In recent years, the number of publicly available Wi-Fi hotspots has increased significantly. We have reached a point in time where public Wi-Fi in coffee shops, restaurants and hotels has moved beyond ‘nice to have’ to ‘expected’ and choices of destination are often being decided by Wi-Fi availability over and above quality of food, drink and accommodation. As availability has grown, extending to public libraries, airports, railway stations and public transport, so have the risks, something that is not widely understood.
My first suggestion is to avoid public Wi-Fi completely and connect using 3G, 4G or 5G when it arrives. This avoids all the security issues with public Wi-Fi. The security which needs to be considered is that of the telecommunications provider: one provider, not hundreds or thousands of different connection points in places you might never visit again. That said, it is not always an option for any number of reasons:
- Not all tablets have SIM card capability and are sold as Wi-Fi only
- Roaming charges outside of the European Union can be extremely cost prohibitive resulting in a financial need to use Wi-Fi. However, if this is a frequently travelled destination, or a long duration abroad, the option is available to use a foreign SIM card. Again, this is only as secure as the confidence you have in the foreign telecommunications provider, but it will mean vetting one business rather than thinking or worrying about every Wi-Fi provider you connect to.
- Not many laptops have SIM card slots as standard, however USB attachable mobile broadband is available and works in much the same way. Alternatively, mobile telephones and tablets can be set up as remote hotspots to route internet traffic.
If public Wi-Fi is the only option available, the following suggestions will strengthen your security posture and reduce risks.
Use a Virtual Private Network (VPN)
With a VPN, an encrypted connection is established to a server on the Internet, and all communication is routed through this server instead of directly through public Wi-Fi.
The public Wi-Fi router will only see the encrypted connection between your PC, tablet or telephone and the VPN server. This doesn’t stop traffic from being intercepted, but when considering the effort required to decrypt the data against the reward which may be available from doing so, unless a specific person is the target for specific reasons, it is likely that an easier target will be sought.
If you were to log in to your bank, for example, the request is encrypted and sent to the VPN server. The public Wi-Fi only sees the encrypted connection. The connection to the bank is established by the VPN server. The bank at this point sees the connection established by the VPN server, including the IP address of the VPN, not the IP address from your device. Up to the point when you need to log on to specific services, the VPN allows you to browse the Internet anonymously.
In addition to improved security, there are other motivations for using a VPN such as gaining access to region specific websites. Many websites check the IP address of the incoming connection, and present content based on the geographical location of visitors. Using a VPN can bypass these checks if the VPN server is in the same location as the site you want to visit.
Many sites are geographically restricted for legal reasons such as the broadcasting of licensed content. The BBC requires a TV licence for streaming of live content; therefore, content is restricted to IP addresses known to be within the UK. Likewise, with Amazon Prime, films and television programmes are available under licence for specific regions and restrictions need to be applied to streamed content.
Consequently, because VPNs can be used to bypass geographical restrictions, to comply with contractual requirements, extra measures often need to be taken to block access such as checking IP address ranges against known VPN services and blocking access. Some services will ask for the VPN to be disabled in order to proceed, but such requests are not always reasonable and if you have invested in a VPN service, you should definitely think twice if a website asks you to disable it.
For improved security, some websites compare previously used IP addresses with the IP address used for the current connection in an effort to prevent unauthorised access. In practice this means that using a VPN could result in a significant increase in identity checks such as emailing confirmation codes or one-time-use passwords. Although this might feel frustrating, this process does work as a form of two-factor authentication. With the VPN service, the servers could be in many different countries, and the server used can fluctuate quite often, so to your bank or other online service, the connection will show as coming from different countries and could easily be interpreted as a potential unauthorised access.
The key is not to let the change in behaviour of websites you are visiting distract you from the fact that the VPN is there for your personal safety and security, and not to entertain the idea that you should need to disable it. If you were told by a website or piece of software, that your anti-virus software needed to be disabled in order to use their service, you would not follow their instructions. Treat your VPN service in the same way!
Businesses that allow remote and home working are expected to provide their staff with VPN access as a means of connecting to the company network and protecting corporate data, which often includes customer data.
VPN services are not expensive. In fact, some services are available free of charge. However, a key consideration is the trustworthiness of the VPN provider to begin with. With a VPN, you are choosing to explicitly route all your internet traffic through specific servers belonging to the VPN service provider, therefore it is essential that the provider is trustworthy. Some of the leading brands in anti-malware offer VPN services, but when searching the Internet, there are 1000s of services available, most of which will be unknown to you. When a suggestion is made that a VPN should be used, it is easy to assume that any VPN will do, but this could not be further from the truth.
If you install a VPN service belonging to fraudsters for example, then all Internet traffic will be explicitly routed through servers belonging to fraudsters, something likely to be far worse than the risk that someone might intercept communication over public Wi-Fi.
It is your responsibility to do your own research and choose a service provider that you can trust and depend on. I wrote an article last year called ‘The Website Credibility Test’, but dependability and credibility are often very subjective, and the emphasis in this article was to help people decide for themselves.
Regardless of how you connect to the internet, whether it is public Wi-Fi, 3G/4G, or connecting to the Internet from home, using a VPN is still a good idea. Without a VPN, there are still extra measures which can be taken to improve your safety and security online. Here are more suggestions, and why they are important.
Use HTTPS instead of HTTP
Accounts which require you to log on should be using HTTPS:// (Hypertext Transfer Protocol Secure) as the protocol in their web address, and not just HTTP://. HTTPS:// encrypts traffic between your browser and the website that you are using. Regardless of where you are and how you are connecting to the Internet, it is good practice to only use logon credentials on a website with HTTPS; however, HTTPS is not always available and, when it is available, not always enforced.
- Logging in on an HTTP website can expose your logon credentials. With the same logon credential being used in multiple places, accessing low importance sites with public Wi-Fi can facilitate access to high importance sites.
- The option to always use HTTPS is available in browsers or as an add-on component. If a connection is attempted using HTTP where HTTPS is available, a secure connection will be made.
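What "available but not always enforced" looks like from the client side, as an added example that is not part of the original article: the function classifies a site from its responses to an http:// and an https:// request. The response tuples, the function names and the `bank.example` host are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 307, 308)

def header(headers, name):
    """Case-insensitive header lookup; returns '' when absent."""
    return next((v for k, v in headers.items() if k.lower() == name), "")

def hsts_max_age(headers):
    """Seconds the browser is told to insist on HTTPS (0 if no valid HSTS)."""
    value = header(headers, "strict-transport-security")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
    return int(m.group(1)) if m else 0

def https_enforcement(http_resp, https_resp):
    """Classify a site from (status, headers) tuples; None means no answer."""
    if https_resp is None:
        return "http-only"               # credentials would travel in clear text
    if http_resp is None:
        redirected = True                # nothing listens on plain HTTP
    else:
        status, headers = http_resp
        target = urlsplit(header(headers, "location"))
        redirected = status in REDIRECTS and target.scheme == "https"
    if not redirected:
        return "available-not-enforced"  # http:// pages are still served as-is
    if hsts_max_age(https_resp[1]) > 0:
        return "enforced"                # browser upgrades later visits itself
    return "redirect-only"               # each visit can still start on HTTP

# Constructed sample responses (not captured from any real site).
PLAIN_OK = (200, {"Content-Type": "text/html"})
TO_HTTPS = (301, {"Location": "https://bank.example/login"})
TLS_PLAIN = (200, {"Content-Type": "text/html"})
TLS_HSTS = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    for label, pair in [("no TLS", (PLAIN_OK, None)),
                        ("TLS optional", (PLAIN_OK, TLS_PLAIN)),
                        ("redirect", (TO_HTTPS, TLS_PLAIN)),
                        ("redirect + HSTS", (TO_HTTPS, TLS_HSTS))]:
        print(f"{label:16} -> {https_enforcement(*pair)}")
```

On an untrusted network the "redirect-only" case matters: the first request still leaves the device unencrypted, which is the gap an always-use-HTTPS browser setting closes.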
Other thoughts for consideration
So far, we have considered not using public Wi-Fi, using a VPN, and making sure that secure connections are made using HTTPS instead of HTTP. There are more things that can be done to help protect yourself online, and plenty of reasons why it is essential to do so.
- Malicious Wi-Fi – not all public Wi-Fi is legitimate. If the first thing you do when visiting a coffee shop, restaurant or any other location is to look for the free Wi-Fi, how do you know that the network you are selecting is a legitimate service offered by the establishment you are visiting? If in doubt, ask a member of staff for the Wi-Fi details to make sure you are connecting to the right network. Anyone could create a mobile hotspot called ‘Coffee Shop Free Wi-Fi’ and make it look official. This applies anywhere that you would normally find free Wi-Fi.
- Free Wi-Fi without logon details – if you are able to connect to Wi-Fi without a network ID and password, the connection is most definitely unencrypted
- Free Wi-Fi with auto site connection – when you have selected your Wi-Fi and open your browser, you are redirected to a specific page rather than your usual default page. These pages often open automatically and often ask for registration, but not all of them are legitimate. Some are there for the sole purpose of capturing personal information.
- Free Wi-Fi which requires extra software – Software installations are never required in order to use Wi-Fi. If a Wi-Fi connection redirects you to a page where you are asked to install software, reject the idea completely.
- Popup adverts on free Wi-Fi – advertisements delivered through free Wi-Fi often manipulate users into downloading malware, for example with special offers relevant to the current location, such as a 20% discount on duty-free goods if you are connected to Wi-Fi in an airport. If you believe you are connected to the airport’s free Wi-Fi service, you would not suspect an electronic attack.
- Something free needs a credit card – there are so many sites which offer something free, then ask for credit card details. Put simply, if the intention is to provide you with something free of charge, your credit card is not required. If a credit card is required, it means their ulterior motive is to charge you for something. You should never need a credit card to connect to Wi-Fi – anywhere.
- Make sure file-sharing is turned off when connected to a public network
- Disable Wi-Fi in public places if access is not required
- Ensure that your devices are protected with anti-malware
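The first two points in the list above (a look-alike network name and a network with no password) can be checked from a scan before connecting. The following is an added example, not part of the original article: it reads a constructed scan in the terse format of `nmcli -t -f SSID,BSSID,SECURITY device wifi list` and flags open networks and names offered both with and without encryption. The function names and the sample data are assumptions, and a flag is a heuristic prompt to ask staff, not proof of a rogue hotspot.

```python
from collections import defaultdict

# Constructed scan in the terse format of
# `nmcli -t -f SSID,BSSID,SECURITY device wifi list` (colons inside a field
# are backslash-escaped; an open network has an empty SECURITY field).
SAMPLE_SCAN = r"""Coffee Shop Free Wi-Fi:AA\:BB\:CC\:00\:00\:01:WPA2
Coffee Shop Free Wi-Fi:AA\:BB\:CC\:00\:00\:02:
Airport_Guest:AA\:BB\:CC\:00\:00\:03:
HomeOffice:AA\:BB\:CC\:00\:00\:04:WPA2 WPA3
"""

def split_terse(line):
    """Split on unescaped ':' and drop the escaping backslashes."""
    fields, cur, escaped = [], [], False
    for ch in line:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return fields + ["".join(cur)]

def parse_scan(text):
    """Return (ssid, bssid, security) tuples, skipping malformed lines."""
    rows = [split_terse(l) for l in text.splitlines() if l.strip()]
    return [(s, b, sec.strip()) for s, b, sec in (r for r in rows if len(r) == 3)]

def triage(text):
    """Map each SSID worth a second look to the reasons it was flagged."""
    by_ssid = defaultdict(list)
    for ssid, _bssid, sec in parse_scan(text):
        by_ssid[ssid].append(sec in ("", "--"))   # True = no encryption
    findings = {}
    for ssid, open_flags in by_ssid.items():
        if any(open_flags):
            reasons = ["open"]
            if not all(open_flags):
                reasons.append("mixed-security")
            findings[ssid] = reasons
    return findings

if __name__ == "__main__":
    for ssid, reasons in triage(SAMPLE_SCAN).items():
        print(f"{ssid}: {', '.join(reasons)}")
```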
There is no such thing as 100% safety or 100% security, and although one option is never to connect to public Wi-Fi, ever, this is far from practical and there will always be times when it becomes necessary. The next alternative is to be selective over how your devices are used while connected to public Wi‑Fi, such as not accessing bank accounts, not entering credit card details, not accessing social media accounts or email accounts. Again, this is not practical and these are things people expect to be able to do.
To conclude, here are 3 suggestions:
- Use 3G/4G to access the internet instead of relying on public Wi-Fi
- Use a VPN configured to connect to the Internet. This adds a layer of security even over 3G/4G and acts as a backstop in any dead spots where Wi-Fi is needed.
- Be mindful of how you are using the Internet in public and avoid anything which is out of the ordinary or deviates from normal established practices
Information security consultant with over 20 years’ extensive experience gained across a diverse range of private and public industry sectors including insurance, banking, telecommunications, health services, charities and more, both in the UK and internationally. Graduated in 1997 with a software engineering degree and specialising in cyber security, risk analysis, compliance reporting and access management.