By Chester Wisniewski, principal research scientist at Sophos
As many parts of the world appear to be finally getting a grip on the pandemic and more people can consider their approach to getting back into the world, we are suddenly out and about much more than before. This inevitably leads to needing internet access as we travel, shop, and socialise again. Almost 10 years after Edward Snowden told us we were being spied upon online, is it finally safe to just “connect”?
“The state of web security in 2021” paper shows that we’ve made great progress in improving the baseline of security by making changes behind the scenes to how encryption is implemented to ensure our communications remain private.
The WiFi attack checklist
Most public WiFi is unencrypted; that is to say, anyone within radio range (up to 100 metres or 300 feet) can see the information you send over the connection. This was problematic in the past as it offered many opportunities for spying on or hijacking your communications.
The first requirement for an attacker then is to be within radio range and do one of the following:
Operate an “evil twin” WiFi point with the same name that has a stronger signal that you connect to instead of the real one
Trick you into using the attacker for name lookups (DNS) so they can redirect your requests to fake pages or through proxies
Simply observe your communications to intercept any unprotected data between you and your intended destination
This isn’t too hard, but the physical aspect of this makes it impractical. Attackers must put themselves physically close to their victims, limiting potential victims to people in their immediate area. This isn’t a crime they can easily perform from Moldova anonymously over Tor.
Next, attackers need to predict which sites their victims might want to visit and whether these sites are protected by HSTS. If they are, attackers will be unable to intercept the traffic without convincing a certificate authority to issue them a valid certificate for the protected domain.
Of course, attackers could just snoop on unencrypted traffic and hope for the best. As my research showed, less than approximately 5% of connections are unencrypted and the vast majority of those are marketing and ad trackers. None of the most popular destinations that lacked encryption accepted usernames and passwords, making this observation of limited use to criminals.
WiFi-based attacks are a very low-yield crime with a very high likelihood of arrest if the cybercriminals are detected. If there is anything I have learned over the years, it is that criminals are usually lazy and reach for the lowest hanging fruit. The risk of attacks like this will vary though, based on your risk profile. More on that later.
Encrypted websites aren’t immune to being hijacked though. A website that doesn’t utilise HSTS can be “downgraded” by an adversary to use an unencrypted connection allowing them to tamper with or intercept your information.
In my research this was most of the sites surveyed: 61.03%. That sounds scary, but remember they need to be nearby and either target specific destinations ahead of time or downgrade only the sites without HSTS to HTTP, a difficult, if not impossible, feat. None of the sites without HSTS protection were in categories where the types of information criminals often value are transmitted. This includes social media, web-based email providers, office applications, financial institutions, or dating sites.
While a few of these sites were high profile, they typically don’t offer login pages, and the data stolen from them isn’t easy for a crook to monetise.
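An added example, not from the original article or the Sophos paper: a sketch of how a browser decides, from the Strict-Transport-Security response header, whether a host is pinned to HTTPS or can still be downgraded, following RFC 6797. The hostnames and headers are constructed samples, and `parse_hsts`, `classify` and `survey` are names chosen here.

```python
import re

# Constructed samples (not survey data): host, scheme the response arrived
# over, Strict-Transport-Security header value (None if absent).
SAMPLES = [
    ("bank.example", "https", "max-age=31536000; includeSubDomains; preload"),
    ("news.example", "https", None),
    ("shop.example", "http", "max-age=31536000"),
    ("mail.example", "https", 'MAX-AGE="63072000" ; includesubdomains'),
    ("blog.example", "https", "max-age=0"),
    ("ads.example", "https", "includeSubDomains"),
    ("dup.example", "https", "max-age=600; max-age=31536000"),
]

def parse_hsts(value):
    """Parse the header per RFC 6797 section 6.1; return None if invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if not name:
            continue  # empty directives are permitted by the grammar
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # value may be a quoted-string
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None  # max-age is required and must be digits
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}  # preload-list token, not in the RFC

def classify(scheme, header):
    """A browser only records the policy when it arrives over HTTPS."""
    if scheme != "https" or header is None:
        return "downgradable"
    policy = parse_hsts(header)
    if policy is None or policy["max_age"] == 0:  # max-age=0 removes the policy
        return "downgradable"
    return "protected"

def survey(samples):
    return {host: classify(scheme, header) for host, scheme, header in samples}

if __name__ == "__main__":
    for host, verdict in survey(SAMPLES).items():
        print(f"{host:14} {verdict}")
```

A header-based policy only takes effect after the first HTTPS visit, so a host is covered on first contact only if it is also on the browser's preload list.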
Risk level for most people
So where does that leave us? In two words? Largely safe. Everything most of us use from our mobiles or while traveling on our laptops in public places is protected at a level that is incredibly hard to compromise.
Does that mean it is impossible? Clearly not. There are always risks and concerns, and you may decide that it isn’t right for you, so let’s investigate reasons not to trust public WiFi and what alternatives you might use to lower the risks.
Risk level for sensitive targets
Are you a high-profile target? Are you a journalist, politician, celebrity, or possibly even a spy? Public WiFi might just be too risky a gambit for you. In many countries mobile phone data is affordable enough to just get by without bothering to connect to WiFi anyhow.
The issue can be more complicated, though: what if it is the government itself you are worried could be trying to compromise your communications? You could consider a VPN, but that is complicated in and of itself. Personally, for those who need more security for their communications, whether using WiFi or mobile phones, I recommend the use of Tor (The Onion Router).
Tor is a privacy and security enhanced browser to lock out anyone who may be snooping on the wire. It can be a bit slow occasionally, but if you have reason to believe you may have advanced adversaries messing with you, Tor is the best thing we have to defend against them.
Bottom line? For most people, most of the time WiFi is perfectly fine. Opportunistic criminals have far better ways to compromise victims without the physical risks of having to be within shouting distance of their crimes. Have fun. Browse Facebook, Twitter and check your Gmail all you want. Take advantage of all those online Black Friday and Cyber Monday sales while you’re on the go, you’ll be fine. And if you’re a bit more paranoid like me? Take the advice above to be a step ahead of the rest.