Key takeaways
In part one of this series, 7SIGNAL looked at the history of public Wi-Fi, the Firesheep days, and how the Edward Snowden leaks changed the landscape forever, making HTTPS the standard security protocol. That was in 2013; since then the world, the internet, and the ways security is maintained have all changed.
As you scroll through websites and apps on your mobile device or laptop in a coffee shop, you might (and should) think about the security risks you're taking. In the webinar Enough FUD, Public Wi-Fi Is Safe, 7SIGNAL discussed the real risks of public Wi-Fi in today's world and why switching from Wi-Fi to your cellular provider's network isn't much better. Considering the current and future state of public Wi-Fi security, what can you do to keep yourself and your devices more secure?
Some bottom-line basics that bear repeating include:
Users are more aware today of the risks of public Wi-Fi. Wi-Fi security (the WPA2/WPA3 link encryption) only applies between your device and the AP/controller you're connected to. Past that point the Wi-Fi layer no longer protects your traffic, which crosses other networks on its way to the various cloud services you use, and the exposure to attack increases. Relying on Wi-Fi alone for security is therefore a serious mistake. These are some of the top risks to be aware of:
Clear-text DNS traffic can expose the websites and apps you're using, but not the traffic or data within those apps, and certainly not your credentials, which travel inside the HTTPS session.
You can mitigate that with encrypted DNS (DNS over HTTPS or DNS over TLS), which some platforms enable automatically. Combined with near-universal HTTPS, this makes the session-hijacking attacks of the Firesheep days much more difficult.
HTTPS downgrade attacks (often called SSL stripping) are where a man-in-the-middle tries to downgrade you from an HTTPS session to an HTTP session so they can read or alter your data, capture your credentials, and launch further attacks.
This is much harder to do now than in the past. The attacker first has to get into the traffic path at all, which on a shared network typically means ARP gateway spoofing (convincing clients to send their traffic to the attacker's machine instead of the real gateway) or DNS hijacking (redirecting domain resolution), and then still has to get around HSTS and the browsers' HTTPS-only modes.
Rogue APs are how man-in-the-middle attacks are usually accomplished today. This is a general risk of using Wi-Fi, public network or not, and network operators can use a wireless intrusion prevention system (WIPS) to detect and contain rogue networks. More important for the user: clients running well-hardened applications aren't at risk even on a malicious network. Connectivity might fail and apps might not work, but if you follow the best practices below you won't fall prey to an HTTPS downgrade or become a victim of the attacker who controls the network.
These are real threats to using public Wi-Fi, but the risk is nowhere near what it used to be.
Captive portals are a poor choice from a security perspective for the end user, and they can make public Wi-Fi less safe. To force its page to load, a captive portal intercepts the client's first unencrypted HTTP request (or its DNS lookups) and redirects it: in effect, the network performs a man-in-the-middle attack on its own users, the very behaviour clients are otherwise taught to treat as hostile.
It's not recommended to reveal citizenship or other personal information to an airport network operator, nor to hand over a Facebook profile through a social-login portal that will scrape the profile's data, just to use a guest Wi-Fi network.
Some portals will ask you to fill out a form with all sorts of information; beware of these forms. They may be entirely harmless and used only for marketing, but the more of your data that lands in these databases, the bigger your personal attack surface.
Malicious actors target those databases because they’re full of personally identifiable information, and they absolutely are going to use that data with malicious intent.
VPNs and using your mobile device as a hotspot pose risks. Here’s why.
A corporate VPN is a very good security solution, but personal (consumer) VPN services are not recommended: they have had their own vulnerabilities, and the VPN service now receives all your network traffic, so privacy becomes a factor.
Do you trust them? Are you just moving the problem from trusting your ISP to trusting this VPN provider?
An alternative to a VPN is simply insisting on HTTPS. The HTTPS Everywhere browser extension for Firefox, Chrome, Edge, and Opera rewrote requests to major websites to use HTTPS, effectively putting the browser in HTTPS-only mode; major browsers now offer native support for an HTTPS-only mode, which has since superseded the extension. Another option is using an ad blocker and secure DNS, although those aren't specific to public Wi-Fi.
Something else to be aware of is supercookies. Some cellular carriers inject these identifiers, which act like session cookies, into subscribers' traffic to identify the user, track online activity, and modify traffic.
They can track you around the web even if you remain logged out of sites and use private browsing modes. Because the carrier inserts them into HTTP requests in transit, they can only be added to unencrypted traffic, which is one more reason to insist on HTTPS.
Most web applications now contain application-level security, and further measures to cement HTTPS are being implemented. One of them is HTTP Strict Transport Security (HSTS): a Strict-Transport-Security response header, sent by the site over HTTPS, that tells the browser to use only HTTPS for this domain from then on, rewriting any http:// link or typed address before a request goes on the wire. The policy has a max-age after which it expires, but it's often set to a year or more, and browsers ignore the header if it arrives over plain HTTP, so an attacker on the network can't set or clear it.
Other protections are hardening the browser as well. Both Chrome and Firefox implement HTTPS-only modes in which the browser won't do anything over HTTP unless the user clicks through an alarming "This site may not be secure" warning. That warning means you could be under attack and shouldn't proceed, or at least shouldn't enter sensitive information: the browser expects HTTPS because that's how web browsing should happen now.
Transport Layer Security (TLS) is also being enforced by the mobile operating systems, iOS and Android. Since iOS 9, released in 2015, Apple's App Transport Security (ATS) has required apps to use TLS (HTTPS) for network connections. Android followed in 2018 with version 9, which blocks cleartext HTTP by default for apps that target it. Both platforms block unauthorized HTTP connections; exceptions are possible, but the app must declare the specific domains they apply to (in its ATS exception list on iOS, or in its network security configuration on Android). These checks present roadblocks for man-in-the-middle attacks.
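As an added example (not from the original post), here is a small Python audit of the Android side of this: it reads a network_security_config.xml and reports where cleartext HTTP is permitted. Two configs are constructed for it, a weak one that re-enables HTTP app-wide and a hardened one that keeps the Android 9 default and exempts only a single hypothetical legacy host; the domain name is invented.

```python
"""Audit an Android network_security_config.xml for cleartext (HTTP)
allowances, the declared exceptions the text refers to. The two configs are
constructed for this example: one that re-enables HTTP app-wide and one that
keeps the Android 9 default and carves out a single legacy host."""
import xml.etree.ElementTree as ET

WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Re-enables plain HTTP for every host: undoes the Android 9 default -->
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>
"""

HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <!-- One legacy host may still use HTTP; everything else must use TLS -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">legacy.example.com</domain>
    </domain-config>
</network-security-config>
"""


def cleartext_allowances(xml_text: str, target_sdk: int = 28) -> dict:
    """Return {"global": bool, "domains": [...]}: whether cleartext is allowed
    app-wide and which domains are explicitly exempted. Without a base-config
    the platform default applies: blocked from targetSdkVersion 28 (Android 9)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "network-security-config":
        raise ValueError("not a network security config")
    result = {"global": target_sdk < 28, "domains": []}
    base = root.find("base-config")
    if base is not None and "cleartextTrafficPermitted" in base.attrib:
        result["global"] = base.attrib["cleartextTrafficPermitted"] == "true"
    for dc in root.iter("domain-config"):       # iter() also catches nested ones
        if dc.attrib.get("cleartextTrafficPermitted") == "true":
            result["domains"].extend(d.text.strip() for d in dc.findall("domain"))
    return result


def audit(xml_text: str, target_sdk: int = 28) -> list:
    """Findings an app-security reviewer would raise from the config."""
    info = cleartext_allowances(xml_text, target_sdk)
    findings = []
    if info["global"]:
        findings.append("cleartext permitted app-wide: any on-path attacker "
                        "can read or alter the app's traffic")
    for domain in info["domains"]:
        findings.append(f"cleartext permitted for {domain}: confirm nothing "
                        "sensitive (tokens, credentials) is sent there")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no cleartext findings"])
```

The iOS equivalent is the NSAppTransportSecurity dictionary in Info.plist, where the analogous red flag is NSAllowsArbitraryLoads set to true rather than a per-domain exception.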
The next step is securing the public Wi-Fi link itself.
The public is in a very different state regarding public Wi-Fi security. There are hardened applications and a lot of security at the application layer. However, at the data link layer, the MAC layer where Wi-Fi security exists, public Wi-Fi networks are almost all wide open, just as they were 12 years ago.
Some options are in the works, such as Opportunistic Wireless Encryption (OWE, marketed as Wi-Fi Enhanced Open) and Passpoint, which already have some airport deployments. WPA3 also includes an interesting feature, SAE Public Key (SAE-PK), which ties the network password to a public key so that a rogue AP can't impersonate the network even if it knows the password; it isn't yet widely implemented.
Since public Wi-Fi itself hasn't really changed, and the improvements have come from application security, the advice around using public Wi-Fi isn't new. Your DNS traffic is exposed, so an observer can see the domains and applications in use. More users have encrypted DNS than realize it, because Chrome started using DNS over HTTPS (DoH) by default in 2020 where the configured resolver supports it.
Chrome encrypts DNS traffic when it can, but other unencrypted traffic remains. Multicast DNS (mDNS) and SSDP (Simple Service Discovery Protocol) are used on LANs to advertise the presence of Chromecasts, Apple TVs, AirPlay receivers, and so on, and your own device's hostname goes out the same way. This may pose a risk if an attacker wants information such as device hostnames: business hostnames often incorporate the company name and may indicate a server's role or function, handing attackers information they shouldn't have.
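To make the exposure described in the last two paragraphs concrete, here is an added Python example (not part of the original post) of what a passive listener on an open network recovers from cleartext DNS and mDNS. It builds the query packets in RFC 1035 wire format in-line rather than capturing live traffic, parses the question section back out (including label compression pointers), and sorts the names into internet domains, LAN service types, and hostnames. All addresses and names are constructed.

```python
"""What a passive listener on an open Wi-Fi network learns from cleartext DNS
(UDP/53) and multicast DNS (UDP/5353). The packets are built in-line for the
example; the addresses and names are invented."""
import struct

QTYPE_NAMES = {1: "A", 12: "PTR", 28: "AAAA", 33: "SRV"}


def build_query(qname: str, qtype: int, txid: int = 0x1234, mdns: bool = False) -> bytes:
    """Build a one-question DNS/mDNS query in RFC 1035 wire format."""
    flags = 0x0000 if mdns else 0x0100               # unicast queries set RD
    header = struct.pack(">HHHHHH", 0 if mdns else txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    qclass = 0x8001 if mdns else 0x0001              # mDNS sets the QU bit
    return header + labels + b"\x00" + struct.pack(">HH", qtype, qclass)


def read_name(pkt: bytes, offset: int):
    """Decode a (possibly compressed) domain name; returns (name, next_offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack(">H", pkt[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(pkt[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end


def parse_queries(pkt: bytes):
    """Return [(qname, qtype_name), ...] from the question section."""
    _txid, _flags, qdcount = struct.unpack(">HHH", pkt[:6])
    offset, out = 12, []
    for _ in range(qdcount):
        name, offset = read_name(pkt, offset)
        qtype, _qclass = struct.unpack(">HH", pkt[offset:offset + 4])
        offset += 4
        out.append((name, QTYPE_NAMES.get(qtype, str(qtype))))
    return out


# Constructed "capture": (source IP, UDP destination port, payload)
CAPTURE = [
    ("192.168.1.23", 53, build_query("mail.example-corp.com", 1)),
    ("192.168.1.23", 53, build_query("vpn.example-corp.com", 28)),
    ("192.168.1.23", 5353, build_query("_googlecast._tcp.local", 12, mdns=True)),
    ("192.168.1.23", 5353, build_query("alices-macbook-pro.local", 1, mdns=True)),
]


def observer_view(capture):
    """Sort what the names reveal: internet domains, LAN service types, hostnames."""
    seen = {"domains": set(), "lan_services": set(), "hostnames": set()}
    for _src, port, payload in capture:
        for name, _qtype in parse_queries(payload):
            if port == 5353 and name.endswith(".local"):
                bucket = "lan_services" if name.startswith("_") else "hostnames"
                seen[bucket].add(name)
            elif port == 53:
                seen["domains"].add(name)
    return seen


if __name__ == "__main__":
    for bucket, names in observer_view(CAPTURE).items():
        print(bucket, sorted(names))
```

With DoH or DoT enabled, the port-53 entries vanish from this view (the observer sees only a TLS connection to the resolver), but the mDNS entries remain: they are link-local multicast and are not touched by encrypted DNS, which is why a company-style hostname still leaks on a guest network.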
If you want to be more secure when using Wi-Fi, harden the applications, use strong authentication and encryption, and act as if the network is compromised. You can survive a malicious, unencrypted, or unsecured network with strong application layer security.
How do you use public Wi-Fi safely?
Practice good security hygiene. Keep your devices and apps up to date, and don't ignore the notices that say security updates are waiting to be installed; read them carefully, because they exist for a reason.
Network engineers running public Wi-Fi networks can help by deploying man-in-the-middle countermeasures. IP and ARP spoofing protections are available from most of the major AP vendors: Cisco calls its feature IP Theft detection and enables it by default, and Cisco IOS-XE controllers and Aruba likewise ship anti-spoofing features that are enabled by default. Of course, always use Wi-Fi client isolation on guest networks so that clients can't talk to each other directly.
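The ARP gateway spoofing mentioned earlier and the vendor anti-spoofing features mentioned here are two sides of the same check, so a single added example (Python, not code from the original post or from any vendor) covers both: a dynamic-ARP-inspection style validator that compares ARP packets from client-facing ports against a trusted IP-to-MAC binding table built from DHCP leases plus the gateway's static entry, and a client-side helper that spots a second MAC answering for the gateway. The leases, addresses and packets are constructed for the example.

```python
"""Dynamic-ARP-inspection style check, the kind of anti-spoofing logic an AP or
controller can run: ARP packets from client-facing (untrusted) ports must match a
trusted IP-to-MAC binding table built from DHCP leases plus the gateway's static
entry. Leases, addresses and packets are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Arp:
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_ip: str
    port: str          # "trusted" (uplink/gateway side) or "untrusted" (clients)


GATEWAY_IP = "10.10.0.1"
GATEWAY_MAC = "00:11:22:33:44:01"

# What the DHCP snooping table has seen leased (constructed).
DHCP_BINDINGS = {
    "10.10.0.50": "aa:bb:cc:00:00:50",
    "10.10.0.51": "aa:bb:cc:00:00:51",
}


def build_binding_table(leases: dict, gateway_ip: str, gateway_mac: str) -> dict:
    """Trusted bindings: DHCP leases plus the statically known gateway."""
    table = {ip: mac.lower() for ip, mac in leases.items()}
    table[gateway_ip] = gateway_mac.lower()
    return table


def inspect(packets, bindings: dict):
    """Return [(verdict, reason, packet)]. Trusted-port traffic is passed;
    untrusted-port ARP must carry a sender IP/MAC pair that matches the table."""
    results = []
    for p in packets:
        if p.port == "trusted":
            results.append(("allow", "trusted port", p))
            continue
        expected = bindings.get(p.sender_ip)
        if expected is None:
            results.append(("drop", f"{p.sender_ip} has no DHCP binding", p))
        elif expected != p.sender_mac.lower():
            reason = "gateway impersonation" if p.sender_ip == GATEWAY_IP else "ip/mac mismatch"
            results.append(("drop", reason, p))
        else:
            results.append(("allow", "binding matches", p))
    return results


def gateway_claimants(packets, gateway_ip: str):
    """Client-side view, no binding table needed: which MACs have answered for
    the gateway IP? More than one is the signature of ARP gateway spoofing."""
    return sorted({p.sender_mac.lower() for p in packets
                   if p.op == "reply" and p.sender_ip == gateway_ip})


# Constructed capture: a normal exchange, then an attacker at .51 trying to
# take over the gateway address and an address nobody leased.
CAPTURE = [
    Arp("request", "aa:bb:cc:00:00:50", "10.10.0.50", GATEWAY_IP, "untrusted"),
    Arp("reply", GATEWAY_MAC, GATEWAY_IP, "10.10.0.50", "trusted"),
    Arp("reply", "aa:bb:cc:00:00:51", GATEWAY_IP, "10.10.0.50", "untrusted"),
    Arp("reply", "aa:bb:cc:00:00:51", "10.10.0.77", "10.10.0.50", "untrusted"),
]


if __name__ == "__main__":
    table = build_binding_table(DHCP_BINDINGS, GATEWAY_IP, GATEWAY_MAC)
    for verdict, reason, pkt in inspect(CAPTURE, table):
        print(f"{verdict:5} {pkt.sender_ip:<12} {pkt.sender_mac}  {reason}")
    print("MACs claiming the gateway:", gateway_claimants(CAPTURE, GATEWAY_IP))
```

Client isolation removes the need for most of this on a guest SSID, because the spoofed reply never reaches another client in the first place; the inspection logic is the backstop for networks where clients must see each other.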
7SIGNAL can help you mitigate risk and detect many security breaches outlined in this blog.
Ask us how. Contact us to learn more about our wireless experience monitoring platform.
7SIGNAL® is the leader in wireless experience monitoring, providing insight into wireless networks and control over Wi-Fi performance so businesses and organizations can thrive. Our cloud-based wireless network monitoring platform continually tests and measures Wi-Fi performance at the edges of the network, enabling fast solutions to digital experience issues and stronger connections for mission-critical users, devices, and applications. Learn more at www.7signal.com.