Wi-Fi hotspots: A security risk

Security MEA speaks with Haider Pasha, Chief Technology Officer, Emerging Markets at Symantec, about consumer behavior and perception around Wi-Fi hotspots, and the approach to safe browsing outside the home network.

Your recent report suggests that users stand exposed to risks while connecting their devices to public Wi-Fi networks such as hotspots, cafes, lounges, etc. Why are public Wi-Fi networks not secure enough to safeguard users against various risks?

Public Wi-Fi hotspots are open networks, which means anyone with the right tools can access the information as it travels on the network. However, an “open” network that does not require a password to log in is generally not using encryption and allows anyone to connect to the network, inviting a greater risk by allowing sniffers to join. On the other hand, a public Wi-Fi that requires a password does automatically limit who can connect to the network; however, this does not mean that a hacker won’t connect to such a network (at a hotel or café) for potentially dangerous activities like data theft.

Is there any way to secure public Wi-Fi networks?

One of the ways to secure public Wi-Fi networks is to enable WPA2 encryption on the Wi-Fi and update the firmware of the Wi-Fi access point when new software becomes available. They can also enable security features on the access point such as IPS. Overall, they need to ensure that the access point management interface is only accessible from trusted networks and that the log-in password has been changed from the default password.

What kind of risks are users exposed to while operating in public Wi-Fi?

Operating on a public Wi-Fi network can potentially expose the user to various types of risk. Public Wi-Fi can open up consumers to Man-in-the-Middle attacks, wherein an attacker can eavesdrop and intercept their communication as a result of unsecured networks. They can also be vulnerable to malware distribution or hackers sniffing up personal information using special software kits and devices. Some hotspots can even be fakes, set up to deceive consumers into sharing sensitive information. Overall, while checking on the day’s news or sports updates on public hotspots is fine, doing online banking, making purchases or entering any sensitive account information (including email or social media accounts) are best done at home.

Is there any role the government/administration can play, either at a policy level or a compliance level, to ensure the availability of more secure public Wi-Fi networks to the public?

In general, governments should take an active role in creating awareness among the public on the possible risks of using Wi-Fi networks. Best practices seen across the region typically range from policy creation to directly mandating certain security requirements of public Wi-Fi service providers, such as mobile operators. Ideally, most of the technical recommendations made earlier should be followed at a base level by public Wi-Fi providers.

What can be done to counter the perception of users that public Wi-Fi is secure and safe?

Public awareness and education will be key to counter the perception of users that all public Wi-Fis are secure and safe. For example, we all know that opening file attachments from someone we don’t know isn’t a good idea, after many years of hearing about threats spreading this way. But the threat landscape continues to evolve and it’s important for consumers to be aware of the latest threats that are developing, including how hackers are using bogus hotspots to sniff and steal personal information.

What steps can users take to help protect themselves while operating in public Wi-Fi networks?

We would always recommend users of public Wi-Fi networks to be vigilant in identifying unsecured networks and to be careful with the information that they share over these networks. For starters, they can select the most secure settings on their PCs, Macs, smartphones and tablets. They will need to turn off any features that will automatically connect their devices to any available Wi-Fi network as well as switch off their Bluetooth unless it is really needed for use.

Another useful tip is to regularly change their passwords for logins that have sensitive information, such as social media, banking, or email accounts. Switching to new complex passwords will reduce the risk of their accounts being hacked. Users will also benefit from regularly updating their software and apps, as software updates are generally released to offer fixes for newly discovered vulnerabilities. They can also add security software to their devices, such as Norton Mobile Security, which warns them of suspicious apps before they download them.

Lastly, they should avoid logging in to online accounts that store any sensitive information. This can include retail websites, health provider sites, banks or other financial institution sites, email, and social media. To promote safe online surfing, the user should also ensure that the URL of the website they’re visiting starts with “HTTPS” because the “S” stands for secure, and data is encrypted.