The risks of free Wi-Fi: Connecting, sharing and stealing through small business' networks

This story is the eighth in a statewide series about cyber security and small businesses, supported by the Michigan Small Business Development Center. [Read the rest of the series here.]

Wi-Fi signals saturate our atmosphere with information. They transmit our most important data, yet are as ubiquitous as radio. Not unlike a radio signal, the information you broadcast via Wi-Fi can be picked up by someone tuned to the right frequency—or simply on the same network. Even if you're not checking your bank balance, or shopping online, vital information can be exposed when you use an unencrypted connection.

According to communication security expert Shaun Murphy, a former government security consultant and the founder of Sndr, a free messaging and file-sharing app, "Anyone with a laptop or small embedded device can hijack or spoof a public Wi-Fi access point in a matter of seconds, capture some data and then leave with no possibility of being detected. With that said, it's almost impossible to know when and where these attacks happen and at what frequency but we do know it happens quite often in heavy tourist areas."

Living in West Michigan, we may not think ourselves as vulnerable to cyber crime like this every day. In fact, this story was researched and written on a laptop connected to several unencrypted networks, including coffee shops where a Wi-Fi password is provided with the purchase of a drink, the free Wi-Fi and a public network at the Grand Rapids Public Library and the public network provided by iServ at Rosa Parks Circle. In reality, there's little chance of noticing if any data on that laptop was compromised.

"Any Wi-Fi that is not locked down with modern technology is susceptible to a malicious party hijacking connections," Murphy says.

This caveat applies to individuals and businesses alike. Shops that connect any business-related equipment or devices to the same Wi-Fi network as their customers are opening themselves up to risk.

Many businesses split their connection into multiple networks to keep their activity secure and separate from customers' casual use. This is the case at Global Infusion, a coffee shop and cultural gifts store in Grand Rapids' East Hills neighborhood, and at a majority of the small businesses in the region that offer customers Wi-Fi.

Co-owner Beth Grilley says Global Infusion once operated on a single network, with business transactions and customers browsing on the same bandwidth. It wasn't until the company switched ISPs a few years ago that they added the second "guest" network, at the urging of their provider. Gilley admits cyber crime isn't a subject that's brought up a lot at Global Infusion—it's not the same environment as a downtown public access point—but the added level of security makes sense.

The inherent threat of cyber crime isn't only in the possibility of data being stolen from a device or account, but also being introduced to it.

"Not only can free Wi-Fi point intercept traffic and capture user names, passwords, etc., but they can also modify information coming back to you to inject malware or change competitor's online prices," Murphy says.

Tricia Glaser uses free wifi at the Grand Rapids Public Library.Grand Rapids Public Library Information Systems Manager Bill Ott has been with the library since before a Wi-Fi access point was implemented in 2001. He's seen it evolve to both support and throttle different types of usage.

"We've always kept public traffic on different virtual networks, separate from any staff traffic carrying user data," Ott says. "Since we invite the public in to use our own equipment, we've always had an eye on data security. For wireless, initially we just allowed any and all outgoing traffic, but began blocking ports as malware began spreading itself through SMTP. Over time, we ended up having to block any BitTorrent traffic as users started sharing copyrighted content."

Now, the library allows HTTP and the more secure HTTPS traffic to prevent abuse, Ott says. That's important to note, as it's an easy way to ensure security when transmitting sensitive data via Wi-Fi. The procedure for exchanging information on the internet, HyperText Transfer Protocol (HTTP), can be encrypted with code on a Secure Sockets Layer, by way of an SSL certificate. The resulting HTTPS transmissions are only understandable by the sender and intended recipient.

"Pretty much anything today can and should be using SSL to encrypt traffic containing any kind of personal information," Ott says. "Browsers today are very good at identifying site certificates and alerting the user to issues with encryption." 

Many common sites where personal information may be involved are already using HTTPS authentication and offer that level of security, but it's no substitute for prudence, Ott says. It's important to know what you're connecting to, in terms of both websites and networks. In urban areas, wireless networks abound, and finding the appropriate one can involve a search.
 
"A quick glance, and I see that within the range of our wireless network, across eight buildings, we see 148 other networks broadcasting," Ott says from GRPL's 11 Library St. location. "There have been a number of times that we've received reports of problems with our connections, when in fact, the user was not connected to our network at all."

If popularity is any indication of the importance of online security. a search of currently streaming Netflix titles turns up over a dozen films and series dealing with cyber crime and technological security. At the same time, we have more ways and devices then ever that access the internet.

There are several ways, even paid services, that can increase security when transmitting data, but the idea most echoed between Murphy and Ott is one of common sense: When using a public Wi-Fi signal, don't transmit data you want to keep private.

This story is a part of a statewide series about cyber security and small businesses edited by Lauren Fay Carlson. Support for this series is provided by the Small Business Development Center, which has just launched a free online security assessment tool and resources at www.SmallBusinessBigThreat.com to help small businesses measure their cyber security preparedness. 

Photography by Adam Bird
Signup for Email Alerts