ITRC Fact Sheet 142
What is WiFi?
WiFi is a wireless networking technology that is used around the world. A wireless network uses radio waves, just like cell phones, televisions and radios do. In a WiFi network, computers with WiFi capabilities connect wirelessly to a wireless access point or “router.” The router is connected to the Internet via a cable or DSL modem. Any user within range of the access point can then connect to the Internet. WiFi networks can either be open, where anyone can access them, or closed, where users need a password to access them. An area that has public wireless access is called a wireless hotspot.
If you’ve been in an airport, Starbucks, library or hotel recently, chances are good that you’ve been right in the middle of a wireless network. WiFi operates in more than 417,000 public hotspots and in tens of millions of homes and corporate and university campuses worldwide. Some cities such as San Francisco and Philadelphia are trying to use the technology to provide free or low-cost Internet access to residents. Soon, WiFi networks will become so widespread that you will be able to access the Internet wirelessly from just about anywhere. You most likely have a wireless router/access point in your home which uses exactly the same technology.
WiFi has a lot of advantages. Wireless networks are easy to set up and inexpensive. They allow you to easily connect multiple computers and to move around without disconnecting and reconnecting wires. These days, almost all computer manufacturers are building wireless network adapters into laptops.
However, you must remember that the WiFi adapter in your laptop communicates with the hotspot’s router over regular radio waves. That means that anyone around you can listen in on all your internet communication, simply by tuning into the right “channel.”
Hackers and Public WiFi Networks
While public WiFi networks may be numerous and convenient, they have many privacy and security risks. Consider the following stories:
- A journalist specializing in national security and technology issues pays his credit card bill online. A few days later, he notices an unauthorized charge on his card for an airline ticket to Turkey.
- In under a year, 50 customers of a Portsmouth, Rhode Island coffee house with a WiFi network report unauthorized charges to their credit cards totaling $50,000.
- A naval officer training for a Mideast mission logs onto the Internet at a hotel using a public WiFi network. The same day, he notices an unauthorized $90 charge to his checking account. The settings on his computer applications have been changed to a foreign language. The details of his mission stored on his laptop have been compromised.
- Two days after using his credit card to purchase in-flight WiFi, an airline passenger notices thousands of dollars of unauthorized credit card charges.
All of the above victims have three things in common: they used an unsecured WiFi network, their personal data was stolen, and they have no idea how this stolen data will be used in the future.
Most people have no idea how much information they casually reveal online, from telephone numbers and address information, to highly sensitive information like credit card numbers and Social Security numbers. When identify theft first emerged as a concern, thieves would go “dumpster diving” to find scraps of paper with this information. Now, however, hackers can listen in to hundreds of wireless communications, and use simple software to pick needles out of a haystack. This needle may be your Social Security number, credit card numbers, or usernames and passwords.
If you’re just passively viewing sports and news websites, you face few risks. However, let’s say you login to a website using your email address and a password. Then, perhaps you surf over to an online shopping site, or perhaps a financial website where your credit card and other sensitive information is stored. If you use the same password for critical and non-critical websites, which most people do, any hacker who watched you login to your news site now has access to all your financial information.
WiFi hackers leave no fingerprints and are nearly impossible to track. This makes it very difficult to convince people that they are in danger when using unsecured WiFi networks until it’s too late.
Dangers Inherent to Public WiFi Networks
The following list contains some additional ways in which you may be in danger when using a public WiFi network:
- Some web-based email providers (such as Yahoo) do not use HTTPS/SSL encryption for email access by default, which means that eavesdroppers can capture your login details and view your email messages.
- Instant messaging and FTP file transfers are vulnerable to WiFi hackers. These services transfer their data in easy to read text, including the login credentials. These login credentials and messages may be vulnerable to hackers when accessed via email software, such as Microsoft Outlook, over an unsecured network.
- Hackers can also connect to your laptop or other WiFi device. If you use Windows XP, for instance, you are vulnerable if you have configured your system to share any folders. These folders are also shared on public networks, so other hotspot users can access them if they aren’t password-protected.
- You may also be vulnerable to man-in-the-middle attacks, where a hacker deliberately mimics a legitimate connection to intercept information from your computer. The hacker can then use that connection to snoop around your computer and pull out not just data perhaps also your user ID and password to gain access to web sites you visit.
How You Can Protect Your Data
Below are some steps you can take to help you protect your data when you use WiFi networks:
- As a rule, you should only connect only to WiFi networks that you absolutely trust. Make sure that your communication is secure, and disconnect the WiFi network when you stop using it.
- Turn off shared folders. In some circumstances, hackers can actually reach into your PC and access information in shared folders.
- Run a comprehensive security suite and keep it up to date to prevent spyware and viruses.
- Beware of the information you share in public locations. Even seemingly innocuous logins to web-mail accounts could give hackers access to your more important data, since most of us use similar passwords for almost all online activities.
- Be sure that your home WiFi network uses encryption, specifically WPA encryption, as opposed to WEP encryption. WEP and WPA are types of security that are used to protect home wireless networks. WEP was intended to provide confidentiality comparable to that of a traditional wired network. However, several serious weaknesses in the protocol have been identified so that today it is more secure to use WPA. You should be using WiFi Protected Access, Version 2 (WPA2).
- However, the best way to protect your sensitive information is to use a Virtual Private Network, or VPN, which encrypts the data moving to and from your laptop. The encryption protects all your Internet communication from being intercepted by others in WiFi hotspots.
Most large companies have a company-supported VPN to protect corporate communications.
The following list includes common WiFi terms.
Encryption is the translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text.
A protocol that allows users to copy files between their local system and any system they can reach on the network.
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encrypted communication and secure identification of a network web server. HTTPS connections are often used for payment transactions on the Internet.
A man-in-the-middle attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is being controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones. For example, an attacker within reception range of an unencrypted WiFi access point can insert himself as a man-in-the-middle. Or an attacker can pose as an online bank or merchant, letting victims sign in over a SSL connection, and then the attacker can log onto the real server using the victim’s information and steal credit card numbers.
A device that encodes digital computer signals into analog/analogue telephone signals and vice versa and allows computers to communicate over a phone line.
A protocol for securing data communications across computer networks. Secure Sockets Layer (SSL) establishes a secure session by electronically authenticating each end of an encrypted transmission. It is used by websites whose names begin with https instead of http.
Virtual Private Network. A VPN secures and privatizes data across a network, usually the Internet, by building an “encrypted tunnel.” Data passes through this tunnel which protects it from anyone who tries to intercept it. Even if the data is intercepted, it is hopelessly scrambled and useless to anyone without the key to decrypt it.
WEP and WPA Connections
WEP and WPA are types of security that are used to protect home wireless networks. Wired Equivalent Privacy (WEP) is a deprecated security algorithm for IEEE 802.11 wireless networks. Wireless transmission is susceptible to eavesdropping and so WEP was introduced as part of the original 802.11 protocol in 1997. It was intended to provide confidentiality comparable to that of a traditional wired network. In response to certain vulnerabilities, in 2003 the WiFi Alliance announced that WEP had been superseded by WiFi Protected Access (WPA). WiFi Protected Access (WPA and WPA2) are certification programs that test WiFi product support for IEEE-standard security protocols that can encrypt data sent over the air, from WiFi user to WiFi router.
This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to firstname.lastname@example.org.