Are Public Wifi and Phone Chargers Actually Safe? (msn.com) 85
The Washington Post's "Tech Friend" newsletter suggests some "tech fears you can stop worrying about." And it starts by reassuring readers, "You're fine using the WiFi in a coffee shop, hotel or airport."
"Yes, it is safe," said Chester Wisniewski, a digital security specialist with the firm Sophos. Five or 10 years ago, it wasn't secure to use the shared WiFi in a coffee shop or another place outside your home. But now, most websites and apps scramble whatever you do online. That makes it tough for crooks to snoop on you when you're connected to public WiFi. It's not impossible, but criminals have easier targets.
Even Wisniewski, whose job involves sensitive information, said he connected to the WiFi at the airport and hotel on a recent business trip. He plans to use the WiFi at a conference in Las Vegas attended by the world's best computer hackers. Wisniewski generally does not use an extra layer of security called a VPN, although your company might require it. He avoids using WiFi in China.
You should be wary of public WiFi if you know you're a target of government surveillance or other snooping. But you are probably not Edward Snowden or Brad Pitt... For nearly all of us and nearly all of the time, you can use public WiFi without stress.
The newsletter also suggests we stop worrying about public phone chargers. ("Security experts told me that 'juice jacking' is extremely unlikely... Don't worry about the phone chargers unless you know you're being targeted by criminals or spies.")
Beyond that, "Focus your energy on digital security measures that really matter" — things like using strong and unique passwords for online accounts. ("This is a pain. Do it anyway.") And it calls two-factor authentication possibly the single best thing you can do to protect yourself online.
Easy answer: No (Score:3)
And we don't even need Betteridge's law of headlines for that answer.
Re: (Score:2)
But, but, but... "Security experts" told him not to worry about jacking strange and unknown things directly into his hardware and to fear the online passwords instead.
"Security experts" can't be wrong. They're experts!
Re: (Score:2)
Yes; a good article from Ars Technica pointing out that those scare stories circulating recently about malware on public USB phone charging stations have no evidence behind them that this has ever actually happened: https://arstechnica.com/inform... [arstechnica.com]
The FBI just likes to pass along scare stories, and that was the scare story of the week.
Re: (Score:2)
I automatically ignore any article that uses the word "scramble" when talking about encryption.
You should be wary of public WiFi if you know you're a target of government surveillance or other snooping. But you are probably not Edward Snowden or Brad Pitt
"Probably"? LOL!
If everything is working then they can't spy on Brad either. They'd have to fiddle with his computer to break things first.
Re: (Score:2)
Ditto. If TFA was written for 10th graders (downgrade from 8th graders, the previous default level for easily understood writing, and 10th grade is generous), then sure, write 'scrambled' and let them continue down the path of faux knowledge. Or perhaps be more precise.
At least TFS did not show any obvious, to me, spellcheck substitutions that lead one to believe the author either does not know or does not care, and certainly does not proofread their work.
Bleagh.
Re:Easy answer: No (Score:5, Insightful)
I automatically ignore any article that uses the word "scramble" when talking about encryption.
Why? It's a perfectly useful term to use when your target audience isn't technically sophisticated. It doesn't imply anything different than what is actually happening.
Re: (Score:1)
Why? It's a perfectly useful term to use when your target audience isn't technically sophisticated. It doesn't imply anything different than what is actually happening.
You think the target audience knows what an analog "scrambler" is more than they know what the word "encrypted" means?
The 1960s was a long time ago...
Re: (Score:2)
Except that lots of people who were alive in the 60's are alive now. "Scramble" is fine. If you tell me how it fails to convey the message, I'm willing to listen, but it just seems like the only offense is to one's esthetic sensibilities.
Re: (Score:2)
Let's draw a Venn diagram of "People born in the 1950s" and "People who use WiFi in coffee shops"...
Re: (Score:2)
Let's put it this way.
1 - Explain to me a scenario in which you're talking about encryption, you use the word scramble, and the listener fails to understand what you mean.
2 - If you can do step 1, describe to me the person you're talking to, and explain why you're talking to them about encryption.
It's such a weird thing to be bent out of shape over. It can't possibly be misconstrued.
Re: (Score:3)
The risk of charging a device from an unknown USB port is extremely low, but it's also very easy and cheap to mitigate that risk.
The benefits of VPNs are less clear. If you pay for a good one like Mullvad then of course use it. If you intend to rely on a free one, you might as well not bother. These days most connections to websites and mail servers are encrypted anyway.
Real answer: It depends on your risk aversion (Score:2)
Safety is not a concept that can be answered as a yes or no question. Betteridge has no impact on this discussion.
Re: (Score:2)
Okay, I had to look that up:
https://www.google.com/search?... [google.com]
Learn something new every day, yes we do!
Re: (Score:2)
Easy answers are rarely correct answers. I'm not saying you're wrong, but it would be nice to have a bit more substance to your answer.
Are Public Wifi and Phone Chargers Actually Safe? (Score:4, Interesting)
Re:Are Public Wifi and Phone Chargers Actually Saf (Score:4, Insightful)
Instead of using a public USB charger, use your own USB wall wart and plug it directly into a mains socket.
A no-data cable might protect you from being compromised, but a public charger can still damage your device by overvolting it.
Re: (Score:2)
Most likely the public places where you need to charge do not provide a mains socket, only a USB socket.
Re:Are Public Wifi and Phone Chargers Actually Saf (Score:5, Insightful)
Carry a USB battery, charge that with the public charger, and charge your phone with the battery
Re: (Score:2)
But not at the same time, plx!!
Most portable battery packs are not suited for that.
Re: (Score:2)
I thought you were supposed to be from Kentucky
I lived there for a few years, but I'm not "from there."
we call 'em "electrical outlets" or even "wall sockets" here in the States.
Sorry. I've spent much of my life living and working in Asia (Japan, China, and currently the Philippines), where I'm exposed to a lot of Britishisms and Aussieisms.
Re: (Score:2)
It is physically not possible to pass any data and thus is not hackable. Those cut corner function down USB cables are godsend for hacking prevention using public charges.
"Cutting corners" is a term for actions done in the easiest or least-expensive way, generally to boost profit. If they are leaving the data connections out as a security feature, that's not cutting corners, as it's being done as a conscious design decision for a product feature.
Re: (Score:2)
Re: (Score:3)
Public Wifi of course is not safe. Avoid using them at all cost.
Define "not safe". Why are you relying on the network to secure you rather than actually securing your own device from the network?
"Avoiding at all costs" is a simple way of saying "I don't know how to manage or control my device properly".
There are so many cheap to hell USB cables that do not have data wire.
They are also limited in charging speeds, not something particularly enticing if I am put into a position where I actually need to use a public charging spot. They aren't the answer. We need something more intelligent for that.
Re: (Score:3)
Public Wifi of course is not safe. Avoid using them at all cost.
Define "not safe". Why are you relying on the network to secure you rather than actually securing your own device from the network?
"Avoiding at all costs" is a simple way of saying "I don't know how to manage or control my device properly".
This. Poster needs to install packet sniffer Wireshark on their computer and take a look at what is happening on their presumably safe and secure home network. If they are that concerned about security, the protective software they should put on their home computer or laptop will protect them from the WiFi at McDonald's as well.
Re: (Score:2)
Simply disconnecting the data wires does not protect against over-voltage though. Even if not done maliciously, some chargers can fail in a way that causes excessive output voltage.
You can build one yourself with protection diodes that will divert higher voltages to ground, and protect against negative voltages/reverse polarity. It's a bit chunkier though. I've seen you can get little aluminium extruded "enclosures" (really just tubes) designed for USB Power Delivery boards, and I was thinking of making my
Re: (Score:3)
Public Wifi of course is not safe
Can you please elaborate? Saying something is "of course" anything, avoids putting actual thought into an answer. Many things that we have "of course" assumed to be true, turn out not to be true. Do you know *why* wifi is "of course" not safe?
He avoids using WiFi in China. (Score:2)
Re: (Score:2, Funny)
Why does he avoid using WiFi in China? Isn't it safe?
No, unlike the patriotic WiFi in the USA that is always safe.
Re: He avoids using WiFi in China. (Score:2)
It's not straightforward to use, since you usually need to get it authorised through an SMS with your phone. As such, traffic is blatantly tracked. There's no hiding it at all.
Sometimes it is other methods, like in a hotel when you need to give your name and room number.
The fuck is wrong with you phone people? (Score:2)
Are you joking? (Score:2)
The newsletter also suggests we stop worrying about public phone chargers. ..
Don't worry about the phone chargers unless you know you're being targeted by criminals or spies."
Can you see & smell the sarcasm or do I need to point out that criminals and spies are the only two species you need to worry about when it comes to juice jacking?
You're fine (Score:2)
"You're fine using the WiFi in a coffee shop, hotel or airport. "
The NSA told him that.
Re: (Score:3)
"You're fine using the WiFi in a coffee shop, hotel or airport. "
The NSA told him that.
The NSA can't even stop terrorists boarding planes when his own father tattled on him. The NSA these days are simply swamped under the weight of the data they have. There's basically no risk they pose to you at a public WiFi shop. If they do, they are likely already standing behind you.
Stop fearing your own shadow.
Edward Snowden... (Score:1)
or Brad Pitt? Are those two considered equivalent somehow?
Re: (Score:3, Insightful)
sorry, but your question is far from smart.
If they were equivalent, that guy wouldn't have used both of them...
Instead, they're pretty different as each of them represents a type of potential target.
Be smart ... (Score:4, Interesting)
Be smart, use a USB condom: https://www.zdnet.com/article/... [zdnet.com]
Re:The author's tech background is nil (Score:5, Informative)
10+ years as Principal Research Scientist at a leading cybersecurity firm - and "nil technical background"?
You are joking, right?
Re: The author's tech background is nil (Score:2)
Re: (Score:2)
All the people who don't publish papers have NIL technical background?
Either you are a troll or work with a strange definition of "technical background" where deep knowledge of a particular tech industry, proven e.g. by hundreds of articles, speeches, and presentations doesn't count...
Re: (Score:3)
...oh, and to address your notion that a "research scientist" should publish papers: Not in cybersecurity. There, "research" means mostly analyzing malware and TTPs (tactics, techniques and procedures). The outputs are not meant for writing papers; instead, they serve as a basis for improving their products and/or services. They often don't get published at all; if so, it's articles, not papers.
In research departments of cybersecurity firms around the world, you'd find hundreds and hundreds of extremely sma
Does it matter? - for most of us, No. Sort of. (Score:2)
Why on earth go to the extremes and effort of setting up fake WiFi networks or hacking into them, unless you _know_ there's a specific target you are going for?
Sure, if you connect to some random WiFi network that doesn't need any credentials to login, more fool you - but even then, why would bad actors want to people in such a minimal way, unless it's specifically targeted?
They wouldn't.
Almost all apps that carry important data have end-to-end encryption, so the bad actor would more than likely setup a fak
Re: (Score:2)
Why spoof WiFi when not targeting one user? Because one might be targeting a bunch of users.
Imagine setting up a "XYZ Free WiFi" AP next to store XYZ, and using a captive portal to collect credentials, phish, or serve malware. Monitor or hijack DNS requests for whatever reason. If users surf to a page that doesn't use HSTS, force a downgrade to MITM'ed HTTP and really go to town.
Those are all reasons that one should use a VPN unless one trusts the WiFi provider.
Re: (Score:2)
Imagine setting up a "XYZ Free WiFi" AP next to store XYZ, and using a captive portal to collect credentials, phish, or serve malware. Monitor or hijack DNS requests for whatever reason. If users surf to a page that doesn't use HSTS, force a downgrade to MITM'ed HTTP and really go to town.
Have you actually tried this in the last decade? TLS by default makes it _really_ hard to do that.
Re: (Score:2)
Have you tried reading in the last decade? I mentioned ways to get around TLS.
Chrome Mobile in particular is really bad about this. It will try something (HTTP/3? QUIC?) on every website first, but if the network connection is bad, it pops up a "connection is insecure" warning rather than retrying the connection. This trains users to click through that, because most of the time it's a false alarm.
Re: (Score:2)
I haven't tried it with Chrome Mobile yet, but with Firefox on the Desktop I once was in a training session where we could try it. The session kinda failed since Firefox just wouldn't connect with _no_ option of switching back to HTTP.
Mobile phones expose several much more dangerous attack surfaces. One is "Appstores" where applications are filtered by business decisions (and not things like data protection). The other one is the mobile baseband processor, which typically has direct access to the applicatio
Re: (Score:2)
My detailed knowledge is admittedly only iPhones and some of it is up to a decade old, but the "baseband processor" on an iPhone (back when I knew how it worked in great detail) has a subset of the privileges that the application proces
Re: (Score:2)
TLS by default does make it a lot harder, but by no means impossible. Sure if your attack starts by insisting someone install a new root cert you definitely lose some people because OSs on purpose make that flow hard, and fill it with dire warnings that some people will read...but if you had enough potential people to attack a small percent of them is still real "value".
Re: (Score:2)
Imagine setting up a "XYZ Free WiFi" AP next to store XYZ, and using a captive portal to collect credentials, phish, or serve malware. Monitor or hijack DNS requests for whatever reason. If users surf to a page that doesn't use HSTS, force a downgrade to MITM'ed HTTP and really go to town.
Those are all reasons that one should use a VPN unless one trusts the WiFi provider.
This has always been one of my pet peeves WRT "security" so often it isn't about addressing problems but merely playing shell games that hide problems behind ever increasing layers of complexity.
Redirect feature of captive portals used to work reliably, now if not for explicit captive portal detection in browser they would be useless thanks to rise and pervasive use of E2E security.
There is no way to "force a downgrade" without explicit sign-off of the end user. The same exact opportunities for compromise
Re: (Score:2)
Because people are stupid and don't know how technology works.
I have this "free" WiFi here. Great! Let's connect to it. I browse about ... ok, all the pages have this weird "this connection is not secure" bullshit warning page... but when I click "I accept", it's encrypted. So it's fine, right? I mean, sure, the browser is pretending it's not but I can see the connection is encrypted, so nobody can steal my passwords...
Re: (Score:2)
Because general targets can also be valuable. So as an attacker I may not care about "bb_matt", but I do care about "anyone that interacts with a banking site I know how to man in the middle". As an attacker I especially care if I have some sort of scam or attack that works for a small number of limited value transactions but against a large number
For USB phone charging (Score:2)
For WiFi just don't connect, and use cellular data
Re: (Score:2)
You can buy iPhone "power only no data" cables (or use a USB "adaptor" that only passes power and a regular iPhone cable). Apple doesn't sell them because they have historically been considered inferior products as opposed to "on purpose for security we don't support sync, only power!". iPhones also have the "Hey do you trust this device? YES/NO" ale
Re: (Score:2)
(2) people might not realize that if they press the "no don't trust!" they still get power.
My old iPhone 4S did not charge under such conditions.
And unfortunately unplugging it and replugging it, did not trigger the question again.
Public Wifi probably safer so than USB (Score:2)
Public Wifi is a wireless protocol. People tend to understand that that means that the code quality has to obey certain minimal standards. After all you are dealing with untrustable input there. Also people are actively looking for security issues in that field.
On the other hand, USB never was designed for security. The data feature of it is mildly obscure so while it gets some use, few people look at it, and many people disregard attacks over it as unimportant. After all you deliberately made a connection,
Re: (Score:2)
It used to be common to be able to get power banks that could be charged and also provide a charge at the same time. That has become way less common, but they used to be my favorite for general charging as well as taking with me to charge things while on a trip. My current method is to use
They're as safe as the device you connect to them (Score:2)
Simple answer is of course public networks are not safe. What is safe is smart phones and tablets that have been security hardened run against such networks without leaving ports open and so on. Even so, activity could be vulnerable to snooping & interference especially if it is unencrypted. So the ultra paranoid should probably use a VPN on top of the network to hide their traffic. And of course if you were using a laptop running a desktop OS then you could be vulnerable depending on the operating syst
Use a crypto blockchain is what I tell everybody (Score:2)
The world would be so much better when everyone would be using the cryptophonic blockchain to secure their shit.
Look at my ugly monkeys! Nobody can touch them because they are blockchained to this crypto thing and even I don't own the picture.
But they are worth a lot of coins now, even if my 5 year old niece could probably have drawn a better looking chimp.
What does "safe" mean in this context? (Score:2)
Strong passwords? (Score:3)
The author insists that you're not a target for these attacks unless you're someone famous, then goes on to say you still need strong passwords. Having a strong password means it's harder to brute force crack, but no one is going to bother with that for most (non-famous) people for the same reason.
When was the last time someone you know had a password actually brute forced? That's not the loss vector for passwords these days, it's data breaches. You can have the most secure password ever for your, e.g. banking app, but when the bank gets hacked and your password ends up on some leaked user database, your password strength is irrelevant. Those breaches may be a consequence of someone within the company having a weak password, but not the end users.
2FA is a far more effective security measure than any "strong" password. And have a variety of passwords, not one used for 20 different accounts.
Re: (Score:2)
Actually, to quote:
"Don't worry about the phone chargers unless you know you're being targeted by criminals or spies."
And many of us realize that those exclusions do not exclude the government. Any government.
It's ugly out there. Have 'they' broken hidden partitions yet? Oh right, of course. Sheesh. Run everything off a USB stick you can hammer out.
Re: (Score:2)
The data breaches frequently only leak encrypted pass
_Anything_ public isn't safe (Score:2)
STRONG PSWDs for WEAK PROGRAMMING !! (Score:3)
Strong passwords are only advisable/required where the cost of wrong guesses is low. If the pwd hashes are weak/available, then the cost is just a few hundred CPU cycles. Tiny. If the cost is lockout after 3 wrong (like ATMs eating cards), it is huge. Ditto for being shot by a sentry. I favor progressive login delays, limited to avoid DoS. Anyone who fails to consider the cost of wrong guesses does not understand passwds.
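The progressive, capped login delay that the comment above favors can be sketched as follows. This is an added example, not code from the thread or the article; the class name, the three free attempts, the doubling factor and the 300-second cap are all assumptions chosen for illustration, and it covers only online guessing, not offline cracking of leaked hashes.

```python
import math


class LoginThrottle:
    """Per-account progressive delay after consecutive failed logins.

    The delay doubles per failure after a few free attempts and is capped,
    so an attacker hammering an account can slow its owner down by at most
    max_delay seconds rather than locking them out.
    """

    def __init__(self, free_attempts=3, base_delay=1.0, factor=2.0,
                 max_delay=300.0):
        if base_delay <= 0 or max_delay <= 0 or factor <= 1:
            raise ValueError("delays must be positive and factor > 1")
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.factor = factor
        self.max_delay = max_delay
        # Smallest exponent at which the uncapped delay reaches max_delay;
        # clamping to it avoids float overflow for very long failure runs.
        self._max_exp = max(
            0, math.ceil(math.log(max_delay / base_delay, factor)))
        self._state = {}  # account -> (consecutive_failures, not_before)

    def delay_for(self, failures):
        """Delay imposed after the given number of consecutive failures."""
        if failures <= self.free_attempts:
            return 0.0
        exp = min(failures - self.free_attempts - 1, self._max_exp)
        return min(self.base_delay * self.factor ** exp, self.max_delay)

    def wait_remaining(self, account, now):
        """Seconds until the next attempt on this account is accepted."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - now)

    def record_failure(self, account, now):
        """Count one wrong guess and return the delay it triggers."""
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = self.delay_for(failures)
        self._state[account] = (failures, now + delay)
        return delay

    def record_success(self, account):
        # A correct login clears the counter for that account.
        self._state.pop(account, None)

    def seconds_to_exhaust(self, guesses):
        """Minimum wall-clock time for an online attacker to make this
        many wrong guesses against one account."""
        return sum(self.delay_for(n) for n in range(1, guesses + 1))


if __name__ == "__main__":
    throttle = LoginThrottle()
    days = throttle.seconds_to_exhaust(10_000) / 86_400
    print(f"All 10,000 four-digit PINs take at least {days:.1f} days online")
```

With these assumed parameters a four-digit PIN space takes over a month to walk online, while the account owner never waits more than five minutes.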
Depends on DNS (Score:2)
The safety of Wifi depends on how honest the DNS service is. If it's actually connecting you to the real websites, then you're getting HTTPS and everything is good. If it's not, you could be typing in "www.example.com" and get an HTTP site instead of the HTTPS site, and it could be literally anything. Phony website that imitates the real site and does not redirect you to HTTPS, but gladly accepts your passwords.
Not a yes or no question (Score:2)
Public chargers and public wifi are "low risk". Safety isn't a yes or no concept. It is related to the importance of your data and the likelihood of it being exposed through these activities.
As I'm not plotting to overthrow the government's financial system by exposing Satoshi's wallet key in a public location WiFi and public chargers are incredibly low risk. If you are planning on doing this on the other hand, firstly congratulations on your wealth, and secondly, don't.
Easily disproved (Score:2)
It's a good thing that remote exploits have never been used against other computers that have joined the same subnet, which means that VPN's default tendency to disallow traffic outside of the encrypted tunnel is probably pointless, right?
No they are not (Score:1)
Sorta... (Score:2)
My two centavos:
If there is a USB port sticking out somewhere or a cord to attach one's phone, most of the time it is okay. However, I prefer packing my own parachute, mainly because a lot of USB charging devices give unknown voltages or may be just cheaply designed, while a genuine Samsung or Apple charger with a decent cable is a known good quantity.
This is a personal preference, and I do take a couple Anker power supplies (including an Anker 733 power supply and battery combo), just because I know that
public charging (Score:2)
If you're using a USB public charger and not using a power-only cord, you're insane.
If you don't have a KNOWN power-only USB cord* then get one. Priceless for world travelers as - unfortunately - USBs are in fact the most universal charging point format since countries still have their own power-plug formats.
*another thing that would have been pretty handy for that ol' USB standards board to maybe consider making visually obvious.
Re: (Score:2)
If you're using a USB public charger and not using a power-only cord, you're insane.
Or we're running Linux. Or a recent version of Android.
I've never understood this "insecure by design" mentality which blames the power cord for a problem with the software.
3rd party VPNs are not any safer (Score:3)
Using a VPN instead of connecting to Wifi directly just says that you trust your VPN more than you trust the WiFi provider.
Which you might consider how much you trust your VPN.
Safe! (Score:2)
Yeah, it's safe. As long as you trust the WiFi operator to not be doing things that are 100% under their control on their own network without you knowing about it.
For everything else, there's VPN tunneling to get to a network egress you trust. This is why I have a wireguard agent running on my router at home - when I'm on someone else's wifi, I connect to that and pass nothing but encrypted packets over their network back to mine, where it can then exit and go through my still-untrusted-but-allegedly-held
In related news .... (Score:1)
Wifi no, charging depends (Score:2)
Charging can be safe if you use a power-only cable. Of course, you'd have to verify that you have and are currently using a power-only cable.
Single best move, use a containerized OS! (Score:2)
Risk is variable (Score:2)
Is it safe to use the wifi at Starbucks? Sure.
Is it safe to use the wifi at BlackHat? Sure, just throw your computer away after.
Pretty much the same as food (Score:2)
If you find some food in an alley, you would not eat it, right? If you buy it in a legitimate-looking establishment, no problem, even if it is street-food. Same goes for phone charging ports or plugging in USB devices.
Wifi is a bit different. If you are reasonably careful, anything that delivers your packets can be used securely. That does unfortunately mean you have to do a VPN-tunnel (home, office, Tor or to a commercial provider) or other form of secure login like SSH, because the public certificate syst