
The Alarming Truth About Public Wifi

Most people are surprised to learn how many dangers come with using public Wi-Fi. It isn’t as safe as one might think. What are the dangers, and how do you protect yourself?

Prefer to read? (Transcription)

TOM: Welcome, everybody. This is our Deeper Dive series that we do every Tuesday afternoon at 2 p.m. Central Time. Today, we’re going to talk about the alarming truth about public Wi-Fi and hopefully give you a lot of information on Wi-Fi in general and the security considerations you need to consider whenever you are using Wi-Fi.

My name’s Tom Kirkham. I am the founder and CEO of IronTech Security. Been around for several years. The company itself has been around for about 20 years, and we specialize in security for water utilities, law firms, accounting, manufacturers, and other organizations that appreciate and understand why they need to keep their business secure and their customer data, their patient data, their client data, their industrial control systems, their own data, all of that stuff, how we keep it all secure using modern security policies, procedures, and controls.

But today we’re going to talk about Wi-Fi and public Wi-Fi, so let’s get into it.

Let’s first talk about secure versus unsecure Wi-Fi. This slide on the left-hand side is from a Mac. It’s from my Mac, and it shows the networks that I can log into, or the ones that have a strong enough signal. The ones that are greyed out, I think they’re either weak – yeah, those are just weak ones. Now, on a Windows machine, the signal strength I believe is next to the locks that are on the right, but they work the same way, whether you have a Windows or a Mac. If you use an iPad, iPhone, Android device, all of those things have ways to see if it’s a secure Wi-Fi connection.

So how do you do that? Well, secure is going to show a lock somewhere. If you try to connect to it, it’s going to ask you for a password. An unsecure network will not have the lock icon on it, and you want to be very, very careful connecting to an unsecure Wi-Fi or a wireless access point.

If you go to a hotel lobby, or maybe in a fast food restaurant, maybe even hospitals, they have an unencrypted Wi-Fi available in hotel lobbies and hospitals and other places. You connect to it and it takes you to a page that you may have to put your phone number in. But the important thing to remember is that if it’s not a secure Wi-Fi connection, the data, the transmission both directions between your laptop or your device to that wireless access point, is unsecured. That means hackers can eavesdrop on all of that data.

So the last thing you want to do is log into your bank account on an unsecure Wi-Fi connection. If it’s secure, that data is encrypted between the device and the wireless access point. That’s an important distinction to make for a slide that’s going to come up here in a minute. So that’s basically the difference: one’s encrypted and one’s not.

Now, you also have to remember that even if it is encrypted, it is crackable, but it does take some time and some very special skills. It’s not something that most hackers are going to do because it requires a physical presence. If any of you have been to the main webinar and seen the whole presentation about the hackers, one of the things I try to stress is they’re interested in doing things at scale. And if you’re physically having to be somewhere in order to pull this off, it’s just not done very often. But if it’s an unsecure connection, it’s a lot easier.

So you don’t want to transmit – you don’t even want to send and receive email over an unsecure connection. About the only thing I will do on an unsecure connection is maybe stream Netflix when I’m traveling, or Amazon Prime or whatever, stream television. That’s really about it, because even your email – it’s going to exchange credentials. Now, those are going to be encrypted, but the data and everything else may not be, so you have to be really careful about that. And I’m going to tell you what you can do to protect yourself, even on an unsecure access point or unsecure wireless.

Another thing that you have to be careful of is an evil twin. The same type of hacker that would want to intercept any of the wireless data, it is extremely easy – in fact, I would say it’s much easier – to just set up an evil twin. We used to call those pineapples because a guy – I don’t know the whole story, but apparently when Wi-Fi first started becoming popular, there were hackers that were in a smoothie store or something like that and they took a plastic pineapple and set it on the table, but inside of it was a router. This was in the days when routers were a little bit larger, so you had to hide it in something. That way, if somebody saw what was going on, you’d just turn it off and nobody could tell by looking at you that you had a router right there. Well, now these devices are so small, no one could tell.

So the hacker connects to the legitimate access point, like at McDonald’s, but then he intercepts – like at Starbucks, let’s say. He intercepts everybody that connects to this Starbucks Wi-Fi that I set up today on my own router. I could take my router down, go into Starbucks, and have an evil twin ready to go. That’s how easy it is. Everybody that connects with my router to the so-called Starbucks Wi-Fi, I then have a piece of software on my laptop where I can see every single thing on their screen and all the data going back and forth. Nothing is safe, except for one thing that you can do.

Now, I also set an evil twin up for Honors. If anybody on the call has ever stayed in a Hilton property, that is typically the connection you use. The good thing about Hilton, and I think all of the hotels I’ve stayed at – those not only are secure connections, but all the guests don’t usually use the same password. It asks you for your room number, your last name, and then you have to have the password, so it’s got multi-factor authentication. It’s much harder to set up an evil twin in that environment. Just the password alone is not good enough.

Now, some of you may have some local restaurants that you go to, and maybe you’ve been other places where you just ask the waitress what the password is and there’s no other set of credentials. That means that is an environment ripe for setting an evil twin up because everybody’s using the same credentials. That’s really a great way, if you’re a criminal, to intercept private emails, website visits, banking information, things like that.

So how do you protect yourself? Because sometimes you have to connect to an unsecure Wi-Fi. I’ve been in hotel lobbies and I’ve had to do some emailing and some other things, and I’ve got to be secure. I have to be secure.

What you want to do is get you a virtual private network. In our company, we use these two primarily: NordVPN, and I personally use Private Internet Access. They’re a little bit more privacy-oriented because it also anonymizes the data as well, and they don’t store anyplace that you’ve been to. Nord is very highly rated year in and year out.

You can go on websites like wirecutter.com and just search for “best VPN.” They review them like once a year. That’s a really good source for not only looking to find the best VPN, but anything you can think about. What’s the best washing machine, what’s the best mattress, what’s the best Wi-Fi router, best cellphone, best smartphone. All of these things, they review. I go there even if I’m buying, I don’t know, some gloves. Things you wouldn’t even imagine are on Wirecutter. It’s a great review site.

You remember what I said about an encrypted Wi-Fi connection? It encrypts the data from your device, your laptop, to the wireless access point. Well, how do I know that wireless access point is secure? That’s where a VPN comes in. With a virtual private network, it creates a secure tunnel from your laptop to the destination, to the website, to your banking website, where you can securely log in. You can’t crack a VPN, and in addition to that, most websites use what’s known as an HTTPS, which means the website itself is secure.

Between that and a VPN, it is practically impossible for you to be hacked on a Wi-Fi or even a wired network. Sometimes I use them on wired network. If I’m on a guest network I’m plugged into, I may use a VPN just to be on the safe side. And if you’re doing any sort of remote work from home, which I know a lot of people do, it is a really good idea to use both a VPN to your office and multi-factor authentication, where it takes three pieces of information, not just username and password to your desktop. You need a third set, and your IT guy or security company can set up a VPN that goes straight into your office network.

If you don’t secure that connection and you just leave it open so that you can get in from anywhere, or you don’t have to have a VPN, it’s a target for hackers. They want to crack that LogMeIn or that remote desktop, your Windows Remote Desktop. They want to hack that. If you isolate it and only allow access with a VPN and from a certain IP address, it makes it very difficult to even identify there’s a virtual private network on there, and you certainly can’t tell what’s behind the firewall. Everyone really needs a VPN if you do any traveling whatsoever.

This is another tip. You need to deploy guest networks. I would recommend doing it at your home, but certainly doing it at your business if you have patrons, like a restaurant, or you have vendors that come in or consultants that come in. If they don’t need access to your network itself, set up a guest network, and it’ll isolate that device to where that device can get in and out of the internet just fine, but it can’t see anything else on the network, nor can any guest see another guest. So it’s safer for everyone concerned, and you can be a lot freer with that password. You don’t want to give out the password to your actual business network account because you don’t know if you’ll ever see these people again or anything like that. You want to limit the attack surface. It’s least privileged principle.

I would even recommend a guest network for employees that bring their own mobile devices. They just want to get on there and maybe check personal email or text message or whatever. There’s no reason why that device should be actually connected to that company network. So by turning on a guest network, that is for anyone that needs internet access but you want to keep them off the company network and secure all those shares and all those files and things like that.

This is another one that a lot of people overlook. I’ve seen this. Not too often, but I do see it. You don’t want to name your – it’s called an SSID, but you don’t want to name your Wi-Fi that’s personally identifiable. If you were to become a target, this makes it very easy to find you and make you a target. I don’t even have to guess. See, I don’t know “TP-LINK_1D2.” Who’s that? Is that the Kirkham family? Is that the Smith family? Is that my next door neighbor? I don’t know. I can’t tell just by looking at that. I might be able to guess by the signal strength. But you need to use a name that’s generic. You might say that it’s “Apple14” or “MyWiFi.” Just don’t name it after your family or anything that’s personally identifiable just for a little more step of security.

Especially if you’re in critical infrastructure, you may be using a laptop at both places. You may be using your phone at both places. It may be a company-issued phone. You connect to your home network; well, if your company is targeted, they can just go to your home and get access to those devices and intercept your emails and things like that. So just don’t name it like that. Don’t name it after yourself. Don’t do that.

So, summary is: Do not under any circumstances trust a network that’s not password-protected. Remain vigilant. Evil twins are far and few between, but if you’re in a big city in a big hotel, a big restaurant, there might be a chance there’s one there. If you’re in a small town and there’s five people in the restaurant and it’s a local joint in the middle of South Carolina, eh, it’s probably not as likely. It could, but it’s probably not as likely. But if you’re in the Chicago Hilton right across from Grant Park, a lot of people go in and out of there. There’s a lot of information that can be discovered in and out of there. So if anything looks suspicious, keep an eye on it.

And then finally, use a VPN without exception whenever you’re traveling. If I’m on a secured Wi-Fi connection in the room, I don’t bother with a VPN. I’ll do it on my work and then shut everything off. Don’t leave email running in the background. I’ll shut my email off, and anything else that may be exchanging data with a server, and then I’ll just stream Netflix. VPNs can cause problems with streaming. It can also get around country restrictions. I’ve used it in Europe to get Netflix in Europe, because you can say “connect me as if I’m in the United States.” Or from the United States, you can say “connect me as if I’m in Switzerland” or whatever, so it appears to the website that you’re coming from another country or another region. I’ve used it a couple times.

But yeah, get you a VPN if you do any sort of traveling, especially for business. They’re very inexpensive. You can catch deals on them for like $10 a year, and you just install it. It’s a real easy install and it automatically configures. There’s nothing technical about it. Now, that’s a little different than a VPN into your company. That does require skills and a monthly fee and it’s a little more expensive. We have that. But we use both.

So it just depends. A good security risk assessment will help pinpoint what you need in regard to that. What are these company devices? Do you guys use iPads in the field? We need to think about securing those. Those are portable devices, not only from Wi-Fi, but what if they get lost? We need a way to remote wipe those, or find them if they’re stolen. Things like that.

The security risk assessment that we do, we will help you uncover some of those things. It’s pretty easy for most people. Takes you about 20 or 30 minutes tops. We can get that set up for you.

Got a question here. “When I travel, I take my hotspot for Wi-Fi. Is this safe?” That’s a good question. It depends on how you’re connecting with your hotspot. If you’re connecting to a hardware in a hotel room – which is getting harder and harder to find; I can’t even remember the last time I saw hardware in a Hilton property – but anyway, that’s okay. And it’s a good idea because some hotels will limit the number of connections. I’ve been in a Hilton where you could only connect three devices at a time. With a Wi-Fi hotspot, you can get around that.

But you’ve got to remember – if you’re using a cell transmitter as your hotspot, you’re doing really good. You’re going to be okay. Especially if your hotspot has an encrypted connection to your laptop. So if that’s what you mean by hotspot, yes, absolutely, that’s fine. But I don’t know that – to me it’s not worth it. The only time I use a hotspot – my phone has the capability. The only time I ever use my phone as a hotspot is when I don’t have any other choice, because the performance is usually not anywhere near enough to stream movies and things like that. I’m sacrificing – I did a risk analysis, and I’m saving a little money by not having a monthly bill for a hotspot because it would be much higher if I used my phone for all of that. My data plan would have to be a lot higher. But I’m getting better throughput and a better experience, and I’m just more conscious about what I’m doing on the hotel’s Wi-Fi. That’s just me.

Okay, that’s great. Lorraine says, “My job has provided me with a hotspot as I work from home, so when I travel I take it with me.” That’s great. Once again, it’s rare that hotspot gives you anywhere near the performance of a gigabit internet connection like I have, or even a 100 megabit connection for that matter. And it’s getting better with 5G, but that’s not available everywhere. But if you’ve already got one, your company’s provided it for you, knock yourself out. You’re going to be really secure.

For those rare instances, though, that you don’t have a hotspot or whatever, I’d still be ready to use a VPN.

Any other questions?

KINDSEY: We’ll give everybody a second and see if they want to throw anything in the Q&A box or the chat box.

TOM: If you want to sign up for the security assessment, Kindsey put a link in the chat box. You can just click on that and it’ll take you straight to a page where you can set up an appointment. No obligation. Simple, simple, simple.

All right, I did that one in 23 minutes.

KINDSEY: Yeah, look at you.

TOM: Oh, if any of you guys have any topics for other Deeper Dives, just send us an email. I’d be happy to cover it in a future Deeper Dive. All right, thanks for attending. We will see you next week.

KINDSEY: Thanks, everybody.