Welcome, Coffee Shop Yahoos, to 'Free Wi-Fi'

Ah, free public Wi-Fi—it seemed like such a good idea. A great win for democratic ideals, bringing the power of the internet to the people, who could board their chariot on the global information superhighway, without barriers, and ride it to economic and social benefit-land.

That glorious dream has died an ignoble death. Why? Because of hackers, of course.

Seeing it’s vacation season, we can present an object lesson.

What are the common things that people do when they get online when they’re out traveling and enjoying some time off? They “check in” to locations on Facebook, or upload photos to Instagram or Twitter, with a geo-tag. They might send a Snapchat with a geo-filter, or log into Gmail or other webmail services. Or, they might log into banking portals, to, say, make sure the cash is there to cover that stand-up paddle boarding outing scheduled for later in the day.

They will almost certainly be 100% unaware that someone nearby could easily be intercepting their web traffic or plotting a man-in-the-middle (MITM) attack. In its simplest form, all it takes is one of these jobbies: The Pineapple.

It’s an ironic name, given that the pineapple is the international symbol of welcome. Oh, coffee-shop denizens, you are indeed welcome—most welcome indeed to the hacker’s MITM platform.

It’s easy to set up a Pineapple. Unfold its spider-like antenna, plug it into your laptop and start broadcasting a free Wi-Fi signal, which can be named anything you’d like it to be named. People will connect to it, because again, most people are blissfully unaware that these things exist. But here be dragons, my friends. There really are monsters lurking in the shadows, with names like “Free Wi-Fi” and “Coffeeshop Free” and “Hey Idiot” (yes, I saw that one once).

Once the victim has attached to the Pineapple, the hacker can intercept every scrap of traffic and web activity that user generates. 

All too easy. And this doesn’t even scratch the surface—the are plenty of other ways to compromise public Wi-Fi networks to collect information on those attached to them.

Research from iPass (the paid public Wi-Fi company, natch) shows that the top high-risk venues are cafes and coffee shops (according to 42% of respondents), followed by airports (30%), hotels (16%), exhibition centers (7%) and airplanes (4%).

This isn’t just a consumer and ham-and-egger issue, either. C-suite types go on vacation too. About 40% of organizations surveyed by iPass believe that C-level executives—including the CEO—are the greatest risk to their organization being hacked. A big reason for that assessment is because these folks are often on the road, working outside the office—and making use of public Wi-Fi to do their thing. When on vacation, those same executives can be found populating coffee shops and cafes, not to mention airports, hotels and airplanes. And hackers don’t care that you’ve paid $2,000 more per ticket to fly first class. There’s no platinum status for cyber-protection.  

“The grim reality is that C-level executives are by far at the greatest risk of being hacked outside of the office,” said Raghu Konka, vice president of engineering at iPass. “They are not your typical nine-to-five office worker. They often work long hours, are rarely confined to the office, and have unrestricted access to the most sensitive company data imaginable. They represent a dangerous combination of being both highly valuable and highly available, therefore a prime target for any hacker.”

Many companies advocate that users make use of phone tethering or personal hotspot devices instead, though awareness of the dangers is not complete, especially in the UK. Nearly 10% of UK organizations said they have no security concerns when employees use public Wi-Fi hotspots (compared to 1% in the US and Germany, and 2% in France). UK organizations are thus the least likely to ban the use of public Wi-Fi, with just 66% planning to do so as opposed to Germany (92%), the US (90%) and France (85%).

So, sadly, we have to conclude that free public Wi-Fi falls into that category of too good to be true (Hey, Idiot!). If you absolutely must (and let’s face it, there are times when you absolutely must, like on airplanes), try not to log into anything sensitive. Try encryption methods. Be smart. Beware the Pineapple. Beware overly ironic SSIDs like "Totally Insecure Wi-Fi" (saw that one once too). In other words, don't be one of those coffee shop yahoos.  

It's always sad to see golden dreams die painful deaths, and knowing the seedy underbelly of free Wi-Fi kind of makes me feel icky. But you'll be glad in the long run that you have your eyes open.

What’s Hot on Infosecurity Magazine?