How Safe is Public Wi-Fi? A Network Engineer Explains

Public Wi-Fi is a modern convenience, but it comes with certain security risks. While it offers easy internet access in coffee shops, airports, and hotels, these networks are prime targets for cybercriminals.

The question remains: Are the dangers of public Wi-Fi overstated, or are they real threats that demand caution?

In this article, we examine the risks associated with public Wi-Fi, analyze common attack methods, and provide insights on how to stay safe when using these networks.

What does the network topology look like?

A public Wi-Fi network is a Wireless Local Area Network (WLAN).

It consists of connected devices—user devices, access points, switches, routers—linked to another network, usually the organization’s LAN or the internet.

A WLAN is a layer 2 network. Sometimes, the access point, switch, and router functions can be carried out by a single device known as a wireless router.

It is often a wireless extension of a wired LAN. In a WLAN, the user devices are known as wireless stations (STA), the wireless device to which they connect is known as the wireless access point (AP), and the Wi-Fi name or label is known as the Service Set Identifier (SSID).

This is what you see when you scan for available Wi-Fi.

What kind of attacks can be carried out?

Here are some of the techniques used by attackers on Wi-Fi networks:

1. Man-In-The-Middle (MiTM) Attack

This attack aims to intercept traffic by placing the attacker between the users and the access point.

When this is done, you see the attacker’s device as the Wi-Fi access point, and the access point sees the attacker’s device as your device.

Information is being relayed between the access point and your device through the attacker.

That way, the attacker can see everything being done. A common way of doing this is ARP spoofing.

ARP Spoofing

The Address Resolution Protocol (ARP) is a protocol used by devices on a network to determine what device has what IP address on the network.

It maps the IP addresses of devices on layer 2 networks to their physical addresses (MAC addresses).

On a network, devices use IP addresses to communicate, but on a layer 2 network like in public Wi-Fi, they need to know where the devices are located.

That’s the job of the MAC address. 

A good analogy would be an office setting where the manager’s name is John, and his office is Room 4.

The accountant’s name is Ototo, and his office is Room 15.

Take the names as the IP address and the room numbers as the MAC address.

You want to send a note to your manager, and you know his name.

ARP is what tells you that to get this note to John, you need to send it to Room 4.

The ARP protocol builds a table called the ARP cache where you can look up the mappings.

In ARP spoofing, the attacker sends spoofed (false) ARP packets over the network so as to corrupt the ARP cache of target devices and force the victim to link the IP address of another device (in this case, the AP or router) with the attacker’s own MAC address.

So, in our analogy, let’s say the attacker was in the conference room; he’ll convince you that John is in the conference room and that if you want your note to reach John, you should send it to the conference room at Room 52 instead of Room 4.

And he can convince John that if he wants to send his reply, he should send it to Room 52, instead of Room 2 where you really are.

What happens then is that he can now receive notes from you, read them, maybe edit and modify them, and then pass them on to Room 4.

John will receive the notes from him, thinking they’re coming directly from you.

He has successfully conducted a man-in-the-middle attack.
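The corrupted cache described above is visible on your own device. This added example (not part of the original article) parses Linux `ip neigh show` output and flags a gateway entry whose MAC differs from a known-good value or is shared with another IP address. The sample output, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed `ip neigh show` output (Linux). In the article's analogy the
# gateway 192.168.1.1 is "John" and the MAC ending :52 is the conference room.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 02:00:00:00:00:52 REACHABLE
192.168.1.15 dev wlan0 lladdr 02:00:00:00:00:15 STALE
192.168.1.52 dev wlan0 lladdr 02:00:00:00:00:52 REACHABLE
192.168.1.77 dev wlan0 FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17})\b")


def parse_neigh(text):
    """Return {ip: mac} for entries that carry a resolved MAC address."""
    cache = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            cache[m.group(1)] = m.group(2).lower()
    return cache


def check_gateway(cache, gateway_ip, known_gateway_mac=None):
    """Return a list of (code, detail) findings about the gateway's ARP entry."""
    gw_mac = cache.get(gateway_ip)
    if gw_mac is None:
        return [("no-entry", gateway_ip)]
    findings = []
    # 1. The MAC differs from the one recorded on a trusted earlier visit.
    if known_gateway_mac and gw_mac != known_gateway_mac.lower():
        findings.append(("gateway-mac-changed", gw_mac))
    # 2. Another IP answers with the same MAC. Not proof on its own (a router
    #    may own several IPs), but it is what a poisoned cache looks like.
    by_mac = defaultdict(list)
    for ip, mac in cache.items():
        by_mac[mac].append(ip)
    for ip in sorted(by_mac[gw_mac]):
        if ip != gateway_ip:
            findings.append(("mac-shared-with", ip))
    return findings


if __name__ == "__main__":
    for code, detail in check_gateway(parse_neigh(SAMPLE_NEIGH),
                                      "192.168.1.1", "02:00:00:00:00:04"):
        print(code, detail)
```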

Evil Twin Attack

This is another way Wi-Fi users can be attacked. In this method, the attacker creates a fake Wi-Fi access point and Service Set Identifier (SSID) that is a copy of the real one in the location.

This is an ‘evil twin.’ Your device then connects to the attacker’s network automatically, or you connect manually without knowing it’s not the real network.

And your traffic is sent directly to him. The attacker can also have access to your device that way.

This is another method of carrying out man-in-the-middle attacks on WLANs.

2. Deauthentication Attack

Sometimes, the attackers have other things in mind.

They want to be able to steal from an encrypted network, or they want to log out all users.

Then, they take advantage of a feature of the 802.11 protocol—the deauthentication frame.

The deauthentication frame is a frame used to terminate connections. It can be sent by a wireless station (your device) or the access point itself, for multiple reasons.

The attacker sends fake deauthentication frames to the access point with the MAC address of the target.

This deceives the access point into thinking that your device requested to disconnect.

This type of attack is not a man-in-the-middle attack, but a Denial of Service (DoS) attack.

However, it may be used to force you to connect to the attacker’s network or to capture traffic when your device is reconnecting to the legitimate network. The attacker then tries to use that captured traffic to obtain the password.
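From the defender's side, a deauthentication flood is easy to recognize in a capture. This added example (not part of the original article) parses the fixed 802.11 deauthentication frame layout and flags sender/receiver pairs that exceed a rate threshold. The frames, timestamps, threshold and function names are constructed assumptions.

```python
import struct
from collections import defaultdict

DEAUTH_FC0 = 0xC0  # frame-control byte 0: version 0, type 0 (management), subtype 12

# Constructed frames (no radiotap header): fc, duration, addr1, addr2, addr3, seq, reason
AP, STA = "02:00:00:00:00:04", "02:00:00:00:00:02"
LEAVING = bytes.fromhex("c000 0000 020000000004 020000000002 020000000004 0000 0300")
FLOOD = bytes.fromhex("c000 0000 020000000004 020000000002 020000000004 0000 0700")
# Constructed capture: one ordinary deauth, later 20 frames within 0.2 seconds.
SAMPLE = [(0.0, LEAVING)] + [(10.0 + i * 0.01, FLOOD) for i in range(20)]


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_deauth(frame):
    """Return the fields of a deauthentication frame, or None for anything else."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC0:
        return None
    return {
        "dst": _mac(frame[4:10]),     # address 1: receiver (here the AP)
        # address 2: claimed sender; not authenticated unless Protected
        # Management Frames (802.11w) are in use on the network
        "src": _mac(frame[10:16]),
        "bssid": _mac(frame[16:22]),  # address 3
        "reason": struct.unpack_from("<H", frame, 24)[0],  # little-endian code
    }


def find_bursts(timed_frames, window=1.0, threshold=5):
    """Return (src, dst) pairs that sent >= threshold deauths within window seconds."""
    recent = defaultdict(list)
    flagged = set()
    for ts, raw in sorted(timed_frames, key=lambda item: item[0]):
        fields = parse_deauth(raw)
        if fields is None:
            continue
        times = recent[(fields["src"], fields["dst"])]
        times.append(ts)
        while ts - times[0] > window:  # drop timestamps outside the window
            times.pop(0)
        if len(times) >= threshold:
            flagged.add((fields["src"], fields["dst"]))
    return flagged


if __name__ == "__main__":
    print(find_bursts(SAMPLE))
```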

What can be the effects?

The attacker has successfully executed a MiTM attack.

Your traffic now passes through him to its destination.

He’s happy. But what can he achieve with that?

Well, since he now sees all your traffic, he is able to monitor and manipulate you in certain ways.

Network Sniffing

Network sniffing is simply a term used to describe monitoring what goes on in a network. Since traffic from your device passes through his to the internet, he is able to capture packets and see what is being relayed between your device and the internet.

That can tell him a lot of things.

From your DNS requests, he knows what sites you are visiting.

From HTTP requests, he can know more precisely what you are doing with particular web servers.

He may even be able to capture passwords and login details that are relayed in plain text.

Then, he can also modify the packets you sent before sending them out or modify them before relaying them back to you.

However, the risks here may be low because almost every website now uses HTTPS, which is the encrypted version of HTTP, so not much can be gotten from reading your traffic. 

DNS spoofing

Domain Name System (DNS) is the system that helps associate IP addresses with domain names so that you can access the internet by typing google.com instead of typing 142.250.201.78 into your browser.  Your device does not know the IP addresses of various domains on the internet and has to depend on servers scattered all over the internet called DNS servers.

Most times, your devices configure DNS servers through DHCP. An attacker who is on the network can perform DHCP spoofing and trick your device into using his DNS server with fake records that point to his own servers.

So, when you type in google.com, a different website, maybe a clone owned by the attacker on a different IP address, is delivered to your device. That way, you can hand him your password and login details or any other sensitive information peacefully without a gun to your head.

Malware

It is also possible that the attacker can then inject malware into your device, and secure his backdoor so he does not need to go through all the stress when visiting next time. 

ARP spoofing can be done with any PC with the required software tools. Attacks like the evil twin attack and deauthentication attack, however, require Wi-Fi adapters that support monitor mode, packet injection, and AP mode. That requires more prepared actors.

How do we protect ourselves?

Given all that has been said, it is obvious that there are risks associated with using public Wi-Fi. Hackers often exploit unsecured networks to steal sensitive information. However, there are things we can do to protect ourselves from potential attacks. 

Disable automatic Wi-Fi connection

One of the ways you’ll be able to connect to an evil twin is if your device automatically connects to networks. Devices always prioritize the network with the stronger signal, and an evil twin looks exactly like the network your device has been connected to before. So, it can more easily connect to the evil twin than the real network, because the attackers are smart enough to make their signals stronger. Instead of automatically connecting, you should manually connect so you can see the networks and see if there’s any suspicious activity before you connect. I know that for the sake of convenience, this is easier said than done. And maybe not always practical.
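What "suspicious" can look like in a scan list, as an added example that is not part of the original article: it compares visible networks against what the device remembers about a saved network and reports entries that reuse the name but differ in security type or hardware address (BSSID). The scan records, saved profile and function name are constructed assumptions.

```python
# Constructed scan results: what a device might see in a cafe. All values are
# made up for illustration; signal is in dBm (closer to 0 is stronger).
SCAN = [
    {"ssid": "CafeGuest", "bssid": "02:00:00:00:00:04", "security": "WPA2", "signal": -61},
    {"ssid": "CafeGuest", "bssid": "02:00:00:00:00:52", "security": "OPEN", "signal": -38},
    {"ssid": "Airport_Free", "bssid": "02:00:00:00:01:10", "security": "OPEN", "signal": -70},
]

# What the device recorded on earlier, trusted connections (hypothetical store).
SAVED = {"CafeGuest": {"security": "WPA2", "bssids": {"02:00:00:00:00:04"}}}


def review_scan(scan, saved):
    """Return (ssid, bssid, reasons) for APs that reuse a saved SSID but differ."""
    findings = []
    for ssid, profile in saved.items():
        matches = [ap for ap in scan if ap["ssid"] == ssid]
        known = [ap for ap in matches if ap["bssid"] in profile["bssids"]]
        best_known = max((ap["signal"] for ap in known), default=None)
        for ap in matches:
            reasons = []
            # Strongest indicator: a network you joined with a password is
            # suddenly offered without one (or with a different scheme).
            if ap["security"] != profile["security"]:
                reasons.append("security-mismatch")
            # Weaker indicator: large venues legitimately run many APs, and
            # a BSSID can be copied, so treat this as a prompt to look closer.
            if ap["bssid"] not in profile["bssids"]:
                reasons.append("unknown-bssid")
                if best_known is not None and ap["signal"] > best_known:
                    reasons.append("stronger-than-known-ap")
            if reasons:
                findings.append((ssid, ap["bssid"], reasons))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reasons in review_scan(SCAN, SAVED):
        print(f"{ssid} [{bssid}]: {', '.join(reasons)}")
```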

Use a VPN

A VPN is basically an encrypted tunnel through which your data passes. It protects your data while in transit. So, anyone sniffing the network should not be able to glean anything from it. In the case of a public Wi-Fi where there’s a MiTM attack, the attacker in his packet capture will only see your VPN protocol. He wouldn’t be able to figure out a thing about your online activity unless, of course, the company providing the service works with him.

Activate DNS Security

DNS is one of the unencrypted protocols. Anyone sniffing the network can use your DNS traffic to get an idea of what you’re doing. However, you can add an extra layer of protection by encrypting your DNS traffic with DNS over HTTPS (DoH) or DNS over TLS (DoT).

Avoid logging into sensitive accounts with public Wi-Fi

One precaution that can be taken is to not log into bank accounts or any sensitive accounts over public Wi-Fi. Just in case. If you never do that, then even when there is a breach, you don’t run the risk of handing over passwords, login details and session tokens on a platter of gold.

Conclusion

This article has hopefully given you an idea of how public Wi-Fi works, and the types of threats to expect when using public Wi-Fi. The threats usually involve someone being there in the same physical location with you. If you enjoyed the article, please share it with others.
