The easiest way to get yourself hacked is to sit down at a coffee shop, open your computer and log on to the internet. The very notion of a public Wi-Fi network means anyone, including hackers, can almost instantly access all the machines using that connection point. Now, as Wi-Fi becomes commonplace on planes, on the subway and in public places, more people are learning the hard way that their data is at risk.
Journalist Steven Petrow wrote a column for USA Today Wednesday describing how, after he used the Gogo in-flight Wi-Fi during a thee-hour American Airlines flight, he was approached by a stranger who read his entire email inbox over the course of the flight. Gogo's stock immediately fell from $10.48 a share at close Wednesday to $9.75 to open Thursday morning. Security experts agree Petrow could have avoided having his email intercepted if he'd followed even basic security protocol, but even then he might have been vulnerable to an attack.
“There were so many things he missed,” said Jerome Segura, a senior security researcher at Malwarebytes. “I don’t think the reporter expected what was going to happen, but I think he's probably regretting that story now.”
Last year, a cybersecurity researcher was questioned by a team of FBI agents after he described how easy it would be to take control of a United Airlines plane's flight path via the in-flight entertainment system. The FBI alleged the researcher in fact caused the plane to change direction.
From a security standpoint, using the Gogo in-flight Wi-Fi presents the same risks as connecting to any Starbucks, library or airport internet hub. The number of worldwide public hotspots exceeded 50 million in 2015, according to the Wi-Fi company iPass. That's 80 percent more than the number in 2013, but nothing compared to the 340 million global public networks expected to debut by 2018.
New York City alone is planning to open 7,500 high-speed internet hubs in an attempt to bring more of the city's 8.4 million residents online.
Countless people are already in the same situation as the USA Today journalist. They just don't know it yet. Luckily, this isn't a new problem, and researchers have had time to prepare for exactly this issue.
“Whenever you use an open Wi-Fi, even if you take all necessary precautions, you should avoid at all costs doing anything you don’t feel comfortable,” Segura said. “Don’t do online banking, for example. Even if you’re using the right tools, there are so many ways to redirect your connection from the intended website to an attacker’s website.”
Encrypt everything you do. It's easy. Encryption is really step one when it comes to doing anything online, especially on a public network. Steven Petrow admitted he was using EarthLink, an outdated web mail provider that does not offer SSL encryption, which guarantees that a user is connecting to the site they want.
A quick way to identify an SSL encrypted site is to look for a lock symbol and an HTTPS in the browser search bar. Sites that still rely only on HTTP are vulnerable to man-in-the-middle attacks, which occur when hackers trick visitors into visiting dangerous web pages that pose as the real ones, allowing attackers to intercept victims' traffic. The Chinese government, for instance, has been blamed for setting up a fake Apple website and logging information on all the users who visited it.
Most modern email providers, banking sites, e-commerce pages, and other high-volume web destinations use SSL. Anything that doesn't is vulnerable.
Don't let your device automatically join networks. Be selective about when and where you connect to the internet. Think about what you're doing, and ask yourself if it can wait until you get home or to the office (which hopefully used WPA-2 password security measures). Sometimes there's no time to wait, though, in which case you should delete the saved public networks on your phone or laptop.
Doing so will prevent attackers from tricking your device into connecting to a dummy network.
“If I know a public plane’s wireless network ID I can connect to it, pretend to be the network and you’d be connecting to my spoofed network instead of of a legitimate one,” said Travis Smith, senior security researcher at the cybersecurity firm Tripwire. “I can also jam your network and force you to send all your information through me. That way, I’m the gateway and all your data goes through me.”
Set up a VPN. Virtual private networks are becoming more popular as more people get wise to the notion that everyone's data is under assault. As employers expect workers to keep in constant contact, more are also setting up corporate VPNs that enable employees to connect to the internet at minimal risk.
In a sense, using a VPN is like carving out an encrypted tunnel through a public connection. All of the user's traffic — including sites visited, email accounts, passwords and other information — remains disguised to any man-in-the-middle hackers thanks to the proxy services that obscure incoming and outgoing data.
“The most popular use of VPNs is not security but redirecting user geographic location so users can watch things like Netflix from other countries,” Segura said. “But it's a precaution that these days is necessary. And as a consumer, I would say VPNs are so cheap now that you can find any service for less than $100 a year.”