Wi-Fi Hotspot Security: The Issues

By Eric Geier

 

- Originally Published by Wi-Fi Planet on July 28, 2006 -

Beyond not being able to connect, the major concern with using Wi-Fi hotspots is security. These types of wireless networks are inherently "unsecure." This is because encryption methods such as WEP and WPA, which are usually used to protect private wireless networks, aren't implemented due to the complexities of supporting users. Furthermore, using WEP or WPA means you'll have to advertise the "private" encryption key(s). This defeats the purpose of using encryption, because wireless eavesdroppers then have the key(s) to quickly decode the Wi-Fi hotspot traffic.

Many Wi-Fi hotspot users may not understand the issues of using public wireless networks and therefore don't take any steps to ensure their personal documents, privacy, and identity are safe. The same goes for the people installing the hotspots. They may not be aware of the issues they face or that they can take a few steps to help secure user access.

To understand how to protect yourself while using Wi-Fi hotspots and how hotspot administrators can better secure hotspots, everyone needs to be familiar with the main issues of these public wireless networks.

Real-time Traffic is Exposed

Unlike public wired connections to the Internet, the use of hotspots poses the risk of people capturing the real-time traffic of the wireless connections. As shown in an earlier tutorial (Wi-Fi Security Issues Up Close), people can easily capture, from the air, the packets of unsecured connections to hotspots. Even with free tools, wireless eavesdroppers can see things such as:

  • The Web sites you’re visiting: This may not pose any big problems, but some people may be sensitive about this.
  • Login information to unsecured sites (non-SSL) along with the content: You log into a Web site such as a message or discussion board, which typically isn’t secured. Someone is nearby, capturing all the wireless packets out of the air, including your username and password. Now this person can log into your account and post messages that might misguide others and damage your reputation.
  • Login information and content from services such as POP3 e-mail accounts and FTP connections: Say you typed up some replies to your e-mails while on a flight, and during your layover you log on to a hotspot to quickly synchronize your POP3 e-mail with Microsoft Outlook. Anyone capturing wireless packets nearby at that time now has your e-mail account information and the content of your sent and received messages.
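To see which of your own logins would be readable on an open hotspot, the following added example (not part of the original article) audits a transcript of client-to-server payloads and reports every credential sent in the clear, redacted. The sample session, host name, and the port-to-protocol mapping (110 = POP3, 21 = FTP, 80 = HTTP) are assumptions made for illustration.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed client-to-server payloads (destination port, bytes); not real traffic.
SAMPLE_SESSION = [
    (110, b"USER alice\r\n"),
    (110, b"PASS hunter2\r\n"),
    (21, b"USER ftpuser\r\n"),
    (21, b"PASS s3cret\r\n"),
    (80, b"POST /forum/login HTTP/1.1\r\nHost: board.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"username=alice&password=hunter2"),
    (80, b"GET /admin HTTP/1.1\r\nHost: board.example\r\n"
         b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS record: opaque
]
LINE_PROTOCOLS = {110: "POP3", 21: "FTP"}  # assumed default ports
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}

def redact(secret):
    """Keep only the length so the audit report does not leak the value again."""
    return "*" * len(secret)

def audit_payload(port, payload):
    """Return (protocol, item, redacted value) for credentials visible in one payload."""
    text = payload.decode("latin-1")
    findings = []
    if port in LINE_PROTOCOLS:
        # POP3 and FTP both send "USER name" and "PASS secret" as plain text lines.
        m = re.match(r"(USER|PASS) (.+?)\r?\n", text, re.IGNORECASE)
        if m:
            findings.append((LINE_PROTOCOLS[port], m.group(1).upper(), redact(m.group(2))))
    elif port == 80:
        head, _, body = text.partition("\r\n\r\n")
        m = re.search(r"^Authorization: Basic (\S+)", head, re.IGNORECASE | re.MULTILINE)
        if m:  # Basic auth is only base64-encoded, not encrypted
            user, _, pw = base64.b64decode(m.group(1)).decode("latin-1").partition(":")
            findings.append(("HTTP", "Basic auth for " + user, redact(pw)))
        if head.upper().startswith("POST"):
            for field, values in parse_qs(body).items():
                if field.lower() in PASSWORD_FIELDS:
                    findings.append(("HTTP", "form field " + field, redact(values[0])))
    return findings

def audit_session(session):
    return [f for port, payload in session for f in audit_payload(port, payload)]
```

The port 443 entry produces no finding because a TLS record carries nothing readable, which is the difference between the SSL and non-SSL logins described above.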

Your Mobile Device May be Exposed

Wi-Fi hotspots use essentially the same type of architecture as other wireless networks found in enterprises and homes. The benefits of networking in those locations, such as file and resource sharing and client communication, aren't so beneficial on public networks. They can, in fact, open you up to the outside.

  • Access may be open to any shared files on your mobile device: You may have a wireless network at home and files in your Shared Documents folder for easy access from your other PCs. Typically you don't connect to public wireless networks, but you need to get a few e-mails sent and received while waiting for your flight. If you forget about your Shared Documents folder, others may be able to copy and/or edit your files.
  • Unauthorized access to mobile devices: When users connect to Wi-Fi hotspots, they connect to a network. Therefore, the user devices may be able to communicate with each other. As a result, hackers within the hotspot may be able to access other mobile devices. Also, if the hotspot is not properly protected, intruders may even come from the Internet.

"Evil-Twin Hotspots" Could Pop Up

The "Wi-Fi troublemakers" taking advantage of public networks may set up an access point (AP) posing as a legitimate hotspot and try to clone the look and feel of a real hotspot nearby. This is done in the hopes that Wi-Fi users will be fooled and connect to the fake hotspot. This allows hackers to:

  • Steal hotspot account and/or payment information: The fake hotspot may pretend it will provide Internet access for a fee, and when the user inputs their payment information, it goes into the hands of the evil twin operator (the hacker).
  • Steal personal data by compromising the overall security of your mobile device: Some hotspots implement features so users can't communicate with each other and snoop around their shared folders; however, the fake hotspot won't have this feature. Any other clients can access your shared files, too.
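One way a hotspot operator can watch for such clones is to compare nearby access points against an inventory of the venue's own radios. This is an added example, not code from the original article; the inventory format, network names, BSSIDs, and scan records are all constructed assumptions, and a real scanner would have to supply the same fields.

```python
# Operator's inventory (assumption: the venue records its own AP radios and settings).
KNOWN_APS = {
    "CafeNet": {"bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
                "security": "open"},
}

# Constructed scan results; not taken from a real site survey.
SAMPLE_SCAN = [
    {"ssid": "CafeNet", "bssid": "00:11:22:aa:bb:01", "security": "open"},
    {"ssid": "CafeNet", "bssid": "00:11:22:aa:bb:02", "security": "open"},
    {"ssid": "CafeNet", "bssid": "DE:AD:BE:EF:00:01", "security": "open"},
    {"ssid": "Cafe Net", "bssid": "de:ad:be:ef:00:02", "security": "open"},
    {"ssid": "Neighbor", "bssid": "66:77:88:99:aa:bb", "security": "wpa2"},
]


def normalize(ssid):
    """Fold case and drop spaces/punctuation so near-identical names compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def find_suspect_aps(scan, known):
    """Return (bssid, reason) for every AP that imitates a known hotspot name."""
    by_norm = {normalize(name): name for name in known}
    alerts = []
    for ap in scan:
        real = by_norm.get(normalize(ap["ssid"]))
        if real is None:
            continue  # unrelated network, nothing to compare against
        bssid = ap["bssid"].lower()
        if ap["ssid"] != real:
            alerts.append((bssid, "lookalike SSID of " + real))
        elif bssid not in known[real]["bssids"]:
            alerts.append((bssid, "unknown radio advertising " + real))
        elif ap["security"] != known[real]["security"]:
            alerts.append((bssid, "security setting differs from inventory"))
    return alerts
```

A radio declares its own BSSID, so an empty result is not proof that every access point is legitimate; treat the check as one signal among several.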

Unprotected Public Workstations

Locations that offer wireless Internet access, such as hotels and airports, typically also provide the use of Internet kiosks or public computers for Web access and word processing. This is a great benefit for those without their own devices, but it poses many risks:

  • Key loggers may be installed: Every keystroke you make may be recorded, compromising any login information, even for VPN connections.
  • Your browsing history may be cached: People can see what Web sites you’ve visited, and they may be able to view these cached sites, which may invade your privacy, especially if you...
  • Saved login information: Any saved login information (such as from clicking the well-known "Remember Me" option when logging into a site) may allow others to access your account(s).

Hotspot Operator Issues

Hotspot owners also have a few issues to worry about when hosting these public wireless networks, such as:

  • Improper integration of public and private networks: This may compromise any PCs or data on any private networks through the public wireless access.
  • Legal liabilities: Wi-Fi hotspots may be used for illegal purposes, such as sending SPAM or the use of illegal file sharing programs.

Stay tuned for solutions that address these issues, so you can protect yourself when using or hosting Wi-Fi hotspots.