How safe is public WiFi?

An Internet security company has made public results of an experiment where users signed away their first-born child or favorite pet in return for free wireless Internet access.

The experiment was meant to highlight the dangers of surfing on public networks - for which the company just so happens to offer a security tool.

But clever marketing tricks aside, how safe is public WiFi, anyway?

DW has been asking experts why - after 15 years of use - public WiFi is still so insecure for users - and what's likely to happen in the future.

Poisoned hotspot

Sean Sullivan, a security advisor with F-Secure - the Internet security company that sponsored the experiment - describes how it went down.

"We built a hotspot using a mobile broadband modem, a hotspot, an eight-hour battery, and a Raspberry Pi [computer]," Sullivan says. "It was all strung together with rubber bands."

The researchers brought the cobbled-together hotspot into the city of London, and set up a freely accessible wireless network with the name of - appropriately enough - "free wi-fi."

Users were asked to check a set of terms and conditions, which included a so-called Herod clause: "in return for free wi-fi access the recipient agrees to assign their first-born child to us for the duration of eternity."

Six users agreed to the terms - although the company later pointed out, "it is contrary to public policy to sell children in return for free services, so the clause would not be enforceable in a court of law."

The experiment continued, without terms and conditions, with 250 users logging on, and 33 actively using the free WiFi.

Among the data harvested (though not saved, says F-Secure) was an email username and password in plain text - "That's the key to the kingdom," Sullivan says.

Insecure teenager

On September 9, 2014, WiFi officially turned 15 years old.

But how can it be so insecure, after a decade and a half of use?

"WiFi was never designed to cover a cityscape," says Sullivan.

It was designed, he says, for registers at the back of a department store to be able to communicate without drilling cable holes in the marble counters.

But what it has become is the standard for getting online in public.

Even officially sponsored networks are not much more secure, says Bernd Strehhuber, director of INKA, an organization that made widespread, free public WiFi a reality in Karlsruhe, Germany.

Public hotspots are by nature unsecured, Strehhuber says, to allow the user to log on. And it's very difficult to verify legitimacy of a hotspot provider, he adds.

"You just see the SSID [service set identifier - or network name] in the air, and you have to more or less trust that it is an access point belonging to the organization it claims to be," says Strehhuber.

F-Secure's Sean Sullivan says market forces have a lot to do with the lack of security features for WiFi.

"We're dealing with markets that have a saturated customer base, there is no 'frontier' and no new customers," Sullivan says.

"It's really a matter of companies trying to win customers from other companies - and that becomes a tough environment to innovate the solutions you might really like," he says.

Keeping it safe

Developers of the KA-WLAN public wireless network in Karlsruhe designed it to lock out unencrypted POP3 and IMAP ports, such as the ones that allowed F-Secure to access the email username and password in London, Strehhuber explains.

"But that's just a drop in the bucket," he says, as users share data on many ports.

And the onus, says Strehhuber, is on the user to insure the protection of his or her data.

They should make efforts to only check email on secure connections, such as on https and other encrypted channels.

But unfortunately barriers remain: "Encryption mechanisms are there - but they are complicated, cumbersome, and difficult to understand," says Strehhuber.

Installing a virtual private network (VPN) can provide a very high level of security for surfing on open networks. That's the idea that F-Secure hopes to promote with its experiment.

But Troels Oerting, head of the European Cybercrime Center, points out that the cost of a VPN can be an obstacle for users.

"I actually think that most mobile providers should give away VPNs for free," Oerting told DW.

This "public responsibility" could even be regulated through European Union legislation, says Oerting. Or providers like T-Mobile and Orange could bundle it in their services as a competition incentive.

Hacking public WiFi 'very possible'

As an alternative to WiFi, transferring data over mobile networks is relatively safe, say Sullivan - and this will likely become the future standard as 4G network coverage increases.

But until then, it's up to users to protect their data.

Strehhuber says user awareness could be raised through events, such as an upcoming Karlsuhe anti-Prism party.

It's a more transparent version of F-Secure's London experiment, where users can observe themselves getting actively sniffed during "live hacking" sessions, and learn how to protect themselves.

But despite the light air around such experiments, data security on WiFi networks is "not a joke," says Oerting. "Unfortunately, it's very possible [you'll] get hacked on public WiFi networks."