Are Secured Hotspots Safe?

Virtually any somewhat tech savvy person is now aware of the dangers when using free open (no password required) wireless hotspots, like the ones found at your local green and white logoed coffee shop that was founded in Seattle. Since these networks do not require a password, also known as a Pre-Shared Key (PSK), to join the client device to the wireless access point (AP) there is also no encryption being used on the communication between the two devices. This means that the data is being transmitted in the clear and visible to anyone who wants to see it. The traffic can be viewed live or captured with something like my CowPi to run analyst tools on later.

Because of this fact, many establishments that provide free Wi-Fi to their clientele have started to use PSK’s for authentication. The use of a PSK provides two functions for the vendor. First, it requires the user to enter the business to obtain the password rather than using it from another business’s location or anywhere else where they are in range of the network. The second reason is that the use of a PSK also means that the traffic from the client device to AP are now encrypted. This means if someone was to try and view the traffic or capture it for future analysis, they would not be able to see the victim’s communications because of the encryption.

Data encrypted in transit with a PSK (note the packet number)

Does this mean it is safe to use public Wi-Fi if a PSK is being used? The answer is no, if the attacker knows what the PSK is, for example, goes into the coffee shop sees it on the board then they’re able to use that PSK to decrypt all the traffic that they have previously captured. There are a few different tools to do this but one of the simplest is Wireshark.  I’ll save the details of this process for another post, but as you can see from the following screenshots, the packets containing a website login were encrypted while traveling between the client and the AP can easily be read when the PSK is supplied.

The packet is now encrypted and you can now see the content

Granted, every day more sites are switching to HTTPS, but there are still many sites that still have not. Without the use of TLS (Transport Layer Security), commonly represented as HTTPS, login credentials and other sensitive information are transmitted in the clear. This danger is not limited to just login credentials, there are still many users with laptops and smartphones configured to use insecure email protocols like POP and IMAP without TLS, leaving those communications in the clear too.

So, what do you need to do to protect yourself while using hotspots that are using a PSK? The advice is the exact same as for open (unsecured) ones. First and foremost is to not do anything that contains sensitive information, such as banking, work emails, etc. Checking the weather and watching cat videos is fine. Second, would be to use your mobile data instead. And lastly, if you do need to use it for something other than cat videos, I’d recommend using some sort of VPN service. I personally suggest that if you have a corporate VPN to use that, and if not, there are plenty of 3rd party VPN services that you can subscribe to.