Public Hotspots Are a Privacy and Security Minefield: Shield Yourself

May 19, 2014 – 5:38 AM

An axiom among network security pros is that you should treat public Wi-Fi hotspots like the cyber equivalent of public bathrooms: a convenience we all use, but only with the requisite hygiene. You wouldn’t share personal items like a toothbrush or razor with others at an office, gym or airport restroom, but too often people broadcast personal information that could be disastrous in the wrong hands over wireless networks where intercepting data is easier than many people realize. In addition, users on public hotspots leave breadcrumbs documenting their every move on the Internet for anyone, including the hotspot operator to mine through for valuable, and privacy-compromising, insights; a topic I’ll cover in more depth in my next column.

We all know that personal data leaks like a sieve on the Internet writ large, whether through Google ’s collection of search history, Facebook’s aggregation of login credentials and activity tracking (using cookies and social plug-ins) on sites far and wide and other ad networks that track our every move. However the risk is acute out in the wild, in the world of public hotel, airport, cafe and convention center Wi-Fi. While Google and Facebook collect data that profiles and tailors ads and other promotions to their users, at least their customers (i.e. essentially all of us) generally know what we’re signing up for in the bargain. Out in the wilds of public hotspots, there are no the rules.

First off, with public, unencrypted Wi-Fi, you’re never sure who or what you’re really connecting to. We’re all familiar with the rogue access points (APs) using common names like “Linksys” or “Netgear”, but only a rookie would fall for those ruses. However things like Hak5’s legendary (at least among cyber security pros) Wi-Fi Pineapple exploiting convenience features in the Wi-Fi protocol, make it trivially easy to impersonate and intercept all wireless traffic directed to a given hotspot.


You must be logged in to post a comment.