When out and about we consider Wi-Fi to be an essential, and as a result businesses are seeking to meet the need. Cafes, hotels, shops and shopping centres, as well as conference venues, to name but a few, are now generally providing free Wi-Fi. It’s not a difficult process for them: pay a service provider, buy a few wireless access points and you are up and running, and the general public will connect and use it without a thought.
And herein lies the issue, as I became aware during a recent visit to a hotel. During the visit I was provided with a Wi-Fi key in my hotel room so I could access the free Wi-Fi; however, for some reason something did not quite feel right. After a few minutes of basic checking I found that the router’s management console was accessible via the Wi-Fi connection as opposed to requiring a wired connection. A rather basic security precaution, disabling Wi-Fi access to the console, had not been taken; however, the worst part was yet to come. It turned out that the default username and password for the router were still enabled, and as such anyone could gain access and reconfigure the router and Wi-Fi network to meet their needs. For me this represents a grave and serious lapse in the security setup. Although it had been easy for the hotel to set up its free Wi-Fi provision, they had failed to set it up securely, in a way which I would have considered to have been “properly” set up.
The above highlights the risks associated with free Wi-Fi. Someone could easily set up a man-in-the-middle attack using the lax security of this Wi-Fi network. People would then access and use the Wi-Fi unaware of the fact that a threat actor was gathering or monitoring their data. Truly nothing is free in this world, and in this case the free Wi-Fi may be free of cost but it certainly isn’t free of risk. And in this risk there may be a future financial cost in fraud or identity theft based on the data harvested.
I do not think this one hotel is unique in its poor Wi-Fi network security. I suspect that among the many establishments offering free Wi-Fi there will be many where the security is equally poor and that this will be especially common among smaller organisations where an IT department is likely to either be limited or not to exist.
As end users it is our responsibility to look after our own data security when out and about. We cannot assume that others, such as the providers of free Wi-Fi, are doing this for us, especially where there is no financial contribution paid to them towards the costs associated with doing so. And for those providing free Wi-Fi I would ask that they engage a suitable professional in order to ensure their setup is at least provided with the basic security precautions. If you aren’t willing to do this then you shouldn’t provide the service!
I also think there is an educational aspect to all this: are we adequately discussing the risks and required precautions with the students in our schools? I would suggest we need to do so with some urgency.