Wireless services in airports, cafés, and hotels are often not encrypted. So user beware
You have an hour before your flight, so you log in to the Wi-Fi network at the airport. You look up some stock prices, check your e-mail, pay a couple of bills online, and surf a few Web sites. Has it occurred to you that curious or hostile eyes could be peering into your computer and your network? It pays to be paranoid.
The wireless service offered in airports, coffee shops, hotels, and other hotspots is almost always unencrypted. That means anyone else on the network who is equipped with readily available software can read your transmissions with little effort. And when there is protection, it’s likely to be a form of encryption called Wired Equivalent Privacy (WEP) that’s easily broken.
A survey of 14 airports in the U.S. and three in Asia by AirTight Networks, a company that sells gear to make wireless connections more secure, found that 57% of the networks were wide open. These included both networks for public and private systems used for airport functions such as baggage handling and ticketing. An additional 28% of the networks were protected by WEP, while only 15% used a stronger form of security, called Wi-Fi Protected Access (WPA).
The risks come in a few different flavors. While browsing for an available Wi-Fi connection, you may stumble on a hostile network set up specifically to attack unprotected computers. If, alternatively, you are the operator of an open private network, your system can be attacked by hackers—although AirTight’s research didn’t look at that.
Preventive Steps for Greater Security
Obviously, companies running open or poorly secured networks should fix them for their own good. This goes for your home as well: You should use WPA, and if you have an old wireless router that doesn’t support it, you should strongly consider an upgrade. But even when you are away from home and looking for a public wireless connection, there are some simple steps that will make you safer.
First, make sure your employer provides its business travelers with virtual private network (VPN) connections. At this point, all companies should require workers to use VPN whenever they hook up remotely to corporate systems or use company computers on public networks. A VPN provides end-to-end encryption of all traffic; anyone who intercepts data will see nothing more useful than the network address of the VPN gateway. If you don’t have a VPN option, you’ll have to seek out secure Web sites—locations that encrypt all traffic. You can tell a secure site by an address that begins “https:”. If you use the Firefox browser, a secure connection will turn the address bar gold.
You can generally use these sites with confidence even on an open network. But if you are visiting an insecure site, and that includes such popular mail services as Hotmail, Gmail (GOOG), and Yahoo! (YHOO), an eavesdropper will have no trouble reading your messages. If the login page isn’t secured—again, look for https or the gold bar—your password will also be there for the taking. So don’t send or even read messages unless you are prepared to share them with the world, and don’t use a password for a Web mail account that you also use for online banking or anything else where privacy matters.
Rogue Networks
You may be tempted to save the $10 or so that an airport or hotel charges for Wi-Fi by using an open connection in your list of available networks. Don’t. If the network is legitimate, connecting without permission may be regarded as theft of service. Much worse is the risk that you will connect to a rogue network that will try to steal your data and infect your computer. To save a few bucks, it’s just not worth it.
Be especially leery of “ad hoc” or “peer to peer” networks, which are indicated in the Windows network list by a tiny icon representing connected computers. These are highly likely to be rogue or infected systems that will damage your system without ever actually connecting you to the Internet. Nearly every time I scan for networks, I see one called “Free Public Wi-Fi.” It sounds tempting but don’t even consider it—this is almost certain to be either useless or evil.
Public wireless networks are immensely useful, and I’m not trying to scare you away from them. But the dangers are real, and simply understanding them will go a long way toward keeping you safe.
by Stephen H. Wildstrom
Wildstrom is Technology & You columnist for BusinessWeek.
You can contact him attechandyou@businessweek.com