through unsecure public WiFi. Quite surprisingly, many of these innocent offenders include C-level executives and IT professionals. Among the 1,059 who participated in the cybersecurity survey nationally in early 2019, 53% admit to using unsecure public WiFi connections from time to time or frequently.
When SMBs expose their business devices, networks and data to cybercriminals, it is often not only their own businesses that are at risk. An independent pharmacy’s network could be an entry point to its customers’ confidential health and personal records, and accountants have access to their customers’ financial data and social security numbers. The opportunities are rich and endless, yet gaining access is often not that hard. This is precisely why cybercriminals love public WiFi.
The psychology behind the high incidence of public WiFi usage is interesting. Most SMB executives must know it carries a degree of risk, so why do they do it? Is it like bungee jumping? Or willfully not brushing your teeth after consuming the most decadent dessert? Without going into a dissertation on risk-taking behaviors, here are some helpful hints on safer ways to access wireless connections in public, if you must:
Always use a VPN
Virtual Private Networks extend a corporate network through encrypted connections. Think of it as a tunnel that allows your data to pass between the device and the network.
Connect only to HTTPS enabled sites
HTTPS is a secure protocol that utilizes encryption to protect your data. Your web browser’s address bar will show https:// in the far left portion of the address; if the “s” is missing then you are not utilizing the encrypted protocol. Also remember that some sites do not default to HTTPS, but if you manually replace the HTTP with HTTPS you can often establish a more secure connection. If you want to go the extra mile, consider using a browser plugin that forces HTTPS connections – there are many available.
Minimize your sensitive interactions
Avoid doing anything that pertains to sensitive data such as online banking, accessing corporate assets, accessing medical records, etc. If it can wait until you are on a secured connection, it’s always best to do so.
Pay attention to the network you are actually connected to
Often attackers will mimic your home network name, as many mobile devices are constantly broadcasting and looking for these networks by name. If you find you are connected to “my home network” and you are at the local Starbucks, then you could have a problem.
One way attackers can take advantage of open networks and devices looking to connect to those networks is via specialized devices. A WiFi Pineapple can now be purchased for less than $100. While it has legitimate uses, it also provides a great resource to nefarious actors.
Recently while traveling with a fellow Pen testing aficionado, AppRiver’s senior security analyst Troy Gill witnessed his travel companion firing up a Pineapple to see what would happen at an airport. With zero intention to capture any PII, Gill saw his fellow security specialist identify at least 10 open WiFi networks per minute – roughly 10% of which were not password protected. During the two-hour airport layover, they saw more than two dozen devices attempt to forcibly connect directly to the Pineapple device even as it was denying all connections. Had the two security specialists attempted to capture any data, Gill believed there would have been an inordinate amount up for grabs.
“I think many individuals are all too willing to risk their privacy and security in exchange for convenience,” said Troy Gill. “And many are simply underestimating the scope of the risk that they face daily.”
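The advice above to watch which network a device actually joins can be checked on the device itself. The following is an added example, not part of the original article: it audits saved Wi-Fi profiles for open networks the device will rejoin by name on its own. It assumes Linux NetworkManager keyfile-format profiles; the profile contents and SSIDs are constructed samples.

```python
import configparser

# Constructed sample profiles (NetworkManager keyfile format); not from the article.
SAMPLE_PROFILES = {
    "airport": "[connection]\nid=Airport_Free_WiFi\ntype=wifi\n\n"
               "[wifi]\nssid=Airport_Free_WiFi\n",
    "cafe": "[connection]\nid=CafeGuest\ntype=wifi\nautoconnect=false\n\n"
            "[wifi]\nssid=CafeGuest\n",
    "home": "[connection]\nid=HomeNet\ntype=wifi\n\n[wifi]\nssid=HomeNet\n\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\npsk=constructed-example\n",
    "dock": "[connection]\nid=Dock\ntype=ethernet\n",
}


def audit_profile(text):
    """Return (ssid, risk) for a saved Wi-Fi profile, or None if it is not Wi-Fi."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return None
    ssid = cp.get("wifi", "ssid", fallback=cp.get("connection", "id", fallback="?"))
    # A profile with a [wifi-security] section carries key material: not open.
    if cp.has_section("wifi-security"):
        return (ssid, "ok")
    # Open network. autoconnect defaults to true when the key is absent, so the
    # device will join any access point advertising this name without asking.
    auto = cp.getboolean("connection", "autoconnect", fallback=True)
    return (ssid, "high" if auto else "medium")


def audit_all(profiles):
    """Return the risky (ssid, risk) pairs, sorted by SSID."""
    results = [audit_profile(text) for text in profiles.values()]
    return sorted(r for r in results if r and r[1] != "ok")


if __name__ == "__main__":
    for ssid, risk in audit_all(SAMPLE_PROFILES):
        print(f"{risk:6} {ssid}")
```

Profiles reported as high are the ones to delete or set to not auto-connect once you have left the venue.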