You’re at a busy airport using public WiFi. Will hackers steal your Avalanche private keys when you send a transaction just before you board a plane? Can hackers access your wallet when using public WiFi?
Yes, it is usually OK to use cryptocurrencies using public WiFi. But, as with everything related to cryptocurrencies, some care must be taken, especially when using untrusted networks.
There are always risks, but you can minimize them using some common sense tips.
First things first.
Private keys are the crypto crown jewels. As long as your private key is secure, no one can move your funds.
Ideally, your main wallet keys should be air gapped and stored on a cold wallet whenever you’re in transit. Transfer a smaller amount to a hot wallet and take it with you to cover travel expenses. You should never use your cold wallet for transactions anyway, regardless if you’re at home or on the move.
Making your wallet air gapped means you transport your main wallet as a cold wallet whenever traveling.
This implies keeping the keys somewhere offline like a piece of paper, flash drive, hardware wallet or some other storage. “Air gapped” means there’s no Internet connection whatsoever on the chosen device. So, taking a second mobile phone with you and connecting it to the Internet won’t make your keys safer at all. A Ledger Nano, on the other hand, would do the job.
When you connect your notebook computer or smartphone to a public WiFi network, you’re actually establishing what we call a “local area network” (LAN) connection.
This connection is usually in the 10 MBit/s to 1 GBit/s speed range, which is faster than most mobile connections.
The main issue with LAN connections is that the operating systems running on the devices usually have less firewall filtering than your Internet access provider gives you on the mobile connection.
For example, a wireless connection has most TCP and UDP ports blocked so that remote attackers cannot scan your phone or notebook so easily. At a LAN, on the other hand, anyone can usually scan other users’ PC’s for common services and open ports.
You wouldn’t believe how many openly shared hard drives you can find by scanning a busy public LAN at a restaurant or at he airport! Just connect to the share and use the hard drive remotely! Send, receive files and the user will likely have no idea there’s someone accessing his PC resources.
If possible, avoid accessing public WiFi networks you don’t absolutely trust.
A simple exercize of warwalking (in contrast with wardriving) will reveal tens or hundreds of open WiFi networks with vulnerable printers, TV boxes, modems and even home security cameras. IoT is a disaster in the making and WiFi LAN’s are a constant target for hackers.
A hacker could access your device on a LAN looking for something else entirely and then accidentally come across your wallet.dat file.
This is harder said than done.
Securing mobile devices is notoriously difficult. First of all, we don’t really control the innards of iOS and Android. Both are delivered by corporations in binary form. Yes, we have access to most Android source code, but who actually compiles Android for your phone? We, the end users, rarely do. Instead we get precompiled binaries.
First step to a bit more secure mobile device is to install a firewall of some sort. On Android I use NetGuard. It sets up a systemwide VPN which all apps then use. This VPN is filtered according to rules you set. Easy access icons allow you to completely allow or disallow mobile and WiFi traffic by just pressing an icon. It’s fun to watch the tracking apps unable to connect to the user spying urchins when you disable their traffic via NetGuard!
Other firewall apps are fine if you prefer them. Just make sure the smartphone’s internal networking stack is going through some filter you control.
You should also keep your device fully updated. I realize some updates introduce security flaws rather than fix them, but it’s still worth it updating the device often.
There’s just been a big security flaw discovered in all Apple phones. The exploit could infect phones through regular web pages visited by the users. Millions of infected phones circulated for over 2 years without this malware being detected. If this malware were a cryptocurrency thief app instead of some dictator’s dissident tracking spyware, we’d hear about possibly billions of U$ in stolen cryptos.
In this latter case there’s little a user could’ve done to stay safe. It’s a bad flaw in Apple’s core software and only Apple can patch it.
The best advice is to always keep your main savings wallet in cold storage and only use it on clean desktop PC’s. I only use Linux or BSD variants. OpenBSD is famously secure, but I’ve never tried Bitcoin Core or other wallets on it. Surely *BSD and Linux are far more secure than iPhones, Android or Windows desktop PC’s. Windows is famously insecure due to all sorts of unnecessary bloat it comes with.
When was the last time you read the fine print on some temporary WiFi rental agreement?
Was there an agreement at all?
Imagine getting a free password to some WiFi network in some random amusement park. No contract, the password is available to patrons on a bulletin board by the bathroom entrance hall. Get the idea? There’s no contract. You’re basically trusting some random network somewhere not to snoop on all your communications.
Why do we blindly trust such networks? I’m pretty sure 90% of people would blindly connect, not questions asked.
Your mobile connection is subject to an extensive contract. Should the phone company spy on you or intercept your communications in any way, without a search warrant, they’d be in major trouble. Why? Because there are rules established by the FCC (and equivalent institutions abroad) and …. there’s a contract! You signed a contract whereby you can demand your rights if their infringed upon.
What are your rights when you use a “free” WiFi somewhere? None. You know the old adage when you’re not paying, you are the product.
I hope these few tips give you a better idea about WiFi security and cryptocurrency-related risks.
When traveling, keep your stash in a cold wallet somewhere. Only transfer necessary funds to a hot wallet so you can spend them on the road.
Don’t blindly trust public WiFi networks – this is good advice even if no cryptocurrency is involved. WiFi networks are a major hub for virus and malware propagation.