Six months after McDonalds started offering free WiFi, Starbucks also announced it would provide complimentary WiFi service, starting July 1, 2010. As mentioned by Starbucks, the free WiFi will be unlimited and requires just one click, without the need of a username/password to go online. Although the announcement is being perceived as a generous move, the customers should be aware of security risks while surfing at free public WiFi hotspots. ‘One Click’ WiFi access essentially means connecting your WiFi enabled device to an unsecured/open WiFi network.
Connection to an open WiFi network means that all your communication, which is happening without the use of any trusted encrypted session, is vulnerable to eavesdropping. Also, the connection will cause caching of the open WiFi network into the preferred network list (PNL) of connected WiFi devices, such as laptops, netbooks or iPhones. Such caching can be exploited by an attacker/hacker to victimize the device using the EvilTwin attack, if the option for automatic connection is enabled for the cached open WiFi network.
Eavesdropping in the case of an unencrypted session on an open WiFi network can result in unauthorized reading of personal emails, chats or other type confidential information passing over the WiFi link. Also, eavesdropping can result in leaking of personal passwords to the outside world.
Further, if your WiFi device is subjected to an EvilTwin attack by a hacker, then along with loss of confidential information, you can end up with installation of viruses, worms, Trojans and other malwares on the affected device, the results of which are known to most of us.
In wake of the aforementioned security risks linked with usage of free public WiFi services, users should take proper precautions to avoid them while still enjoying the service. One can easily find a list of hotspot access safeguards on the web. Also, software, such as Hotspot Shield, are available to ensure that some of these precautions, like use of trusted encrypted sessions, are met. To avoid EvilTwin attacks, one can turn off the automatic connection capability associated with cached open public WiFi networks.
Corporate administrators can consider the use of a wireless endpoint security agent if the endpoints are taken outside and used at public places for surfing or for accessing corporate networks using free public WiFi. The security agent generally takes care of all hotspot precautions to avoid eavesdropping or other malicious attacks.
No doubt, free WiFi provided at public places such as McDonalds and Starbucks benefits both the provider and the customer. But, with open WiFi networks as a popular means of providing free WiFi, privacy is at risk. Therefore, users need to stick to certain rules to ensure the integrity of their data, until some more sophisticated and customer security friendly hotspot technology comes up.
There seems to be some hope with upcoming technologies such as iSecurf for safe free WiFi public access. Let’s wait and watch to see if it will succeed.