We’ve all done it. You’re on the road, at an airport or hotel, and you need to go online. You connect your device to a public wi-fi network and access your flight details or check your inbox. Job done. It’s convenient and often free, but public wi-fi poses a serious security risk.

At play are two issues, says Matthew Warren, Professor of Cyber Security at Deakin University. One issue is encryption. “You don’t know if the information is necessarily encrypted, so you could actually be sending your information in plain text, which can be intercepted without your knowledge,” he says. 

The second issue is the risk of connecting to a bogus network set up by cyber criminals to appear as legitimate public wi-fi. While such networks “do act as wi-fi hubs, they’re also harvesting all of the data that’s being sent through it,” says Warren. This stolen data can be used in a variety of nefarious ways.

“You don’t know if the information is necessarily encrypted, so you could actually be sending your information in plain text, which can be intercepted without your knowledge,” – Matthew Warren, Professor of Cyber Security at Deakin University.

“Each attacker has different motivations,” he continues. “Is it that they want to try to steal information or financial data from you? Is it that they want to be an imposter and act as you in communications to try to gain information from another? Or is it that you’re simply part of a network of already compromised accounts that they have prepared to infect your system with botnets so you’d be part of a denial-of-service attack?”

The rise of mobile malware

One risk of using public wi-fi is having your device infected with malware, malicious software designed to inflict harm. Aside from ransomware, mobile malware is one of the fastest-growing cybersecurity threats in the world today. Android devices are particularly at risk.

“Apple smartphones tend to be very secure, because they exist within a closed environment. Apple owns the operating system and the app store, whereas Android is
a consortium, so no-one actually owns it,” says Warren.

“The problem with Android is that there are many ways you can get apps onto your smartphone or tablet, not just through Google Play.” Many senior managers who use Android devices to send corporate emails and view sensitive business information are unaware of the inherent security risks, says Warren.

While you can download anti-malware software onto your Android device, if it is already compromised then such security measures could be rendered ineffective, particularly by the presence of malware like a keylogger that records anything you type. 

Patch policy

The tools deployed by cyber criminals are always changing along with the development of new technology. One way to mitigate the cybersecurity risk an organisation faces is the introduction of ‘Patch Friday’, a company-wide policy requiring weekly updates
for operating systems.

The name comes from ‘Patch Tuesday’, Microsoft’s practice of releasing security updates, or patches, for its software products on a Tuesday. “Make sure apps are up to date, your operating systems are the latest configuration, and that Java and Flash are also the latest configurations,” says Warren. “Many organisations and many users don’t have automatic patches or patch systems in place, and this is where they get caught out.” 

In May 2017, the WannaCry ransomware attack infected 300,000 devices in 150 countries. Cyber criminals demanded US$300 paid in bitcoin to unlock computers. Although only a couple hundred people paid up – according to news reports the hackers made just US$60,000 – the attack caused chaos in the systems it hit, including the National Health Service in the UK and Spanish telco Telefónica. It was an avoidable catastrophe, however.

Microsoft had released a critical security patch in March after a hacker group alerted it to a weakness in its defences.  Less than two months later, another ransomware attack dubbed ‘GoldenEye’ disabled goverment and commercial operating systems globally. There was also a demand for US$300 in bitcoin, and it could have been avoided with a simple patch.

Fact File

Digital privacy checklist

  • Use a virtual private network (VPN)

  • When surfing the net use a secure web browser

  • Update systems regularly to counter the threat of new malware

  • Avoid using public wi-fi

  • If you use Android, install anti-malware software

  • Enable all available security features

  • Avoid using the same password for multiple accounts

  • When travelling, use a mobile broadband service