Why The TSA Is Warning Travelers To Avoid Free Airport Wi-Fi

The holiday travel season is here, and that means an increasingly high number of flyers are going to spend their time at airports. It's a busy time, brimming with unexpected delays, long lines, and extended waiting times. Naturally, a lot of passengers turn to their trusty phone or laptop to kill time. Airports are notorious for their poor cellular network signals, and as a result, users often turn to the free airport Wi-Fi, especially when traveling abroad. But it may not be the proverbial free lunch, thanks to security risks. The US Transportation Security Administration has also warned flyers to avoid the avoid public Wi-Fi available within the airport premises. "Do not ever enter any sensitive info while using unsecure WiFi," the agency wrote in a social media post, adding that users should especially avoid it if they intend to do online shopping.

Now, the TSA's warning must not be taken lightly, especially considering how common the usage of airport Wi-Fi networks is. And the fact that it's free to use, most passengers rely on it to do a last-minute check on their travel plans, or download entertainment content to watch on their flight. However, the risks highlighted by the TSA aren't too different from using virtually any public Wi-Fi network. Google also asks users to avoid public Wi-Fi networks because they can be "unencrypted and easily exploited by attackers." Unencrypted networks are an open invitation for hackers and bad actors, but there are ways you can steer clear of the attack vectors without any overtly technical hoops. But before we get into the technical nitty-gritty, it's best to limit internet activities to casual chores like checking schedules, social media, flight updates, and streaming on public Wi-Fi at airports. But if you must go beyond, take a few precautions.

Let's start with the obvious risk of using an unencrypted network. A huge chunk of the web has already moved from HTTP to the "secure" HTTPS protocol. As of 2023, 95% of all Google services had shifted to encrypted HTTPS, which means the data traveling between your phone/laptop and the internet service you're accessing is encrypted. So, if a hacker intercepts it, they won't have unfettered access to it, unlike the plaintext data packets from the early days of the Internet. As an added safety measure, you can opt in to the HTTPS-only mode in browsers such as Chrome or Firefox for extra assurance. 

Another precaution is using a VPN, especially if you're accessing sensitive portals such as cloud drive containers, financial sites, or internal company dashboards.  The best way forward is to confirm the right Wi-Fi channel with on-ground staff or avoid such open networks. If connecting to an open public network doesn't lead to a login portal or a Terms and Conditions agreement page, it's a telltale sign of a risky network." As a general rule of thumb, try to avoid sensitive sites involving log-in steps if you are connected to a public Wi-Fi network at airports. Experts over at Norton and the US FTC also suggest disabling Bluetooth and file sharing, and using multi-factor authentication (MFA).

The bigger threat is linking to a spoof network, or "evil twin" networks. Bad actors can create hotspots mimicking the name of the public Wi-Fi networks, such as AirPort-WiFi vs Airportwifi or Free-AirPort-WiFi. In June last year, a bad actor was arrested over an "evil twin" Wi-Fi attack with the intent of data theft. Boingo, which offers public Wi-Fi services at dozens of airports in North America, told CNBC that evil twin attacks are happening with regularity in the United States. Another expert highlighted that as widespread access to free Wi-Fi becomes the norm in public places, evil twin attacks will be on the rise. Now, evil twin attacks aren't a complete doom-and-gloom scenario. Even if you have linked to a spoofed network, the hacker won't be able to access traffic passing through encrypted services. But as experts at ProtonVPN highlight, it's the remaning 15% of websites that don't use the HTTPS protocol, which can pose a privacy intrusion threat. 

What makes evil twin attacks more lucrative is the ease of launching them. A spook network can be started using just a smartphone, laptop, tablet, or portable router. For maximum damage, hackers can use specialized devices such as a Wi-Fi Pineapple. Once the network has been set, the hacker can set up an unencrypted captive portal masquerading as a log-in page. If an unsuspecting user enters login details to any of the services they use on a daily basis, the attacker can intercept those credentials. Per Kaspersky, evil twin attacks also open the doors for injecting malware. The folks over at Okta have also raised the risk of a distributed denial of service (DDoS) attack, data theft, and financial fraud.