DOWNTOWN SAN JOSE resident Luke Allen does not have unlimited data on his smartphone, and his internet connection is limited.

For Allen, as for many other downtown residents and occasional visitors, the city offers a service to address the problem: a free high-speed public Wi-Fi connection. Allen can connect to the public network to browse the web for free.

But not all that glitters is gold.

Experts say public connections expose users to serious cybersecurity risks — hacking attacks, malware and theft of personal sensitive information. 

Even if users avoid accessing sensitive sites while on an unsecured public network, their personal information is vulnerable. A determined hacker can gain entry to a device and then move around its contents at will.

“Accessing a public Wi-Fi often exposes the user,” said Fabio Di Troia, assistant professor in computer science and cybersecurity at San Jose State University (SJSU). “With public connections, the probabilities of facing device infections are higher.”

According to the data company Statista, the number of public Wi-Fi hotspots globally increased from 94 million in 2016 to 549 million in 2022. 

San Jose, in line with this trend, developed its own public Wi-Fi project capable of providing internet access to residents, visitors and small businesses. 

In October 2021 and in collaboration with Facebook and Cambium Networks, San Jose launched a high-speed public Wi-Fi covering strategic corridors of the downtown area.

“When COVID started two years ago, the emergency response team from the Digital Inclusion program worked to address the needs of low-income families and students who cannot access the internet,” said Sudheer Vangati, former manager for the public Wi-Fi project and now manager for San Jose’s Cybersecurity and Business Solutions projects.

Vangati said people who, before the pandemic, were used to accessing the internet from community centers and libraries, needed to have the same opportunity even if those spaces were closed or not accessible. 

Public and unsecured

The new service proved to be exceptionally popular. Vangati said that the city of San Jose recorded over a million sessions between Jan. 1 and March 22 of this year. Public connection has been provided to thousands of users.

However, the San Jose downtown high-speed public Wi-Fi, as with many other public networks, does not require any kind of identification. 

Although users are free to join the network and connect to the internet, the absence of security procedures exposes them to risks.

“It is a fact that public networks are generally unsecure for the users,” said Di Troia. “Hacking attacks on public networks are easier because the user’s traffic is not protected at all, and it is virtually viewable by everybody.” 

Despite being an advocate for public Wi-Fi, Vangati is aware of its risks and warned that a hack can occur any time. 

“There is always a risk associated with using public Wi-Fi,” he said. 

Vangati said that, for example, users should avoid accessing bank accounts when connected to the public network “unless the bank has a multifactor authentication mechanism in place.” 

The risks associated with public Wi-Fi have received growing attention in recent years. 

In July 2021, the National Security Agency (NSA) published a Cybersecurity Information Sheet containing guidelines for users and highlighting the dangers that can occur while using a public network.

One of the first points laid out by the NSA document is that information and data, when sent through an unsecured public network, are vulnerable to theft and manipulation. 

For this reason, it is essential that users keep in mind the possible risks while accessing public Wi-Fi. 

No place is safe

Allen, the downtown resident, said he is aware of the dangers connected with the public network. He doesn’t go to websites or apps that have his personal information.

“I never access sensitive data such as my bank account or personal email when I am using public Wi-Fi,” said Allen. “I also avoid using purchase services.”

Even a common online marketplace like Amazon can be a dangerous website if accessed from a public connection. 

“Usually credit card passwords are connected to these websites and apps,” Allen said. “If a hacker could access my information, it would be possible to extrapolate data and passwords in order to use my credit card without physically having it.” 

Although informed users such as Allen are capable of avoiding many cybersecurity risks associated with public connections, not everybody is cautious. 

A map of downtown San Jose shows areas where people can access the city’s free public Wi-Fi internet connection. (Image courtesy of San Jose Public Library)

According to a study conducted between November and December 2017 and published in 2018 by the University College London, which examined why and how people use unsecure public Wi-Fi, many users just aren’t that worried about being hacked — even though they know public Wi-Fi networks are vulnerable.

Nourdean Shraim, a freshman student majoring in biomedical engineering at San Jose State University, said that he is aware of the risks but is not overly concerned.

“I am the type of person to just say if hackers want my data, then go ahead,” said Shraim.

The London college study reported that 50 percent of the 116 participants continued using the unsecured Wi-Fi network despite comprehending the risks connected to its access. 

The pool analyzed by the college’s team accessed the public network with personal devices.

Personal data including the content of text messages, images and videos were sent into the public network.

Those data and information were eventually viewable and accessible by a “third party” because of the complete absence of any kind of protection.

Hotspot or hacker’s evil twin?

Encrypted connections and VPN software are essential for users to protect their data while navigating the web through an unsecured public network.

Shraim said that encryption effectively helps to reduce the risks faced by users. 

“In some cases the private information is not directly displayed,” said Shraim. “This means that not anyone can access what I do.” 

But danger lurks even for users who avoid accessing personal information. 

Public connections can be used by hackers to mislead users. Public network duplication is one of the problems reported by the NSA.

“If a public Wi-Fi does not require identification prior to access, a hacker may duplicate the hotspot using the same hotspot’s name,” said Di Troia. “The user does not notice any difference accessing the hotspot, but instead of being connected to the public Wi-Fi of San Jose, the device is directly connected with the hacker’s laptop.”

“Evil twin” is the name the NSA uses for the process of hotspot duplication.

There is no way to be sure your personal information is private while on a public Wi-Fi network. Hackers sometimes create fake access points known as “evil twins” to trick users and gain access to passwords and account data. (Image via Freepik)

According to Di Troia, once the user accesses the fake access point or the “evil twin,” it is extremely easy to “infect the device to obtain access to the user’s sensitive data.”

“When the user’s device is infected, I have a full view of its screen,” said Di Troia. “I can look at anything that is content in the device starting with the gallery and finishing with passwords to access personal accounts.”

There are, however, specific precautions that can deter hackers. 

Although specific software can “encrypt” the user’s connection, protecting sensitive and personal data stored on the device, the best way to protect that data and information is to use an empty device when on public Wi-Fi.

“Having a device which does not contain any kind of sensitive data is certainly a good precaution,” said Di Troia. “A user is basically safe when accessing a public connection with an empty device.” 

The SJSU computer science and cybersecurity professor explained that some people keep personal data such as corporation passwords, banking information and insurance reports in a separate, private device. 

“They never access public connections with these devices,” said Di Troia. “It might sound a little extreme and maniacal, but they actually avoid any kind of risk.” 

Virtual Private Networks

Keeping a separate empty device to access public connections is useful but not always practical or affordable. For this reason, the NSA Cybersecurity Information Sheet promotes the use of a Virtual Private Network (VPN) when accessing public networks.

A VPN works as a “shell” protecting the user’s web traffic while navigating the web.

“VPN connections are useful in terms of safety when accessing a public network,” said Di Troia. “In some way, a VPN grants an encrypted connection that protects the user’s web traffic from hackers and malwares.” 

Luke Allen said that he uses a VPN connection daily while accessing the San Jose downtown high-speed public Wi-Fi.

“I pay monthly for the VPN service,” said Allen. “It is less than $10 a month, and it grants good protection while accessing public networks or any unsecure website.” 

The San Jose high-speed public Wi-Fi is a new service, but public Wi-Fi has been present for years in schools, libraries and airports.

And one factor in the NSA’s alarm is that hacking itself has gotten cheaper in recent years.

In the past, Professor Di Troia said, the cost of preparing a hacking operation could run into thousands of dollars. Not so now.

“Building up a hacking operation today is not expensive at all,” said Professor Di Troia. “The hardware can be purchased online for a maximum of $30.”