In an age when people do more and more things on their smartphones, getting to a free Wi-Fi hotspot feels like finding an oasis in the middle of the desert. Who wouldn’t prefer to hop on a free network and browse the hell out of the Internet without having to worry about a data limit? Well, just like anything else that’s free, Wi-Fi comes with fine print. And it reads “data leaks.”


The thing about Wi-Fi is that it is relatively easy to tamper with. When it comes to smartphones, it is even easier. Android ones, for example, are set up to broadcast the names of all memorized Wi-Fi networks when trying to connect to a new one. So, when your phone is in range of a router, your device’s Wi-Fi chip sends a message to the router asking “are you network X, Y, Z” and so on – X, Y, and Z being the names of networks your phone knows.
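As an added example (not from the original article), the Python below parses raw 802.11 probe request frames and separates wildcard probes from directed ones that disclose a saved network name, so you can check from a capture of your own device whether it behaves as described above. The frame bytes, MAC address and function names are constructed for illustration.

```python
MGMT_HEADER_LEN = 24   # frame control, duration, three addresses, sequence control
SSID_ELEMENT_ID = 0    # first tagged parameter in a probe request

def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) for a probe request, None for any other frame.

    Expects a raw 802.11 frame without radiotap header or FCS.
    ssid == "" means a wildcard probe, which names no network.
    """
    if len(frame) < MGMT_HEADER_LEN:
        return None
    frame_type, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if frame_type != 0 or subtype != 4:        # management / probe request
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])
    pos = MGMT_HEADER_LEN
    while pos + 2 <= len(frame):               # walk the tagged parameters
        elem_id, elem_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elem_len]
        if len(body) < elem_len or (elem_id == SSID_ELEMENT_ID and elem_len > 32):
            return None                        # truncated or malformed element
        if elem_id == SSID_ELEMENT_ID:
            return src, body.decode("utf-8", errors="replace")
        pos += 2 + elem_len
    return None

def leaked_names(frames):
    """Map each source MAC to the set of network names it disclosed."""
    leaks = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:               # skip wildcard probes
            leaks.setdefault(parsed[0], set()).add(parsed[1])
    return leaks

def build_probe(src: bytes, ssid: bytes) -> bytes:
    """Build a constructed probe request: header, SSID element, supported rates."""
    header = b"\x40\x00\x00\x00" + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    return header + bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid + b"\x01\x02\x02\x04"

PHONE = bytes.fromhex("021122334455")          # constructed, locally administered MAC
SAMPLE_FRAMES = [                              # constructed frames, not a real capture
    build_probe(PHONE, b""),                   # wildcard probe: discloses nothing
    build_probe(PHONE, b"Holiday Inn Myrtle Beach"),
    build_probe(PHONE, b"Starbucks 5th ave"),
    b"\x80\x00" + b"\x00" * 22 + b"\x00\x04Home",   # beacon-type frame, ignored
]
```

Calling `leaked_names(SAMPLE_FRAMES)` returns the two hotspot names keyed by the phone's MAC address; a device that only sends wildcard probes produces an empty result.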

Even just network names can give away a lot

If it’s your home network that you have memorized and its name is, well, “Home”, this is not very sensational information for an attacker to intercept. However, let’s assume you’ve been to places and have made your phone remember details about free hotspots in hotels, restaurants, stores and wherever else you might have visited. Network names like “Holiday Inn Myrtle Beach” or “Starbucks 5th ave” could help paint a good picture of your habits.

Knowing the names of those networks could be very useful for anyone who is able to set up fake hotspots. As we recently wrote, modifying a Wi-Fi hotspot to work as an IMSI-catcher device is relatively easy and very effective. Usually, you can avoid such attacks by only accessing trusted networks. But what happens when the network you access only looks like your trusted one, but isn’t? All the data you broadcast over it will practically be in the hands of the attacker.

What can you do to protect yourself?

  • Avoid open networks like the plague. If a network doesn’t require a password to log on, it’s a safe bet it’s at least packed with malware. But it could also be a malicious network set up with the sole purpose of fishing for data.
  • Don’t memorize credentials. Because of the attack pattern described above, it is actually not a good idea to have your phone remember networks. When are you going to stay at that hotel in Myrtle Beach again anyway?
  • Don’t use hotel Wi-Fi. Bear in mind that unlike other services, using the Wi-Fi at a classier hotel is actually more dangerous. The guests willing to pay more for a room also happen to be the people with the more valuable information – and there’s more likely to be cybercriminals lurking around because of that.
  • Don’t view sensitive information. If you need to do some banking, it may not be the best idea to do it while enjoying a cup of hazelnut-flavored latte in your local coffee place – your data will be visible to whoever operates the network. When it comes to sensitive information, access it only over a 100% secure connection.
  • Create your own hotspot with your phone. Going with your data plan might turn out to be the safer option when you have privacy concerns. Contemporary smartphones offer the option to create a hotspot and share your cellular data with other devices.
  • Encrypt your communications. Sometimes you won’t be able to follow the above pieces of advice. So, when you absolutely have to use a Wi-Fi network that you don’t really trust, make sure the information you send out will be useless to adversaries, even if intercepted. To do so, use apps that offer encrypted instant messaging, email or voice over IP (VoIP).
  • Use a secure device. Using specialized encryption apps on a phone that also has internet browsing and Google Services actually makes no difference – your phone would be already compromised by the various tracking tools they employ. For truly secure communications, use an encrypted device with no location tracking, over a secure network.