26 Jul 2019

No. (More details below.)

Unfortunately, most “free” WiFi comes with multiple issues. Here are the common ones and options to mitigate them.

1: You may not actually be connected to the WiFi you think you are.

Cybercriminals are known to create fake hotspots to lure you (and your information) to their system.

For example, which of these are real and which are fake?

  • Airport WiFi
  • Free Airport WiFi
  • YYZ Guest WiFi
  • Starbucks
  • Starbucks Free WiFi
  • Starbucks free wifi

Potential mitigation tactics:

  • Confirm the official network name (and remember that names are case sensitive)
  • Tether to your own device and do not use free WiFi

2: Your device will keep trying to connect to WiFi it has been configured to use.

You went to a Marriott once and configured “Marriott Guest” as a valid WiFi to connect to; now your device will connect to anything called “Marriott Guest” that it sees. Guess what: cybercriminals know that and will create fake hotspots (with the right names) to lure you (and your information) to their system when you are in other places.

Potential mitigation tactics:

  • Disable the “auto connect” option on the WiFi profiles on your device
  • Tether to your own device and do not use free WiFi

3: Free WiFi is usually configured as “Open”, which is, well, open (i.e. not password protected and not encrypted).

Depending on how things are configured (usually for their convenience and not your security), it means everyone around you can see your Internet traffic. Yes, some of it is encrypted (the little lock, https), but they can still see which websites you go to and, of course, all the unencrypted traffic.

Potential mitigation tactics:

  • Use a VPN client that tunnels all your traffic to a safe place (including DNS queries)
  • Tether to your own device and do not use free WiFi (do you start to see a pattern here?)

4: You may be sharing more than you want.

Vendors offer free WiFi primarily for 2 reasons:

  • Keep you in their establishment
  • Learn more about you

As we established in 3, even if you go to encrypted websites, there is still a lot to learn about what you are doing while connected. In this scenario it applies even if the WiFi is not “Open”, since they manage the keys to the kingdom.

Potential mitigation tactics:

  • Use a VPN client that tunnels all your traffic to a safe place (including DNS queries)
  • Tether to your own device and do not use free WiFi (do you start to see a pattern here?)

So what is someone to do?

For personal casual surfing:

  • If possible, always tether: many plans include a couple of GB, and 15 minutes of casual surfing will not drain it.
  • If you must use free WiFi: only connect to trusted vendors (if you are in a hotel and see “John’s free WiFi”, don’t use it).
  • Keep it casual (someone may be watching): it is not the right place to review your mortgage or google things that may not be in line with your public self.
  • And disable auto connect on most of those profiles.

For business use:

  • Tethering should be the default.
  • If you must use free WiFi: use a full tunnel VPN client to your office to hide your traffic.
  • Disable auto connect on most of those profiles.

Thanks for reading, you can find more content here: https://alcit.com/blog/

And feel free to reach out if you have any questions!