Free Wi-Fi may seem like a convenient way to alter your digital fingerprint and avoid tipping off investigative targets, but the risks outweigh any rewards

So you understand that your network connection is part of your digital fingerprint passed to the websites you visit. Great. Clever sleuth that you are, you’re going to cruise on down to your local Starbucks, hotel, library, etc., and use their guest Wi-Fi to break any affiliation with your organization. 

Let’s go through the laundry list of why that’s a bad idea:

Security risks

Public Wi-Fi has reached ubiquitous levels. It’s super convenient and there are times when its use is acceptable, even considering the security risks we’re about to explore. But if you’re conducting sensitive online research (for law enforcement investigations, cyberthreat intelligence, research into financial fraud, etc.), you could be exposing yourself to risks that could spoil your investigation.

If you’re conducting sensitive online research, malware should be particularly concerning. With malicious payloads like spyware and keyloggers, your activity could be tracked even after you disconnect from the Wi-Fi network.

Man-in-the-middle attacks, rogue access points and evil twins

A man-in-the-middle (MITM) attack, sometimes referred to as an eavesdropping attack, is when a hacker inserts themselves between two communicating parties to obtain some form of information. Public Wi-Fi presents a ripe opportunity for these types of attacks.

The most common way for a hacker to initiate a MITM attack is by setting up their own hotspot — or “rogue access point” — with a name very similar to the that of the actual public hotspot you intend to click on: for example, the rogue hotspot is “Stabrucks_Free_WiFi” when the real name is “Starbucks_Free_WiFi.” The rogue hotspot may even have a better signal strength and is optimized for your laptop, making it the more attractive of the two. Unless you’re proofreading network names, you may not even catch the difference or inadvertently click on the wrong one. 

To set up a rogue access point, all the attacker has to do is configure their laptop or device to act as a soft access point with an innocuous name as in the example above, creating a bridge between the victim and the real access point (there are even kits for amateurs to do this now). From the vantage of the victim, though, everything looks fine — they’re connected to the Internet and it’s business as usual. But every bit of information, including passwords and access codes, is captured by the attacker. If the information is unencrypted, it is immediately compromised. Even encrypted information is transmitted and, depending on the level and complexity of encryption, may be easily decoded.

A variant on the rogue access point set up is an “evil twin attack.” Computers and cell phones generally store previously accessed networks so that they can automatically connect next time you are near the network. The bad actor can capture and broadcast an identical network name and trick the victim’s machine into connecting to the evil twin, while appearing to be connected to the legitimate hub instead. Then, as in a rogue access point attack, all of the user’s information flows directly into the attacker’s device. Setting up an evil twin attack is low-cost and requires minimal technical knowledge.

For sensitive online research, these methods of MITM attacks really put the “sensitive” part in jeopardy.

Sniffing

Unencrypted information passed over public airwaves can be captured and reassembled into usable information like passwords or cookies. Encryption helps, but some forms of encryption (especially older protocols like WEP) are so easy to crack at this point that they present only a minimal barrier to hackers. 

Mounting a sniffing attack requires almost no technical expertise on the part of the bad guys. Browser plug-ins and apps from popular app stores can turn a laptop or cell phone into a sniffer and a more powerful dedicated sniffing device can be purchased at a low cost at almost any electronics store.

Malware infections

Public Wi-Fi networks are particularly risky for malware distribution. If you’re on a public Wi-Fi network and have file sharing allowed, anybody else on that network could share malicious content with your device. Hackers can also plant malware on the access point itself.

If you’re conducting sensitive online research, malware should be particularly concerning. With malicious payloads like spyware and keyloggers, your activity could be tracked even after you disconnect from the Wi-Fi network.

But I used a VPN!

While VPNs can help to mask your IP address and provide an encrypted “tunnel” while you’re on a public Wi-Fi network, it does nothing for the security risks. 

You can read about the many ways VPN is an imperfect solution for conducting sensitive online research here, here and here, on top of the security concerns.

The important thing to remember is if you’re conducting sensitive online research, you need to treat it with the delicacy it requires — give it special attention and care. This doesn’t mean that you need to erect an entire “dirty network” in a lead-lined safe room (more on that here). But it does mean that any online risk that already exists is amplified. The stakes are higher, and adversaries and bad actors know this.

To protect against security risks, maintain anonymity and get your work done, you need:

  • Isolated browsing environment: Using a remote, cloud-based browser, you can be sure that all web code is executing off your device, eliminating the risk of malware infection.
  • Non-attributable network: SaaS solutions can provide researchers access to a non-attributable network (i.e., one that is unaffiliated with their organization). Unlike a VPN, these are dedicated points of presence in actual physical locations around the world. These points allow researchers to present a regionally appropriate IP address for the site they’re visiting and blend in with the crowd — a critical tradecraft consideration. 
  • Digital fingerprint manipulation: It’s not just your IP address that gets passed to websites you visit. Dozens of details including your time zone, language, keyboard settings, operating system, browser, etc. are passed. To avoid arousing suspicion, researchers need to understand what to change these details to and have the control to manipulate them.
  • Workflow: Make sure that any collected information can be captured according to tradecraft requirements (e.g., out-of-band translation), analyzed efficiently and stored and shared securely with collaborators.

To learn how Silo for Research powers secure and anonymous investigations from any computer on any network, check out our webpage here or request access to our free trial here.

Tags
Anonymous research Phishing/malware VPN