Security Over Wifi: How Much Privacy Do You Really Have?

by Sandra Shaw (2017 cohort)

Try going a week without your phone, laptop or anything that is able to connect to the internet. If you already have, then you might be familiar with the feeling of being somewhat detached from the rest of the world, as if everyone else knows something you don’t. It’s a sobering feeling. So, it’s not hard to see how attached we are to the internet these days: sending emails and text messages, searching up a term on Google, checking Facebook and other social media to see what our friends and colleagues are up to, logging into Google Drive to access documents…

The two most common ways that allow us to proceed with our daily digital rituals is either through WiFi connection or mobile data. We might resort to using our 3G, 4G, or LTE data whenever we are not able to connect to WiFi. But whenever possible, it seems that the opportunity to use WiFi instead of taking up gigabytes of data (especially when watching online videos or downloading files!) on our mobile plan is a better alternative—two out of every three people would prefer to use WiFi rather than their mobile network in order to access the internet (“2016 Global Mobile Consumer Survey”, 2016). Although encryption has become very advanced and widespread, we live in a predisposed period where the convenience of using any kind of WiFi supersedes undetected consequences.

Thus, in our increasingly digital world where our dependence on the internet only grows, it becomes imperative for us to

1. know the security holes that certain WiFi connections may have
2. take the necessary precautions when you use WiFi or the internet to make sure that your device will not be susceptible to hackers
3. know exactly how much at risk you really are

in order to protect your privacy as you roam the vast and intricate interweb.

How does WiFi work?

In order to see how WiFi can be compromised, we first have to understand how WiFi networks allows our devices to peruse the internet in the first place. There are three main points of focus that make WiFi work: a transmitter, a receiver, and a wireless router. The transmitter is a device that transforms information (an email, a webpage) into electromagnetic waves that travel at the speed of light. The receiver catches those waves and transforms them back into electric signals that “recreate” the information we are used to seeing on our screens (Woodford, 2017). Woodford says it’s like an invisible game of throw-and-catch. A WiFi router does the work of “throw-and-catch” to and from the internet (Woodford, 2017). Before we had wireless routers, devices had to be physically connected with wires to be connected to each other and the internet. But now, wireless routers do the same thing only through radio waves, eliminating the need for those cables. Thus, wireless routers are considered the access point our devices use in order to connect to the internet.

To be clear, WiFi and the internet are not the same thing, though people may use them interchangeably. The internet is “a way for one computer to talk to another,” like a specific “language.” It also acts as a web of information that “ties [those devices] together” (Heutmaker, 2014). WiFi, as we have just seen, is just the radio signal that connects your device to the internet.

What kind of security does WiFi offer?

Private WiFi will have one form of WEP, WPA, or WPA2 security. Public WiFi that does not require a password uses none of the security measures stated above. In 1997, a type of security called Wired Equivalent Privacy (WEP) was created. It was part of a bigger networking standard, the IEEE 802.11, and provided a general level of security for wireless networks (Beal, 2007). WEP does so by encrypting the data that travels as radio waves through the air from the transmitter to the receiver.

WEP works by using the Rivest Cipher 4 (RC4) created by Ron Rivest, one of the founders of RSA encryption. Essentially, a key is created through a combination of esoteric methods. For our sake, imagine that this key is a random string of 0’s and 1’s. A “pseudo-random generator” scrambles up the key so that each byte of the plaintext data being encrypted is different (Jacobs, 2008). The plaintext will be translated into binary digits, which is also a string of 0’s and 1’s. For example, the letter “A” in the ASCII encoding standard for electronic communication will always correspond to the number 65, which is 1000001 in binary.  Using the rules seen in Figure 1, adding the key and the plaintext together will result in a new string of numbers that will translate into gibberish if someone tries to read it—the ciphertext.

The plaintext will be translated into binary digits, which is also a string of 0’s and 1’s. For example, the letter “A” in the ASCII encoding standard for electronic communication corresponds to the number 65, which is 1000001 in binary. Using the rules seen in Figure 1, adding the key and plaintext together will result in a new string of numbers that will translate into nothing that is readable—the ciphertext. As we can see in Figure 2, adding the ciphertext and the key together can get back the original plaintext. Thus, this is a symmetric cipher.

Magic bullet? Not really.

In 2001, major weaknesses were identified with WEP (Jacobs, 2008). One major problem was that WEP used static encryption keys, a key that is used multiple times over a long period of time. This makes WEP’s encryption fairly easy to break since it is easier to deduce valuable information with a large quantity of data. Computer scientists at a German University proved that they could hack into a WEP network in just three seconds after collecting ten seconds of data (Beal, 2007). Therefore, in 2003 a stronger security called WiFi Protected Access (WPA) was created. WPA improved the level of encryption by generating a longer key. It also used the temporal key integrity protocol (TKIP) which creates unique keys for each packet of data being sent through the network, so no key is used multiple times, which was the weakness of WEP. WPA2 is simply a finalized version of WPA, since WPA was released in its early stages (Jacobs, 2008).

What about the internet itself?

We can’t talk about WiFi without mentioning the internet; you should be aware of both your WiFi and internet situation. After all, the internet is where everything happens. HTTP, Hypertext Transfer Protocol, is the standard to which browsers format and transport their messages. HTTP does not encrypt any of this information, meaning that if it was intercepted, people would see the plaintext of whatever webpage you are browsing on. In 1994, HTTPS—with the “S” standing for secure—was picked up by multiple websites (Bobby, 2017). Today, it would be rare to see a popular webpage not secured by HTTPS. In fact, Tip Top Security estimates that “more than 50% of all websites are HTTPS.” The reason why HTTPS is so secure is that the SSL certificate is a way of encrypting information where the key to encrypt information is not the same as the key to decrypt it.

Even with these securities, though, hackers can still trick you to enter your personal information without you realizing. Phishing is something hackers use to gather your usernames, passwords, and credit card numbers by presenting to you a fake replica of an actual website. It’s likely that your information will be “sold” on the Dark Web to other people who will use that information to try to be you and perhaps make purchases. Maybe big purchases, such as transferring money. Similarly, WiFi can also get “spoofed,” where hackers set up a fake log in page that looks real. One technology invented by John Simek can pretend to be real, trusted WiFi sources which then secretly capture your keystrokes (Davis, 2013).

Why should you care about what WiFi and websites you use?

Now that we have exposed ourselves to how hackers can easily use unsecured WiFi to their advantage, we need to think about why it’s important to protect our privacy while using WiFi to access the internet. According to the Infographic Journal, about 25% of people used their credit card to make a purchase while 60% of people logged into a personal account on public WiFi (Wallace, 2013). As a college student, your mind may be on a lot of things, and taking the necessary steps to protect your information should be one of them.

Taking these next small steps to make sure you’re browsing the internet securely can save you some big trouble should you choose to disregard how using unsecure, public WiFi can compromise information you think you’re keeping to yourself. Being well informed about how much of your information can be seen by other people who have malicious intent can help prevent fraud and protect your private information—emails, credit card information, passwords, and more.

The Verdict on WiFi

Before using any kind of WiFi, check their encryption standard. If they use WEP, that indicates a red flag—even though WEP security might sound strong and secure, think of the reason why WPA was needed: WPA was created because hackers were able to bypass WEP security pretty easily. And if hackers could achieve that in 2001 (Jacobs, 2008) then imagine how much easier it would be with 2017 technology. Now if the network doesn’t use any type of security, that’s an even bigger red flag. A secure network would have WPA2 level security, since as of now that’s the highest caliber.

You can usually find this information in your advanced WiFi settings on your computer (phones don’t really have that option). On Apple Mac users, going to system preferences, network, and then advanced settings will show you your entire history of all of the WiFi you have previously connected to in addition to their security level. In case you’re wondering, vuNet employs WPA2 security. As I have found on my history, the public WiFi you find at places similar to Panera, Holiday Inn, Sephora, or Sacramento International Airport will have no security implemented, even if it looks like they did through their Terms of Agreement page.

Even though this does limit your WiFi options since public WiFi is everywhere, going over your data plan by a few gigabytes and paying a few extra dollars is trivial compared to the consequences if someone were to happen to acquire your credit card number or your password to your email.

WiFi or VPN?

A network connection that many encourage is called VPN, or virtual private network. VPNs encrypt data sent to the private network and is like operating a “network-within-a-network” (Matthews, 2017). It’s not the same thing as private WiFi, though. Imagine that private WiFi is owned and used by a particular household or company. It’s private and localized to one physical location. By contrast, VPNs are private networks just connected through a larger network that reaches more people. But as Matthews says, the only thing it doesn’t offer is anonymity. Activity can always be traced back to your device.

Websites themselves

Now that you’ve selected appropriate network connection, it’s time to pay attention to webpage security. Definitely check that you are actually on the real version of the website you are trying to reach, so that phishers trying to use fake webpages will not get your username or password. If you are ever on a site dealing with personal information definitely make sure that the website URL starts with https instead of just http. Of course, there still are sites that haven’t switched over to https. If going to an http site is a necessity then it would be a good idea to be cognizant of the information that you are entering in; assume that anyone can see it.

Another way would be to check that the lock icon to the very left of the site URL bar is green, locked, and says the word “secure” next to it, which means that the webpage itself employs its own asymmetric encryption with SSL. And if you’re wondering whether anyone is able to easily break an SSL certificate or on the way to conquer asymmetric encryption, only a select few have. They’re called the NSA (Green, 2013).

To conclude…

If using WiFi is still a big concern to you, you always have the option of not using WiFi at all. But in 2017, breaking good encryption is a pretty tough endeavor on the personal level, provided that you choose to use solid encryption stated above. The main breaches of security we hear of are with sites that store mass numbers of client information, which we have seen with Equifax earlier this year. That’s on their end. Nevertheless, we should always be vigilant and careful with how we wield the growing pervasiveness of WiFi networks to our advantage.

Works Cited

Beal, V. (2007, June 15). The Differences Between WEP and WPA. Retrieved from https://www.webopedia.com/DidYouKnow/Computer_Science/WEP_WPA_wireless_security.asp.

Bobby. (2017, September 10). How Does HTTPS Work? SSL/TLS Explained. Retrieved from https://tiptopsecurity.com/how-does-https-work-ssl-tls-explained/.

Davis, R. F. (2013). Not So Sweet: This Pineapple can Intercept Wi-Fi Traffic. ABA Journal, 99(6), 32. Retrieved from http://www.jstor.org.proxy.library.vanderbilt.edu/stable/23425440?Search=yes&resultItemClick=true&searchText=wifi&searchText=security&searchUri=%2Faction%2FdoBasicSearch%3FQuery%3Dwifi%2Bsecurity&seq=1#page_scan_tab_contents.

Green, M. (2013, December 3). How does the NSA break SSL? Retrieved from https://blog.cryptographyengineering.com/2013/12/03/how-does-nsa-break-ssl/.

Heutmaker, B. (2014, August 21). What’s the Difference Between WiFi and the Internet? Retrieved from http://www.citymac.com/blog/2014/08/21/whats-the-difference-between-wifi-and-the-internet.

Jacobs, B. (2008, February). Wireless security—How WEP encryption works. Retrieved from http://searchnetworking.techtarget.com/tip/Wireless-security-How-WEP-encryption-works.

Jacobs, B. (2008, March). Wireless security protocols—How WPA and WPA2 work. Retrieved from http://searchnetworking.techtarget.com/tip/Wireless-security-protocols-How-WPA-and-WPA2-work.

Matthews, L. (N.d.). What A VPN Is, And Why You Should Use It To Protect Your Privacy. Retrieved from https://www.forbes.com/sites/leemathews/2017/01/27/what-is-a-vpn-and-why-should-you-use-one/#4546ed8e4b8f.

Wallace, I. (2013, August 21). Is Public WiFi Safe? Retrieved from http://infographicjournal.com/is-public-wifi-safe/.

Woodford, C. (2017, June 6). Wireless Internet. Retrieved from http://www.explainthatstuff.com/wirelessinternet.html.

(2016). 2016 Global Mobile Consumer Survey: US Edition. The market-creating power of mobile. Retrieved from https://www2.deloitte.com/content/dam/Deloitte/us/Documents/technology-media-telecommunications/us-global-mobile-consumer-survey-2016-executive-summary.pdf.