How to Stay Safe on Public Wi-Fi
Friday, April 16, 2010; 12:19 AM
Picture this: You're at a café with your laptop and latte in hand, getting ready to review new sales leads and the quarterly financial projections. First you hop on the free Wi-Fi that the shop's management provides. Then you connect your laptop to a projector so that the entire café can take a look, and finally you hand out some printed copies of your confidential product specifications to the other patrons so that they can follow along.
That may sound ridiculous, but if you're using public-access Wi-Fi without taking the proper precautions, you might as well be asking your coffee compatriots to partake in confidential company information.
Nothing Is Private on Open Wi-Fi
Today, most tech users know how (and why) to secure their home wireless routers. Windows 7 and Vista now pop up a dialog box to warn you when you're connecting to unencrypted wireless networks.
In a coffee shop, an airport lounge, or a library, however, people frequently connect without thinking twice--and though using an unencrypted connection to check a baseball score or a flight status might be acceptable, reading e-mail or performing any Web activity that requires a login is akin to using your speakerphone in the middle of a crowd.
So why don't all businesses encrypt their Wi-Fi networks? The answer lies in the difficult key distribution system in the IEEE 802.11 design specification: To encrypt traffic, the network owner or manager needs to select a password, also known as a "network key." The arrangement requires one password per network, shared among all users whether the owner has selected the less secure, outdated WEP or the more secure WPA or WPA2.
At home, all you have to do is set it up once, tell your family the password, and surf worry-free from a poolside lounge chair. In a coffee shop, the barista would have to tell each patron the password (or the 26-character hexadecimal WEP key) and perhaps even troubleshoot their connection--definitely not a chore that your typical java slinger would relish. In that situation, nothing beats a blank password for ease of use.
Even if the network is encrypted, however, you're still not completely safe. Once your computer knows the password, your communication is safe only from people who aren't on the network; all the other diners in the café can see your traffic because they are using the same password.
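Why a shared network key does not separate one patron from another, as an added example that is not part of the original article: in WPA/WPA2-Personal the master key is derived only from the passphrase and the network name, and the per-session key mixes in MAC addresses and nonces that travel unencrypted during the connection handshake. The SSID, passphrase, MAC addresses and nonces below are constructed sample values.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal master key: depends only on passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < length:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]


def ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
        anonce: bytes, snonce: bytes) -> bytes:
    """Per-session key material (48 bytes, the CCMP case)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


# Constructed sample values (assumptions, not taken from the article).
SSID = "CafeGuest"
PASSPHRASE = "latte-special-2010"          # the key the barista hands out
AP_MAC = bytes.fromhex("020000000001")
ALICE_MAC = bytes.fromhex("0200000000a1")
ANONCE = hashlib.sha256(b"constructed anonce").digest()  # sent in the clear
SNONCE = hashlib.sha256(b"constructed snonce").digest()  # sent in the clear

# Alice's laptop computes its session key.
alice_session = ptk(pmk_from_passphrase(PASSPHRASE, SSID),
                    AP_MAC, ALICE_MAC, ANONCE, SNONCE)
# Any patron who was given the same passphrase has every input as well.
patron_view = ptk(pmk_from_passphrase(PASSPHRASE, SSID),
                  AP_MAC, ALICE_MAC, ANONCE, SNONCE)
# Someone without the passphrase ends up with unrelated key material.
outsider_view = ptk(pmk_from_passphrase("not-the-key", SSID),
                    AP_MAC, ALICE_MAC, ANONCE, SNONCE)

if __name__ == "__main__":
    print("patron derives Alice's key:  ", patron_view == alice_session)
    print("outsider derives Alice's key:", outsider_view == alice_session)
```

The passphrase is the only secret input, so the encryption protects you from people outside the network and not from those sharing it; a VPN or HTTPS adds a layer that does not depend on the network key.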
Your Personal Business Is Your Competitors' Business
But what if you think that your data isn't important enough for someone to snoop on? Perhaps you're just browsing Websites, not logging in to any e-mail systems or Web applications that require passwords. You should be safe then, right? Not necessarily.
Imagine you're on airport Wi-Fi while you're returning from an industry trade show. Instead of checking the hundreds of e-mail messages waiting for you (unlikely, right?), you decide to browse your competitors' Websites, looking for ideas. Or maybe you elect to research potential acquisition targets.
In the background, however, your e-mail client detects an Internet connection and starts to download your e-mail. A colleague back at headquarters sees your instant-messenger status change to 'online' and sends you a panicked plea: "Huge problem @ factory. Possible recall. Call Bob ASAP!"
Armed with nothing more than wireless packet analyzer software, a fellow conference attendee in the same seating area may be able to glean competitive intelligence based solely on the Websites that you visit and your (probably unencrypted) instant messages--not to mention the personal e-mail from the recruiter indicating you're ready to jump ship, or the notes reflecting your relationship problems with your significant other. In short, the "other guy" is reading your messages before you are, and you didn't even do anything.