Hi Dave, I have heard many people say how all my data can be hacked by using a public coffee house wifi network. How do they do it? I use an apple iPod Touch and an iPad Mini (wifi only, I’m too cheap for a data plan). Is there a way I can minimize the intrusion into my stuff? Should I never check my email while using a public wifi connection? Am I relatively safe just using an internet browser on a public wifi? Your thoughts/rationale are most appreciated.
Thanks for your question. You’re correct that public wifi networks can be dangerous, but it’s really all a function of what sites you’re interacting with and what protocols are in use on those sites. Whether you’re on a smartphone, tablet or laptop, it’s all the same basic danger, that of unencrypted information you send or receive being ripped off by someone else on the network. What’s worse is that malware can infect a computer and that malware can monitor wifi networks for things like account/password pairs, without the owner of the computer even knowing that’s happening. So it’s not as easy as “look around the coffee shop, if no-one suspicious is there, you’re free of danger.” Life’s not that easy.
To understand why an open wifi network is dangerous, let’s talk about the way that computers and Web servers communicate. Experts talk about the network protocol “stack” and that’s a good way to imagine it: programs have their own way of communicating, and those requests for data are then transmitted using lower level protocols and then reassembled at the other end and interpreted. With a Web browser, for example, Internet Explorer, Chrome, Firefox, Safari, whatever, they’re all using something called “http”, hypertext transport protocol.
HTTP is super-simple and the basic back and forth is: I want X. Here is X or I can’t find X for you. That’s it. When you hit this Web page, your browser asked my Web server for the skeleton HTML page (that’s the web page itself, and it’s written in hypertext markup language). My server delivered that back, then your browser went through and figured out all the other elements needed to fully render the page. That included a bunch of graphics files, so for each of those, your browser again went through the “I want X” sequence, and my server returned each graphics file, request by request.
Each of those requests and responses was translated into something called TCP/IP, which stands for the transmission control protocol, internet protocol, and it’s really TCP/IP that makes the Internet hum along: it’s the same low-level computer-to-computer protocol that your email program, your photo editor, the cloud sharing utility, and even the system itself when it translates a domain name into a domain number. Without TCP/IP you’d be dead in the water and wouldn’t be reading this page.
Meanwhile, once the HTTP request is converted into TCP/IP for transmission through the network to the remote server, it has to jump from your computer to the server via whatever path required. That first hop is through the wifi network at the coffee shop, or at your home. Wifi uses variants of the 802.11 protocol so now we’re looking at HTTP -> TCP/IP -> 802.11 … transmit to wifi base station in the coffee shop, which doubtless is hardwired to a cable modem or other device which itself is hardwired to other servers. So usually, the 802.11 hop only happens once on the path, when it jumps from your computer to the wifi base unit. Then it’s just another stream of what are called TCP/IP “packets” zipping down the wire at light speed.
The danger is that by default there’s not much being done to secure your data, so if I asked you for your bank account information and password here on this page, when you entered the information and clicked “send” it’d be converted into a stream of character information within which might be easily found “login:” followed by your account name, followed by “password:” and your password. Heck, even though I might show •••• as you type in your password, the password itself would be sent in ‘clear text’, so it’d be “HappyDog3” or whatever. If someone can grab all the packets going across the wifi network, they can then easily scan for “login:” and once they find it, grab the subsequent 40-50 characters.
Why? Because if you’re like most people, you just sent your account and password information unencrypted and they now have that information, for them to exploit as desired, hours, days or even weeks later.
But how do you grab all the packets on a wifi network? Turns out that’s alarmingly simple and there are a lot of free apps you can download right off the Internet to accomplish this task. Heck, a Google search for “wifi packet sniffer” or similar will reveal all sorts of options. See the screen capture above, from a free-to-download packet sniffer.
I was skeptical too, and a few years ago I ran a specialized wifi analysis tool that looked for images and displayed them as they were sent back from Web servers to individual users on the network. I ran it at a major tech conference, projecting the results onto a screen, and rather to my surprise, had to disable it after just a minute or two as pornographic images kept showing up. Yikes. Still, the experience demonstrated that it’s easy to intercept what others are doing on a wifi network without them even realizing that’s what’s going on.
There are three solutions. First, never, ever log in to a site on a public network unless you are sure that the site is running SSL (secure socket layer), which is demonstrated by it having an “https:” URL prefix, rather than an “http:” prefix. In that scenario the data you enter is encrypted within your browser and then the entire data packet sequence is protected from prying eyes until it gets to the Web server, however far away that might be. In that case, the wifi sniffer software just gets what appears to be gobbledygook and you’re safe.
The second option is to use what’s known as a virtual private network, a VPN that you install on your computer and then encrypts everything before it lets it go onto the network. This is particularly useful because programs like email apps have a bad habit of checking for your email every few minutes by constantly sending your account and password information to the email server. Unencrypted. Which is a really bad idea. Important to realize from that is that it means that non-Web programs are risky too!
The third option is to have your own network. You opted out by getting a wifi only tablet, but if you did have cellular connectivity, cell networks generally are completely encrypted and neatly solve the problem. Even if they aren’t, it’s considerably more difficult to copy and analyze cellular traffic than wifi traffic.
So that’s a really long answer to your question, but I hope it helps explain the dangers and how to minimize them. I’m obsessive about encryption and security and there are programs I won’t use and Web sites I won’t visit on public networks regardless. Think about this: even if you have a secure connection to the site, the name of the site is still in clear and can be detected. Do you want people to know you’re spending hours on the HIV treatment alternatives network, or the alcoholism support board?
While these dangers are going to be unrealized 99% of the time, it only takes once for things to become a real mess. So be careful!
Hi Dave! I love your site – have seen it for years – and I recently subscribed to your newsletter.
This is a great explanation of something I long heard about but never quite understood. Thanks.
I’m wondering though, what the risk really is if, as you indicate, SSL sites (Heartbleed bug aside!) encrypt your password in transit. Any site worth its salt such as Facebook, or especially your online banking, is SSL encrypted, right? So doesn’t that negate the risk for the most critical type of sites?
Agreed, however, that the “1% chance” factor, that a site with valuable info may not use SSL, means caution is indicated. There’s also, I guess, the problem of the poor souls who use the same password everywhere, so a packet-sniffer could grab that, and then gain access to the juicy banking/shopping sites you didn’t actually visit while you were at that cafe… yes?
[…] Too often, if you’re not also paying close attention to your online security, because almost any data you send via an open wifi can be captured and analyzed by hackers or even […]
Wifi Network is very unsafe..in some places..people inject virus..easily…
Correct me if I’m wrong, but isn’t it also dangerous to visit sites where a persistent cookie automatically logs you in? Imagine this scenario: On my laptop in the safety of my home, I log in to a website and click the ‘remember me’ checkbox. Then I take the laptop to a coffeeshop, connect to wifi, and go back to that website. No usernames/passwords were transmitted because the cookie got me in. But that cookie is transmitted in plain text and can be easily harvested and used by an attacker to impersonate me.
I wonder if this also applies to mobile apps like Facebook that are constantly checking the server for updates.