Getting connected to the Internet for various activities (getting updates from email, news, social media, weather, checking maps, traffic condition etc.) becomes an expected living habit due to mature technology and well established infrastructure. This need is even more when travelling around.
Free or paid Internet access is available anywhere in library, hotel, airport, café, shopping malls and even inflight. Therefore WiFi cybersecurity is a concern.
I have heard criticism from a cybersecurity practitioner on a single workstation (specific business function) in getting system updates via corporate guest WiFi is insecure and the connection should be switched to a 4G/5G data plan but there is no reason behind.
This appears as an irrational advice. By default, Internet isn’t secure whether it’s WiFi or data plan. The recommendation should provide reason why it is insecure and mostly importantly practical measure to secure.
If we look at this further, the insecurity from WiFi is likely due to:
- The infrastructure does not impose guest isolation, i.e. guest device in the network can communicate (or attack intentionally or unintentionally) other devices within the same network, then the connected device is insecure
- Your device might have folders shared in the network and if the setting is improper then the connected device is insecure
- There might have web proxy at the infrastructure deployed with TLS interception and decryption for deep packet inspection. Then, sensitive information will be exposed and insecure
Then, how do we secure?
- The best defense is do not use public WiFi but practically this doesn’t work
- Then next, use a different device (empty, i.e. without personal or sensitive info stored), and again this won’t work in majority
- Last but not the least:
- Use a different network location profile for untrusted network such as disabling discovery, prohibiting folder permission, using random MAC address, imposing host based firewall if available
- Check the padlock in web browser if the digital certificate is issued by unknown Certificate Authority (the web proxy itself) against the web site being accessed
The top challenge is that mobile phones are handicapped to execute the above measures; and once connected, apps behind the scene will connect outside and you have no control over them.