Sunday, March 6, 2016

Risks of Using Public Wi-Fi

It’s often one of the first questions that now comes to mind when eating out, boarding a train or checking into a hotel: “Do you have Wi-Fi and is it free?” Nine times out of 10, the answer to both parts of the question will be a very welcome “yes”.


While we wouldn’t necessarily be lost without it in public and non-domestic settings – we can use our own, paid-for data – we nevertheless expect Wi-Fi to be available in most places. It’s a sign of how times have changed in the 21st century.

However, in the rush for convenience, we seem to have overlooked security when it comes to public Wi-Fi. And, as this feature investigates, there are plenty of dangers to be wary of.

Public access points, called “hotspots,” allow many people within a specified area to tune into a specific radio transmission. In other words, everyone sitting in a Starbucks cafe can access the “Starbucks Wi-Fi” channel to connect to the Internet. Unfortunately, public hotspots also allow anyone within the area to potentially read data that is not addressed to them. Below are some common ways that your privacy can be breached while using public Wi-Fi.

* Network Sniffing. To steal your personal information, all an attacker needs is a “sniffing” application that intercepts and gathers all visible traffic on a channel. Although WPA2 encrypts each connection between a Wi-Fi network and a user’s client, it is only designed to keep people who do not know the PSK off the network. If an attacker sniffs the four-way handshake and captures the PSK, he can decrypt all the traffic destined for your device until the PSK is changed. Even if the attacker doesn’t have the PSK, he may try to sniff the data itself and then try to use brute force to discover the key. The quality of the PSK that a wireless network administrator selects (i.e., length, different letter cases, use of symbols or known words) can have an impact on how easy or difficult it is to obtain the key.
* Third-Party Data Gathering. Even without the presence of active data hackers, your privacy is never guaranteed when you access a public hotspot. Often the biggest breaches of privacy are performed by the very establishments offering free Wi-Fi. Sometimes Wi-Fi is used to identify potential customers who are located in the vicinity of the access point, and sometimes it’s used to track the websites that a user visits for statistical or advertising purposes. Although not specifically malicious, this third-party data gathering can still be intrusive. Below are some common techniques that hotspot providers use to obtain information about Wi-Fi users.

  * Asking visitors to leave their phone number or email in exchange for the PIN to access the Internet.
  * Asking visitors to share something via a social network or give a program access to their social identity (e.g., to display targeted advertisements).
  * Leveraging multiple access points to triangulate the visitor’s physical location based on Wi-Fi signal strength (for example, to track their route through a store or to identify which establishments are currently the most crowded/popular).
  * Injecting cookies into their browser to track their history (e.g., to display targeted advertisements).

* Malicious Access Points. Since there are often multiple networks to choose from, you often have to guess which hotspot belongs to a specific venue. Some Wi-Fi users will even connect to a completely unknown network simply because it is unlocked. Obviously this practice poses some serious risks, especially if the access point is malicious or being manipulated by an attacker.

One of the biggest threats is “page spoofing,” where a malicious access point controls domain name resolution (i.e., how a domain name is translated into its numerical IP address). In the normal DNS resolution process, a user’s client will communicate with a DNS server in order to connect to the Internet.

In a spoofing attack, a hacker creates a fake version of a website in order to steal credentials. For example, you may be asked to “like” something on Facebook before you can access the Internet and then be directed to a fake Facebook login page that looks like the real thing. As you log in, this fake page would record your credentials, show a login error, and then redirect you to the real Facebook page for a “second attempt” at logging in. Before you’re even aware of what has happened, your social identity has been stolen.
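
A client-side check for the manipulated name resolution described above, as an added example that is not part of the original article. It compares the answers a hotspot's resolver gives with answers recorded earlier on a trusted network; the function name, the `.example` hostnames and all addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ranges that should never be the answer for a public website.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample data: reserved .example names, documentation addresses.
TRUSTED = {"bank.example": ["198.51.100.7"],
           "social.example": ["198.51.100.20"],
           "news.example": ["203.0.113.10", "203.0.113.11"]}
HOTSPOT = {"bank.example": ["192.168.1.1"],
           "social.example": ["192.168.1.1"],
           "news.example": ["203.0.113.10"]}

def audit_dns_answers(hotspot, trusted):
    """Return {name: [reasons]} for answers that suggest DNS manipulation."""
    findings = defaultdict(list)
    names_by_ip = defaultdict(set)
    for name, ips in hotspot.items():
        for ip in ips:
            names_by_ip[ip].add(name)
            # Strong signal: a public site answered with a local address.
            if any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS):
                findings[name].append(f"local address {ip}")
        # Weak signal on its own, because CDNs rotate addresses.
        known = set(trusted.get(name, []))
        if known and known.isdisjoint(ips):
            findings[name].append("no overlap with trusted answers")
    # Several different sites collapsing onto one address is typical of a
    # resolver that sends everything to a single box on the local network.
    for ip, names in names_by_ip.items():
        if len(names) > 1:
            for name in sorted(names):
                findings[name].append(f"{ip} also returned for other names")
    return dict(findings)

if __name__ == "__main__":
    for name, reasons in audit_dns_answers(HOTSPOT, TRUSTED).items():
        print(name, "->", "; ".join(reasons))
```

A captive portal produces the same pattern before you sign in, so the result is a reason to stop and check, not proof of an attack.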

Another tactic, commonly referred to as the “Evil Twin Attack,” leverages a fake access point to hack your data. This tactic is most often attempted in public parks or other large, unmonitored areas. Using a laptop with a wireless card, the attacker will access a legitimate access point to create an “evil twin” access point with a similar name. Imagine for a moment that you are at your local park, and your iPad detects a free Wi-Fi hotspot named “CityPark1.” Many of us would probably connect to the network based on its name alone. However, by not confirming the legitimacy of an access point before connecting to it, you enable attackers to gather an even wider range of personal information.
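
The look-alike naming described above can be checked against a list of nearby networks, shown here as an added example that is not part of the original article. It assumes the venue's real network is called "CityPark", uses WPA2, and that staff can tell you its access point's BSSID (hardware address); the scan entries are constructed.

```python
import re
from difflib import SequenceMatcher

# Constructed scan results: (SSID, BSSID, security). Not from a real network.
SCAN = [
    ("CityPark",   "02:00:00:00:00:01", "WPA2"),  # the venue's own AP
    ("CityPark",   "02:00:00:00:00:99", "OPEN"),  # same name, different radio
    ("CityPark1",  "02:00:00:00:00:98", "OPEN"),  # similar name
    ("CoffeeShop", "02:00:00:00:00:50", "WPA2"),  # unrelated neighbour
]

def normalise(ssid):
    """Fold case, drop separators and trailing digits, map digit look-alikes."""
    s = re.sub(r"[\s_.\-]+", "", ssid.lower())
    s = re.sub(r"\d+$", "", s)
    return s.translate(str.maketrans("0135", "oles"))

def find_suspect_aps(scan, venue_ssid, venue_bssids, venue_security,
                     threshold=0.85):
    """Return [(ssid, bssid, [reasons])] for networks imitating the venue's."""
    want = normalise(venue_ssid)
    known = {b.lower() for b in venue_bssids}
    suspects = []
    for ssid, bssid, security in scan:
        reasons = []
        if ssid == venue_ssid:
            # A matching BSSID is not proof (it can be copied), but an
            # unlisted one or weaker security is a clear warning sign.
            if bssid.lower() not in known:
                reasons.append("venue SSID from an unlisted BSSID")
            if security != venue_security:
                reasons.append(
                    f"security is {security}, venue uses {venue_security}")
        elif SequenceMatcher(None, normalise(ssid), want).ratio() >= threshold:
            reasons.append(f"name imitates {venue_ssid!r}")
        if reasons:
            suspects.append((ssid, bssid, reasons))
    return suspects

if __name__ == "__main__":
    for ssid, bssid, reasons in find_suspect_aps(
            SCAN, "CityPark", {"02:00:00:00:00:01"}, "WPA2"):
        print(f"{ssid} [{bssid}]: {'; '.join(reasons)}")
```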

How to protect yourself whilst using Public Wi-Fi:

* Exercise caution and verify the authenticity of the Wi-Fi network before logging onto it. For example, speak to an employee at the location that’s providing the public Wi-Fi connection, and ask for information about their legitimate Wi-Fi access point – such as the connection’s name and IP address.
* Use a trusted Virtual Private Network (VPN) service in order to secure your traffic. By using a VPN when you connect to a public Wi-Fi network, you’ll be encrypting all of your data that passes through the network.
* Use mobile data services such as 4G in preference to public Wi-Fi wherever possible.
* If you are concerned about the network, raise this with the organisation providing the public Wi-Fi service or contact Action Fraud.
* Don’t download applications to your electronic devices.
* Don’t install any updates to programmes on your computer.
* Avoid accessing your emails, social network accounts or online banking services.
* Don’t shop online or reveal financial details.
