If avoidable, do not conduct sensitive business over a public WiFi connection, even if the data is encrypted. If you do need to, and your mobile device has a cellular data connection (e.g. 4G or 5G network), use that instead. Or simply wait until you are connected to a trusted network at home or work.

You are on your way to work in the morning and you make a quick stop at your local coffee shop. As you wait for your drink you browse your social media feeds while using WiFi, which your phone automatically connected to when you entered the coffee shop. No doubt this is convenient. What you did not realize is that your phone connected to a rogue access point and someone was able to monitor your online activity. Unfortunately convenience and security oppose each other more often than not.

WiFi at home versus in public

Is WiFi at home the same as WiFi in public? Generally, yes, they are the same. They use the same transmission methods and typically have the same security available (e.g. WPA2). WiFi in your home and place of business can be considered trusted networks, while public WiFi, even from a reputable place of business, should be treated as an untrusted network. This post focuses on public WiFi, but the security issues are the same and the recommended best practices can still be applied at home or at your place of business.

WiFi can be a security issue

When you connect to an access point on a WiFi network, the data you transmit from your mobile device can be seen ‘in the air’. These wireless signals can be ‘seen’ with monitoring software (known as WiFi sniffing). The data is either being sent ‘in the clear’ (i.e. unencrypted) or encrypted. Unencrypted wireless data can be seen just as it is sent, including usernames and passwords if sent over an insecure (unencrypted) connection. Fortunately most websites will encrypt sensitive information, but not all do. Even very large and well-known companies sometimes goof up and do not encrypt sensitive information.

Since both unencrypted and encrypted traffic are sent wirelessly while connected to a WiFi network, and unencrypted traffic can be monitored, does that mean encrypted traffic can be monitored as well? Yes, encrypted traffic can be monitored as well! Do not fret though. When monitoring encrypted traffic it is usually seen as garbled and unintelligible data. I say usually because when it comes to information security, exceptions to the rule almost always exist.

A quick caveat to all of this. Unencrypted wireless traffic (i.e. public WiFi that does not require a password) may still be difficult for a malicious person to read because the website you are using may be enforcing https (secure data transmission) instead of http (insecure data transmission). You will typically be able to identify a website using https vs. http by looking for the padlock seen next to the URL in your Internet browser.

Should you use public WiFi?

Sure, why not. Using WiFi may give you faster connection speeds (compared to a cellular network), help you avoid data usage charges with your service provider, and allow you to work while away from the office. As with any other convenience, you should be aware of some risks and how to avoid or mitigate them. So how can you avoid becoming a victim of data theft when using public WiFi? See below for best practices you should be mindful of anytime you want to connect to public WiFi at the airport, in a mall, on a train, or anywhere else.

How to use public WiFi safely

  • Connect to WiFi that enforces encryption
    • If you are prompted to enter a password to connect to the WiFi network, encryption is being enforced
    • If a WiFi network is prompting you to enter a ‘WEP’ password I would highly suggest you not even connect to the network as WEP is an easily cracked security protocol
  • Visit websites that enforce secure data transmission
    • This is the https part of a URL mentioned earlier in the post
    • Sadly this is no guarantee your activities are completely protected and safe
  • Ensure the software on your mobile device is up to date
    • This includes both the operating system (e.g. iOS or Android) and any downloaded apps
  • Unless absolutely necessary, I suggest avoiding websites where you have to enter a username and password
    • For example logging into your bank account by visiting the bank’s website, even if it is using https
  • If you have to access sensitive data, when possible use a VPN (see below) or a mobile app instead of logging into a website
    • For example use your bank’s mobile app that you downloaded from an approved app store
  • Use a virtual private network (VPN)
    • A VPN creates a secure tunnel between your mobile device and the VPN server, encrypting the data sent between the two
    • This is essentially an additional layer of security that can be combined with a password protected WiFi network and visiting websites that start with https
    • For basic Internet browsing a VPN typically is not necessary
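
As an added illustration of the first item above (this is not code from the original post): the sketch below sorts a WiFi scan into encrypted, open and WEP networks, and marks any network name that shows up with more than one security setting so it can be looked at more closely before connecting. It assumes a Linux laptop with NetworkManager, where `nmcli -t -f SSID,SECURITY device wifi list` produces the scan; the sample scan and all function names are constructed for the example.

```python
# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
# Terse mode separates fields with ':' and escapes literal ':' and '\' with '\'.
SAMPLE_SCAN = r"""
CoffeeShop Guest:
CoffeeShop Guest:WPA2
Airport\: Free WiFi:--
OldRouter:WEP
HomeNet:WPA2 WPA3
Office:WPA2 802.1X
"""

def split_terse(line):
    """Split one terse-mode line on unescaped ':' and unescape the fields."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])      # escaped character, keep it literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))  # unescaped ':' ends the field
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields

def classify(security):
    """Map the SECURITY column to 'encrypted', 'wep', 'open' or 'other'."""
    tokens = security.replace("--", "").split()
    if any(t.startswith("WPA") for t in tokens):
        return "encrypted"
    if "WEP" in tokens:
        return "wep"                     # easily cracked: do not connect
    return "open" if not tokens else "other"

def audit(scan_text):
    """Return {ssid: verdict}; 'mixed' = same name seen with different security."""
    seen = {}
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        ssid, security = (split_terse(line) + [""])[:2]
        seen.setdefault(ssid or "<hidden>", set()).add(classify(security))
    return {s: (next(iter(v)) if len(v) == 1 else "mixed") for s, v in seen.items()}

if __name__ == "__main__":
    for ssid, verdict in audit(SAMPLE_SCAN).items():
        print(f"{verdict:10} {ssid}")
```

A "mixed" result is only a prompt to ask staff which network is the real one; it does not by itself prove that an access point is rogue.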

WiFi is convenient, just be smart with it

When it comes to technology, no set of foolproof measures exists to completely avoid all risks. And as you have read, your wirelessly transmitted data can be stolen out of the air, which means that ultimately it is best to not completely trust a WiFi connection. Remember you can never be fully protected from individuals with malicious intent. At the same time it is unhealthy to be constantly paranoid.

As with just about all of technology, it is about balancing convenience with security. Each of the best practices outlined above has so much more information that could accompany it, but if you have done your due diligence and you follow these steps you can wirelessly browse the Internet with confidence.