With the prevalence of mobile device use and on-the-go communications, attorneys must be aware of the security challenges associated with increased work mobility. An attorney’s workday often consists of answering e-mails and accessing case files while out of the office.  Whether these tasks are completed through a smartphone, tablet, or laptop, the technologies that enable this accessibility often rely on Wi-Fi communications.

A familiarity with the nature of this type of communication is helpful to avoid the security risks associated with its use. Wi-Fi is a technology used to create a wireless local area network (WLAN) of electronic devices. Wi-Fi establishes a network connection between devices, such as laptops and smartphones, and a wireless access point or router. Wireless access points or routers often provide internet access to devices on its wireless network. This wireless network also permits devices on the network to communicate with each other. However, without some security protocol being in place, network traffic may be visible to all individuals on the network.

For example, where public Wi-Fi is offered by a local business, like a coffee shop, any patron of the shop can connect to its wireless access point by simply pointing their device to the access point’s name. It is then fairly trivial for a malicious patron of the coffee shop to open a network packet sniffer on their own device to observe the network traffic of other patrons using the same public Wi-Fi network. While “sniffing” the network, the malicious patron may be able to view other patrons’ visited websites, unencrypted e-mail or instant messages, or even login credentials to websites not using appropriate security protocols. This is a passive attack of which none of the other coffee shop patrons would be aware. Any patron may be at risk of unknowingly disclosing confidential information if this attack takes place.

However, the dangers of accessing public Wi-Fi do not end with passive attack disclosure.  It is possible for a malicious individual to stage a man-in-the-middle attack.  Essentially, this attack allows the malicious user’s device to route other users’ network connections through his machine to manipulate the traffic.  This may be used to bypass common security protocols or confuse users into revealing their login credentials. In addition, attackers may create their own public wireless access points for the purpose of enticing unsuspecting users to connect to them. These malicious access points, also known as “honey pots,” appear as public Wi-Fi networks and often have names (SSIDs) that are meant to attract individuals to connect to them, such as the name of a local business or “Free Wi-Fi.” Once connected, the attacker can observe and even manipulate network traffic by the means described above. In addition, attackers may actively seek vulnerabilities in the other devices connected to the network.

Some methods to help avoid or mitigate the risks associated with Public Wi-Fi use include:

  • Avoid accessing websites or conducting any network activity where sensitive information, such as financial information, personal information, login credentials, or confidential communications, is transmitted or received over the network.
  • Use “HTTPS” connections to websites when available. These connections are offered by certain websites and establish an encrypted connection between your browser and their server. All modern internet browsers will display whether your device is connected to an HTTPS connection. To check, look for a lock symbol next to the website’s address bar, or ensure that the website’s address begins with “https://”. Some browser extensions, like HTTPS Everywhere offered by the Electronic Frontier Foundation, attempt to force this to take place where possible.
  • Before connecting to Public Wi-Fi, disable file sharing features on your device and, if possible, set the connection as “Public,” and not “Work” or “Home.”
  • Be suspicious of all Public Wi-Fi network names. Ask the business who offers the network for the exact name of the Public Wi-Fi connection.
  • Ensure your operating system, anti-virus, and anti-malware definitions are up-to-date.
  • Ensure that your device has a firewall to prevent unauthorized connections.
  • If you do not need to connect to Public Wi-Fi, then do not connect to it. If you are done using the Public Wi-Fi, disconnect from it.
  • Consider accessing information via a cellular connection instead of Public Wi-Fi
  • Use a trusted Virtual Private Network (VPN) service. VPN providers use software installed on a device to encrypt all network communications and route them through the VPN provider’s servers. Since your communications are routed through the provider, it is essential that you trust the company that offers the service. Free VPN providers should not be trusted.  However, there are many established VPN providers that offer low-cost and effective services. Review the providers’ privacy policy, corporate location, and service details prior to committing to the provider. It is even possible to create your own VPN server to avoid connecting to a third party, but this is a technical matter beyond the scope of this article.

Although the above methods will go a long way toward protecting your connection on “Public Wi-Fi” where it cannot be avoided, this type of network connection is generally not appropriate for transmitting or receiving sensitive or confidential information and should be avoided wherever possible. Understanding how your information travels to and from its source is important to ensuring your and your clients’ confidentiality and security.

Securing your firm’s Wi-Fi

The doors to your office are locked at night. When an employee is terminated, the locks on those doors are changed. Certainly, you would never leave a client’s file sitting unattended in a public place. However, your office Wi-Fi remains open out of convenience to guests and staff. This is a very serious and dangerous mistake. Wi-Fi is a potential door into the most sensitive and confidential material housed by attorneys.  Below are some helpful tips to secure your firm’s Wi-Fi:

  • Use both a private and guest Wi-Fi network.
    • Private Wi-Fi Network: This network permits wireless access to the firm’s data, such as client and case information. Access to it should be strictly limited to only the devices that absolutely need the wireless connection.  One way to do this, in addition to a strong password, is to specify the devices that may connect to it by hardware number (MAC address). In addition, do not give out the private network password to guests. Consider hiding the wireless broadcast name (SSID) of the access point or router.
    • Guest Wi-Fi Network: This network may allow wireless access to the internet, but it should not provide any access to firm resources. It is not a part of the firm’s network and should be firewalled from any such access.
  • Access to Wi-Fi networks, including any guest network, should be secured with a complex password and that password should be changed on a regular basis. Do not use the default password that came with the wireless router or access point.
  • Login information for administration of the wireless router or access point should be changed from the default setting and given a strong password.
  • Appropriate wireless encryption protocols should be used. Avoid WEP encryption as this protocol has known security vulnerabilities. For a more secure wireless network connection, use WPA2 encryption. This can be set within the wireless access point’s administration settings.
  • Disable WPS (Wi-Fi Protected Setup) on the wireless access point or router. It should not be needed in an office setting and some implementations have known security vulnerabilities.
  • Regularly update wireless access point or router firmware, which is a type of software that runs on the device. Regular updates protect against security vulnerabilities.
  • Consider a wireless intrusion detection or prevention system (WIDS/WIPS). These systems detect and disconnect unauthorized devices on wireless networks, and can help mitigate threats.

Properly securing an office network can be a technical subject, and may require professional assistance. If you are unfamiliar with these technologies, or have complex networking needs, a computer networking professional should be used to secure the network.  For additional information on securing and using Wi-Fi networks, please refer to the below resources:

  • FTC: Tips for Using Public Wi-Fi Networks – https://www.consumer.ftc.gov/articles/0014-tips-using-public-wi-fi-networks
  • FCC: How to Protect Yourself Online – https://www.fcc.gov/consumers/guides/how-protect-yourself-online
  • US-CERT: Using Wireless Technology Securely – https://www.us-cert.gov/security-publications/using-wireless-technology-securely
  • FTC: Securing your Wireless Network – https://www.consumer.ftc.gov/articles/0013-securing-your-wireless-network
  • US-CERT: Guide to Securing Wi-Fi Networks – https://www.us-cert.gov/security-publications/Guide-Securing-Networks-Wi-Fi