Security news that informs and inspires

Duo Labs Answers: Is Public Wi-Fi Safe?


From coffee shops to airports to hotels and work conferences, free public Wi-Fi is everywhere, easy and accessible. But is it safe to use?

Not quite - in a video from Duo’s security research team, Duo Labs, we discuss the dangers of both a victim and a hacker on the same public Wi-Fi network with Sr. Security Researcher Mark Loveless and Security Researcher Chris Czub.

According to them, a hacker could easily profile a user by sniffing their browsing traffic and learning about their banking, social networks, who they work for and where they live, etc. A hacker can also figure out their laptop model and check to see if they’re looking for updates. The hacker could leverage an updater bug to inject a fake update to the user to exploit the bug and send an update that installs malware on a user’s laptop.

By using a sniffer, a hacker could determine your patch levels, usernames and passwords, and authentication cookies on any computer on the network. With that information, a hacker could research and find vulnerabilities targeting your computer, operating system, and applications. Or, they could log into your accounts and monitor or steal any personal information.

Protect Yourself on Public Wi-Fi

So, how can you protect yourself if you connect to public Wi-Fi? Duo offers a few tips:

Use Encryption

When you’re browsing online, whether it’s on social sites, email, etc., only use sites with HTTPS in the address bar. HTTPS is a protocol for secure communication over the Internet, encrypting communications between a client and server to protect against sniffing by third parties. HTTPS signals the browser to use SSL/TLS to protect your traffic.

Conversely, HTTP is not encrypted and can be susceptible to man-in-the-middle attacks that allow attackers to get access to your data and accounts. Also, use a virtual private network (VPN) to create an encrypted connection while you’re on public Wi-Fi in order to protect access to applications with sensitive data, such as your company’s applications.

Enable WPA2

WPA2-PSK, or Wi-Fi Protected Access 2 Pre-Shared Key (PSK) encryption can provide more network security for a small business - this requires a password you have to enter to connect to the network. Non-password protected Wi-Fi networks transmit data completely unencrypted, allowing an attacker to hijack your web session if you log into an unencrypted website. Get more information about how it works in Juniper’s TechLibrary.

Use Common Sense

Save your online banking for later, when you’re at home or on a private network - logging into your bank account could expose your password. Same goes for shopping online or accessing any website that may reveal personal information, like medical, insurance, or otherwise.

Protect Logins With Two-Factor Authentication

One way to stop the success of remote hacking is to use two-factor authentication to protect your online accounts from man-in-the-middle attacks while using public Wi-Fi.

The most common type of two factor is TOTP (Time-based One-Time Password). After entering your password, a 6-digit passcode is sent to your phone that you must enter to verify your identity. However, this method of two factor can still be phished - if an attacker has your password and code, they have a 30-second window during which they can log into your account.

A more secure method of two factor is Duo Push. As an out-of-band authentication method, Duo’s backend server communicates with your phone directly, and it can’t be phished as easily as TOTP. A push notification is sent over your phone’s encrypted network and must be approved before your identity is verified for access.

Don’t Reuse Passwords

If you use the same password to protect everything from your bank account to your Spotify playlists, then you could be at risk. An attacker can easily cross-reference one of your passwords for login to a seemingly non-sensitive application with other website logins, and gain access to your more sensitive logins, like your bank account.

Uninstall Flash

Adobe Flash is known for many critical vulnerabilities that attackers use to download malware on your computer. Attackers might send exploit kits as email attachments, or inject code into legitimate websites or online ads in order to redirect visitors to a landing page that executes malware. With hundreds of known vulnerabilities to exploit, an outdated or unpatched version of Flash may make you a more susceptible victim.

Update Software on All Devices

Keep your operating system up-to-date and patched to the latest version on all of your devices, including your smartphone, tablets, laptops and PCs. Many known vulnerabilities target older, unpatched versions of software in order to gain access or control of your computer. Updating to the latest versions available as soon as a vendor releases the update is one way to protect your devices.

Watch a dramatic recreation of public Wi-Fi hacking and get tips from our Duo Labs team:

Reach out to our security research team, @duo_labs!