Beware Free Wi-Fi: Government Urges Workers to Avoid Public Networks

The Biden administration would like you to get a vaccine and wear a mask. Oh, and one more thing: It has just proclaimed that it’s time for government employees and contractors to get off public Wi-Fi, where they can pick up another kind of virus.

In a warning to all federal employees, leading defense contractors and the 3.4 million uniformed, civilian and reserve personnel serving in the military, the National Security Agency issued an unusually specific admonition late last week that logging on to public Wi-Fi “may be convenient to catch up on work or check email,” but it is also an invitation to attackers. In an eight-page document, the agency described how, in a year marked by ransomware attacks on pipelines, meatpackers and even the police force in Washington, D.C., clicking on to the local coffee shop’s network was asking for trouble.

Government officials say they are fully aware that getting people to heed the advice is about as likely as getting them to sit outside at a baseball game fully masked. But the message is a turning point: After a decade in which every restaurant, hotel and airline felt competitive pressure to improve their free Wi-Fi, the nation’s leading signals intelligence agency is trying to throw on the brakes.

“Avoid connecting to public Wi-Fi, when possible,” the warning says, stating that even Bluetooth connections can be compromised. “The risk is not merely theoretical; these malicious techniques are publicly known and in use.” The warning links readers to videos of how easy it is for hackers to use an open Wi-Fi network, one that requires no passwords, to harvest passwords and the contents of passing cellphones.

Cybersecurity experts have long warned about the dangers of public internet in coffee shops, airports, hotel rooms and similar venues. At conferences like Black Hat, where government officials are hunting this week for new recruits, exposing the vulnerabilities of mobile devices is something of a sporting event. Some participants take glee in revealing the contents of a visitor’s phone on a big display for all to see. It is meant as a vivid reminder that hooking on to public Wi-Fi, or enabling Bluetooth connections, or even the capability to make a purchase by tapping a reader with a phone, is an invitation to have nonencrypted data seen by anyone.

And then there is the risk of being spoofed. Without citing particular incidents, the N.S.A. warning includes a caution that criminals or foreign intelligence agencies can set up open Wi-Fi systems that look as if they are from a hotel or a coffee shop, but are actually “an evil twin, to mimic the nearby expected public Wi-Fi.” (When State Department officials were negotiating the Iran nuclear accord in 2014 and 2015, many powers — from the Iranians to the Israelis — deployed such systems in hotels where the negotiations were underway, American officials warned at the time.)

The National Security Agency warning was not prompted by any recent uptick in criminals or nation-state adversaries using public internet to steal information or stage hacks, officials say. Instead, it appears to be part of a significantly accelerated U.S. government effort to raise awareness about a range of electronic vulnerabilities in recent months.

President Biden recently issued an executive order requiring software vendors who sell to the federal government to meet a series of cybersecurity standards. It also requires federal agencies to use two-factor authentication, the same way that consumers get a text message, with a code, from their bank before getting into their account.

On Wednesday, speaking at the Aspen Security Forum, Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, repeated her frequent warning that the administration had to make up for lost time by persuading the public, and companies, to adopt protections that should have been in place years ago. She said a key element of the administration’s strategy was “disrupting the ecosystem” that has made ransomware such a profitable pursuit, and acknowledged that the state of America’s defenses, and its resilience to attack, was still “inadequate.”

The N.S.A. warning was clearly timed to come out as more people are traveling again for work, and agency officials said the timing was a recognition of a permanent change in how and where people are using the internet, even for critical national security jobs.

Neal Ziring, the agency’s cybersecurity technical director, said the announcement came as remote work has become “more and more prevalent” for employees of defense contractors and the government. It is important for all remote workers to take steps to “identify and mitigate risks to their wireless devices and data,” he said.

“Malicious cyberactors can target and compromise devices over several of the most common wireless technologies teleworkers use in public,” Mr. Ziring said.

While experts say it is good for the government to raise awareness of risks with the public, security measures that focus on improving the behavior of computer users are far less effective than those that focus on companies, prodding corporate information technology departments to impose better security measures.

“It is defaulting back to, ‘Hey, Mr. End User, take care of security!’ That never works, not on a large scale,” said Amichai Shulman, the co-founder of AirEye, which specializes in wireless security.

In a post on the company’s website, Mr. Shulman wrote that the new guidance was a step in the right direction because it increased awareness of the security vulnerability, but that the kinds of tips promoted by the N.S.A. were unlikely to be followed by any large swath of the public.

Agency officials noted that their primary audience was a group of workers steeped in cybersecurity dangers, people who were more likely to be targeted than an average mobile phone or computer user.

“It’s important to keep in mind that although our guidance can be useful for the general public, N.S.A.’s mission is to provide guidance to military, intelligence and defense industry users, who often have different risk apparatuses than a general user would have,” Mr. Ziring said.

The N.S.A. warning will have a real impact, outside experts said, if it prompts defense companies and other corporations to take steps to give their employees alternatives to public Wi-Fi, such as providing mobile hot spots.

“There is some solid advice here, as long as it is implemented systematically by corporations,” Mr. Shulman said.

Over time, Mr. Ziring said, the risks of using public Wi-Fi for many users have decreased as various security improvements have been made. But those improvements have not eliminated the risks.

“Wi-Fi can still be exploited at the network level, so there are still some risks there,” he said. “This is especially true for users covered by N.S.A.’s cybersecurity mission who may be targeted by foreign adversaries.”

Mr. Shulman said there were other measures those offering public Wi-Fi could take to protect users, such as upgrading to the most recent security standards.

One tip the N.S.A. offered was to reboot a mobile device after using public Wi-Fi. Rebooting could hamper further loss of information if a mobile user was hacked on a public Wi-Fi system. While it would not stop all hacks, it could mitigate the damage of common hacks.

Other tips, like using virtual private networks, will blunt some attacks, but they will not stop the most sophisticated criminals or foreign intelligence officers. A compromised hotel Wi-Fi system could infect a laptop as the user was prompted to login, before VPN could be engaged.

Using public Wi-Fi to steal data has been a technique long in use, Mr. Shulman said. And now the vulnerability is exploited by both criminals and nation-states.

“Adversarial powers are the first to use new techniques,” he said. “They’re usually the ones that come up first with the clever stuff. And then it slowly propagates into criminal hacking, sometimes with a twist.”