Public WiFi networks. Are they safe?
Airports, hotels… On vacation we also spend the whole day connected to the Internet. WhatsApp has in many countries become an essential tool for personal communication. We all want to be able to check Facebook, post photos on Instagram, tweet something we’ve seen, and answer work emails from wherever we are… and it’s possible. We mostly do all these things from a smartphone, or perhaps from tablets or (increasingly less) from laptops.
It is quite common to scan for and connect to public WiFi networks which aren’t password-protected and let you connect to the Internet cheaply and simply. In fact, a typical selling-point of many restaurant chains nowadays is that they offer free WiFi connections to customers, and in many places there are public WiFi hotspots provided by local councils.
Even though the price of mobile data connections has dropped considerably (largely thanks to competition and technological advances), and connection speeds continue to increase (GPRS, 3G, HDSPA, 4G…), most users, if they can, still try to avoid using mobile data. The reason is simple: many of the mobile data rates on offer include a limit on data download volume, and once this threshold is exceeded, either the connection speed drops or the charges increase. Moreover, not everywhere has good mobile data coverage, and that directly affects the connection speed. And that’s not to mention the question of data roaming when traveling to other countries, where prices are very often completely prohibitive.
It’s obvious that most of us at one time or another will try to connect to a public WiFi network. Is it safe? What are the risks? Can anyone spy on data sent from my device? Can I get infected if the network is malicious? These are some of the questions that we’ll answer below.
When you connect to the Internet from home or from your office, you know who is responsible for the network and which people can connect to it. However, on a public network, anyone can be connected, and you have no idea of their intentions. One of the first questions that arises concerns the level of security on any Web page that requires you to enter your login credentials.
How to connect safely to a public WiFi network
Could someone connect to the same network and spy on data communications?
Yes, anyone connected to the network could capture the data traffic sent from your device, and there are simple, free apps available for this purpose.
Does this mean that someone could steal my Facebook username and password?
No. Fortunately, Facebook, along with many other social networks, webmail services, online stores, etc. have secure Web pages. You connect to them via SSL, which you can see on your browser (depending on which one you use) when the padlock icon is displayed next to the page address. This means that all the data sent to this page is encrypted, so even if it is captured by a third-party, it cannot be read.
What about other websites? Could someone see which pages I’m visiting, or access the data I enter on unencrypted site?
Yes. It’s very simple to capture this information, and anyone could see what pages you connect to, what you write on a forum or any other type of unencrypted page.
So as long as the Web page is secure, I’m alright, aren’t I?
Yes, but it must really be secure. Capturing network traffic is just one type of possible attack. If the hotspot has been deliberately set up by an attacker, they could, for example, alter the settings of the WiFi router to take you to the page they want. Imagine you enter www.facebook.com in your browser, yet the page you see is not really Facebook but a copy, so when you enter your username and password you are giving it directly to the attacker. Or, worse still, the page you are taken to contains an exploit which infects your device without you realizing. In any event, the fake page won’t be secure, which should help you detect that it is not the real site.
But is this still the case if I know that the WiFi hotspot is reliable, such as in a shop or restaurant?
Yes. although it is obviously safer, no one can guarantee that the router hasn’t been compromised, or that the DNS configuration hasn’t been changed, which would enable an attack like the one described above where you’re directed to a fake page. In fact in 2014, security holes have been discovered in popular routers which allow them to be hacked so an attacker could easily change the configuration.
This is chaos! Is there any way of protecting myself against these attacks?
Yes. One good way is to use a VPN (Virtual Private Network) service. This ensures all data traffic from your device is encrypted. It doesn’t matter whether the site is secure or not, everything is encrypted. When you are connected to the VPN, the router’s DNS settings are not used in any event, so you’re protected from the types of attack described above.
And what about password-protected WiFi networks? Is there the same risk?
This in effect ensures that only people who know the password can connect to the same WiFi access point, nothing else. In a way, you could say that this reduces risks by reducing the number of people who can connect, although the same kind of attacks can still occur in the same way as on an open network without password protection.
Does this apply to all types of devices or just to computers?
To all kinds: computers, tablets, smartphones or any other device with which you can connect to a network.
And so what about WhatsApp? Can anyone see my chats or the photos and videos that I send?
No. Fortunately that information is now encrypted. Previously it wasn’t, and in fact, an app was developed that allowed you to see people’s chats if you were connected to the same network. This is no longer possible, although there is a way someone could find out your phone number if you are connected to WhatsApp on the same network as them, but that’s the most they can do.