A Warning from the NSA: Just Don’t Use Public Wi-Fi
by Robert McGarvey
I don’t recall the first time I wrote up a warning against using public Wi-Fi when traveling – and that means hotel, airport, restaurant, public transportation (subways, busses) coffee shop, even inflight Wi-Fi. Probably 10 years ago. Maybe longer.
And yet public Wi-Fi sites multiply – one count finds over a half billion globally. That’s because we use it. One survey found 18% of respondents use it more than once a day.
Definitely, too, usage is upped among travelers. When I ask people if they would use the public Wi-Fi up the street from their home the reaction displays similar enthusiasm to what I’d get if I asked their willingness to use a public toilet in the Covid-19 era. But those very same people, when asked, acknowledge they do use public Wi-fi when they travel because “what are my better options?”
We’ll answer that question momentarily – you do have a better option – but, first, understand I now have a heavyweight that is issuing the same stern warnings about public Wi-Fi as I have been. That’s the NSA – aka National Security Agency aka the Puzzle Palace — which now has broken its cover to warn about public Wi-Fi and the risks it poses to us and our employers.
In a recent information sheet, NSA pulls no punches: “Avoid connecting to public Wi-Fi, when possible, as there is an increased risk when using public Wi-Fi networks…. If users choose to connect to public Wi-Fi, they must take precautions. Data sent over public Wi-Fi—especially open public Wi-Fi that does not require a password to access—
is vulnerable to theft or manipulation.”
What that says – put in simple terms – is don’t use public Wi-Fi because whatever data you enter is easy pickins for savvy cyber criminals.
Sure, if you want to grab a baseball score from ESPN, or a stock quote, by all means use public Wi-Fi if that’s easy. It probably doesn’t matter. But if what you want to do is send business email or access files on your company’s server or even research prospects on LinkedIn, the strong advice is don’t use public Wi-Fi.
There are thousands of white papers online documenting how hackers hack public Wi-Fi. For them it is rather straightforward. There even are automated tools to speed up the process for the inexpert hackers.
NSA elaborates: “Accessing public Wi-Fi hotspots may be convenient to catch up on work or check email, but public Wi-Fi is often not configured securely. Using these networks may make users’ data and devices more vulnerable to compromise, as cyber actors employ malicious access points, redirect to malicious websites, inject malicious
proxies, and eavesdrop on network traffic.”
What the NSA is saying is that when you are using public Wi-Fi you are a fish in a transparent fish bowl and the hackers’ eyes are on your every keystroke. The password to your employer’s server – it’s theirs. The login to your email – it’s theirs. The login to your bank account – yep, that’s theirs too.
All because you took what seemed the easy – and free! – access lane onto the Internet Superhighway and that is what public Wi-Fi is for many millions of us.
What if public Wi-Fi truly is your best option? Here’s NSA’s advice: “If connecting to a public Wi-Fi network, NSA strongly advises using a personal or corporate-provided virtual private network (VPN) to encrypt the traffic.”
Not all VPNs are good. Not all are even trustworthy. Choose a VPN cautiously. Here’s a list of recommended providers from TechRadar. Here’s CNET’s list.
Won’t a VPN slow your speed? Probably, at least a little. But that is a price worth paying for the enhanced security a good VPN provides.
Even with a VPN in place NSA’s “don’t’s list” includes these about public Wi-Fi: *Do not enter most sensitive account
passwords on sites/applications. *Avoid accessing personal data (e.g., bank accounts, medical, etc.).
That’s good, cautious advice.
Either way, if you really insist on using public Wi-Fi, do it with a VPN. You don’t have guaranteed safety. But you are pretty secure.
Personally, however, I still prefer to use my cellphone to create a hotspot that I connect an iPad or laptop to. The security is quite good.
Alternatively, since I use a Google Pixel phone on Google FI network, an option I have set up is to use a Google VPN when surfing via Wi-Fi. I use that feature often.
This is the reality: safer surfing is yours if you want it.
But with all the cyber criminals out there, just do something to stay safe.
Maybe I’m wrong, but I’d thought the SSL transport used by almost every website these days – although, notably, not by yours – means we have secure end to end encryption that is safe from prying eyes, other than those with, ahem, govt-level resources at hand.
The NSA even grudgingly acknowledges this.
What is the remaining risk?
David – this NSA quote points to the underlying issues: “[…] as cyber actors employ malicious access points, redirect to malicious websites, inject malicious proxies, and eavesdrop on network traffic.”
Examples are that the bad guys have been found to issue their own SSL certificates, set up their own access points with official-sounding names in areas frequented by travelers / tourists, and to drop malware via hijacked access points. In the latter case, all that SSL transport does is getting the malware/spyware faster to your phone, tablet, or laptop.