OFFICIAL SECURITY BLOG


Staying safe on public wifi

Published May 21st, 2015 at 12:54 PM EDT, modified May 21st, 2015 at 12:54 PM EDT

Everyone has to use public wifi now and then. It is somewhat common knowledge that this is unsafe, but most people aren’t entirely sure what to do about that, other than not visiting sensitive sites, like their bank site. Fortunately, there are some good tricks to keeping your Mac and your data safe on public wifi.

The dangers of public wifi are fairly easy to understand. There are a few basic risks. The first is that anyone connected to the same public wifi network can “sniff your packets.” (No, that’s not something dirty, stop grinning like that!) This means that they can capture and view any data that is sent over the network. So all the data you’re sending and receiving can be viewed, unless it is encrypted in some way.

Encryption helps, but not all data is encrypted by default. E-mail messages, for example, are sent and received in clear text (i.e., not encrypted). Even some passwords are sent in clear text! Secure sites (i.e., sites with addresses starting with “https://”) encrypt all data, but depending on the site, there could be vulnerabilities that allow an attacker to impersonate you and gain access to your account on that site.

Worse is what is called a “man-in-the-middle” attack. This happens when an attacker occupies a privileged position on the network. (This generally means they own the network.) This can happen if you join a network set up by a hacker to lure people in with the promise of free wifi. The network could even be given an enticing name, like “Starbucks Hi-Speed”, which could imply an ownership of the network by Starbucks when it’s really being run by a hacker.

In such a case, the network could actually redirect you to malicious sites. For example, if you try to log in to PayPal while on such a network, you might actually end up on a phishing site designed to look just like PayPal, and to steal your PayPal login information when you enter it. Next thing you know, your PayPal account has a bunch of strange charges on it.

In addition, having your Mac connected to a network full of strangers exposes you to other risks. If you have file sharing turned on, for example, someone else on the network could potentially gain access to your Mac and browse through your files. There are many server processes built into Mac OS X, all designed to accept incoming connections from other computers. Most are off by default or harmless, but many people won’t know what might have gotten turned on or when there might be some kind of vulnerability that could be exploited by a hacker on the same public wifi.

So what can be done about all this? Here’s what I advise doing whenever on public wifi:

Turn off Bluetooth

To prevent any attempts to connect to your computer via Bluetooth, rather than wifi, while out in public, turn off Bluetooth. This may not be feasible if you are using a wireless mouse with your MacBook, but if you’re not using Bluetooth, turn it off. This can be done very easily in the Bluetooth pane of System Preferences. There’s even an option there to display a Bluetooth item in the menu bar, from which you can turn Bluetooth on and off without delving into System Preferences.

Use a VPN

A VPN, or “virtual private network,” is a way to, in essence, connect to a network that’s not really there. A good VPN will encrypt all communications between your computer and the VPN, protecting them from snooping in transit through insecure public wifi. (Of course, this requires that you trust the VPN; otherwise you’re substituting one untrusted network for another.)

Businesses will sometimes provide a VPN to employees, and universities to staff and students, as a method for allowing remote access to internal servers. (For example, consider a university library with content only available to people connecting from a university network. A university VPN would allow people using it to access that content remotely, because the VPN gives access to the university network.)

If you have access to such a VPN, check with the folks providing it to make sure it encrypts traffic. If it does, use that. If you don’t have one, or if you’re provided one with no encryption, look for another option. I’ve been using IPVanish recently with good results, and like it in particular because it’s fairly easy to set up without installing any software. (Mac OS X has support for VPN connections built in.) This is not to say that I have done any exhaustive comparisons and found IPVanish to be the best. There are plenty of other options, and some may even be better for all I know.

Be careful of free VPN services, though. Nothing is truly free in this world, and many of the “free” VPNs will inject advertising into web pages you visit.

Without a VPN 🙁

With a good VPN, you can go to your bank site with impunity on any public wifi. However, if you can’t use a VPN for whatever reason, you’ll need to take some other precautions.

Turn on the firewall

Most of the time, the firewall on your Mac is completely useless. It doesn’t protect you against anything on a trusted network, and just annoys you when asking for permission to allow a connection. On public wifi, however, it becomes useful for preventing anyone from connecting to your Mac, but only if you configure it properly!

Go to System Preferences and click the Security & Privacy icon. (If you don’t see that, or if you’re using an older version of Mac OS X where it has a different name, enter “firewall” in the search box in the top right corner of the System Preferences window to find the right preference pane.)

Once you’ve found the firewall settings, turn on the firewall. In order to do that, you may need to unlock it, by clicking the lock icon in the lower left corner of the window and entering your admin account password.

After you have turned on the firewall, click the Firewall Options button. A “sheet” window will drop down. The first option there should be “Block all incoming connections” – check that box. This will prevent all incoming connections, which will mean that certain things will stop working. File sharing, for example, will be unavailable until the firewall is turned back off.

Once you’ve got it configured, just turn the firewall on any time you have to use public wifi, and turn it back off again when you’re back on a trusted network, like your wifi at home.

Avoid sensitive sites

Since you can’t prevent packet sniffing without a VPN, you’ll need to be selective about the sites you visit. Don’t connect to anything that would be disastrous if it got hacked, whether it’s a secure site or not. If at all possible, make sure you have two-factor authentication turned on for any accounts you’re using on public wifi. (Two-factor authentication generally uses something besides just a password – such as a special code texted to your cell phone – to verify that you are who you say you are.)

Encrypt e-mail passwords

Some older mail servers may not encrypt your passwords by default. In other words, your password will be sent in clear text, plainly visible to any packet-sniffing hackers on the same public wifi. Ensure that your e-mail client (such as Mail) is set to use SSL when connecting to the mail server. This will ensure that the password is transmitted securely. Check with your mail provider for configuration instructions. If they don’t support SSL, don’t check mail on that account from an insecure network. In fact, don’t even open the Mail app at all!
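The check described above, as an added example that is not part of the original post: a Python function that classifies a mail account's connection settings by whether the password can cross the network unencrypted. The function names, result labels and sample server responses are constructed for illustration, and the "encrypted" result assumes the mail client validates the server's certificate on the SSL ports.

```python
import re

# Ports where SSL/TLS starts before any mail command is sent.
IMPLICIT_TLS_PORTS = {993, 995}  # IMAP over SSL, POP3 over SSL


def parse_capabilities(protocol, response):
    """Return the upper-cased capability tokens a server advertised."""
    caps = set()
    for line in response.splitlines():
        line = line.strip()
        if protocol == "imap":
            # "* CAPABILITY A B" or "* OK [CAPABILITY A B] greeting text"
            m = re.match(r"\*.*?CAPABILITY ([^\]]*)", line, re.IGNORECASE)
            if m:
                caps.update(m.group(1).upper().split())
        elif line and line != "." and not line.startswith(("+OK", "-ERR")):
            # POP3 CAPA reply: one capability per line, "." ends the list
            caps.add(line.split()[0].upper())
    return caps


def password_exposure(protocol, port, response=""):
    """Classify how a login to this mail service crosses the network."""
    if port in IMPLICIT_TLS_PORTS:
        return "encrypted"      # whole session is inside SSL/TLS
    caps = parse_capabilities(protocol, response)
    upgrade = "STARTTLS" if protocol == "imap" else "STLS"
    if upgrade not in caps:
        return "cleartext"      # no encryption offered: password is sniffable
    if protocol == "imap" and "LOGINDISABLED" in caps:
        return "tls-enforced"   # server refuses LOGIN until TLS is negotiated
    return "tls-optional"       # safe only if the client is set to require TLS


# Constructed sample responses (not captured from any real server).
SAMPLES = [
    ("imap", 993, ""),
    ("imap", 143, "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"),
    ("imap", 143, "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"),
    ("pop3", 110, "+OK Capability list follows\r\nUSER\r\nUIDL\r\n."),
]

if __name__ == "__main__":
    for protocol, port, response in SAMPLES:
        print(protocol, port, password_exposure(protocol, port, response))
```

A "cleartext" or "tls-optional" result is the situation this section warns about: the account should be switched to its SSL port, or left closed while on public wifi.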

Nothing, of course, can ever guarantee you total security online. But if you take these basic precautions, you should be far more secure while using public wifi. Keep in mind, also, that hackers tend to go after “low-hanging fruit.” Like the old joke that you don’t have to run faster than the bear, you only have to run faster than the other guy, making yourself a harder target than the person in the next seat will mean you’re far less likely to be targeted in the first place.


18 Comments

  • El Aura says:

    What does the list of applications in the firewall settings with an “Allow incoming connections” mean? Doesn’t this list imply that no other applications can receive incoming connections?

    • Thomas says:

      Not necessarily. Note the check box on recent versions of Mac OS X to automatically allow any signed software to accept incoming connections. Most of the software on your computer is signed.

      Don’t bother with that. As stated in the article, just block everything while on public wifi, if you can’t use a VPN.

      • El Aura says:

        I was aware of that second checkbox, I should have explicitly added to my question as to what happens if it is unchecked?

        Somewhat off-topic, I am more concerned about my iOS devices as it is my iPhone that gets most used on public WiFi. Of course VPN works there as well but it’s yet another thing to switch on every time. Even if I use the public WiFi only for downloading podcasts or RSS feeds, emails might be downloaded in the background and other apps might transmit unencrypted data in the background as well.

        • Thomas says:

          As long as blocking of all incoming connections is turned on, the states of the other boxes there are irrelevant. If you don’t enable blocking of all incoming connections, there’s no point in using the firewall at all, in my opinion.

          As for iOS, the same things apply, it’s just a matter of finding all the settings. The only significant difference is that there is no firewall on iOS.

          • El Aura says:

            So when does this list have any effect? If I enable the “Block all incoming connection”, does this list then exempt the listed applications?

          • Thomas says:

            No, if you enable “Block all incoming connections,” it will do exactly that. There will not be any exemptions. This is precisely the behavior you want. Otherwise, the firewall is something that is only useful for servers.

          • El Aura says:

            So, you are saying there is no configuration where this list has any influence on the behaviour of the computer and this list is just there for decorative purposes?

          • Thomas says:

            No, that’s not at all what I’m saying.

      • kimberley says:

        Hi, I know this is not the correct link to post for help. But thought I would use your latest article, so you will hopefully see my question.

        I downloaded BitTorrent last night. Chrome, search bar, history, dropbox has vanished.
        I have version 10.6.8 and have tried to manually delete plug-ins and files like Genio.
        I removed and re-installed Chrome, but will not launch.
        Safari is slow and has letters and numbers in address bar.
        Can’t access Youtube either

        Please help (female, non-tech)

        Thanks
        Kimberley

    • El Aura says:

      Maybe I’m a bit slow but under which circumstances exactly does this list then make a difference?

      • Thomas says:

        That list controls what is allowed to connect when you don’t have it set to block all incoming connections. It is not relevant when all incoming connections are blocked, because that overrides it.

  • iEscape says:

    “I’ve been using IPVanish recently with good results, and like it in particular because it’s fairly easy to set up without installing any software.”

    How can we check whether a VPN service is reliable?
    I have been using VPN Unlimited for a month, is that a good one?

    • Thomas says:

      You just need to seek out feedback from other users or unbiased reviews. I don’t know a lot about which VPNs are good and which aren’t – my only personal experiences have been with a university VPN and IPVanish – so I can’t comment on VPN Unlimited.

  • Ofelia says:

    The first is that anyone connected to the same public wifi network can “sniff your packets.” (No, that’s not something dirty, stop grinning like that!)
    For that you win. Also, the advice 😀

  • leftblank15 says:

    I have detected extraneous “hidden” Bluetooth devices on my Mac, and wonder if they are really turned-off when I turn the Bluetooth off.
    Sometimes weird networks appear in my Finder, when I press command-shift-K, but oft-times nothing is there.

    • Thomas says:

      That just means that there are other networks and Bluetooth devices in range of your Mac, and it’s detecting them and displaying them in case you want to connect to them.

      • leftblank15 says:

        Really — I run Bluetooth Reporter, with the Bluetooth turned “off”, and I STILL find other people’s networks (and it reports them as hidden devices) ?

  • Sacha says:

    Thanks for the info!
