Dissertation:
Risks of Open Wi-Fi Networks

Prepared by:

2 February 2014

Contents

Risks of Open Wi-Fi Networks. 3

Introduction. 3

Aims and Objectives. 4

Literature Review.. 7

Scope and Constraints. 20

Research Methodology. 23

Findings: Implementation and Evaluation. 27

Survey Findings. 27

Qualitative Research Findings. 29

WEP Cracking Results. 31

Available Solutions. 32

Conclusion. 33

References. 34

 

 

Risks of Open Wi-Fi Networks

Introduction

Wireless networks offer several advantages such as ease of connection, convenience, and reduced cost. People can perform computing tasks on the move and are not restricted by a physical infrastructure. At the same time, the open Wi-Fi network poses some serious risks. Privacy and security are among the major concerns of the open Wi-Fi network. The open Wi-Fi network was developed to provide a wireless network for the transmission of data over radio waves. Unfortunately, the network is not secured which makes the data capable of being intercepted by hackers and other unauthorized persons. The wireless nature of the network means that the hacker does not have to be a part of the organization that provides the network or be connected to the network by physical infrastructure. However, better and more efficient security protocol are being developed to increase the security of data being shared over these networks.

Security arrangements are particularly needed in areas where open Wi-Fi hotspots have been created where users can automatically log into the open Wi-Fi network and transmit data. There is a need for users to develop safe habits for sharing data over the open Wi-Fi network and to ensure that they are completely logged off when not using the network. The main challenges that organizations and users face in terms of network security include privacy, confidentiality, data and system integrity, and the continued provision of service to the users.

The present study discusses the most important security risks associated with the open Wi-Fi network. It mainly explores the extent to which users are aware of these risks and what steps they take to prevent these risks from materializing. The findings of primary and secondary research are integrated to present an overall picture of the situation which is then used to identify the main strategies of minimizing the risks. The paper concludes with a specific recommendation to reduce the security risks of the open Wi-Fi networks.

Aims and Objectives

The broad aims and objectives of this research project are to determine the main security risks of open Wi-Fi networks and the extent to which users of open Wi-Fi networks are aware of those risks. The study aims to review the main threats and the common ways in which those threats are realized by hackers and attackers using various devices and software. On the basis of the findings, the study aims to determine remedies to make open Wi-Fi networks less vulnerable to the identified risks. It aims to recommend the best solution to the problem based on available research and survey findings.

Open Wi-Fi networks are susceptible to a number of risks because of inherent vulnerabilities in the system (Berghel and Uecker, 2005). Weaknesses in the system protocols as well as network devices may pose the system to some inherent risks. These threats can be quite severe considering large companies use open Wi-Fi networks to connect employees within and outside the office. The objective of the current study is to review the most common and severe security risks to which users of open Wi-Fi networks are exposed. Home users as well as corporate users share large volumes of data regularly over the network and hence, this objective will help to make their data more secure from hackers and other intruders with malicious intentions.

In addition to reviewing the main risks and threats to open Wi-Fi networks, this study is also interested in finding out whether users are aware of these risks. Hackers as well as those who stumble upon data shared over open Wi-Fi networks can be prevented from misusing the data if the users adopt safe usage behaviours. As long as users are aware of the most common risks, they can be encouraged to adopt safe practices and working habits to ensure that their data and systems are protected. However, if the users are blissfully ignorant about the threats to their data, it becomes important to educate them about those risks and the damage they can cause to their data. This study will aim to determine the level to which users of open Wi-Fi networks are aware of such risks.

In order to have a better understanding of the main security risks and how they are perpetrated, it would be necessary to understand the basic working and principles of open Wi-Fi networks. Some of the features of open Wi-Fi networks that make them extremely convenient can also be a source of weakness and security threats to the users. Research suggests that the main security risks of open Wi-Fi networks exist because of underlying weaknesses in the structure and protocols on which the network is based (Berghel and Uecker, 2005). Hence, for a better understanding of the security risks and how they are executed, this study aims to identify the main structural factors of the open Wi-Fi network. This objective will enable the study to identify specific weaknesses in the network that can be addressed to minimize the security risks.

Based on the findings of the literature review, independent research and survey results, the study aims to identify specific remedies which can improve the security of the open Wi-Fi networks. Factors such as negligence and lack of awareness among users, slack attitudes and misplaced priorities of the network developers and weaknesses in the legislative areas will be addressed to recommend the most effective and economical remedies to solve the problem for the long term (Jacob, Hutchinson, and Abawajy, 2011). The remedies that have been adopted and implemented in the past will also be discussed in the paper to explore their effectiveness and weaknesses to inform policy in future.

The remedies recommended in this paper will be aimed at helping network administrators to make the open Wi-Fi networks more secure. For instance, by identifying weaknesses and vulnerabilities in the protocol or in the devices used to build the network, the study aims to inform network administrators of the most sensitive areas of the network to enable them to take appropriate action to patch up those areas and make the network security apparatus more robust and effective. It is expected that the discussion of findings and the recommendations in this study will educate network designers and administrators so that they can adapt to better and more effective security measures.

Besides enabling network managers to make the open Wi-Fi networks more secure, the study also aims to make open Wi-Fi users more responsible and aware of the risks to which they are exposed. As people log in to open Wi-Fi networks while commuting or while having a cup of coffee in a cafe, they may not realize that hackers and intruders may be sitting close to them and can gain access to their computer and data stored on it quite easily. The study aims to identify some simple habits which open Wi-Fi users can adopt to minimize the chances of their systems getting hacked.

One of the biggest threats of open Wi-Fi networks is that the data being transmitted over them can be intercepted by hackers. The data can then be used to locate the identity of the system devices which can further lead to criminal and unethical activities that could endanger the safety and security of the user (Choi et al., 2008). The study aims to find ways in which the theft of data can be reduced. During the course of the study, the various devices and software that can offer protection against data theft will be discussed so that they may be adopted by home users.

The study also aims to identify and explain the main methods that hackers use to invade networks and gain access to sensitive data. A number of devices and programs exist on the market as well as online for free download. This study will outline the strategies and tactics commonly adopted by hackers to identify open Wi-Fi hotspots. It will further discuss the techniques by which the hackers are able to identify the weaknesses of the networks and how they are able to divert data from the intended destination to their devices. A discussion of these strategies is included in this paper to acquaint the users and network managers with the modus operandi of hackers so that they may take the security of their networks and data more seriously.

The study will identify some of the commonly used software that enable hackers to pose as genuine users and misuse the data generated by genuine users on the network. It will also describe the manner in which network hackers are able to convert their laptops into access points and gain access to confidential data. The risks posed by such practices will be identified so that readers can take more precautions and engage in responsible practices while using open Wi-Fi networks. It is intended that this information will make home users and corporate users more conscientious and less susceptible to the threats posed by the system.

Finally, the aim of this study is to make specific recommendations about the best solution to the problem of open Wi-Fi security. Based on the findings of the survey and the literature review, it is intended that the recommendations will realistically enable open Wi-Fi users to make their data more secure by adopting safe practices such as logging out of their systems after use and using VPN tunnels where they are available. Through these recommendations, it is expected that hackers will become less capable of gaining unauthorized access to data being transmitted over the open Wi-Fi network.

Literature Review

Despite the great functionality of public WiFi networks, many users are oblivious or negligent of the risks and the threats such networks pose. Other than the alleged health risks, the security risks can put the informational assets of the home user and the corporate user at risk. Berghel and Uecker (2005) identify the main reason for the extreme vulnerability of public WiFi networks in their paper on Wi-Fi connectivity and their attending risks. The root of the problem can be traced to the original 802.11 standard which created protocols with inherent system vulnerabilities. Other developments of the Wi-Fi networks such as the RC4 symmetric and the stream cipher algorithm also failed to take care of the security loopholes inherent in the public Wi-Fi systems.

More importantly, Berghel and Uecker (2005) state that the Wired Equivalent Privacy (WEP) in also an unsecured structure as it is not encrypted. This exposes to the Wi-Fi users to security risks such as replay attacks, checksum forging and message integrity check forging. In the case of replay attacks, the attacker can intercept data while it is being transmitted over the network and cause it to be delayed or retransmitted to a different destination. The weaknesses can be exploited by network attackers to sniff data being transmitted and gain access to sensitive data (Berghel and Uecker, 2005). Furthermore, the IV selection designed by the IEEE also failed to improve the security of the WEP to any great extent. Hence, users of WiFi networks are constantly exposed to their networks and their informational assets being accessed and misused by attackers.

Large numbers of people are connected to public WiFi networks and use them for official and personal reasons. A report published in Accountancy Ireland (2013) discusses the results of a survey carried out with 1001 office employees in the United Kingdom to determine their WiFi usage patterns. The study found that all the people being surveyed use open WiFi connections at least once a week while the average frequency of use of WiFi networks was 15 times a week. The most common places where users accessed WiFi networks included trains, buses and subways (Accountancy Ireland, 2013). It was a common practice among the survey respondents to use open or public WiFi networks to view information about their company or their personal data.

Common tasks that were performed on the open WiFi network included simple tasks such as sending and receiving work related or personal email. In addition, users also used the open WiFi networks to work on official documents on their laptops. They also frequently logged into their official company servers to access information from the corporate database. While many of those surveyed were ignorant of the seriousness of the risk to which their data was exposed, the survey showed that the practices commonly engaged in could lead to increased susceptibility of their data being intercepted by network attackers (Accountancy Ireland, 2013). Another common risk that users were not aware of was packet sniffing where high volume transmission of data over an open WiFi network can make it easier for hackers to track the source of the data (Accountancy Ireland, 2013).

Du and Zhang (2006) identify some other risks to which users of open WiFi networks are exposed. First among these is the risk of unauthorized use of service. This is an increased risk in open WiFi networks because there are neither physical barriers nor encryption settings to prevent attackers from hacking into the network and accessing sensitive data. Most users are ignorant about whether they need to install firewalls and intrusion detection tools to secure their data (Du and Zhang, 2006).

As a number of open WiFi networks do not change the default settings provided by the vendor, there is a high chance of the network overlapping with other networks. As a result, the data of an organization can be captured by a competitor or an individual who can misuse the data. These individual are frequently called war drivers and use special antennae and programs to identify vulnerable systems through their geographical location (Du and Zhang, 2006).

Another common attack on open WiFi networks is frame spoofing. In this kind of an attack, the attacker is able to spoof data packets that are sent over the open or unencrypted WiFi networks (Du and Zhang, 2006). By using the source and destination address on the packets, the attacker can impersonate as the genuine user of the network and assume the identity of the original user. In more serious forms of frame spoofing, the hijacker can pretend to be an access point (AP) and intercept and change the message being sent over the network. Such types of attacks are called man in the middle (MITM) attacks (Du and Zhang, 2006).

Hole et al. (2008) explain the distinction between security vulnerabilities and threats effectively in their work on wireless networks in university campuses. The term vulnerability is used to refer to the weaknesses and loopholes in the system which endanger the integrity and security of the data. Some of the common security risks of open WiFi networks on university campuses include illegal downloads and terminal to terminal attacks (Hole et al., 2010). Illegally downloading music or pornographic content can damage the reputation and integrity of the institutions. Hence, there is a need to educate students and other users of campus WiFi about the ethics of using an open network.

Secondly, in terminal to terminal attacks, attacking any user terminal on the network becomes easier because the attacker does not have to manipulate a wired infrastructure (Hole et al., 2008). Many networks lack the necessary firewalls and security systems which expose not just terminal connected to wireless networks but also those that are connected to the wired infrastructure. Another major security risk is the setting up of rogue access points (Hole et al., 2008). These rogue access points allow attackers to gain access to the university’s databases without authentic permission or access rights.

Staying within the scope of university networks, the attackers can gain access to restricted information through spoofing. They can also introduce false information such as fake lectures or research articles. Anonymous attacks also become more likely with reduced security settings on the open Wi-Fi networks. Furthermore, user and data privacy can be compromised easily because university students are not cautious enough about protecting their computer screens from prying eyes (Hole et al., 2008).

Hacking is a very common security risk associated with open Wi-Fi networks. Goyal and Goyal (2008) explain how hackers are able to exploit the weaknesses and vulnerabilities of open Wi-Fi networks using a Wi-Fi detectors. Goyal and Goyal (2008) explain that the Wi-Fi detector enables hackers to detect and locate Wi-Fi networks or hotspots. It is a simple device that is operated by batteries and can also be available in the form of a flash drive. Thanks to this feature, the device can be connected to a laptop to turn it into a hacking instrument.

With the help of the Wi-Fi detector, the network users may not be aware that while they are sending and receiving data over the network, their signals are being detected by the hacker. In addition, the device also informs the hacker about the type of encryption that is being used on the network. The wireless standards and the strength of the signal are also communicated to the hacker. Hackers can use this information to access data on the system and use it to their advantage.

Even if the signal strength is not sufficient to the detected by the WiFi detector, hackers can use the Yagi antennae also known as repeaters to increase the signal range so that it can be detected and analyzed easily (Goyal and Goyal, 2008). What makes the situation more complex is the fact that these devices enable the hacker to work smoothly without leaving any indication of his activity. This limits the effectiveness of any post-intrusion audit to identify the hacker.

Some of the risks of open WiFi networks have been identified with reference to home users. These risks have been discussed in a report by the Butler Group (2008) and serve to show that users are susceptible to invasion of their systems even when they are within the security of their home. These risks affect not only when users connect to the WiFi networks for personal computing but also when they perform official duties from their laptops or home PCs. The most common of these risks is the risk of piggybacking. This occurs when neighbours can connect to each other’s WiFi networks and use the bandwidth without having to pay anything. The situation is more serious for those who work from home or telecommute.

The Butler Group (2008) report presents the results of a survey which showed that 37% of the respondents would only consider jobs with remote working options. However, the report suggests that where organizations allow employees to work remotely or from their homes, they fail to implement safety policies and mechanisms to ensure the safety of corporate data. Such employees regularly exchange emails and files with the corporate office over the open WiFi network which is vulnerable to activities such as sniffing and redirection. Even though some offices offer VPN connectivity, may users do not use it and still prefer the convenience of open WiFI networks. However, they inadvertently trade in security for convenience. Hence, there is a need to educate open WiFi users about the main security risks and the steps that can be taken to protect against those risks.

Goldsborough (2012) identifies some of the basic risks of open WiFi networks that tend to be ignored by users. The most common risks associated with the use of the Internet are amplified when open WiFi networks devoid f any meaningful protection or security are used. As a result, transactions made over the Internet using such networks can put confidential information such as bank account details, credit card information and social security numbers accessible to hackers and other online miscreants. Rogue Wi-Fi networks are also important sources of security breaches because the users are unable to distinguish between genuine and rogue access points.

Another problem for users of open WiFi networks is that the WEP system makes the networks less secure than the later WPA and WPA-2 systems. This susceptibility makes it easier for hackers and other prowlers on the network to engage in traffic snooping. Goldsborough (2012) explains that wireless packet analyzers can be used by snoopers to detect data packets as they are being sent over the system. The risk of data spoofing and the use of detection software has also been discussed earlier in the studies of Goyal and Goyal (2008), Berghel and Uecker (2005), and Du and Zhang (2006). Goldsborough (2012) also discusses the problem of neighbour piggybacking which has been explained in the Butler Group (2008) report.

Other problems discussed by Goldsborough (2012) include WiFi pollution in case a large number of connections are being used in a densely populated area such as an apartment block. This kind of pollution can make data accessible to several users as the individual networks overlap and make accidental data transmission across networks likely. Hence, users must be aware of the security risks associated with open Wi-Fi networks so that they can take appropriate security precautions.

Schwarz (2005) also discusses the problem of poor encryption and authentication as the main factors which make open Wi-Fi networks challenging for users. Because data is transmitted unprotected in a public space there is little to deter hackers and sniffers from gaining access to the data. At the same time, some of the security breaches may be committed inadvertently because individual networks may overlap thus making data stored on one computing device accessible to other devices on a different network. The fact that it is a wireless network does little to alleviate the situation because the hackers have fewer obstacles and security checks to breach as compared to a wired network. Schwartz (2005) draws an interesting analogy between a public WiFi network and a magnifying glass by saying that a wireless networks greatly magnifies the security risks and vulnerabilities inherent in a network. Like much of the literature discussed earlier in this section, Schwartz (2005) also points to the risks of neighbour piggybacking and rogue access points in open WiFI networks.

Knowledge and awareness of the risks of open WiFi networks is essential because it helps users and network providers to put in place adequate security systems and to practice safe network usage. While explaining some of the safe practices to be used on the open WiFi networks, Andres (2010) explains some of the risks of using open WiFi networks. While many users may be unaware of the fact, Andres (2010) explains that even when users are just browsing the Internet and not sharing emails or downloading files from corporate databases, they remain exposed to invasion and other security breaches over the open WiFi network.

Again, the wireless packet analyzers are the most common instruments used by hackers and those who breach network security to gain access to computing devices. One way in which the attackers can breach the network is by stealing the session cookie and using it to log in to the user’s email account. In such a case, the hacker does not even need to use the password as the users do not log out of their sessions. Some users are of the misconception that paid Wi-Fi hotspots are more secure than free Wi-Fi hotspots. Andres (2010) explains that this is not the reality. In fact, a lot of paid hotspots lack the required encryption that can secure the network against intrusion and attacks. As a result, any data or files shared by users over the FTP network can be sniffed and intercepted by network attackers.

Echoing some of the concerns expressed by Berghel and Uecker (2005) and Schwartz (2005), Rosenblatt (2013) points to the risk of inherent network risks of open Wi-Fi networks. However, Rosenblatt (2013) goes beyond the network level risks and explains how the devices and equipment used to set up the network may be equally guilty of contributing to the security risks of using open WiFi networks. According to Rosenblatt (2013), many routers used in building open WiFi networks possess security holes which allow hackers and attackers to get through and access data stored on member devices. What raises the level of concern is that manufacturers are not making a serious effort at creating patches to repair the security holes.

Another reason for this delay is that the security holes are complex and it is not an easy matter to fix them. Rosenblatt (2013) makes an emphatic call to users and network administrators to have the routers updated regularly so that the window of opportunity available to hackers can be made as small as possible. Nonetheless, this explains that the rate of technology development and updation of network protocols and devices should be accelerated if security standards are to be protected. Rosenblatt’s (2013) work shows that unless a serious effort is made to resolve these problems, users and their data may continue to remain at an increased risk. Furthermore, Rosenblatt (2013) also exhorts network users to be more responsible in practicing safe habits when using open WiFi networks such as by logging out of their networks after use.

Dyrnes and Thorsheim (2005) point to some more security risks to which many WiFi users are oblivious. Some of the common terms used by the authors include war-driving and its many derivatives such as war-walking and war-cycling. The authors explain that these risks are difficult to identify because the perpetrators of these breaches pose as innocuous passers-by or people driving around with a computer (Dyrnes and Thorsheim, 2005). Using WiFi detection software, the attackers can easily identify devices connected to open WiFi networks by driving around the area or even while walking around with a mobile computing device to which the WiFi detector is connected.

In addition to the challenges of detecting such war-driving or war-walking activity, other reasons that increase the security risks for open WiFi users is the fact that the vulnerabilities in the open WiFi model are frankly quite complex (Dyrnes and Thorsheim, 2005). The problem is further compounded by the inevitability of system errors and bugs coming up from time to time as well as the fact that WEP does not offer adequate protection and is widely used (Dyrnes and Thorsheim, 2005). Some consolation is offered to home users of open WiFi networks in that the volume of messages transmitted by them over the network is not sufficient to enable hackers to detect the source and destination addresses in a short period of time. However, corporate users generate huge traffic daily and are easy targets. Denial of service attacks and forging of management packets are other risks posed by attackers. In addition, attackers can also create de-authentication packets and send them over the network.

Choi et al (2008) also explicate on some more risks to which open WiFi network users are commonly exposed. Accidental association and malicious association are two examples. Whereas in accidental association, users on different WiFi networks can gain access to each other’s data because of accidental overlapping of individual networks, malicious associations are more intentional. These are established when system crackers or hackers use their laptops to pose as access points. This creates a deception as a result of which data from the computing devices is channelled to the hacker’s laptop instead of the genuine access point. The hacker is then able to use sniffing software to identify the source and destination codes and engage in destructive activities.

Another term commonly used for such fake access points is ‘soft access points or APs.’ Software for converting an ordinary laptop into a soft AP are easily available and work by making the wireless network card of the laptop function as an access point. There is a lot of damage that can be potentially done once the hacker is able to access data stored on network computers. Obtaining passwords, account details and other sensitive or confidential information becomes fairly easy. Moreover, the hacker can also initiate attacks on the network and destroy or corrupt data stored on the systems. Choi et al. (2008) also point to the risk posed by ad-hoc networks which are not linked by access points. Sniffing attacks can facilitate identity theft as well as MITM attacks causing a lot of damage to the system.

Hackers have become increasingly sophisticated and are using highly developed tools to infiltrate open WiFi networks. Ijeh et al. (2010) discuss some of these risks while underlining the need for administrators and users to be more vigilant about the security of their networks. Ijeh et al. (2010) discuss the vulnerabilities, threats and countermeasures to make wireless networks more secure and resistant to attacks. They cite key recovery attacks as one of the most common ways to break into the WEP system and gain access to data.

One of the major weaknesses of the WEP protocol is that it is impossible to exchange encryption keys without exposing the network to a security breach. Breaking the WEP key is extremely easy and attackers can do so quite efficiently. Confidentiality of data, data integrity and security are all compromised because of the weaknesses of the WEP protocol. Hackers and system infiltrators are also known to use interface identifiers. These tools enable hackers to trace the identities of message senders and receivers over time. Ijeh et a. (2010) suggest that security awareness and management (SAM) systems should be enhanced and a security policy should be framed and shared with all employees. At the same time, there should be processes through which security breaches are reported timely so that appropriate action can be taken and data security can be ensured. Other common threats such as viruses and malware infecting networks are also found in open WiFi networks. However, these risks can be overcome through better encryption and protection of network resources.

For a fuller explanation of war driving, we can turn to Jacob, Hutchinson, and Abawajy (2011) who explain war driving and the risks it causes to the security of open WiFi systems. The technique through which attackers exploit the weaknesses of the open WiFi system involved the use of special devices and programs to chalk out the locations of wireless access points in a certain locality. What is upsetting is that many attackers perceive war driving as a harmless, fun activity which undermines the seriousness of the threat it poses.

Another challenge is the legal status of war driving which is not considered as a crime and steps to control war driving are impeded by the ambiguous legal position of the activity. This occurs because legitimate uses of war driving also exist such as reconnaissance activities and penetration tests. What differentiates legitimate and illegitimate activities is what the information obtained through them is used for. Therefore, protecting a network against war driving could also end up preventing relatively useful applications of war driving. Therefore, open WiFi users should be aware of the threat of malicious war driving which could result in corporate data falling into the hands of unauthorized persons and being used for unethical or criminal purposes. Efforts to reduce risks posed by war driving are further hampered by the poor research that has been conducted on the issue. Jacob, Hutchinson, and Abawajy (2011) stress the need for more extensive research on war driving and finding other ways of obtaining the same data.

Parte and Pandya (2012) reflect many of the concerns shared by other scholars included in this discussion. They categorize the major risks of open WiFi networks into two categories—active attacks and passive attacks. Active attacks include risks such as Denial of Service attacks, malicious association, spoofing, accidental association and replay attacks. The common characteristic of the active attacks is that they offer the hacker the opportunity to damage the data stored on the system. In passive attacks, on the other hand, the hacker can eavesdrop on the information being transmitted but does not enjoy the ability to affect or distort data in any way.

One of the most common active attacks is the denial of service attack. To launch this attack, the hacker gains access to the network via a vulnerable access point and floods the bandwidth with a large volume of meaningless data such as server requests. As a result, the network becomes jammed and genuine requests from legitimate users cannot be fulfilled. Another common active attack is spoofing. Here, the intruder manages the setting of his laptop or wireless device so that it appears to be a genuine access point. Through this device, the intruder is then able to access data being transmitted on the network.

Parte and Pandya (2012) have included two types of network attacks under the category of passive attacks. In the first type of passive attack, the intruder is able to collect data being transmitted over the open WiFi network. What makes this type of attack passive is that the intruder does not obstruct the exchange of data which allows this intrusion to go undetected. In the second type of passive attack, the intruder gains access to a WiFi network by manipulating a security hole. This point has also been made by Rosenblatt (2013).

Some more security risks associated with open WiFi networks have been put forward by Urbas and Krone (2006). In their study of mobile and wireless technologies, Urbas and Krone (2006) identify intrusion, leeching and message modification as some of the likely risks of using open WiFi networks. In the absence of passwords, encryption and other methods of restricting access, intrusion becomes a common activity and could also result in information theft and unauthorized use of network bandwidth. This latter risk has been termed by Urbas and Krone (2006) as leeching where genuine registered users have to suffer because the bandwidth is regularly consumed by unauthorized users. Such intrusion can also open channels for the intruders to engage in unethical and criminal activities such as pornography and carrying out denial of service attacks.

Once they have gained access to the network, the intruders can modify the messages being shared over the network by deleting or altering their content. In some cases, the intruders can also launch dictionary attacks and replay attacks.

Scope and Constraints

This section describes the scope of this paper along with the constraints that were experienced and which limited the scope of this study. This paper addresses the main security risks of open Wi-Fi networks and the best solution to address those risks. Security risks are not the only type of risk associated with open Wi-Fi networks. There are a number of alleged health risks and other types of risks attributed to open Wi-Fi networks that are being researched. However, this study is focused on the security risks that endanger the safety and integrity of the data stored on the systems connected to the network.

This study covers both home users as well as corporate users. Home users include those people who use open Wi-Fi networks to perform personal tasks such as emailing to friends and family and browsing the Internet. They generate less traffic than corporate users but are often affected by hacking and other security breaches on open Wi-Fi networks. Home users are also less likely to have effective firewalls and other security measures to protect their systems. The most critical activity performed by home users of open Wi-Fi networks that exposes them to security risks is online banking. When users exchange information such as their bank account number, social security number or password while conducting online banking, the data can fall into the hands of hackers and data sniffers. The potential for misuse and criminal activity is immense. Online shopping also poses an equally serious security risk. During online shopping, home users share credit card information as well as personal details which can be intercepted by hackers and misused in a similar way. Therefore, this study covers the risks to which home users are exposed and identifies ways in which they can be protected against those risks.

This paper also addresses the concerns of corporate users of open Wi-Fi networks. Compared to home users, corporate users are at greater risk because the volume of online traffic they generate is considerable and much larger than that produced by home users. Despite the presence of firewalls and other security arrangements, corporate users are also victims of corporate snooping and hacking. This adversely affects their competitiveness and makes the organization increasingly vulnerable to external attacks. In addition, the finances and proprietary knowledge that they possess invites more sophisticated and avaricious hackers than home users. Therefore, the scope of this paper includes coverage of the risks to which corporate users of open Wi-Fi networks may be wittingly or unwittingly exposed. As a result, their data may fall into the hands of corporate spies or business rivals with the potential of damaging their business interests.

The solutions recommended in this report are also based on the secondary research about the devices and security patches being developed by network developers. Safe work practices and precautionary steps are also included so that users are also equipped with strategies and techniques to safeguard their sensitive and personal data.

One of the major constraints for this study was time. The shortage of time limited the scope of the study, in particular the survey as a large number of responses could not be collected. Generally, in a survey respondents are likely to give meaningful answers when they are given sufficient time. Because of time constraints the desired results could not be achieved and the response rate for the survey was below the expected and desired level. It is therefore suggested that at least a week should be provided to survey respondents which should include weekends so that they have enough time to complete and return the survey.

A second constraint was the availability of resources. As the study is based on a mixed approach comprising of both qualitative and quantitative aspects as well as primary and secondary sources, there were many challenges faced to balance the objectives. The primary research was restricted by the number of respondents who were available online. Secondly, the secondary research was also limited to journals and databases that could be accessed from the Internet. Hence, the scope of this study is limited to the study of information available online while print sources have not been used to inform this research.

The information about the methods and techniques employed by hackers to gain access to data shared on open Wi-Fi networks is entirely derived from secondary sources. The quality of the study could have been enhanced if first-hand information about hacking techniques and practices could have been obtained from the hackers directly. It was not possible to locate hackers and include them in the survey for primary data. As a result, the information in this area is restricted to what has been reported in the published research. It is suggested that future research on this topic should include input from hackers where possible.

A further limitation of this study is that the remedies recommended may last only as long as hackers are able to come up with alternatives. Hackers are extremely intelligent people and are able to find loopholes in security systems faster than network managers are able to detect and repair them. Therefore, the recommendations of this study will be limited in the time period over which they can be applied and remain effective. However, the solutions have been recommended on the basis of the most recent information available about the areas they address and the degree of protection they can provide. It is extremely important that research in this field take place continuously so that risks can be anticipated and averted before they become materialized.

Research Methodology

The study will make use of both primary and secondary data collected through various resources. Both types of data have their unique advantages and provide useful insights into the topic being studied. At the same time, they also pose some challenges in their collection and interpretation which requires a cost-benefit analysis about which type of data to go for. Primary data offers the advantage of being the most recent or current data about the topic. Methods of collecting primary data include conducting interviews, observational studies, focus groups, surveys and so on. The data collected through these methods is first-hand data and reflects the most current behaviours. However, it is costly and time-consuming to collect.

On the other hand, secondary data is data that has been published in other sources and is used for the current study. Secondary data offers the advantage that more of it can be collected within a certain time period. Furthermore, less effort is required to plan and organize the data collection effort. However, the researcher needs to ensure that the sources used for collecting secondary data are reliable and credible. The present study will use both primary and secondary data. The primary data will be used to ascertain the level of awareness among users about the security risks of open Wi-Fi networks whereas the secondary data will be used to review the common security risks and the best solutions available to minimize those risks.

Another important decision area in research methodology is the choice of the qualitative or quantitative approach. Each approach has its own advantages and disadvantages which depend on the nature of the topic and the resources available to collect and interpret data. The quantitative approach is used when the data to be collected is in numerical form and can be analyzed using quantitative methods of analysis. Regression, correlation and central tendency measures are often used to determine the relationship between different variables in a particular situation. Quantitative approaches are also used when the data collected is of a historical nature and there is a need to explore trends and changes in the data over time. This approach has utility in the present study which will be discussed later in this section. On the other hand, qualitative approaches are used when the data to be collected and interpreted is not capable of being quantified. Furthermore, the qualitative approach is used when it is necessary to identify common patterns and gain insight into underlying themes and structures.

The present study employs a mixed approach by using both the quantitative and qualitative approaches for the study. The quantitative approach is used to analyze and interpret the results of the survey that was carried out with users of open Wi-Fi networks in order to assess their awareness about the possible security risks. As the survey questionnaire was designed to make the responses capable of being analyzed through quantitative means, the quantitative approach is used to interpret the survey data. On the other hand, the qualitative approach is used to learn about the major problems and risks associated with the use of open Wi-Fi networks. The journals articles and research papers that are selected for this study have been analyzed using the qualitative approach to identify common factors and issues in relation to the research topic. In this way, the various aspects of the quantitative and qualitative approaches have been integrated in the present study to interpret the diverse data and arrive at an enriched understanding of the research problem. It is expected that the selected approach will enable the readers to gain a balanced and comprehensive perspective of the risks of open Wi-Fi networks.

A survey comprising of 15 questions was developed to be administered to selected users of open Wi-Fi networks. The survey mainly consisted of closed questions to make it easier for the questionnaires to be filled in and submitted in less time by the respondents. Twenty respondents were sent the questionnaires. The respondents were selected from the users at two well-known open Wi-Fi hotspots in the city. The consent of the respondents was sought after explaining the purpose and scope of the research to them. The questionnaire was emailed to the selected respondents who had given their consent. The respondents were requested to complete and send the questionnaire back to the researcher within a week. At the end of the period, only twelve completed questionnaires were returned which indicates a response rate of 60% which is not very encouraging given the small size of the survey sample. The results of the questionnaire are analyzed and presented in the subsequent section of this dissertation.

The quantitative data was analyzed using common methods of quantitative analysis. Measures of central tendency were used to determine the most representative and average responses to the questions. This method enabled the researcher to identify the dominant awareness levels among the sample. Because of the limited size of the sample and the low response rate, the results of the quantitative analysis could not be generalized to the entire population.

For the qualitative analysis, secondary sources were the main source of information. All of the sources were online resources mainly because of the paucity of time and restricted availability of print resources. It was attempted to make the best use of open source journals and databases in order to obtain relevant and contemporary insights about the security risks of open Wi-Fi networks. EBSCO was the main journal database that was used for this research and many journal articles quoted in the research review were obtained from this database. Similarly, a large number of journal articles were obtained from online searches that yielded productive results. The International Journal of Multimedia and Ubiquitous Engineering and the ISACA journal are some of the research journals that were used for the qualitative analysis. In addition, industry publications such as InfoWorld and a report published by the Australian Security and Intelligence Conference were also used to inform the research on this topic. Publications by the IEEE—the dominant research organization in electronic engineering—and PC World—a general trade publication also provided meaningful information about major threats and the solutions available for dealing with them.

Thematic analysis was the technique adopted for the analysis of the qualitative data. Thematic analysis enables the researcher to identify common factors and underlying themes in the information obtained by the qualitative approach. The approach can be used to interpret survey response data as well as the review of literature. In response to the major research questions, the answers or main findings are tabulated and then common factors or elements in the responses and information are identified. The information is categorized into relevant and appropriate segments such as age, usage, and so on. Thematic analysis in this study was used to find out the usage patterns of the users of open Wi-Fi networks and what type of security risks they are aware of. The method was also used to analyse the findings from the literature review in order to highlight the most common security risks and the most favoured solutions to those risks. The results of the thematic analysis are presented and interpreted in the following section of this dissertation.

Findings: Implementation and Evaluation

Survey Findings

Demographic Composition

The results of the survey instrument showed that most of the users of open Wi-Fi networks in the sample were men. Only 33 percent of the survey respondents were women, which shows that the use of open Wi-Fi is dominated by the male segment of the population. The survey findings also showed that the median age of the users was 35 years. The maximum age of the respondents was 40 years which shows that the population using open Wi-Fi networks tend to be young males compared to any other demographic segment. Almost all the respondents were residents of suburban areas and commuted to work or to university. This shows that the main purpose of being connected to open Wi-Fi networks was to maintain communication links with the place of work or place of education. These findings will be helpful in assessing the impact of high or low level of awareness about the security risks associated with these networks. It can then help to develop effective measures to ensure greater security.

Behavioural Composition

This section identifies the major usage patterns of the users of open Wi-Fi networks who responded to the survey. Around 60% of the respondents said that they used open Wi-Fi networks to perform work-related tasks. This included working on official projects outside the office either at the client’s office or in a restaurant or cafe. Almost all the respondents said that they used open Wi-Fi networks for browsing the Web for interesting information, news and financial information. The same segment also said that they used open Wi-Fi networks commonly for conducting online banking transactions and for online shopping. Open Wi-Fi networks were also used to keep in touch with friends and family through social networks. Around 35% of the respondents used a smartphone as the main device for accessing the open Wi-Fi network. The percentage of users who used their laptops for the same purpose included 65%. This shows that the laptop is the most common device used to connect to open Wi-Fi systems while a lot of work-related tasks are performed. The open Wi-Fi network is also widely used for personal use of the Internet.

Awareness of Risks

In general, the respondents showed a very basic awareness of the security risks associated with open Wi-Fi networks. This is a discouraging fact given that many of the users are professionals who use the networks most of the time as part of their job. Most of the respondents were aware of the risks of hacking but did not know that hacking became easier with open Wi-Fi networks. Almost none of the respondents knew that open Wi-Fi networks offered hardly any protection as they were not encrypted. The respondents were aware of privacy issues and that sensitive information such as credit card or social security numbers could be accessed by hackers. However, they did not show much concern about their data being intercepted by the people seated around them. All of this indicates a very low level of awareness which puts the users at a great risk of having their data security compromised. There is a need for educating the users about the major risks of open Wi-Fi networks, most importantly the fact that it alone does not offer any significant protection.

Awareness of Hacking Methods

Keeping in line with the findings of the previous section, the survey respondents demonstrated a very limited level of awareness about the hacking methods by which the security of their network is compromised. Only two of the respondents knew about messages being intercepted by hackers who used their laptops to function as an access point. Around half of the respondents stated their understanding that paid Wi-Fi also did not protect them against the risk of their data being intercepted. Again, half of the users had experienced denial of service attacks and man in the middle attacks and were able to attribute them to poor security settings of the network. Despite this understanding, only 10 percent of the respondents were aware of the term spoofing. The respondents had also not heard about the terms war driving or war walking but some of the respondents knew about the likelihood of neighbour piggybacking. These results indicate a poor level of understanding about the security risks and hacking methods used by intruders among the population.

Awareness of Protective Measures

The respondents displayed a low level of awareness about the distinction between WEP and WPA. They did not know that they should avoid Wi-Fi hotspots that use the broken WEP protocol as opposed to the safer and relatively more secure WPA protocol. One respondent who was the network administrator at his company knew that Wi-Fi protected access offered greater protection but said that his company had not communicated this to all employees. This may be one reason why there is a low level of knowledge among the users about the security risks.

It was a general habit among the users to use the same password for different websites. They were not aware of the risk that a hacker who cracked open their account on a particular website could use the password to hack multiple accounts and misuse the data. This points to a general level of negligence in the sample. Similarly, the users were generally unaware about the importance of using an encryption key or a password to make the network secure against hackers. The users were also ignorant about assigning separate IP addresses to their devices or using router filters to protect their data.

Qualitative Research Findings

Most Common Security Risks

The thematic analysis of the research shows that the most common security risk of open Wi-Fi networks is hacking which has been cited by most of the researchers. The most common vulnerability of the open Wi-Fi network is associated with the WEP protocol which has not yet been replaced by all open Wi-Fi providers and continues to expose users to security risks such as hacking. Another prominent security risk is spoofing where the data transmitted over the network is intercepted by the hacker who poses as a genuine access point. The data is then analyzed to determine source and destination addresses. This gives the hacker ample opportunity to pose as a genuine user and misuse the data as he wishes. Other risks that have been identified in the research include malpractices such as denial of service attacks, man in the middle attacks, and war driving. These are the main risks that should be addressed and resolved.

Most Common Invasion Methods

The thematic analysis of the research shows that spoofing is one of the most common methods used to invade the network and attack system devices. In spoofing, the attacker gains access to the open Wi-Fi network by posing as a genuine user. He is then able to sniff data packets using a number of easily accessible software. All of this happens without the user’s knowledge. The hacker gains access to the user’s sensitive data and uses it to commit frauds and crimes. Other attacks such as man in the middle attacks are committed by the hijacker who sets up his device as a genuine access point and goes beyond simply sniffing the data. In fact, the hacker alters or changes the data to cause mischief and consternation to the user. In a denial of service attack, the hijacker blocks the bandwidth by generating multiple requests to the server which blocks the service for the genuine user.

Software Used for Hacking

The security risks posed by hackers are very serious, especially because a number of software tools are available online that help hackers to find out the passwords of open Wi-Fi networks. One such example is Wireless Hack V2.1 (Download Hack, 2013). The software can be downloaded for free by any hacker. The hacker can easily access the website and click on the Download button to start the download process. Once the software has been installed on the laptop, the hacker has to insert the SSD code for the network and press the Get Password button. The password can be generated in no time at all.

Another valuable resource for network hackers is Kali Linux which offers a wealth of hacking tools for no cost at all. In addition, the popular video sharing website YouTube has innumerable tutorials on how to hack networks and individual systems. Among the tools popularly used for exploiting the weaknesses of the WEP protocol, Aircrack-ng is an entire suite of tools that help hackers to crack the WEP and even the more modern WPA-PSK protocols. This software suite further enables hackers to intercept data packets and is therefore widely used by those who engage in spoofing.

A tool used to send de-authentication packets is Airjack. Aptly named because of its role in hijacking the airwaves of open Wi-Fi networks, this suite facilitates hackers in launching denial of service and man in the middle attacks. In order to further facilitate spoofers, the AirSnort package enables hackers to find out the encryption key for a system after passively gathering information from a large number of data packets. Cain and Able is another software tool that is adept at intercepting data packets being sent over the open Wi-Fi network. CommView for Wi-Fi is another software tool that is quite convenient and effective for professional hackers. The features provided in this package enable hackers to capture and analyze data packets as they are being transmitted over the network. The hacker simply uses a wireless adapter to set up as an access point and use the channel to capture and analyze the data packets intercepted by it.

WEP Cracking Results

In order to find out how easy it is to crack a WEP protocol and gain access to an open Wi-Fi network, I decided to undertake such an activity on my own for the sake of research. I used my laptop to enter a cafe in the business district where a number of people were using the open Wi-Fi. I bought a cup of coffee and got the Wi-Fi password from the staff. After logging on to the system, I activated the spoofing software and my laptop began to receive data packets from the computers around me. There was a clear lack of meaningful security which showed that computers connected to the open Wi-Fi are extremely vulnerable and it takes almost no effort to hack into a system.

Available Solutions

There are several solutions available to offer protection to the open Wi-Fi network. Security software such as network firewalls and antivirus software should be installed and updated regularly in order to prevent intrusions and malicious files from being placed on the computers. A virtual private network (VPN) is an effective alternative to connect to the Internet when sensitive or confidential data has o be transmitted. Users can opt to start secure email sessions as opposed to a public network. This prevents data to be stored in the cache memory of public computers such as those at airport terminals. Bank transactions and other sensitive transactions should not be conducted by open Wi-Fi networks and should be deferred until the user can get access to a secure network. If the Wi-Fi network is being accessed by a telephone device, the user should always log off when the network is not required to be used.

The best solution of the above is to employ a VPN network whenever it becomes necessary to use the Internet. This is possible in collaboration with the organization and is ideal for work-related tasks. VPN or virtual private network offers a secured wireless network connection. The common way for most home users is to install a VPN shield which encrypts the data being transmitted in such a way that it is only transmitted over a secured network. This makes it difficult for hackers or spammers to gain access to the data by spoofing or other similar methods. It is functional wherever open Wi-Fi networks are available and ensures security of data to a great extent. It also offers protection against malware and blocks the browsing history from being viewed by others.

Conclusion

The research shows that users generally possess a very low level of awareness about the risks of open Wi-Fi systems despite being heavy users of those networks. This raises an important concern about the extent to which data shared and transmitted over these networks is safe and secured. Open Wi-Fi hotspots are ubiquitous and are commonly used by people. This exposes their data to the risk of being intercepted, hacked and subsequently misused for criminal or unethical activities. Both home users and corporate users should be concerned over this trend. Hacking, spoofing, denial of service attacks are some of the most common attacks. They have also become easier because of the availability of hacking and spoofing programs online. As a result, there is an urgent need to develop effective solutions that can minimize the risks posed by the weaknesses of the open Wi-Fi networks. The main weakness is the antiquated and unencrypted WEP protocol which continues to be used in open Wi-Fi hotspots today. A number of solutions have been developed to increase the security of these networks such as network firewalls and antivirus packages. Of these, the most effective, convenient and meaningful solution is the virtual private network (VPN) which enables users to enjoy the benefits of open Wi-Fi networks without compromising on the security of their systems.

 

 

 

 

Works Cited

Accountancy Ireland, 2013. Commuters putting company data at risk on public Wi-Fi. Accountancy Ireland, [online] 45(5), p. 88-94. Available at: EBSCO Search [Accessed 26 January 2014].

Andrés, S., 2010. How to stay safe on public Wi-Fi. PC World, [online], 28(7). Available at: EBSCO Search [Accessed 26 January 2014].

Anthony C. Ijeh, A. C., Brimicombe, A. J., Preston, D. S., and Imafidon, C. O., 2010. Security measures in wired and wireless networks. [online]. Available at: http://www.bcs.org/upload/pdf/ewic_iict09_s4paper2.pdf [Accessed 26 January 2014].

Berghel, H., and Uecker, J., 2005. WiFi attack vectors. Communications of the OCM, [online] Available at: EBSCO Search [Accessed 26 January 2014].

Butler Group, 2008. WiFi Security: GetSafeOnline warns of ‘piggybacking’ dangers. [online] Available at: EBSCO Search [Accessed 26 January 2014].

Choi, M. K., Robles, R. J., Hong, C. H., and Kim, T. H., 2008. Wireless network security: Vulnerabilities, threats and countermeasures. International Journal of Multimedia and Ubiquitous Engineering, [online], 3(3). Available at: http://www.sersc.org/journals/IJMUE/vol3_no3_2008/8.pdf [Accessed 26 January 2014].

Du, H., and Zhang, C., 2006. Risks and control of Wi-Fi network systems. ISACA Journal, [online] Available at: http://www.isaca.org/Journal/Past-Issues/2006/Volume-4/Pages/Risks-and-Risk-Control-of-Wi-Fi-Network-Systems1.aspx [Accessed 26 January 2014].

Goldsborough, R., 2012. The highs and lows of WiFi. Teacher Librarian, [online], 39(3). Available at: EBSCO Search [Accessed 26 January 2014].

Goyal, R. M., and Goyal, A., 2008. Securing Wi-Fi Network. [online] Available at: http://infosecawareness.in/downloads/handbooks/wifi-security-ebook.pdf [Accessed 26 January 2014].

Hole, K. J., Dyrnes, E., and Thorsheim, P., 2005. Securing Wi-Fi networks. [online]. Available at: http://www.nowires.org/Papers-PDF/WiFiSec.pdf [Accessed 26 January 2014].

Hole,K. J., Netland, L. H., Klingsheim, A. N., Helleseth, H., and Henriksen, J. B., 2008. Open wireless networks on university campuses. IEEE Security and Privacy, [online] Available at: http://www.nowires.org/Papers-PDF/OpenNets.pdf [Accessed 26 January 2014].

Jacob, L., Hutchinson, D., and Abawajy, J., 2011. Wi-Fi security: wireless with confidence. [online]. Available at: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1018&context=asi [Accessed 26 January 2014].

Parte, S., and Pandya, S., 2012. A Comprehensive Study of Wi-Fi Security – Challenges and solutions. International Journal of Scientific & Engineering Research, [online]. 3(8). Available at: http://www.ijser.org/researchpaper%5CA-Comprehensive-Study-of-WiFi-Security-Challenges-and-solutions.pdf [Accessed 26 January 2014].

Rosenblatt, S., 2013. Wi-Fi routers: More security risks than ever. [online]. Available at: http://news.cnet.com/8301-1009_3-57596851-83/wi-fi-routers-more-security-risks-than-ever/ [Accessed 26 January 2014].

Schwartz, E., 2005. Wi-Fi security wakes up to reality. InfoWorld, [online], 27(20). Available at: EBSCO Search [Accessed 26 January 2014].

Urbas, G., and Krone, T., 2006. Mobile and wireless technologies: Security and risk factors. Trends & Issues in Crime and Criminal Justice, [online]. 329. Available at: http://www.aic.gov.au/documents/E/9/9/%7BE99293FF-9E0F-4522-8E54-0598720C45B2%7Dtandi329.pdf [Accessed 26 January 2014].