There are various cyber threats targeting your iPhone, including phishing attacks that lead to malicious websites, targeted emails that contain high-risk attachments, and even texts designed to crash your computer. In locking down its hardware and software, Apple does a fantastic job. But if you don't take basic precautions on your own, there isn't anything that Apple can do. And with one Wi-Fi feature that you need to disable on your computer, that's certainly the case.
By now, airports, shopping centers, coffee shops, supermarkets, and hotels should all be well aware of the risks of public Wi-Fi. Convenient and generally secure, saving our data plans and ensuring that when away from home, we can use our phones normally. But if you connect your iPhone to a hotel, coffee shop, Wi-Fi airport, or restaurant, the risks are likely to be much, much worse than they need to be.
Yet again this month, as Americans gradually operate away from workplaces and sometimes homes, the FBI has warned users to beware of the dangers of public Wi-Fi. Hotels now advertising distraction-free spaces for those working from home have been highlighted by the FBI. Through developing their own malicious network with a similar name to the hotel's network, criminals may execute a 'evil twin attack.' "Instead of the hotel, visitors can then accidentally connect to the criminal's network." But attacks can be much simpler than this.
When you connect to public Wi-Fi, to select a connection, you depend on the network's service set identifier, its SSID. This is also the name of the restaurant, coffee shop or bar, which is supposed to make things simple. Your iPhone will then connect to that Wi-Fi again and again automatically, each time you return to the venue, intended for convenience. But the easy convenience is a big security risk you have to handle.
"Many devices are designed to connect to established hotspots automatically," warns security researcher Sean Wright. In order to communicate, victims don't need to do something. They just have to be within range. In order to provide legitimacy, there are corporate Wi-Fi solutions that use certificates, but I have not seen any of these hotspots use them.
This security risk is so extreme that it can be taken to the stage of satire. Public Wi-fi will still be at risk, "says Ian Thornton-Trump, Cyjax CISO." "I saw a Starbucks and a Subway Wi-Fi connection point once, flying 35,000 feet from Newark to Vegas."
"I would stop any public network auto-joining," Wright says. You're never sure who's behind it. It also makes spoofing them all too easy because they are public and available. What he suggests is that with the same SSID, an attacker can set up their own Wi-Fi hotspot. It's as simple as that. And when in range, your phone will happily connect if you have previously linked to the legal network with that SSID.
Worse, the iPhone is actively looking for familiar Wi-Fi networks, "sending out probes for hotspots to which it wants to link," says Wright, "so that[an attacker] can stand-up hotspots with those SSIDs, a Wi-Fi Pineapple-built capability," malicious routers designed to intercept traffic. But there is, in fact, no need for special equipment. Nothing more than a cell phone is needed. "I was in the hotel lobby," says Wright, "and in a matter of minutes, I set up my 'free' hotspot and had five devices attached."
"ESET's Jake Moore says," With more remote work than ever, it may be tempting to use a coffee shop for a change of scenery. But free Wi-Fi can not always be what you want it to be. When it comes to communicating without worrying about security risks, many people forget that public Wi-Fi can be unsafe and become complacent.
And if we use these public Wi-Fi networks when operating under coronavirus restrictions away from workplaces, then we risk damaging the networks and data of our employers, not just our own. "Connecting personal or business devices to the wireless network of a hotel," says the FBI, "can allow malicious actors to compromise the device of the individual and then access the guest's employer's business network."
"While unlikely," Moore says, "if a threat actor controls the Wi-Fi that the target is connected to, it is possible to obtain information from a computer." Moore urges users to stick to cellular connections. But when working, it isn't always realistic. "When you are in desperate need to use an unknown hotspot, a VPN will help," he says.
Nicola Whiting, Chief Strategy Officer at Titania, echoes this appeal to use a VPN if you have to use hotspots. "Protect it if you link it. If you're willing to spend $10 or more on eating and drinking out, and you know you're going to use public Wi-Fi, many of us can spend some time and money ensuring you have in-built security, even though it's a risk."
This is wise advice. But if you have a VPN, make sure it's a reputable, paid-for one. Free VPNs are sometimes worse than no VPN at all, including those supported by ads. Just because an app claims it's a safe VPN doesn't mean anything. Good VPNs will also allow you to locate trustworthy Wi-Fi networks, such as home and work, and all the others will enable the VPN to load automatically. This is perfect.
All that said, you should not enter public hotspots automatically. "Go to" Wi-Fi, "in your iPhone settings, and make sure that" Ask to Join Networks "is set to" Ask, "and that" Auto-Join Hotspot "is set to" Ask to Join. "This will prevent your iPhone from connecting to new or known networks or personal hotspots without you realizing it, giving you the chance to exercise caution before clicking" Yes.
Much more importantly, next to any public network you connect to, you can click on the blue-circled 'i' and disable the 'Auto-Join' function. You don't need to click on "Forget This Network," but if you are unlikely to be back, you can do that. You monitor where and when your iPhone connects in this way. When you are in a cafe or sitting in an aisle seat at 35,000 feet, this will keep you from connecting to the Wi-Fi of a coffee shop.
If you do these two things, when you need to use public Wi-Fi, you choose auto-join for any public network you connect to and use a reputable VPN, then you would have taken appropriate steps to keep your computer safe. That said, prudent security advice is to absolutely avoid public Wi-Fi. However, if you do, the FBI advises, "make sure to confirm the network name and the exact login procedures." Your purpose is to keep them from unintentionally connecting to the Wi-Fi of a fraudster that they are attempting to make look legitimate.
