Do you know what the risks are whenever you connect to the internet via Wi-Fi? And do you know how to minimize these risks?
For example, many people travel the world and assiduously search out free Wi-Fi connections as a low cost way of keeping connected. Even those of us who are prepared to pay for internet access still feel a degree of happiness when encountering free Wi-Fi, perhaps in an airport or coffee shop or somewhere. But how safe are those connections?
Other people are a bit more security aware but believe they’re protected when connected to ‘secure’ websites or through ‘secure’ Wi-Fi. But is that true?
Pretty much any time you connect to the internet, you are placing yourself at measurable risk of having your internet communications intercepted by hackers, and as a result, any user names/passwords or credit card details you enter while online could possibly be stolen.
Let’s look at the different types of internet connections and the different ways you can connect through the internet, then after having exposed the weaknesses of these connections, talk about the best solution.
Considered from most secure to least secure, the common methods of internet connection are:
1. Wired Internet (Ethernet connections)
Sooner or later, just about every internet connection ends up traveling along a wire (or glass fiber). The good news is that these connections are pretty much only able to be received by people with physical connections to the data line, which greatly restricts the number of people who could access your data traffic, and increases the degree of sophistication needed to intercept your data.
That’s not to say it is impossible, but for casual internet hackers, it is too difficult and too dangerous (i.e. risk of being caught) to physically connect to an internet data line, compared to the easier and safer (i.e. hard to be detected and caught) approach of monitoring the airwaves for internet traffic.
So the sooner you get off the airwaves and onto some copper or fiber, the safer you are. Relatively speaking.
You are slightly more at risk if you don’t know the other people who are also connecting to the same wired router (such as is the case in a hotel, for example), or if you’re connecting via a cable modem service which has a number of customers (i.e. your neighbors) all sharing the same data feed.
2. Wireless (cell phone) Data Signals
It is harder to intercept a wireless data signal than a Wi-Fi signal. Wirelessly connected phones and tablets require more expensive technology to intercept than do Wi-Fi data connections, and are also protected by a weak layer of encryption.
Furthermore, the ‘quality’ of the data a hacker could steal from a wireless data connection is low. Many users are moving while connected and so are switching regularly between cell towers, and a hacker might only get half of a username/password entry, or half of a credit card number/expiry/code-on-back data stream, before the user switched over to another tower.
While it is possible to hack into wireless data connections, for the average hacker, it is too difficult, too costly, and not as potentially rewarding as going after the low hanging fruit – Wi-Fi.
3. WPA-2 Secured-With-A-Unique-Password Wi-Fi
This is probably the best form of Wi-Fi connection. It isn’t unbreakably secure, but it is better than other types of Wi-Fi.
If you are connecting to your own network, or one belonging to someone you know, you could ask them to check that they have their WPS turned off or secured. A known WPS vulnerability (now often patched, but not always) made it possible to defeat the WPA-2 security.
4. WPA-2 Secured with a Shared Password Wi-Fi
This is not as good. If everyone who connects uses the same password, then you have to wonder how widely known the password is and how many other people are also on the network.
5. WEP Secured Wi-Fi
This is a very low grade of security indeed, and is also (happily) close to entirely obsolete (primarily due to its security weaknesses).
It is relatively easy for a hacker to break through this security, using some readily available techniques that can be quickly found on the internet.
6. Open and/or ‘Free’ Wi-Fi
If you can get immediately connected to Wi-Fi, or if you enter an access password through a website page rather than as part of a log-on process, then you’re totally insecure. Anyone can download some simple programs onto their PC or tablet and monitor all the Wi-Fi connections within range. Some of these monitoring programs are even clever enough to auto-detect user names and passwords and collect them in a file.
Indeed, for $20 or so, a hacker can get a directional antenna that will greatly extend the distance within which they can intercept signals. So they don’t even need to be visible – instead of a typical 300 ft Wi-Fi range, maybe they can be accessing your hotspot from 600 ft or 1000 ft away.
Hackers know to go to places where there is likely to be an attractive combination of free Wi-Fi and many users connected to the free Wi-Fi. That is their target rich ‘happy hunting ground’. Best of all, they can be grabbing your valuable personal data while looking totally innocent. The guy with a computer, waiting at the next airport departure gate over from you, and apparently working through his emails, could actually have a background program grabbing everything you’re sending and receiving, and you’d never be able to know he was doing so.
If, somehow, unthinkably, the police were to come and search for who the hacker was, he just needs to turn off his computer, and possibly delete some log files and data collections, and there’d be no way the police could conveniently prove anything. It is this safety and relative freedom from prosecution that makes Wi-Fi monitoring so appealing.
7. Spoofed Wi-Fi Hotspots
There’s one type of Wi-Fi hotspot that is even more dangerous than a public/open/free one. Sometimes when you are somewhere unfamiliar, you go to connect to whatever Wi-Fi service you can find, and you’re not quite sure which one. You’re staying at Julie’s Hotel, perhaps, and you find Wi-Fi connections for Julie1, Roomsguests, and FreeHotelWiFi. Which one do you connect to?
Unless you’ve asked at the front desk, you don’t know, do you, so you probably try your luck with the first of them or the one with the strongest signal. If it accepts your connection, then you’re in luck – or so you think.
But in truth, someone has created a fake Wi-Fi hotspot, using no special equipment at all, just the built in Wi-Fi transceiver in their laptop, and you’ve connected to their hotspot and now are directly feeding your personal data to them.
This is also the case with ‘secure’ services. Maybe you’ve been given a userid/password to connect to the hotel’s “secure” Wi-Fi. You still proceed and try connecting, and get connected.
But, for all you know, what looked to be a bona fide hotspot is actually being provided by a hacker, who is using it to get in the middle between you and the bona fide hotspot, and so is able to intercept everything you do – even the user name and password you first entered to log in (he simply sent that on to the real Wi-Fi network, as well as storing it to use again himself in the future).
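As an added example (not part of the original article), here is one way to sort the networks a device can see onto the scale used above and to pick out a name that is offered with more than one security setting. It assumes a Linux laptop where `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL device wifi list` produced the scan; the network names are the article's, every address and value in the sample is constructed, and the mixed-security check is a heuristic of this example, so a clean result does not prove a hotspot is genuine.

```python
import re
from collections import defaultdict

# Constructed sample of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL device wifi list`
# (terse mode: ':' separates fields and a literal ':' is escaped as '\:').
# The network names are the article's; every address and value is made up.
SAMPLE_SCAN = r"""
Julie1:AA\:BB\:CC\:00\:00\:01:WPA2:71
Julie1:AA\:BB\:CC\:00\:00\:02:WPA2:55
Roomsguests:AA\:BB\:CC\:00\:00\:03:WEP:48
FreeHotelWiFi:02\:11\:22\:33\:44\:55::90
Julie1:02\:11\:22\:33\:44\:56::88
"""

def parse_scan(text):
    """Yield (ssid, bssid, security, signal) tuples from terse nmcli output."""
    for line in text.strip().splitlines():
        # Split on ':' that is not backslash-escaped, then undo the escaping.
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) == 4 and fields[3].isdigit():
            yield fields[0], fields[1], fields[2].strip(), int(fields[3])

def rate(security):
    """Place a SECURITY value on the article's scale (0 is the least secure).
    A scan cannot tell a unique password from a shared one, so both land on 2."""
    if security in ("", "--"):
        return 0          # open: anyone in range can read the traffic
    if "WEP" in security and "WPA" not in security:
        return 1          # WEP: obsolete and easily broken
    return 2              # WPA/WPA2 with a password

def triage(text):
    """Return {ssid: (worst_rating, mixed_security)} for every visible name."""
    seen = defaultdict(set)
    for ssid, _bssid, security, _signal in parse_scan(text):
        seen[ssid].add(rate(security))
    # Heuristic (an assumption of this example): one name offered both with
    # and without encryption is worth a question at the front desk.
    return {ssid: (min(r), len(r) > 1) for ssid, r in seen.items()}

if __name__ == "__main__":
    for ssid, (worst, mixed) in sorted(triage(SAMPLE_SCAN).items()):
        note = "  <- same name, different security settings" if mixed else ""
        print(f"{ssid:15} rating {worst}{note}")
```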
Precaution 1: Using SSL/HTTPS
You might already know that your data is encrypted when you connect to a ‘secure’ website via what is sometimes termed SSL and sometimes HTTPS.
This generally uses ‘industrial grade’ encryption that is difficult for anyone without government sized resources to break. But even this isn’t quite as secure as it could/should be, as was exemplified by Gogo with its inflight Wi-Fi service earlier this year.
For reasons best known to Gogo, and which are hard to put a positive spin on, it ‘spoofed’ the security ‘certificates’ used in establishing these secure connections. Instead of your computer creating a secure connection with the website, it instead established a ‘secure’ connection to Gogo, who then could decode your data, read it, and do whatever they liked with it before then connecting on, again securely, to the ultimate website (this is called a ‘man in the middle’ attack).
See this story for details of Gogo’s apparent perfidy.
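One way to notice the kind of certificate substitution described above, shown as an added example that is not from the original article: record a site's certificate fingerprint while on a network you trust, then compare it with what an unfamiliar network presents. The host name `site.example`, the recorded fingerprint and the byte strings standing in for certificates are all assumptions constructed for the example.

```python
import hashlib
import socket
import ssl

def fingerprint(der_cert):
    """SHA-256 fingerprint of a certificate in DER form, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Connect with normal verification and return the server certificate (DER).
    An untrusted chain or a wrong host name raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def assess(host, known_good, fetch=fetch_leaf_cert):
    """Compare what this network presents for `host` with `known_good`, a
    fingerprint recorded earlier on a network you trust."""
    try:
        der = fetch(host)
    except ssl.SSLCertVerificationError:
        return "untrusted"    # chain did not validate: the case a browser warns about
    except OSError:
        return "unreachable"  # no usable answer from the host
    if fingerprint(der) != known_good.lower():
        return "changed"      # validates, but not the certificate seen before
    return "match"

# Constructed stand-ins for DER certificates, so the logic can run offline.
GENUINE = b"constructed stand-in for the site's certificate"
SUBSTITUTE = b"constructed stand-in for an interceptor's certificate"

def refuse(host):
    """Constructed fetcher that fails the way an untrusted certificate does."""
    raise ssl.SSLCertVerificationError("constructed verification failure")

if __name__ == "__main__":
    pin = fingerprint(GENUINE)
    print(assess("site.example", pin, fetch=lambda h: GENUINE))     # match
    print(assess("site.example", pin, fetch=lambda h: SUBSTITUTE))  # changed
    print(assess("site.example", pin, fetch=refuse))                # untrusted
```

A "changed" result can also come from an ordinary certificate renewal or from a site that serves different certificates from different servers, so treat it as a prompt to check rather than as proof of interception.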
Precaution 2: Get a VPN
Okay, now your reward for reading this far. There is one generally secure solution that you can reasonably conveniently adopt that will give you good security, even over public Wi-Fi services, and pretty much no matter who is monitoring your data connection.
This is called a ‘virtual private network’. What it does is it creates a secure encrypted communication path from your computer, all the way through the internet, to another point, somewhere else – perhaps in your home or office, or at the location of a commercial VPN provider. The data is encrypted and decrypted at both ends of this connection, but nowhere else in the middle.
Once it has reached the other end of the connection, it then goes on through the rest of the internet, any which way, to its final destination. That part of the total journey remains at risk, but the risk is enormously lower and you’ve solved the risks of the most public part of the connection – from your computer and into the internet cloud.
It doesn’t matter who else is monitoring your connection over the Wi-Fi or anything. All they see is the encrypted data stream that flows between the VPN server and your computer. You’re secure.
Note that you need to follow some simple steps on your computer (or other device) to create the VPN connection. But first you need to create or sign up for a service.
How to Make Your Own VPN
If you have a modern Asus router (I’d recommend the RT-AC68U or any of the even better ones), it probably has built-in VPN support, and you can create a VPN so that you connect to your Asus router, whether it is at home or work or wherever, from anywhere in the world, before then connecting back out to the internet again.
Note this includes the routers that T-Mobile gives away for free if you have a T-Mobile account and ask for one. The VPN service seems not to be officially supported on the T-Mobile routers, but it is very simple to enable (switching on DDNS, switching on VPN, and leaving all the defaults untouched was all I needed to do).
Many other modern routers probably have the same feature.
Note that if you do this, you’ll be putting quite a load on your home/office router and network, because it will have to support both the traffic in to it from your remote location and then the traffic on out from it to your ultimate internet destinations. But if you have plenty of bandwidth, this is quick and simple and probably the best approach.
There’s another benefit too. If you’re traveling in another country and want to watch Netflix movies, if you connect directly in the foreign country you might find that Netflix refuses to accept your connection, but if you go through your VPN, it thinks you’re back home and allows it.
Using an External VPN Service
If you’re not able to create your own VPN, then you can choose from a number of external VPN services. Many are free (search for ‘Free VPN’ on Google), others cost a moderate sum per month and/or perhaps per GB of data you pass through the VPN.
If you do pay for a commercial service, it seems you should plan on paying less than $10/month for the service, and ideally it should be a service you can activate and deactivate as needed for when you’re traveling and not be paying for while at home.
VPN on Your Phone and Tablet, Too
It is important to realize that all the vulnerabilities we mentioned above apply equally to your phone or tablet when they are connecting through Wi-Fi. So configure those devices to use a VPN, too. It is very simple to do this on all modern Android and iOS devices.
Your internet connections are more public than you think. A VPN is the most effective way of securing your internet connection whenever you are connecting on a non-trusted network, and particularly when connecting over any type of Wi-Fi service.
Many modern routers allow you to create your own VPN network. Otherwise, you can sign up for your choice of many different free or paid VPN services.