Public WiFi: A double espresso for you and passwords for the bad guys.

Published on 1st April 2021 Author: Rob Black

Thanks to the power of public WiFi, it was common for many of us to head out to the nearest coffee shop, order an iced macchiato with an extra shot of espresso, whipped cream, and caramel drizzle, and pop open the work laptop to get stuff done in a cozy, public environment.

Well, it was common before COVID.

Anyways, the public WiFi that made this possible hasn’t always been secure. In fact, it used to be terrifyingly unsecure. It’s better now than it used to be, but your company should have a policy on public WiFi usage. Here’s why.

Imagine mailing a letter to your bank instructing them to transfer funds from one account to another. You would have all sorts of personal information including bank account numbers, maybe your Social Security number and the amount of funds in the accounts.

It’s probably not that hard to imagine. We used to do it all the time – some of us still do. (There are still people who file taxes by mail!)

Now, imagine giving this letter, or your tax documents, to a postal worker and not sealing the envelope! Your letter will be handled by several mailpeople throughout its journey. Any of them could easily read all of the details of the letter and use that knowledge to commit fraud! Or at very least know a lot of personal details about you.

Public WiFi Providers are the Postal Workers

When we use public WiFi, we are essentially giving a letter to the WiFi provider. Maybe the provider is benevolent. Maybe they are malicious. Maybe the WiFi we are connecting to is a fake one (anyone can name their WiFi network “Starbucks”).

Even if you’re using encrypted sites and services on a secure network, the WiFi provider has the ability to inspect the data that it sends. Just like a postal service carrying a letter or package, they will know who the sender is, who the receiver is, and how much it weighs (how much data you are sending). If your applications are not encrypted then you are handing over an open letter – they could look at literally everything!

Worse yet – if you’re connecting to an unsecured network (like xfinitywifi) then it’s like handing over the letter without an envelope at all. Anyone nearby could look at it and see what it says!

Unencrypted websites and applications and unsecured networks are all significantly less common than they used to be, but they still exist.

Rather than relying on the benevolence of public WiFi providers and on every website and application to encrypt their traffic – it is much better to take matters in your own hands.

So what can you do?

1. Use a personal remote hotspot or smartphone tethering.

The first course of action you can take is avoiding public WiFi altogether. Instead of connecting to the Internet via a public hotspot, use a personal data access point or smartphone tethering. This guarantees that you are connecting to a trusted, private network.

There’s no need to worry about the dangers of public WiFi at all – just make sure your personal access point is secured with a good password!

2. Use a Virtual Private Network (VPN).

If you want to maximize your security while using untrusted networks (all public WiFi should be treated as untrusted), use a VPN.

VPNs are tools that provide an additional layer of encryption security to all of your web traffic. VPN providers will host a server (or many servers) in a remote location. The VPN software on your computer will encrypt your traffic and send it to the VPN server, which will then forward your traffic to its destination. Data being sent back to you is encrypted in the same way: first to the remote server and then back to you.

Continuing the letter delivery analogy, the VPN is like a private courier service. Nobody except them can tell who the sender is, who the receiver is, or even what kind of package is being delivered.

That being said, you better trust your courier. If you aren’t using an in-house corporate VPN, be cautious and selective when choosing a third-party VPN provider. Check out their privacy policy to learn what kind of data they’re collecting and keeping. Ideally, they’re collecting and keeping the least amount of data possible and storing it for the shortest period possible.

Free VPNs might sound like a good deal, but they aren’t making money by providing you a service, meaning they have to make money another way like collecting and selling your data. Avoid free VPNs altogether, with the exception of free/trial tiers of premium VPN services.

Public WiFi Policy for your Businesses

If you have remote workers with mobile devices they can work with from anywhere, your company needs a public WiFi policy. Here are a couple of options:

Option A: Users are not to connect to public WiFi networks. They should instead use a remote access point or smartphone tethering.

Option B: Users are only to connect to public WiFi networks with their company-provided VPN service turned on.

There’s nothing wrong with enjoying the coffee shop atmosphere and a vanilla cappuccino while getting some work done. Just be sure to enjoy it securely!

Rob Black, CISSP

Rob founded Fractional CISO in 2017 and has helped dozens of companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).