Don't let free Wi-Fi wreck the holidays

Malls should just name their public Wi-Fi networks "Danger" and be done with it.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce | Amazon | Earned wage access | Online marketplaces | Direct to consumer | Unions | Labor and employment | Supply chain | Cybersecurity | Privacy | Stalkerware | Hacking Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read
Enlarge Image

A Wi-Fi logo seen at the Mobile World Congress in Barcelona in 2014. Public Wi-Fi portals can be taken over by hackers.

Josep Lago/AFP/Getty Images

Evan Robertson won his school science fair this year by proving just how thoughtless people can be on public Wi-Fi networks.

Evan, now 11, programmed fake Wi-Fi portals and took them to food courts shopping centers across the Austin, Texas, area and waited to see how many agreed to some pretty outrageous conditions. For the love of free internet access, they'd have to give their OK for the Wi-Fi owner to do things like "reading and responding to your emails, monitoring of input and/or output, and 'bricking' of your device."

More than half of the shoppers shown these terms accepted them.

Attention holiday shoppers: public Wi-Fi networks are dangerous, especially during the Christmas season when so many people in one spot make for easy pickings, says Don Duncan, a security engineer with NuData Security.

The past 12 months, full of cyberattacks, showed just vulnerable we all are. Yahoo, for example, revealed the worst data breach in history after hackers grabbed the names, phone numbers and birth dates from 500 million user accounts. Ransomware made headlines when people demanded $3.4 million to unlock a Los Angeles hospital's computer and tried to extort $73,000 from San Francisco's Municipal Transit Agency. And over the summer, electronic intruders made off with emails sent by members of the Democratic National Committee and Hillary Clinton's election campaign.

Think of public Wi-Fi as hackers' on-ramp to the rest of us, giving them free rein to collect our usernames and passwords and read our texts and emails. It's why Evan's fake terms and conditions might be the most honest out there, since hackers can do just about everything on his list.

Take it from Amihai Neiderman, of Tel Aviv, Israel, who spent a day devising an attack that let him intercept the traffic of anyone connecting to the city's free Wi-Fi network.

"Every piece of data, I could potentially read it," he said. That research, which Neiderman did in his free time, helped him land a job with Equus, a company that helps governments hack individuals through Wi-Fi portals as part of their investigations.

On guard

Enlarge Image

Evan Robertson, now 11, presented his findings at the R00tz Asylum conference in Las Vegas in August. Evan got shoppers to accept Wi-Fi terms and conditions that would have let him send email from their accounts, among other things.

Courtesy of Stephanie Robertson

We get it. You're still going to use your phone at the mall, whether it's to look up product reviews, scout for the best sale prices or transfer a bit more money into a checking account. Even so, there are things you can and should do to stay safe. Here's what experts we spoke to recommend:

    * Recognize that the word "free" can be a trap. Cybersecurity firm Skycure analyzed fraudulent Wi-Fi networks around the US and found 10 percent of them had the word "free" in their names.

    * Know what's nearby. Before you click on that network named "Apple_Store," look around to see if there's really an Apple Store close by. It could be a hacker pretending to be a legitimate network.

    * Drop off when things get weird. Disconnect from the network if your phone starts showing error messages or keeps crashing.

    * Pay attention to the top of the web page. Always look for a green lock symbol, which shows you're on an encrypted connection. That symbol means any login information or messages you send over the internet will be unreadable by anyone intercepting it over a public Wi-Fi network.

    * Use a VPN. It's an extra step, but it will encrypt all your data before it even leaves your phone.

    * Think about what's at stake. Some things just shouldn't be done over a public Wi-Fi network. Hold off logging into your bank's mobile app, for instance, until you have more secure connection later.

    And finally, don't forget for one minute that public Wi-Fi is dangerous.

    "The most foolproof way to protect yourself is to turn everything off, but that is not always accessible," says Marc Laliberte, a research analyst at WatchGuard Technologies. "It's just not as safe as plugging into your wired home network."