Staying safe on unknown networks isn’t too difficult, as long as you keep security in mind. I often hear hoteliers advising “secure WiFi”. I even took some IT training with a Company (who shall remain nameless) some years back advising using their “secure WPA2 network” for sensitive transmission. The statement is ambiguous in any case, but there is little security to the user in being connected to an encrypted wireless network, where the network operator and the other network users are untrusted. Let’s look at some risks:
Regular Ethernet Cabled Network Risks:
- Interception of your data in transmission through a tap/RF emissions
- Interception of your data through network manipulation by malicious user on the network (DHCP spoofing, ARP spoofing, etc)
- Interception of your data at the router controlled by the local system admin, or any other router along the way between any number of admins along the route to your destination.
The risks of open WiFi and WEP secured WiFi are the same as above, save that no tap is needed. The medium is the air, and anyone with access to the medium can intercept and manipulate traffic.
WPA/WPA2 is a slightly more interesting case. Passive sniffing is out – the access point negotiates different keys per connected client. Therefore one client sniffing the network will observe encrypted data only. That said, network attacks such as DHCP spoofing and ARP spoofing work just fine.
WPA2 is secure today, with a strong password, should you trust all other network users and the network operator. If the WPA2 key is handed out at hotel reception – other network users are not trusted. There are additional mitigations that can be placed to secure WPA2 networks to a higher standard such as client isolation (no client can communicate with another client on the network, only with the access point) and various traffic filtering. Even still, do you trust the hotel system admins not to be sniffing or logging your data?
Without you, as a user, having to audit the network policy and test to see if isolation and other mitigation techniques, how can you ensure security whilst travelling across different networks?
Use a virtual private network (VPN) with encryption. Don’t forget that a VPN doesn’t imply any level of security by default and is simply used to make diverse networks appear and function as a single logical unit. Remember, you don’t need to be connecting in to a traditional “network” such as an office per se to use a VPN.
In my case, I fire up a VPN connection to a virtual machine hosted in a datacenter that I trust. Part of my connection script replaces my existing default gateway with that of the VPN server. Let’s assume I’m on an untrusted network with an IP of 192.168.1.5/24 and a router IP of 192.168.1.1. After connecting to my external server, say 126.96.36.199, my default gateway of 192.168.1.1 is removed. An entry to route traffic to 188.8.131.52 through 192.168.1.1 is added allowing my machine to communicate with my VPN server.
On my VPN, I’m given a private IP of 10.0.8.2 while the VPN server is 10.0.8.1. I can now set 10.0.8.1 as my new default gateway.
Checking my external facing IP by visiting http://checkip.dyndns.org reveals that my public IP is now that of my VPN server rather than that of my hotel’s WiFi connection. Assuming a reasonably sane and strong encryption, all traffic is securely transported between my device and my hosted VPN server regardless of malicious parties along the way. Lets say that I’m communicating with facebook.com – I trust the route between my hosted server and facebook.com far more than I trust the route between my laptop on a public hotel network and facebook.com
A caveat! My VPN security must also be up to scratch. I check certificates and cryptographically verify the identity of my VPN partner (ensuring I’m not being tricked into connecting to a malicious VPN server). I am now “secure” (usual list of additional caveats apply)
My traffic leaves my VPN server as it was originally intended, before the encapsulation and de-encapsulation over VPN. If I’m browsing the web using regular unencrypted HTTP, then that’s how the traffic leaves my VPN server. If I’m using secure encrypted SMTP to send outbound mail, then it leaves the VPN server that way.