Sophos Cloud Optix
Most people who use public Wi-Fi couldn’t care less about security, according to the recent 2014 Communications Market Report from Ofcom – the UK’s Office of Communications/regulatory authority for telecommunications.
Researchers reported that more than three-quarters (77%) of people, when asked if they agreed with this statement:
I am concerned about security when accessing Wi-Fi outside the home
… said, “Nope!”
While 75% are blissfully out of agreement with this one:
There are certain things that I wouldn’t access/do on the internet when connected to public WiFi
… which means that most people aren’t afraid to do some or all of these things while on Wi-Fi away from home:
- Streaming/downloading films, TV programmes, video clips, music, etc.
- Playing games online
- Downloading apps
- Shopping online
- Online banking
- Contacting people via apps including Skype, WhatsApp, or Viber
- Social networking
- Emailing
In addition, most (72%) of those who access public Wi-Fi disagreed with this statement:
Public Wi-Fi is less secure than my internet connection at home
…which isn’t actually all that surprising, given that 67% don’t even bother to password-protect their home Wi-Fi.
It’s a grievous error to trust Wi-Fi to the degree that these numbers reflect.
The research shows that most people still don’t understand the potential dangers of public and/or free Wi-Fi, despite doom and gloom headlines about the dangers, which include these:
- A US trio who attacked companies by wardriving – i.e., driving around, scanning for poorly protected wireless networks. Between that and breaking in to install keyloggers, they bilked companies of a total of $3 million (£1.8 million).
- An unsecured Wi-Fi home connection that led to a heavily-armed police SWAT team raiding the wrong home, including breaking down the door of a house, smashing windows and tossing a flashbang stun grenade into a living room.
- Facebook accounts of five US politicians being hijacked after they accessed a free, open, wireless Wi-Fi network.
And those are just a tiny selection of the cherries on that bountiful Wi-Fi tree.
Of course, there is also the problem of protecting privacy on public Wi-Fi.
In just the past year, we learned that businesses are using Wi-Fi to build shopper profiles on us, and in-flight WiFi providers have been helping feds spy on us.
Surprisingly enough, given how many times we copy and paste the same “public Wi-Fi is dangerous for your privacy” advice, the ink toner cartridge in the internet doesn’t appear to be running low.
So let’s do it again!
Here are some privacy tips for blocking snoopers when you connect to public Wi-Fi:
- Get out of the habit of remembering Wi-Fi networks. If your computer automatically joins networks based only on their names, you may end up connected to imposter networks you didn’t realise were there.
- Turn off Wi-Fi and Bluetooth when you’re not using them. You can also use “flight mode” (although you won’t be able to receive calls in flight mode).
- Consider using a Virtual Private Network (VPN) when you are on the road. This ‘tunnels’ all your traffic back to your home network, strongly encrypted, from wherever you are. It’s slightly less convenient but much safer, because it makes it harder for a rogue Wi-Fi access point to work out what you are up to.
- Download the free Sophos UTM Home Edition. It comes with a VPN for both iOS and Android.
- Your apps such as Facebook, Twitter and Instagram use geo-tagging. Turn geo-tagging off if you don’t want to give away your location.
If you already care about security, good for you.
Now, it’s time to convince the rest of us that this stuff matters!
And why not use this as an opportunity to revisit your Wi-Fi network security at home (or at your friend-or-family’s place).
Watch our video, “Busting Wireless Security Myths“.
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like).
Image of couple using laptop courtesy of Shutterstock.
The Virtual Private Network, to which you refer, seems to apply to computers. And Sophos’ UTM Home Edition will apparently overwrite the operating system of your spare home computer.
My Apple smartphone has no access to the internet, but I listen to a local radio station via the station’s app and via a free local unsecured WiFi connection.
I am an old computer dummy, so please excuse the dumb question I’m about to ask: How might I listen to the station via a secure WiFi connection?
Yes, the Sophos UTM requires either a virtual machine (a “software computer” such as VMWare or VirtualBox), or a dedicated computer (where it does indeed overwrite whatever operating system is on there with its own).
Once you have set up a UTM, however, it can act as your VPN *server*. You then load the free VPN *client* software onto your {Android, iPhone, Mac, Windows, Linux} devices and computers, and connect via the UTM.
Simply put, the Sophos VPN can’t work without the UTM, but it can be used by and from mobile devices as well as from regular computers.
Because the VPN sends all your network traffic back to the UTM, which then acts as your “connection broker” to the internet, your UTM must be hooked up to the internet, e.g. via your home ADSL or cable connection, if you have one.
The idea is that you use insecure Wi-Fi only for the purpose of “calling home” over an encrypted link to your UTM, which handles the traffic from there.
In other words, your remote connections are in theory no less secure (but, admittedly, also no more secure) than anything you do at home.
It’s not quite a complicated as I seem to have made it sound 🙂
But, to clarify, you do need to find a spare computer for the Sophos UTM, set up the VPN component, and leave it permanently hooked up via your home internet connection.
That’s not for everyone – so if you want a VPN without any infrastructure at home, you’ll probably find local ISPs who will provide you with VPN connectivity for a modest fee “via the cloud” – you just load their client-side software on your devices and computers, and they deal with the other end of things.
HtH.
There are two components to the Virtual Private Network, the server that ‘runs’ the VPN and any number of clients that use the VPN.
The UTM Home acts as a server and your phone, and your other computers, tablets etc are clients.
The clients connect to the server over the internet but the connections between the clients and the server are encrypted.
By connecting to the VPN your phone is joining your home network and behaving like a device located in your home.
So…
Your phone joins the public WiFi network, which is itself connected to the internet. Your phone establishes an encrypted connection to your UTM at home via the internet.
The connection between your radio station app (or any other app on your phone) goes via the VPN to your home and then to the radio station feed via your home internet connection.
Using a vpn is a fantastic idea, but a lot of them have to be connected manually. Even those that auto-connect still take a second or two to establish the connection. In the intervening time, it may already be too late – your credentials may have already been sent over the wifi. Now, assuming ssl or other encryption standards are being used properly (ie encrypting an smtp connection for your email), then this is less critical. Still, whenever I need to hop on a public network, I close out every instant messaging program, email client, and facebook tab I have open before joining it. If I’m on an unencrypted network, I don’t do anything that requires my password. Even if I have a vpn, I don’t send credentials over it unless A: I’ve thoroughly tested the config and know for sure that my data is encrypted at the vpn level, and B: all of my traffic is routing through the vpn
Can you explain in more detail why I should not access my bank over public wifi, or more generally, any service protected by https?
Generally speaking, HTTPS is like a one-time VPN, giving you a secure tunnel between your browser and, say, your bank. So, in theory, it’s OK to use someone else’s Wi-Fi connection to set up HTTPS connections. There’s just a lot more that can go wrong that if you are using a network connection you control yourself.
That includes:
1. The Wi-Fi access point can’t be trusted. So it could easily feed you bogus DNS replies (sending you to imposter sites), and even feed you bogus HTTPS certificates. The risk of a fraudulently signed certificate that your browser automatically trusts is admittedly very low, but not zero. And mounting a man-in-the-middle attack to make use of a fraudulent certificate is trivial if you control the Wi-Fi access point.
2. Your DNS requests are visible to the access point and anyone else connected to it. The amount of personal information that leaks is admittedly fairly low, but not zero. For example, it will tell other people where you bank, what other things you tend do while you are banking, perhaps even what bills you were just paying. (For example, if you connected to your municipality website for a bit, then immediately to your banking website, a reasonable inference would be that today’s the day you pay your council rates.)
3. Anything else you do that happens to relate in some way to your banking activities (e.g. the council website visit mentioned above) that isn’t over HTTPS is yet more “join the dots” assistance to a crook. And the crook doesn’t have interested in you right then and there – he can suck up the data and mine it later, of course.
In short, the problem with individual HTTPS transactions *in the midst of traffic that isn’t kept private* is that those HTTPS connections end up with a lot of context around them.
Connecting to a VPN and then directing your all traffic over it gives away nothing other than that you use a VPN (and where it is hosted).
Thank you for the detailed explanation. Very helpful when evaluating the claims.
I always, always, always use a VPN when I am accessing a free public wifi. I recently noted that in Starbucks in Canada, I couldnt use my VPN for some reason. I emailed Starbucks to get a response and their generic response was that their WiFi network is “safe” and I dont need to use my VPN. I stopped using Starbucks WiFi from that day on. So people, dont compromise on security, use a VPN always.
Amazingly, there are lots of people who are not even aware of the risks of using public Wi-Fi, not just unconcerned. People are not enough educated.
I should probably take up wardriving again…
“Download the free Sophos UTM Home Edition. It comes with a VPN for both iOS and Android.” What about Windows phone???????
Cut the crap with the sarcastic titles to these articles. “Most people think public Wi-Fi is safe. Seriously?” Do you really believe you understand the mind of the public? Are you proud of your writing and reporting skills? Just because there are a gazillion websites that need content does not justify poor reporting. Stop it.
I think, perhaps, we are sometimes surprised at what you call “the mind of the public.”
Oh, and cut the swearing. Just because there are a gazillion websites that are full of rudeness, vitriol and offensive language isn’t a reason for you to do it. Stop it.
OK, I hear the danger. I’m an ordinary member of the public (reasonably well-educated) and so I decided I want to know how to set up a VPN when I’m travelling. I Google ‘how to set up a VPN’ and I’m treated to pages of step-by-step indecipherable gibberish using terms I’ve never heard of, and dire warnings about what may happen to my computer if I get it wrong.
I say this every time I comment here: if you tech people seriously want to make security work (and not just make it something you just might do if you reprogramme computers for a hobby), then you have to make it simple and accessible.
You might consider trying out the free Sophos UTM Home Edition. You will need a spare computer on which to install it. You may need a bit of help from an IT-savvy friend. But once you have it working, you may find that setting up your own “secure tunnel” is a bit easier than you thought at first.
http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
It’s certainly accessible. (Free download.) It’s _reasonably_ simple, but I’ll be honest and say it’s not as simple as “press this button.” But maybe we can meet in the middle? Like driving a car, or baking a cake, it’s much easier the second time you try 🙂
The VPN I use (PIA) requires no setup. I recommend it.