[Note: This is derived from articles originally published in the July and August editions of the SWCP Portal, our monthly newsletter. Due to the importance of the security information they contained, we’re republishing them here for everyone.]

The tech news site Ars Technica recently warned that public WiFi hotspots can pose a security risk to users. It’s not that the hotspots are themselves insecure. It’s the way most computers, tablets, and phones implement WiFi logins that poses a danger.

AT&T and Comcast, among others, are promoting large networks of WiFi hotspots which are free for their customers to use. For example, AT&T’s free WiFi hotspots are available at McDonald’s and Starbucks. When you see the “attwifi” network at any of these places around the country you can log in with your AT&T login. The same goes for Comcast’s “xfinitywifi”. It’s as convenient as it is dangerous.

The trick is that once you have logged in to one of these networks, your computer or tablet saves the login information so you can reconnect to these networks without entering a password the next time you are near one of their hotspots. This is the window that can let the bad guys in.

What the criminal can do to the unsuspecting device owner is set up his own WiFi hotspot using the network name “attwifi” or “xfinitywifi”. But the crook’s hotspot has some tricks up its sleeve. First, it allows you to connect regardless of what username and password are entered. Bingo, the bad guy has got your AT&T or Comcast login information. In most cases, this alone would be enough info to cause damage, either vandalism of your online life, or identity theft.

But even more insidious, this low-life and his illicit hotspot have become a “man-in-the-middle”. He now has the power to intercept all of your communication, including emails, sites you visit, and possibly account passwords sent to other web sites (Facebook, Twitter, your bank, etc.). He can also inject any kind of malware he wants into the web pages you are looking at. So even if you stay away from shady sites which might have malicious code on them, the man-in-the-middle could insert it into the flow headed to your browser anyway.

Now it is true that protocols such as SSL (indicated by the little padlock icon in your browser when you are on a secure site) are intended to withstand man-in-the-middle attacks. However, the bottom line is that a man in the middle of your communication has enormous power to try and subvert any security that would otherwise be in place. He’s not just able to snoop on your packets, he gets the chance to change each one as it passes through his evil access point.

How can a person protect against this? The best advice would be to never use free public WiFi hotspots. That’s not really practical though — they are simply too useful to ignore. The next best thing is to configure your device NOT to “remember” those WiFi hotspots. Or, after you use one, specifically tell your device to forget it. If you only use them occasionally, that won’t be a huge burden. (See below for instructions.)

And finally: never, ever, log in to your bank or credit card web site through a public WiFi hotspot. Never.

Test Results

Just how real is the threat? To see how easy it might be to use wide-open public WiFi hotspots in this manner, we set up a test. The danger is thought to be that after you have connected one time, your phone, computer, or tablet is likely to automatically reconnect to any wireless signal with that name, even if it is fake. So we devised a simple experiment to see if it could really happen, and what sort of mischief it could allow.

For the experiment, we set up a WiFi hotspot in our office and gave it the name “attwifi”. We passed any connections on to the internet. In the process, we verified that we could indeed snoop on, save, and even alter all of their connections if we had wanted to (though, of course, we did not save anything).

We ran the experiment for a full week with a low-power antenna inside our office. At the end of the week, 26 different devices had connected and used the hotspot. They were roughly half Apple iPhones/iPads and half Android smartphones. Some of the “victims” of our test were our own employees, but the majority were random visitors, people walking by outside or working in nearby offices. We spoke to a few of the device owners and every one was completely unaware that they had used it, even our technically-savvy employees.

In other words, no one saw “attwifi” as an available choice and deliberately picked it. Rather, their phone or tablet connected automatically without their knowledge or choice. In some cases they were not even using the device – it was just automatically connecting to various email, cloud, and social networking services for updates.

The software we used for this is freely available and can be set up and used by anyone with a moderate amount of computer administration experience. It’s clear that this is a real danger.

As we said before, the safest (but hardest) solution is to disable WiFi on your device when you are not at a known-safe location. Here is a more balanced approach:

  1. Tell your device not to connect to new networks without notifying you.
  2. Tell your device to “forget” all the networks it knows now.
  3. Re-enter the information for the “good” networks you use as they come up.
  4. Do not, no matter how tempting, use any public WiFi hotspots.
  5. But if you must (and sometimes you just gotta do it), repeat steps 2 and 3 afterwards.
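
On a Linux laptop, steps 1 and 2 start with finding out which remembered networks are open and set to rejoin on their own. The script below is an added example, not part of the original newsletter article: it assumes saved profiles in NetworkManager's keyfile format and runs on constructed sample profiles rather than a real system.

```python
import configparser

# Hotspot names the article cites as easy to impersonate.
KNOWN_PUBLIC_SSIDS = {"attwifi", "xfinitywifi"}

# Constructed sample profiles in NetworkManager keyfile format (not real data).
SAMPLE_PROFILES = [
    "[connection]\nid=attwifi\ntype=wifi\n[wifi]\nssid=attwifi\n",
    "[connection]\nid=HomeNet\ntype=wifi\n[wifi]\nssid=HomeNet\n"
    "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "[connection]\nid=CafeGuest\ntype=wifi\nautoconnect=false\n"
    "[wifi]\nssid=CafeGuest\n",
]
SECURITY_SECTIONS = ("wifi-security", "802-11-wireless-security")


def audit_profile(text):
    """Return (ssid, findings) for one saved profile, or None if not Wi-Fi."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
        return None
    ssid = cp.get("wifi", "ssid", fallback=cp.get("connection", "id", fallback="?"))
    # No security section means an open network: the name is the only thing
    # the device checks, so any access point using that name is accepted.
    is_open = not any(cp.has_section(s) for s in SECURITY_SECTIONS)
    # NetworkManager treats a missing autoconnect key as true.
    auto = cp.get("connection", "autoconnect", fallback="true").lower() == "true"
    findings = []
    if is_open and auto:
        findings.append("open and rejoined automatically: forget it")
    elif is_open:
        findings.append("open but manual join only")
    if ssid in KNOWN_PUBLIC_SSIDS:
        findings.append("well-known public hotspot name")
    return ssid, findings


def audit_all(profiles):
    """Map each SSID with findings to its list of findings."""
    results = filter(None, (audit_profile(p) for p in profiles))
    return {ssid: found for ssid, found in results if found}


if __name__ == "__main__":
    for ssid, found in audit_all(SAMPLE_PROFILES).items():
        print(f"{ssid}: {'; '.join(found)}")
```

Profiles that come back with the "rejoined automatically" finding are the ones to forget, as in step 2.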