Free WiFi Access the Not-so-Great Deal

Mobile devices have long since moved from a nice to have to a requirement for existence.  The glue that holds this mobile experience together is the wireless network.  Driven by consumer demand, the wireless connection is automatic and seamless with uninterrupted streaming and downloading.  This ability to connect and wirelessly access your data has become a common requirement in shopping, dining, lodging, and everything else.  The expectation for wireless access is as common as the expectation for access to a restroom or water.  The inherent problem is the ease of connection, defined as the easy access to wireless networks; is a requirement that makes this connection dangerous as the ease of use is often at the expense of security.

The new normal is teleworking, wireless networking from home, a hotel, or other remote locations.  To address this security dilemma in June, the National Security Agency (NSA) released a Cybersecurity Information Sheet, “Securing Wireless Devices in public Settings.”  The Information Sheet addressed the risks in wireless networking, and it addressed three means of wireless connections, WiFi, Bluetooth, and Near Field Communications (NFC).  The general recommendations for all three wireless connection types are standard cybersecurity actions focused on basic cyber hygiene.  These recommendations are to ensure all software is up to date with the latest versions of software, including antivirus software.  Use multifactor authentication, WPA2 level encryption, and restart your system frequently.  Other recommendations are to ensure your firewalls restrict traffic by whitelisting and other more technical suggestions.

A specific recommendation is to avoid free or public WiFi hotspots.  The reason being these connections are easily exploited.  For example, it is easy to deploy illegitimate access points (an evil twin) that masquerade as trusted access points; they can be battery operated or disguised as other objects.  The user’s device will seek the access point with the strongest signal; these are often illegitimate by design.  If the assumption is that this is a legitimate public hotspot, there is also an assumption of trust.  But the reality is that every keystroke, connection password, and file transferred can be copied.  Many public connections do not require a means of authentication, and the data is not encrypted.  Often user vulnerabilities are self-induced; there is no encryption, their operating system and antivirus software are out of date, there is no multifactor authentication; these and other issues combine to make an easy target to exploit.  This is a common technique for hacking systems in hospitals, office buildings, Universities, etc.  The challenge for the hacker is the setup; once the user logins in through the criminal’s access point, the information from every transaction is copied and stored. 

The remedy is to use your own hotspot; this can be through a cellular phone or a portable hotspot device.  The hotspot acts as a personnel mobile access point.  Where you establish secure access through a password and where the transactions are encrypted ideally at WPA2 or better.  Often hotels or other businesses will offer access through their wireless network; these are better options than open or public WiFi.  These options allow you to set your own password or use a random password other than the room number.  However, it is hard to determine absolute security. 

The infosheet recognizes that there may be times when a personal hotspot is unavailable, and there is no other option than to use a public hotspot.  In this case, the best option is to use a secure virtual private network (VPN).  Of course, this is not something that a remote user can set up; it is an option that must be built and provisioned in advance.  Another recommendation is to ensure that your user profile is not the system administrator and only access secure websites. Such websites use the Hypertext Transfer Protocol Secure (HTTPS) or https://. Other recommendations are to restrict your activity on these open networks, do not transmit sensitive information, avoid shopping or financial transactions, avoid accessing sensitive information PII, healthcare, etc.  When on these networks, act as if someone you do not trust is looking over your shoulder and recording your activity.  Last, the recommendations are to close out your activity, forget the access point, clean out the web browser cache, and restart the computer when complete.  These last precautions are to remove any threats that may be in memory.

For the other two wireless classes Bluetooth and NFC, the specific recommendations are to ensure that only approved devices are connected, disable the connection, turn off discovery mode when not in use, and if possible, whitelist connections.  For NFC, the issue is distance; this only works at short distances, about 8 inches; it is used for credit card transactions, turn it off when not in use.  The general security requirement for all three connections classes is the same.  Essentially this boils down to four things make sure all your software is up to date, use antivirus software and MFA, and encrypt your data.  To secure your systems start with the easy stuff first.