Published by Jed Laundry, Senior Manager – Security on 6 December 2024
It’s that time of year when people are getting ready for holiday travel.
It’s also that time of year when people start asking me: “Is it safe to use the hotel Wi-Fi? After all, data roaming is expensive!”
While “Don’t use public Wi-Fi” can be a legitimate risk decision, it’s been a long time since anyone has actually asked “why?”
So, from the vantage point of 2024, here’s my analysis of the risks of free Wi-Fi and how to safeguard your devices if you find yourself needing to use the internet while on holiday.
What are the risks?
The risks of public Wi-Fi can be broadly categorised into three main risks or tactics from adversaries:
- Passive Interception: observing device identifiers and unencrypted traffic over the network, without breaking into encrypted traffic
- Active Interception: breaking encrypted traffic on the network, to get more detail from the device and sites visited
- Active Reconnaissance and Exploitation: using misconfigurations and exploits to attack devices connected to Wi-Fi networks
Tactic |
Goals |
Techniques |
Prevalence |
| Passive Interception |
|
|
High – big data is big business, and solutions are readily available to use these techniques and mine the data to deliver the Goals. |
| Active Interception |
|
|
Low/Medium – while most websites and services now use strong TLS, negating DNS hijack and HTTP request tampering, it’s still extremely common to see TLS MiTM from firewalls, and for users to click-through warning messages about traffic being intercepted. |
| Active Reconnaissance and Exploitation |
|
|
Unknown – while CyberCX have observed active techniques on public Wi-Fi networks, we don’t have enough data to make an quantitative assessment. |
Astute Governance, Risk and Compliance (GRC) folks will notice that I’ve left out an Impact column, and rewritten Risk and Prevalence. That’s because the Impact varies greatly depending on the device type (iOS/Android carries lower risk than Windows/macOS), what’s on the device, and who might be carrying out these activities.
For example, while we know certain sectors love to track you for data analytics, and in the right hands, a lot of this tracking would be relatively benign. But the challenge with these datasets is that access to the data is resold after being “anonymised”, and it is difficult to truly anonymise data; getting access to location, profile, and preference data to track, stalk, and harass people is easier than most expect [1]. And therefore, the Risk of the activity as a whole is different to the Risk of individual threats.
Should I use free public Wi-Fi on my work laptop?
That depends – what does your IT/Security Policy say?
In every organisation, risk decisions are up to the senior management team. If your company has decided to allow you to use free Wi-Fi networks, that’s their call.
For example, at CyberCX, our staff are advised to refrain from using public or unknown Wi-Fi networks from company devices. We provide either a mobile reimbursement, or a mobile plan, so that our people have access to mobile data when they need it.
We made this decision because, for us, the cost of providing mobile data is less than the cost of investigating potential incidents and responding to breaches.
What about my personal devices?
That’s your call. Just like other risk activities, you should consider the risk in the context of the reward – does the benefit outweigh the risk?
Sometimes this is an easy decision: for me personally, if I’m in a hotel where the 5G coverage sucks, I am absolutely going to consider using the hotel Wi-Fi from my phone before jumping on a long video call with my family – the hotel already knows my personal details and movements, and my up-to-date phone with privacy settings enabled lowers the risk.
But I would never join the coffee shop Wi-Fi for the 5 minutes it takes to make an orange mocha frappuccino – there’s no clear benefit, and I don’t need to risk my personal information.
Other time this is more nuanced: if I’m at an event where the 3G network is overloaded, and I really want to toot out pictures on Face-X-gram… maybe.
What if I use a VPN?
If by VPN you mean one provided by your organisation, then while a VPN might be useful to mitigate some (not all) Passive and Active Interception techniques, it’s typically not effective against Active Reconnaissance and Exploitation; and where request logging is used, it absolutely confirms you as an employee of your organisation.
If by VPN you mean of the Nord or Express or Shark variety… you’re not actually reducing any of these risks, you’re just moving them around, because the same techniques could be used by the VPN provider – except it’s actually worse, because in most cases the VPN provider also has your credit card name and number, which is tied to your real identity.
What if I’m still not sure? I heard something different from someone else?
Not everyone sees risks the same way. I’m privileged to have some of the best cyber security professionals around me that I can talk to about these risks, so that I can make an informed decision.
If you’re still not sure, reach out to IT or Security people you know, and talk through these risks with them.
