Public WiFi: “You will never find a more wretched hive of scum and villainy.”

Made famous by Sir Alec Guinness while playing Obi-Wan Kenobi in the original Star Wars trilogy, the line, “You will never find a more wretched hive of scum and villainy,” now most accurately describes the state of public WiFi networks. 

In order to understand why, what falls into the category of a public WiFi network, and what you can do about it, it’s important to know a couple of very simple things about how WiFi works.

WiFi was essentially “born” in 1997, and its fundamentals haven’t changed since. It was, and is, a wireless network, created because running a network cable to every computer, printer, TV, and especially every phone in your house is not workable. Each device connects to an access point, which is itself connected to the internet. The problem is that the range of an access point is a maximum of 150 feet.

So, larger homes, businesses, schools, airports, etc. have many access points (or “repeaters”) and as you walk around while connected to the network, your phone actually switches between access points, using whichever has the strongest signal. It does this without asking you, and without notifying you – and this is how it’s supposed to work.

The problem is that anybody can, in under a minute, look at what WiFi networks are in the area and start their own network with the same name. If their signal is stronger than the legitimate one – because you’re closer to them, or they have a booster, etc. – then your device will happily and automatically, without any notification, try to join their network as if it was an extension of the real one.

Once your traffic is going through them, they have the opportunity to see anything unencrypted and have lots of chances to cause momentary disconnections and reconnections – which would just look like a bit of lag to you – that, depending on various circumstances, could let them see much of your encrypted traffic as well.
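For anyone who runs a network and wants to check for this, here is a small added example (not part of the original newsletter) that looks through a WiFi scan for access points using a known network name that either are not in the owner's inventory or use a different security setting than the rest. The scan records, network names, hardware addresses, and the KNOWN_APS inventory are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed scan results (not real networks): one record per access point heard.
SAMPLE_SCAN = [
    {"ssid": "CoffeeShop-Guest", "bssid": "02:00:00:10:20:01", "security": "WPA2", "signal_dbm": -67},
    {"ssid": "CoffeeShop-Guest", "bssid": "02:00:00:10:20:02", "security": "WPA2", "signal_dbm": -72},
    {"ssid": "CoffeeShop-Guest", "bssid": "02:00:00:aa:bb:cc", "security": "OPEN", "signal_dbm": -38},
    {"ssid": "HomeNet", "bssid": "02:00:00:55:66:77", "security": "WPA3", "signal_dbm": -50},
]

# Assumed inventory: access points the network owner actually operates.
KNOWN_APS = {
    "CoffeeShop-Guest": {"02:00:00:10:20:01", "02:00:00:10:20:02"},
    "HomeNet": {"02:00:00:55:66:77"},
}


def find_suspect_aps(scan, known_aps):
    """Return one finding per access point that looks like a same-name impostor."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = []
    for ssid, aps in by_ssid.items():
        # Security setting used by most access points carrying this name.
        usual_security = Counter(ap["security"] for ap in aps).most_common(1)[0][0]
        strongest = max(aps, key=lambda ap: ap["signal_dbm"])
        for ap in aps:
            reasons = []
            if ssid in known_aps and ap["bssid"].lower() not in known_aps[ssid]:
                reasons.append("BSSID not in inventory")
            if ap["security"] != usual_security:
                reasons.append(f"security {ap['security']} differs from usual {usual_security}")
            # Only reported alongside another reason: this is the access
            # point a roaming device would prefer.
            if reasons and ap is strongest:
                reasons.append("strongest signal for this name")
            if reasons:
                findings.append({"ssid": ssid, "bssid": ap["bssid"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspect_aps(SAMPLE_SCAN, KNOWN_APS):
        print(finding["ssid"], finding["bssid"], "; ".join(finding["reasons"]))
```

A clean result is not proof that a network is genuine: a copy that also matches the hardware address and security setting passes both checks, which is why the advice further down does not depend on spotting the impostor.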

This is so common that for about $100 anybody can, legally, buy a “WiFi pineapple” that can be configured to do all this automatically, sending any captured information to its owner’s cloud storage. These are sometimes put in planters, under chairs, behind shelves, or other such locations at coffee shops or other places where people commonly use free WiFi.

When using WiFi in your house you can be (hopefully!) sure that nobody is in your house, closer to you or with a stronger signal than your own trusted access points. In public, this is not the case.

So, there are two takeaways from this.

1. TURN OFF AUTO-JOINING NETWORKS: In your settings on your phone (and tablet, laptop, and any other devices you have with you in locations with public WiFi), be sure to disable auto-joining available networks or hotspots. If these are left on, your phone is in promiscuous mode (no joke, that’s what it’s called), and will join up with any network that happens to be lying around.

2. IN PUBLIC, DON’T USE WIFI: If you’re at home, or at work, or in some other location that you trust, go ahead and use the WiFi. But otherwise, avoid it and use cell service. This has nothing to do with whether it’s a fancy hotel that you trust; it is not a comment on the security of the person hosting the legitimate network. It’s simply the way that WiFi itself was designed. In places such as hotels, the person in the room next to you could have a booster and be playing around with anything nearby, and without doing technical analysis on your network traffic there really isn’t any way that you or the hotel would even know.

If you have questions, if you’d like to see specific topics taken up, or if you have general feedback, I’d like to hear from you!

Please share this newsletter with friends, family, colleagues, and everybody else you know. Empowering individuals and small businesses by democratizing basic cyber safety information so everyone can be safe without having to get professional level certification is the whole point.

Anybody receiving this that has not yet subscribed, please do so at: https://newsletter.thecybersafety.company.

Peter Oram
Chief Cyber Safety Officer