Quick question: Would you walk down a street alone knowing that nine of every 10 other pedestrians are at least acting suspiciously, like they want to steal something from you?
That's what you are doing, electronically speaking, when you use free Wi-Fi.
Last summer, engineers from Authentium paid a visit to O'Hare Airport in Chicago. The results should raise red flags for business travelers and IT departments.
An Authentium exec told us in a recent interview that the engineers determined more than 90 percent of the networks they found were ad-hoc in nature, meaning that they emanated from another computer and not from an access point. Perhaps even more startling was the finding that more than 80 percent of these ad hoc systems advertised free Wi-Fi access services.
Certainly not all, probably not most, of these networks were run by crooks. A small coffee shop could set up a Wi-Fi service from the owner's PC, for example.
But it's a good bet that a bunch of the networks were not on the level. That's the bad news. The worse news is that the nature of wireless makes it likely that unsuspecting travelers will tap into these bogus networks. Once there, they are vulnerable to man-in-the-middle and other types of attacks.
Laptops are configured to do two things that compromise security. First, they ask users if they want to log on to a discovered network. If the network has a name such as "Bill's Completely Free Wi-Fi," at least some safety-last types will opt in.
Secondly, machines automatically log onto networks that they have used before. In this example, if a user logs onto a bogus network on the way out through O'Hare, her machine will be predisposed to log back into that network during the trip back home.
Clearly, IT departments must show special vigilance. Security must be passive: Users simply should not be involved, or at least be required to commit some knowledgeable validation.
Public spaces are the Wild West of wireless networking. Setting an employee loose in this environment with a mobile device carrying sensitive info and linked to mission-critical databases is a risky proposition at best. Letting employees wander around without a guaranteed security threshold is folly.