
Public and Untrusted WiFi Networks

  • Risk should neither be ignored nor dismissed. A key part of responsible cybersecurity practice is acknowledging and owning the risks within your purview—while maintaining a balanced, non-alarmist perspective. As cybersecurity professionals, it is important to acknowledge that connecting to public or untrusted WiFi networks introduces risks that can often outweigh the convenience. While personal VPN services can help mitigate exposure on such networks, they should be viewed as part of a layered defense strategy rather than a complete solution.
  • Although public networks are sometimes labeled as "safe" or considered to present only a "minimal" risk, they can still enable unauthorized access to data and communication streams. Potential risks include:
  • Man-in-the-Middle (MitM) Attacks
  • Metadata and Traffic Harvesting
  • Rogue Access Points
  • Reliance on third-party security hygiene and configurations

What Happens When You Connect to WiFi?

  • When connecting to WiFi, your device typically communicates with a Wireless Access Point (WAP), which manages wireless authentication and forwards traffic to the broader internet through a private IP and Network Address Translation (NAT). This facilitates communication for services such as email, mobile apps, and notifications.
  • A common counterpoint to WiFi security concerns is that “most websites use HTTPS/TLS encryption.” While this is technically accurate, it does not fully address all risks (see “What about TLS/HTTPS?”).
  • It’s also worth noting that during events like DEF CON and Black Hat in 2024, the Las Vegas Metropolitan Police Department issued a cyber awareness advisory. Their guidance included disabling WiFi and Bluetooth, restarting devices daily, and avoiding contactless payments — highlighting that real-world threats are taken seriously even by law enforcement.
  • Should users be cautious when connecting to shared or public networks? Absolutely — but fear shouldn't paralyze. With awareness and appropriate precautions, risk can be managed effectively. Personally, I avoid connecting to public networks when possible. If I must, I apply proper security measures to protect my devices and data.

What About TLS/HTTPS?

  • Reputable organizations encrypt web services using HTTPS/TLS to protect the integrity and confidentiality of user data. However, certain circumstances can still render these protections ineffective.
  • For example, in 2015, the Government of Kazakhstan introduced a national root certificate that, if installed, allowed interception and decryption of HTTPS traffic — a move that raised global concerns among privacy advocates and tech firms.
  • End users are sometimes prompted to install Certificate Authority (CA) certificates without a clear understanding of the implications, effectively allowing decryption of what would otherwise be encrypted traffic.
  • Installing unknown or untrusted CA certificates is never recommended unless required by policy or law.
  • Threat actors can exploit captive portals or rogue access points to prompt users to install malicious CA certificates, enabling interception of TLS traffic. This risk is heightened when the user lacks technical awareness of these mechanisms.
  • Even on legitimate public networks, visibility into security controls is limited. Is the network segmented? Are devices monitored? Has the WAP been compromised? Often, these questions remain unanswered, and without internal knowledge, end users cannot fully assess the trustworthiness of the network infrastructure.
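The practical defence against the rogue-CA scenario above is knowing what your trust store looked like before you joined the network. The following is an added example, not from the original article: it compares a current certificate store against a known-good baseline and reports any self-signed root that appeared in between. It assumes a laptop or desktop where Python can read the system store through `ssl`; the records shown are constructed in the dict shape `ssl.SSLContext.get_ca_certs()` returns, so the same function runs on a live snapshot.

```python
"""Detect root CAs added to a trust store since a known-good baseline.
Added example, not part of the original article. The certificate records
below are constructed; they follow the dict shape returned by
ssl.SSLContext.get_ca_certs(), so audit_roots() also works on a live store."""
import ssl


def _name(rdn_seq):
    # ssl returns X.509 names as nested tuples of (attribute, value) pairs
    return ", ".join(f"{k}={v}" for rdn in rdn_seq for k, v in rdn)


def unexpected_roots(current, baseline):
    """Return self-signed roots in `current` that are absent from `baseline`.
    A root accepted at a captive-portal prompt shows up here, provided the
    baseline snapshot was taken earlier on a trusted network."""
    known = {(_name(c["subject"]), c["serialNumber"]) for c in baseline}
    findings = []
    for cert in current:
        subject, issuer = _name(cert["subject"]), _name(cert["issuer"])
        if subject != issuer:           # an intermediate, not a trust anchor
            continue
        if (subject, cert["serialNumber"]) in known:
            continue
        findings.append({"subject": subject, "serial": cert["serialNumber"],
                         "issued": cert["notBefore"]})
    return findings


def live_store():
    """Snapshot of the CA certificates this Python process currently trusts."""
    return ssl.create_default_context().get_ca_certs()


# Constructed records: one root in the baseline, one root that appeared later,
# and one intermediate (issuer differs from subject) that is correctly ignored.
BASELINE = [
    {"subject": ((("organizationName", "Example Trust"),), (("commonName", "Example Root CA"),)),
     "issuer": ((("organizationName", "Example Trust"),), (("commonName", "Example Root CA"),)),
     "serialNumber": "01", "notBefore": "Jan  1 00:00:00 2015 GMT", "notAfter": "Jan  1 00:00:00 2035 GMT"},
]
CURRENT = BASELINE + [
    {"subject": ((("commonName", "Free Airport WiFi Security Certificate"),),),
     "issuer": ((("commonName", "Free Airport WiFi Security Certificate"),),),
     "serialNumber": "1A2B", "notBefore": "Mar  3 09:15:00 2025 GMT", "notAfter": "Mar  3 09:15:00 2030 GMT"},
    {"subject": ((("commonName", "Example Issuing CA 1"),),),
     "issuer": ((("organizationName", "Example Trust"),), (("commonName", "Example Root CA"),)),
     "serialNumber": "77", "notBefore": "Jun  1 00:00:00 2020 GMT", "notAfter": "Jun  1 00:00:00 2030 GMT"},
]

if __name__ == "__main__":
    for f in unexpected_roots(CURRENT, BASELINE):
        print(f"UNEXPECTED ROOT: {f['subject']} (serial {f['serial']}, issued {f['issued']})")
```

On a phone the equivalent check is manual: review Settings > General > VPN & Device Management (iOS) or the user credentials list under security settings (Android) for profiles or CA certificates you did not knowingly install.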

What Can Still Be Exposed Without Access to Encrypted Data?

  • Unencrypted Protocols: While uncommon in modern systems, legacy protocols such as HTTP, FTP, Telnet, and DNS can still be in use — especially in older infrastructure or by misconfigured systems. These can expose sensitive data in plaintext.
  • Metadata and Traffic Patterns: Even without access to content, actors can gather MAC addresses (if not randomized), analyze destination domains, and infer behavior based on timing and volume of traffic — potentially identifying high-value targets.
  • Session Hijacking: If session tokens or cookies are not transmitted securely, attackers may be able to impersonate users across services by capturing these artifacts.
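To see what the three exposures above look like in your own traffic, and to confirm the MAC randomization setting recommended in the hardening list is actually in effect, the following added example (not from the original article) audits a summary of a device's flows. The records are constructed and loosely follow a `tshark -T fields` export with source MAC, destination host, destination port and byte count; the port-to-protocol table is an assumption covering the protocols the article names plus two common mail protocols.

```python
"""Audit a device's own traffic summary for plaintext protocols, a
non-randomized hardware MAC, and the per-destination volume an observer can
still see on an encrypted network. Added example, not from the original
article; the flow records are constructed."""
import csv
import io

# Ports whose usual protocol carries credentials or content in cleartext.
# Includes the protocols the article names plus unencrypted POP3/IMAP (assumed).
PLAINTEXT_PORTS = {21: "FTP", 23: "Telnet", 53: "DNS (Do53)", 80: "HTTP",
                   110: "POP3", 143: "IMAP"}


def is_randomized_mac(mac):
    """Randomized (per-network) MACs set the IEEE 'locally administered' bit,
    bit 1 of the first octet. A burned-in vendor MAC has that bit clear and is
    a stable identifier across every network the device joins."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def audit_flows(csv_text):
    """Return (plaintext_findings, burned_in_macs, bytes_by_destination)."""
    plaintext, macs, volume = [], set(), {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        port = int(row["dst_port"])
        if port in PLAINTEXT_PORTS:
            plaintext.append(f"{PLAINTEXT_PORTS[port]} to {row['dst_host']}:{port}")
        if not is_randomized_mac(row["src_mac"]):
            macs.add(row["src_mac"])
        # Destination and volume are visible even when the payload is TLS.
        volume[row["dst_host"]] = volume.get(row["dst_host"], 0) + int(row["bytes"])
    return plaintext, sorted(macs), volume


# Constructed flows: a device using its burned-in MAC (00:11:22:...) and one
# using a randomized MAC (da:...); 192.0.2.53 is a documentation-range address.
FLOWS = """src_mac,dst_host,dst_port,bytes
00:11:22:aa:bb:cc,mail.example.com,443,18250
00:11:22:aa:bb:cc,updates.example.net,80,4096
00:11:22:aa:bb:cc,192.0.2.53,53,512
da:a1:19:01:02:03,bank.example.org,443,9300
da:a1:19:01:02:03,ftp.legacy.example,21,880
"""

if __name__ == "__main__":
    plain, macs, vol = audit_flows(FLOWS)
    print("plaintext protocols:", plain)
    print("non-randomized MACs:", macs)
    print("bytes per destination:", vol)
```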

Mobile Device Security Hardening for Untrusted WiFi Networks

While not a be-all, end-all set of steps, deploying these best practices can mitigate specific risks. You are responsible for your own digital hygiene, and this is not an exhaustive list.

  • Use a Reputable VPN:
    • iOS: Download a trusted VPN from the App Store (e.g., Mullvad, ProtonVPN, NordVPN). Go to Settings > General > VPN & Device Management to configure.
    • Android: Download from the Play Store, then go to Settings > Network & internet > VPN to manage connections.
  • Disable Auto-Connect to WiFi:
    • iOS: After connecting to a network, go to Settings > Wi-Fi > [Network Name] and toggle off Auto-Join.
    • Android: Long-press on the network in Wi-Fi Settings, select Forget or disable Auto-connect if available.
  • Enable MAC Address Randomization:
    • iOS: Settings > Wi-Fi > [Network Name] → Toggle Private Wi-Fi Address ON.
    • Android: Settings > Network & internet > Wi-Fi > [Network] → Tap gear icon → Privacy → Set to Use randomized MAC.
  • Disable WiFi and Bluetooth When Not in Use:
    • iOS & Android: Swipe down the control center and toggle off WiFi and Bluetooth manually when not needed.
  • Use Secure DNS (DoH/DoT):
    • iOS: Use a DNS app like NextDNS or configure profiles using Apple Configurator or DNS-over-HTTPS providers.
    • Android: Settings > Network & internet > Private DNS → Choose Private DNS provider hostname (e.g., doh.mullvad.net or dns.nextdns.io).
  • Keep OS and Applications Updated:
    • iOS: Settings > General > Software Update
    • Android: Settings > System > System update
  • Limit App Permissions:
    • iOS: Settings > Privacy & Security → Review each category and disable permissions for unnecessary apps.
    • Android: Settings > Privacy > Permission manager → Review and restrict as needed.
  • Avoid Accessing Sensitive Services:
    • Avoid logging into banking apps, company portals, or other sensitive services unless on a trusted, secured network.
  • Use Multi-Factor Authentication (MFA):
    • Enable MFA for all apps/accounts. Use apps like Microsoft Authenticator, Authy, or Duo instead of SMS-based codes.
  • Disable File Sharing Features:
    • iOS: Settings > General > AirDrop → Set to Receiving Off or Contacts Only.
    • Android: Settings > Google > Devices & sharing > Nearby Share → Turn off or set to Hidden.
  • Use Mobile Security or EDR Tools:
    • Install a trusted security app (e.g., Microsoft Defender, Lookout, Bitdefender Mobile Security) and enable real-time protection.
  • Log Out After Sessions:
    • Manually log out of websites and apps after use to prevent session persistence.
  • Restart Device After Disconnecting:
    • iOS & Android: Hold power button → Restart the device. Helps clear memory and temporary processes.

Disclaimer

  • The information provided in this article is for general informational and educational purposes only and does not constitute professional cybersecurity advice, legal counsel, or a definitive security guarantee. While every effort has been made to ensure the accuracy and reliability of the information presented, the author assumes no responsibility or liability for any errors, omissions, or outcomes resulting from the use of this content.
  • Readers are solely responsible for their own actions and decisions when applying any security practices described herein. Situational risk, organizational requirements, and legal obligations may vary—please consult with a qualified cybersecurity professional or legal advisor for guidance tailored to your specific needs.
  • References to third-party products, tools, or services do not constitute an endorsement or warranty. Use of any mentioned software or service is at your own risk.
  • By using or relying on this information, you agree that the author shall not be held liable for any direct, indirect, incidental, or consequential damages arising from its use.

References

  • https://www.fox5vegas.com/2024/08/08/las-vegas-police-issues-cyber-advisory-with-cybersecurity-hacker-conventions-town/
  • https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_attack

Always make sure you are practicing legally and ethically on (equipment/systems) that you own personally or have authorization to access for the cited purpose, and never perform activities that may be considered inappropriate, unauthorized, and/or illegal. You are responsible for your own actions. I take no responsibility for actions that you undertake. This information is intended for individuals who are acting legally and ethically within an authorized capacity. Seek legal counsel and do not use this site if your understanding of this statement is not clear.