Ashley Walker's Blog

Public Wi-Fi and Security

, ,

You have probably seen it, a slick marketing campaign about protecting your privacy, and stopping the nasty hackers sitting at your local coffee shop from intercepting your web requests. And the only solution is to use their VPN solution. Well, in a lot of instances, that is all security pantomime, and simply moves the trust from the current network to the VPN providers’ network.

When between 95% and 96% of the internet 1 is accessed via an encrypted or secure connection. That means that even if someone is sitting on the same network as you, they cannot see the contents of what you are seeing. However, they may be able to see some meta such as:

  • The website that you are trying to access (unencrypted DNS).
  • The website that you are accessing (header information, and the destination IP address).
  • The apps that you are using (domain names, protocols).

But critically, they cannot see the contents of the vast majority of the web sites you are visiting. This still means that potentially sensitive information can be leaked such as you are accessing a dating app or site or could provide the URL to hidden corporate sites. But, again in most instances they cannot view the contents, this is because of the magic of Public Key Infrastructure (PKI) that is designed to provide security in compromised, or unsecured networks.

That means that if you are accessing popular social media sites, web searching, news or other sites. Your traffic will likely be uninteresting to a malicious actor. But if you are accessing a site that is highly personal, low traffic, or potentially identifying of you individually, there may be concern that someone could use this information to attempt to blackmail you.

Where possible, you should connect to your phone’s hotspot, or a 4G/5G dongle, but if you must connect to public or shared Wi-Fi, there are several steps that you should take to protect yourself such as:

  1. Choose the Correct Network2:
    • When connecting to public Wi-Fi, you’ll often see multiple network names that look similar. Be cautious! Some hackers use a technique called “Wi-Phishing” to create fake networks that mimic legitimate ones. Always verify that you’ve selected the correct network. If in doubt, ask an employee for the official network name.
  2. Do not install software just to connect:
    • Some malicious networks will require you to download and install a piece of software, or a certificate to allow you to connect. Do not do this. At best, the software is a virus that will be picked up by your anti-virus solution. At worst the certificate will allow them to see all of your data, even the encrypted connections.
  3. Opt for Secure Networks:
    • Look for networks with security features. A lock icon next to the network name indicates encryption. Networks without security won’t have this icon. However, be aware that some networks may not show a lock due to “hotspot portal” security, where you need to log in via a browser. Stick to networks provided by trusted sources (hotels, conferences, coffee shops) with clear instructions and passwords.
  4. Ensure that the network is set to “Public”:
    • In Windows, there is a firewall setting called “Public Network”. When this mode is enabled, it stops the Windows OS from trying to discover services on the network, and blocks several services from being called. Most mobile devices have a setting to “Randomise the MAC Address”. This can be used to help to reduce the ability to be fingerprinted.
  5. Ask for Permission to Connect:
    • Configure your devices to prompt for permission before connecting to a network. Avoid automatically connecting to open networks or previously used networks. This extra step ensures you’re connecting intentionally and reduces the likelihood of connecting to a spoofed network.
  6. Avoid Sensitive Transactions:
    • Refrain from online banking, shopping, or accessing confidential work-related content while on public Wi-Fi. Save these activities for when you are on a known network.
  7. Keep Software Updated:
    • Regularly update your device’s operating system, apps, and security software. These updates often include critical security patches.
  8. Beware of Unencrypted Websites:
    • While most websites now use encryption (HTTPS), some enterprise applications and large websites (BOM) may still rely on unencrypted connections. Be cautious when accessing such sites, especially if they contain sensitive data.
  9. Consider the use of a VPN:
    • A VPN will mask all of your network traffic to anyone else on the local network. But it may come with some side effects depending on how it has been setup. It also is unlikely to provide additional protections if a malicious actor attempts to attack your computer, or phone.

Depending on your individual threat profile, or the threat profile of the organisation that you work for. It may be wise to have a mandatory set of company policies that have the following:

  • As the primary data connection, in public spaces, only connect to your company provided mobile devices hotspot, or company provided 4G/5G device.
    • Do not allow anyone else to share this data connection.
  • As a redundant, if the primary does not have reception, or has no data allowance remaining, connect to the public Wi-Fi and then use the company provided VPN.

  1. HTTPS encryption on the web – Google Transparency Report ↩︎
  2. Connecting to public Wi-Fi and hotspots | Cyber.gov.au ↩︎