In this post, we are going to talk about using public Wi-Fi hot spots and doing it securely. So on public hotspots, the owner of the Hotspot is a man in the middle so can both observe and inject into any traffic you send unencrypted. Other users on the network can try to observe your traffic, inject packets into your traffic to attack you, and attack you directly via open ports. The hotspot you connect to might not even be the real one you think you’re connecting to and be replaced by an evil twin so there are many known risks. So let’s go through some mitigations and see how many of these you would have come up with yourself
Avoid using public wifi hotspots if possible which reduces the risk to zero. If you can use Ethernet instead of Wi-Fi that is a preference no fewer types of attack but generally we know that these things are not very convenient but the first step is to always avoid if you can since wifi is vulnerable to packet sniffers.
Switch off when not in use
Switch off or disable all of your wireless technology unless you’re using it. It’s safer and they actually save your battery and this includes Wi-Fi also Bluetooth, 3G they don’t need to be on if you’re not using them and it’s safer if you can only connect to hotspots you have some level of trust in, again this may not always be possible. Try to use hotspots that follow the security standards laid out in the section on Wi-Fi security and make sure they’re using WPA2 and if they’re using WEP anybody could be on it.
Without fail as an absolute minimum always use at least SSL NTFS encryption even if you’re not sending sensitive data without end to end encryption packets can be injected to attack you, to attack your browser unless you have an outstanding excuse then use an encrypted tunnel for all your traffic everything that is sent from your operating system.
Normally this is done with a VPN because the VPN will tunnel all traffic from your operating system but if you know what you’re doing you could also use SSH, JonDonym, Tor, they’re all fine but remember if you don’t set it up so the whole operating system is sending traffic encrypted you could have things in the background like maybe checking email for example that isn’t going over the encrypted tunnel so do make sure everything from the operating system has an extra layer of encryption to protect you.VPNs are recommended as an encryption solution.
Disable services on ports that aren’t needed
Disable or switch off services running on your local ports that aren’t needed. This is just a general step of hardening for any operating system and to also help block access to those services or maybe you don’t want to switch them off or you just want to block them. You can use a host based firewall with an implicit deny to all inbound traffic unless it’s for some reason required but generally because you are on a wifi hotspot it’s very unlikely that any inbound traffic is going to be required so maybe have a firewall profile when you are on public hotspots and on public networks.
And finally if you can, use a physical form of isolation with a portable router/firewall. This means getting yourself a hardware router/firewall and connecting via an ethernet cable which is safer instead of connecting your laptop or device to the hotspot which can prevent man in the middle attacks. This provides a layer of physical separation and you connect to this device instead so this device can be used to form an encrypted tunnel and as a firewall.