Staying safe on public Wi-Fi
What are the risks and how will GDPR affect public Wi-Fi providers?
The demand to be able to use the internet anywhere at any time has made public Wi-Fi a necessity for many, with cafés, libraries, shops and train stations among those that provide it for their customers.
The General Data Protection Regulation (GDPR) – which comes into force across the EU in May 2018 – will impact every company providing public Wi-Fi services. This is because the increased data protection responsibilities for the use and storage of EU citizen data are poised to have a significant impact on how companies offer their Wi-Fi.
GDPR specifically forbids restricting access to a wireless network on the basis of a customer providing personal data. Companies that previously offset free Wi-Fi costs by selling personal data to third party marketing companies may replace their model with charging fees for Wi-Fi access. If they do request customer data, businesses will need to demonstrate consent was “explicit, freely given, specific, and informed.” Consent will not be “freely given” if there was no genuine or free choice.
The use of public Wi-Fi has always had a number of risks attached to it.
Back in 2014, a handful of Londoners in some of the capital’s busiest districts unwittingly agreed to give up their eldest child, during an experiment exploring the dangers of public Wi-Fi use.
The experiment, which was backed by European law enforcement agency Europol, involved a group of security researchers setting up a Wi-Fi hotspot. When people connected to the hotspot, the terms and conditions they were asked to sign up to included a “Herod clause” promising free Wi-Fi but only if “the recipient agreed to assign their first born child to us for the duration of eternity”. Six people signed up.
Ultimately, the research, organised by the Cyber Security Research Institute, sought to highlight public unawareness of serious security issues concomitant with Wi-Fi usage.
Man-in-the-Middle attacks
One of the most common threats on these networks is called a Man in the Middle (MitM) attack. Essentially, a MitM attack is a form of eavesdropping. When a computer makes a connection to the Internet, data is sent from point A (computer) to point B (service/website), and vulnerabilities can allow an attacker to get in between these transmissions and “read” them. What you thought was private no longer is.
Encryption means that the messages that are sent between your computer and the wireless router are in the form of a “secret code,” so that they cannot be read by anyone who doesn’t have the key to decipher the code. Most routers are shipped from the factory with encryption turned off by default, and it must be turned on when the network is set up. If an IT professional sets up the network, then chances are good that encryption has been enabled. However, there is no surefire way to tell if this has happened.
Thanks to software vulnerabilities, there are also ways that attackers can slip malware onto your computer without you even knowing. A software vulnerability is a security hole or weakness found in an operating system or software program. Hackers can exploit this weakness by writing code to target a specific vulnerability, and then inject the malware onto your device.
Snooping and sniffing
Wi-Fi snooping and sniffing is what it sounds like. Cybercriminals can buy special software kits and even devices to help assist them with eavesdropping on Wi-Fi signals. This technique can allow the attackers to access everything that you are doing online — from viewing whole webpages you have visited (including any information you may have filled out while visiting that webpage) to being able to capture your login credentials, and even being able to hijack your accounts.
Rogue access points
Attackers also set up “rogue access points” that trick victims into connecting to what they think is a legitimate network because the name sounds reputable. You might want to connect to a hotel’s Wi-Fi and think you’re selecting the correct one when you click on the name of the hotel, but you haven’t. Instead, you’ve just connected to a rogue hotspot set up by cybercriminals who can now view your sensitive information.
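One defensive check a practitioner can run against a Wi-Fi scan is to flag open networks that share or mimic the name of an encrypted one. The script below is an added example, not code from the original article; the scan list is constructed for illustration and the rules are assumptions derived from the warnings above.

```python
from collections import defaultdict

# Constructed scan results for the example, not a real capture:
# (SSID, BSSID, security type as a scanner would report it)
SCAN = [
    ("Hotel_Guest", "aa:bb:cc:00:00:01", "WPA2"),
    ("Hotel_Guest", "aa:bb:cc:00:00:02", "WPA2"),
    ("Hotel_Guest", "de:ad:be:ef:00:01", "OPEN"),       # same name, no encryption
    ("Hotel Guest Free", "de:ad:be:ef:00:02", "OPEN"),  # look-alike name
    ("CafeWiFi", "11:22:33:44:55:66", "WPA3"),
]


def normalise(ssid: str) -> str:
    """Lower-case and strip spaces/punctuation so 'Hotel_Guest' and 'hotel guest' compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def find_suspect_networks(scan):
    """Return [(ssid, bssid, reason)] for networks a cautious user should not join.

    Assumed rules, based on the article's warnings about rogue hotspots and
    unprotected networks:
      1. an OPEN network whose name matches an encrypted network exactly;
      2. an OPEN network whose name merely contains an encrypted network's name;
      3. any other OPEN network (no password protection at all).
    """
    encrypted = {normalise(s) for s, _, sec in scan if sec != "OPEN"}
    findings = []
    for ssid, bssid, sec in scan:
        if sec != "OPEN":
            continue
        name = normalise(ssid)
        if name in encrypted:
            reason = "open network shares its name with an encrypted one (possible evil twin)"
        elif any(enc in name for enc in encrypted):
            reason = "open network name mimics an encrypted network's name"
        else:
            reason = "network is not password protected"
        findings.append((ssid, bssid, reason))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reason in find_suspect_networks(SCAN):
        print(f"{ssid!r} ({bssid}): {reason}")
```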
If you must use public Wi-Fi, follow these tips to protect your information:
Don’t:
- Allow your Wi-Fi to auto-connect to networks
- Log into any account via an app that contains sensitive information. Go to the website instead and verify it is using HTTPS before logging in
- Leave your Wi-Fi or Bluetooth on if you are not using them
- Access websites that hold your sensitive information, such as financial or healthcare accounts
- Log onto a network that isn’t password protected
Do:
- Disable file sharing
- Only visit sites using HTTPS
- Log out of accounts when done using them
- Use a virtual private network (VPN) to make sure your public Wi-Fi connections are made private
A possible result of more stringent access requirements will be a widespread uptake of Federated Identity Management (FIM) technology among public Wi-Fi providers. With FIM, applications and organisations rely on a common federated authority to manage the identity of a user. There is no need to store any customer data with FIM, which makes it an attractive route for public Wi-Fi providers seeking cost-effective GDPR compliance.
Federated Identity offers perhaps the most effective route, but even with this in place there will still be elements of the legislation to consider. The shift presents an opportunity to bring all areas of data protection up-to-speed to help customers feel more secure while using public networks. GDPR has the potential to be a catalyst for real change and improved standards for public Wi-Fi services.
- Amethyst operates in both the public and private sectors, delivering a dedicated, personal service of the highest standard. Amethyst can help your business get prepared for GDPR with our team of highly qualified and experienced specialists; many have more than 20 years’ experience in the fields of Data Protection, Cyber Security and Information Assurance.