We all know – or at least we're constantly being told – that we should be careful about connecting to free public Wi-Fi networks, although it's an easy warning to forget about when you're away from home and need to get online in a hurry.
But a new experiment by Czech security software makers Avast highlights why you really need to think twice before hitting up Wi-Fi from unknown sources. The company set up a bogus honeypot hotspot showing just how easy it is to seduce people into unwittingly giving up their personal data when they've connected to what looks like a legitimate network.
To create the trap, Avast set up their honeypot in a highly trafficked public location: a registration booth in Barcelona Airport for uber-massive tech trade-show Mobile World Congress (MWC). With close to 100,000 attendees annually, the event brings in droves of tech-using travellers, many of whom would be reliant on Wi-Fi hotspots to get online.
The company's researchers set up three separate Wi-Fi hotspots in the airport with network names (SSIDs) designed to look like they were legit internet connections for travellers or conference visitors: "Starbucks", "Airport_Free_Wifi_AENA", and "MWC Free WiFi".
In only 4 hours, more than 2,000 people connected devices to the bogus Wi-Fi networks, sending and receiving some 8 million data packets. To protect people's privacy, the company did not store any of the data, but the amount of information they were able to glean from unsuspecting users in this short timeframe shows how exposed we can be when we connect to Wi-Fi sources intentionally set up as network spoofing attacks.
Among the haul, Avast detected that: 61.7 percent of users searched for information on Google or checked their Gmail; 52.3 percent had the Facebook app installed; 14.9 percent visited Yahoo; and 1 percent used dating apps (Tinder or Badoo). What's more, the researchers could see the identity of the device and user in almost two-thirds of the connections made.
While that kind of general personal data might not seem too sensitive, the same kinds of techniques can be used to hack people in all sorts of nefarious ways, delving into any unencrypted data or passwords that can then be used to gain access to other personal accounts, including financial services.
While many of us wouldn't think twice about manually connecting to a Wi-Fi network called "Starbucks", simply assuming it's an official hotspot, the problem is further compounded by devices that instantly jump onto available Internet sources.
"Many individuals recognise that surfing over open Wi-Fi isn't secure. However, some of these same people aren't aware that their device might automatically connect to a Wi-Fi network unless they adjust their settings," said Avast mobile president Gagan Singh. "With most Mobile World Congress visitors travelling from abroad, it's not surprising to see that many opt to connect to free Wi-Fi in order to save money, instead of using data roaming services."
So what's the solution? As Avast recommends, using a virtual private network (VPN) service to anonymise and encrypt your connections is a good start – and one that comes with the added bonus of stepping around any geo-blocking restrictions you might come across on your travels.
Whatever you do, try to be mindful of where your Internet may be coming from, and don't simply assume that public Wi-Fi networks are safe and uncompromised. It can be tricky to identify which Wi-Fi networks are from legitimate providers – clearly anybody can spoof an authentic-sounding SSID – so be sure to look out for anything even slightly suspicious. For more information on how to secure yourself on public Wi-Fi networks, take a look at these tips.
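The auto-connect behaviour described above can be checked against a device's saved Wi-Fi profiles. The following is an added example, not part of the original article or Avast's research: it assumes profiles in NetworkManager's keyfile format (as stored under /etc/NetworkManager/system-connections/ on Linux), runs on constructed sample profiles, and uses illustrative function names.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (not captured data).
# SSIDs reuse the names from the article; "HomeNet" is a made-up protected network.
SAMPLE_PROFILES = {
    "starbucks": "[connection]\nid=Starbucks\ntype=wifi\n[wifi]\nssid=Starbucks\n",
    "airport": "[connection]\nid=Airport\ntype=wifi\nautoconnect=true\n"
               "[wifi]\nssid=Airport_Free_Wifi_AENA\n",
    "mwc": "[connection]\nid=MWC\ntype=wifi\nautoconnect=false\n"
           "[wifi]\nssid=MWC Free WiFi\n",
    "home": "[connection]\nid=Home\ntype=wifi\n[wifi]\nssid=HomeNet\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "wired": "[connection]\nid=Wired\ntype=ethernet\n",
}


def audit_profile(text):
    """Parse one keyfile; return a dict for Wi-Fi profiles, None otherwise."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return None
    return {
        "ssid": cp.get("wifi", "ssid", fallback=cp.get("connection", "id", fallback="")),
        # Assumption: a profile with no [wifi-security] section is an open network.
        "open": not cp.has_section("wifi-security"),
        # NetworkManager treats a missing autoconnect key as true.
        "autoconnect": cp.getboolean("connection", "autoconnect", fallback=True),
    }


def risky_ssids(profiles):
    """SSIDs the device would rejoin automatically with no link-layer encryption.

    Any access point broadcasting one of these names can attract the device.
    """
    results = (audit_profile(text) for text in profiles.values())
    return sorted(r["ssid"] for r in results if r and r["open"] and r["autoconnect"])


if __name__ == "__main__":
    for ssid in risky_ssids(SAMPLE_PROFILES):
        print(f"open + autoconnect: {ssid}  (forget it or set autoconnect=false)")
```

Profiles flagged this way are the ones to forget or switch to manual connection before travelling.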