Caveats for VPN users in public Wi-Fi hotspot networks
Using non-secured public Wi-Fi hotspots can leave you vulnerable to identity theft, data theft, snooping, impersonation and malware infection. That's why so many people rely on public virtual private network services, but VPNs are no panacea. Here are five potential gotchas.
1. Vulnerability to Wi-Fi based attacks: Since VPN services can be enabled only after a user is connected to public Wi-Fi and allowed to access the Internet, there is a sufficient window for the hackers to attack public Wi-Fi users. Also, VPN services do not provide protection against Layer 2 attacks, such as ARP poisoning, which can cause denial of service (DoS) for the attacked user, potentially preventing them from connecting to his/her VPN. The prevention can further be exploited by a motivated attacker to force users to disable the use of VPN altogether, leaving users vulnerable to other breaches.
2. Vulnerability to VPN-based attacks: VPN services, although intended to secure all communications, are found to have protocol and implementation level vulnerability. For instance, certain SSL-based VPN services are prone to man-in-the-middle attacks, which can be easily set up by a hacker on a public Wi-Fi network using readily available software and equipment. Also, with the MS-CHAPv2 exploit, demonstrated at the recent DefCon 20 conference, the insecurity of VPN services based on PPTP using MS-CHAPv2 was exposed to the extent that freely available tools and cracking sites are available to crack such services. Since, most VPN service providers use PPTP, the security of hotspot users relying on their services is questionable.
3. Additional cost: Although certain free VPN services are available for public Wi-Fi users, these may not offer expected Internet reliability/quality and often impose time and/or bandwidth limitations. Hence, for quality and reliability, users need to subscribe to paid VPN services, with the costs varying by vendor and the quality and support available. The cost and periodic renewals can be a potential burden for users.
4. Hindrance to online experience: With VPN services all online traffic originating or targeted at a user's mobile device is sent thru the VPN tunnel to a central VPN server, the other endpoint of the tunnel. Therefore, the VPN server acts as a proxy for serving all Internet applications, including browsing, online media, email and chats, etc. But the overhead can cause significant latency and jitter, hampering the online experience. This can be annoying at times, forcing users to access public Wi-Fi without the VPN thereby risking security breaches.
6. Configuration and operational issues: Some VPN technologies available today require special settings/capabilities (like opening of certain ports, firewall tweaks, VPN pass-through, etc.) to work properly for hotspot users. However, such special settings/capabilities can differ from hotspot to hotspot, rendering the VPN service useless at certain spots. Also, when users are at home or in the office, they do not require full-fledged public VPN services, meaning they need to manually start or stop the service according to their location. That means they may forget to turn the VPN back on when accessing a public Wi-Fi service, making them susceptible to a host of attacks. Further, since the support of some VPN technologies is limited to certain operating system only, users opting for a public VPN service need to ensure that the service is suitable to all mobile devices they would use in public Wi-Fi hotspots.
While use of a VPN service increases your privacy and provides data protection, it is something of an inconvenience and adds cost and complexity, which ironically defeats the convenience, ease and cost-effectiveness of public Wi-Fi hotspots.
Sohail Ahmad is a researcher, developer and security expert with eight years of experience in wireless, particularly Wi-Fi domain. During these years, he researched Wi-Fi vulnerabilities, contributed to open source Wi-Fi driver development project, released security tools and published various research papers in ACM and IEEE conferences such as WiSec and Comsware. He hold a master's degree in computer science from Indian Institute of Technology Roorkee (IITR), India.
Read more about anti-malware in Network World's Anti-malware section.