My 8/05/07 Missoulian Column: The insecurity of Wi-Fi
What happens when you sit down in a coffee shop and start reading websites and checking your email with your laptop and the free wireless internet access? The wireless adapter in your computer connects to the coffee shop’s Wi-Fi network transmitter and trades what are called “packets,” the little chunks of data that are the backbone of the internet. Those packets contain all the data that makes up the websites you read and the email you read. Millions of packets fly back and forth by the second, sight unseen.
Free Wi-Fi seems to be everywhere these days – cafes, airport lounges and hotels – and it’s convenient. But that convenience hides a potentially serious problem; with a simple program on a laptop, someone can intercept as many of those packets as they want and much of the time see which websites you visit and read your email. How can they do that?
The reason they can is because of the nature of that free Wi-Fi: no password is required. It’s too much trouble for someone at the cafe or hotel to hand out access passwords and show everyone how to type them into their laptop in order to use the Wi-Fi., change the passwords and generally administer the network.
The way someone intercepts your packets is because that Wi-Fi password you’re not using is the key that sets up the encryption scheme that encodes all the data in the packets. If the information in the packets is encrypted, someone can intercept packets, but decoding them is another matter (but it’s possible; more about that later). If there’s no Wi-Fi password to encrypt, your email, documents and most everything else is sent “in the clear,” and it’s perfectly readable after capturing with that simple program.
(Some coffee places give you a Wi-Fi password when you pay, good for an hour or so. Those are usually not encryption passwords; they’re just passwords that give you a certain amount of time on their Wi-Fi.)
People eavesdrop on your internet access with a program called a packet sniffer. Strange name, but that’s what it does: it grabs packets out of the air. Packet sniffers got their start as tools for network analysis, programs the network engineers wrote and used to find and fix network problems. With the popularity of wireless, sniffers were rewritten for use in solving wireless problems. Of course, these tools can be used to purposes other than intended.
Should you be concerned with your Wi-Fi security? Well, maybe. Are you an attorney or businessman sending documents and sensitive emails with public Wi-Fi? You should be aware of the risks I’m describing. Do you care if someone might be listening in and knows what websites you visit and reads your email? No? People know everything about you anyway? Well, that’s fine. But you should still know the potential exists.
I don’t think very many people are using packet sniffers around Missoula. From the looks of a few “geeky” people I’ve seen at Wi-Fi hotspots, I think it happens once in a while. The question is: do you want to be safe or sorry?
In some cases, you are already safe from eavesdropping: if the website you’re using has an address that begins with “https” and your browser shows the symbol of a lock or says you at a secure site, you’re safe. That extra “s” in the “http” stands for “secure,” and it means that any data leaving your laptop to that website is encrypted in code before it leaves your laptop. Someone can see the data and capture it, but can’t do much with it, as that type of encryption is very stout, as it’s the backbone of on-line banking and ecommerce and is very strong. Almost all banking websites and most shopping sites are secure. Check and see: is that website plain “http?” Or “https” and secure?
When it comes to email, the situation is more subtle. On some web browser-based email sites, like Gmail and Yahoo!, sometimes only your login and password are encrypted while the actual email is not. Sometimes can switch on the secure login.
The difference between web-based mail and lots of the email programs on your laptop – like Outlook, Eudora, Apple Mail – is they all send their logins, passwords and email in the clear, and are vulnerable to packet sniffing.
There are different ways to protect yourself when using public Wi-Fi. Don’t use the email program your laptop; do your email at home, unless you learn how to change the settings in your email program to use a secure link and hide your data. Use web-based email with caution. Instant Messaging, by the way, is wide open; everything is sent in the clear.
To be safe, don’t do banking over public Wi-Fi, even though you’re reasonably safe on a secure site, and statistically speaking, you are more in danger of someone going through your trash for your bank statements than your web browser being intercepted.
One solution for safely using Wi-Fi is what’s called a VPN, which stands for Virtual Private Network. That’s what it sounds like: a VPN is your own private electronic tunnel for all your data. Someone using a packet sniffer can see that a tunnel is there, but can’t see inside it, and as a result, all of your data is safe. Setting up a VPN for yourself is a bit complicated, but doable, and there are services that provide VPN’s inexpensively. (more on VPN’s later).
I’ve simplified some of this explanation, but the gist is beware: someone could be listening in at the cafe, the airport or in your hotel at the business convention.
Next week: what about Wi-FI at your home or business? Why some forms of home and business Wi-Fi encryption are not safe anymore, and how to fix it.