Myth of Public WiFi

With the recent furore in my home country about how someone got hacked, and the person claimed it was through public wifi, and agencies issuing notification and press release about evils of public wifi, I intend to take a stab at the topic, ala Mythbusters style. 

Before we start any further, it is important for us to properly define public wifi in the context of 2022 (not anytime earlier). Today, most, if not all public WiFi is protected by a password, but shared amongst users. You’d find stickers on the premise wall informing users about the password. Some establishment (i.e. Starbucks) will issue a voucher for internet use which needs to be registered to you as a user. Very few establishments has a device onboarding process. Interestingly right now, I am writing this article sitting at a cafe in downtown KL connected to a random OPEN Wifi (meaning, no passwords required and browsing works perfectly fine. Picture below as proof (we folks like to keep receipts). 

Myth1: The most common misconception that I find about public wifi myth is MITM (Man In the Middle attacks). The attack presents the attacker being in the middle of the connection listening into the connection. Anything sent can be “intercepted” by this attacker and he/she/they can now control your browsing/web sessions. I still remember pulling this type of attack during a famous hacker conference and we used to show the username/password/site pairs on the “Wall of Sheep”. Good times…

Reality1: Today, we see close to 100% penetration of SSL/TLS. Its due to the launch of LetsEncrypt, which allows small site providers to obtain free publicly verified digital certificates. Before this, you’d have to pay to get a public digital certs (somewhere around USD1k per cert per year), which made a lot of sites use self-signed cert in the event they still wanted encryption for their sites and to protect the session. If you haven’t put a digital cert on your site, I’d suggest you use LetsEncrypt to start off. And if your site runs on cleartext, browsers will warn you. I still feel using SSL/TLS is on need basis, if your site transmits sensitive information like login/password, then yes. A static text website running TLS? Overkill to me. For someone to say open wifi can disrupt your banking site is akin to saying that TLS1.2 and TLS1.3 is broken and that you should NEVER use online banking (Which isn’t the case btw). 

Caution1: Remember that MITM is still a valid attack and should the services you use runs on plain text, then it will be revealed. The usual services that most users use like Google/Facebook/Banking sites are TLS 1.2 at least which means they are sufficiently protected. 

Myth2: Hackers can hijack my session, pretend to be me and wreck havoc if I use public wifi. 

Reality2: Please read Reality1 first. Most parts are answered there. But I have more detailed explanation here as well. Besides encryption, this myth relies on the fact that the hacker is on the same network. That means a minimum of one hacker per open (private address/RFC1918 NAT based) network. Now that’s a lot of hackers to be spending 8 hours at least a day sniffing passwords and launching attacks in all states, all countries, all over the world. Hmmmm….. (see the absurdity in this?) (Maybe someone is sniffing my traffic right now…)

Secondly, the same situation happens when your phone is connected to Internet, be it on Mobile data or home. Some through NAT and some direct. In fact most mobile connections I have observed are through public IP directly. With Public IP, you are exposed to hackers globally scanning your device every second. Then the only sane rational advice to give is “The Sky is falling! Your phone is going to get hacked! Get offline!!! Stay out of Internet!!!” 

At this point you can see how passionate I am about this topic. It’s come to the point where an outdated advice is still relevant, even amongst cybersecurity professionals. 

But Suresh, someone did get hacked and the person claimed to be using public wifi. What gives? 

Without having forensic analysis of the phone and understanding how it happened, at best, I can only theorise how that hack came about. 

First, look around you. Look at all the mobile devices that’s on people’s hands. Are they all the latest? Probably not. Would they be updating their firmware timely and have the latest version of the mobile apps? Probably not. So the first problem is non-supported devices and outdated firmware software which leaves the phone open to vulnerability. 

Secondly I use Android as an example. There were multiple vulnerabilities that affected the Bluetooth stack which for most phones remain unpatched and Bluetooth happily turned on. In that instance, I don’t need free Wifi to hack the phone. Just a Bluetooth worm to run between multiple devices. So you can still get infected in this instance, even being at home connected to a “secure” network when your neighbour drops by to pass you some mangoes and your phone gets connected via Bluetooth because of the bug and gets infected. (I used mango due to the Indian terminology of “mango idiot”). 

There is a difference between telling a person “Don’t use a knife, you will hurt yourself…” vs “use the knife carefully, its sharp and can cut you. Learn how to use it to keep yourself safe”. Security Professionals and those in position should not peddle FUD (Fear, Uncertainty and Doubt) as technology is now ubiquitous and not obscure like in the early 80’s. It is disappointing downright irresponsible for those putting out public messages that are inaccurate and creates more FUD. 

This article is cross posted at https://www.linkedin.com/pulse/public-wifi-insecurity-myth-reality-ts-dr-suresh/