The internet has become a critical part of our day-to-day activities as it went from being exclusive to being cheap and accessible. Governments and ISPs have even started working together to provide free public internet to their people. Many shops, hotels, cinemas and other public places provide free internet access to attract more customers and present it as a basic commodity.

While free internet access is useful to us, we still need to realize that it can be a nightmare for our personal security. If you find that hard to believe, I'm going to show you how an attacker goes after you. It's not just the good guys using this free internet. Anyone with malicious intent could do serious damage to your privacy when all you wanted was to post a selfie on your favorite social media.

Risks of using Public WiFis

Many businesses, parks, bus stops, airports, and even banks now provide the public with free WiFi services. So what could be the dangers of using this freely available service?

Since public WiFi is free for all, attackers can operate on these networks to steal your data. They can redirect you to a website of their choice and then force you to download malicious programs and applications.

They can project a fake SSID similar to the business WiFi AP (Access Point) to conduct various MitM (Man-in-the-middle) attacks – similar to someone eavesdropping on a conversation. With this, they will access sensitive data, which can lead to identity theft, data breach, etc.
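As a defensive illustration of the fake-SSID risk above (an added example, not part of the original article), the sketch below checks a list of nearby networks for the two cheapest giveaways: a lookalike name, and the known name advertised with weaker security. The scan entries, the `find_suspicious` helper and the 0.85 similarity threshold are all assumptions made for the example; a clone that copies the name and security setting exactly will not be flagged.

```python
from difflib import SequenceMatcher

# Constructed scan results (SSID, BSSID, security); not from a real capture.
SCAN = [
    ("CoffeeHouse_WiFi", "a4:11:22:33:44:01", "WPA2"),
    ("CoffeeHouse_WiFi", "a4:11:22:33:44:02", "WPA2"),
    ("CoffeeHouse_WiFi", "02:de:ad:be:ef:10", "OPEN"),
    ("CoffeeHouse-WiFi", "02:de:ad:be:ef:11", "OPEN"),
    ("Airport_Free", "b8:27:eb:00:00:01", "OPEN"),
]


def normalize(ssid):
    """Fold case and drop separators so 'Cafe-WiFi' and 'cafe_wifi' compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def find_suspicious(scan, known_ssid, known_security, threshold=0.85):
    """Return (bssid, ssid, reason) for networks imitating the known one.

    known_ssid / known_security are what the venue says its network uses
    (hypothetical inputs; ask the staff rather than trusting the scan list).
    """
    findings = []
    for ssid, bssid, security in scan:
        if ssid == known_ssid:
            # Same name but different protection: a legitimate WPA2 network
            # should not also appear as an open one.
            if security != known_security:
                findings.append(
                    (bssid, ssid, "same SSID, security is " + security))
            continue
        # Different name: flag it only if it is nearly identical.
        ratio = SequenceMatcher(
            None, normalize(ssid), normalize(known_ssid)).ratio()
        if ratio >= threshold:
            findings.append((bssid, ssid, "lookalike SSID"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SCAN, "CoffeeHouse_WiFi", "WPA2"):
        print(finding)
```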

Free WiFi providers also require customers to install digital certificates on their devices. This gives them full access to what you are browsing, even if you are using a site with HTTPS. So always be careful, and make sure you trust the organization before installing anything they provide on your device.

Intro to WiFi Pineapple

Image from WiFi Pineapple Dashboard

How complicated do you think achieving the stuff mentioned above is? Using public WiFi for evil purposes should be difficult, right?

Well, not exactly. The WiFi Pineapple is a tool created by Hak5 for penetration testing and auditing an organization's network security. It allows organizations to "hack" into their networks to identify weaknesses and vulnerabilities.

It's available for anyone to buy for only ~$100, which makes it even more accessible. It even has a very intuitive UI, which means the barrier to entry is even lower. This device basically does all the grunt work. Even a newbie with minimal knowledge can do serious damage.

WiFi Pineapple mostly utilizes open-source tools that are free for all to use and modify. This means anyone with a decent PC (or even a Raspberry Pi) can create their own version of this device for a lower price. Even you can create your own version of the Pineapple.

Creating such a device is not in the scope of this blog, but it might be the topic for the next blog.

How To Be Safe

The best way to be safe is to avoid using public WiFi as much as possible. But it might be impossible to avoid using it completely. Even though there is no such thing as guaranteed security, I have listed some steps you can adopt to be safe to some extent.

  • Use a VPN: Using a VPN is one of the best things you can do to be safe when using the public internet. A VPN will encrypt your data in transit, so even if the attacker gets hold of your data, all they will see is a gibberish mess without a decryption key.
  • Look for a lock symbol (🔒) on the address bar of a site before entering any sensitive information, i.e. login details, bank details, credit/debit card numbers etc. Try not to use public WiFi for financial or sensitive work.
  • Always be alert when browsing. Immediately close any connection if you see unusual activity like automatic redirects, downloaded files, unusual load times, etc.
  • Do not reuse your passwords for different services. We know it's tedious to create and remember a new password for every service you use, but it's necessary. To make it easier, there are password managers (Bitwarden, LastPass, 1Password, etc.), which can create and remember strong passwords for you, so you don't have to manually do it. This will help you minimise the risk of your accounts getting compromised.
  • Some WiFi might require you to sign up for accounts. Use a disposable email and password to create such accounts. Many websites offer such services, tempmail being one of them.

In the end..

Just because something is convenient doesn't mean you should use it. We all love free things, but we should also be attentive to what we sacrifice for that convenience. Always be cautious and vigilant when you are on the internet.

I hope this article helped you understand how to stay safer than before. Subscribe to stay updated on my security articles.