As free public Wi-Fi networks go live, one unlikely community will be waiting to log in: cyber criminals.

Municipal and public Wi-Fi networks could become a breeding ground for crooks looking to steal information from individual users and big companies alike.

Mischief makers won’t have to wait long. This month, search giant Google started testing its free wireless Internet service in Mountain View, California.

Google

That news comes as a number of cities including San Francisco, New York, Philadelphia, and Toronto have announced plans to create municipal, or “muni,” Wi-Fi networks (see Google, EarthLink to Unwire SF).

The free public networks will carpet cities with free Internet connectivity. By 2007, cities in the United States will spend $405.6 million on wireless networks, up from 76.5 million in 2005, according to projections by the research firm MuniWireless.

The efforts should bring tens of thousands of users onto these networks. Internet service provider EarthLink is aiming to grab at least 100,000 users within the next two years for its 135-square-mile network in Philadelphia alone.

The large number of users jumping onto these networks has raised concern among security experts. While advocates have pushed the technology as a way to close the digital divide, some fear many users may not install the kind of security measures they need.

“The lack of any detailed discussion relating to security was troublesome,” said Brian Hernacki, an architect with security software developer Symantec’s research labs.

Muni Wi-Fi networks could be susceptible to attacks in a number of ways. Snoopers could monitor unencrypted wireless traffic. Or miscreants could create fake access points bearing misleading network identification labels such as “SF Muni.”

When users try to connect to a network, their devices will offer a list of visible wireless networks. Users could end up choosing a network set up by a crook.

“Many people rely on their home or company firewall to keep them safe, but when you are out on the muni network, you don’t have those protections,” said Mr. Hernacki.

Businesses at Risk

The prospect of users tapping into muni Wi-Fi networks is especially troubling for businesses that have spent millions of dollars securing their data, said experts. Security experts fear that hackers could use muni Wi-Fi networks as a back door to get into business networks.

“The greatest threat to [corporate] networks comes from employees, and many of these employees will be using insecure public Wi-Fi networks,” said Josh Kessler, an analyst with TowerGroup, an information technology research and consulting firm.

Mobile devices that tie into business systems via wired or wireless links extend the edge of a corporate network to wherever they go. As a result, laptops and other wireless devices could create a hole in a company’s security infrastructure when used with muni Wi-Fi.

“When you have free unencrypted public Wi-Fi, most people don’t realize that checking their web-based email is almost completely in the open,” said Glenn Flinchbaugh, vice president of marketing for Devicescape, which sells embedded software for wireless devices. “There’s a lot of information even there that can be a risk when some of those users come back to their offices.”

So far, businesses have largely focused on protecting their networks through firewalls and virtual private networks (VPNs). But these can’t combat the lack of security in public Wi-Fi networks. They only protect data as it moves from one place to another, or from a direct hacker attack, according to wireless security company AirDefense in a recent advisory. In contrast, muni Wi-Fi attacks will likely be more like phishing, where users are tricked into believing they are using legitimate access points when in fact a fraudulent access point has been created, the company said. A strict No Muni Wi-Fi policy while at the office or traveling on business is what AirDefense suggests.

Educating Users

Others, however, believe that fears about security over muni Wi-Fi networks are overblown.

“It’s high on people’s minds primarily because it is used as a tool of opponents of the muni networks,” said Craig Settles, author of the book, Fighting the Good Fight for Municipal Wireless. “The reality is that the networks in and of themselves when properly developed and deployed are no less secure than standard networks.”

Fighting the Good Fight for Municipal Wireless

Most users are simply unaware of how they can identify secure Wi-Fi networks and what measures they need to take to log on securely, said Mr. Settles. As a result, he said service providers, cities, and companies that sell devices like laptops or PDAs should educate users about security.

“I refer to security as the bogeyman for the uninformed and handmaiden of the obstructionist,” said Mr. Settles.

Such a campaign will not be without its challenges, however, with new users facing an alphabet soup of acronyms they’ll need to master to lock down their computers.

“VPN, WPA [Wi-Fi Protected Access, a new security specification] configurations on the laptops, etc.; how do you do that in a large city like New York or San Francisco?” said Mr. Hernacki. “How do you teach to that many users the many access points to connect to?” Those setting up muni Wi-Fi networks aren’t ignoring that challenge. Google was unavailable for comment. However, the company is offering secure private network software called Google Secure Access as a free download.

Such an offering may take time to catch on with average users, said Mr. Hernacki.

“Google has a clear, unencrypted network and wants people to use a VPN client if they want security,” he said. “That concerns me because expecting the average user to use VPN on their own is pretty difficult.”

And that’s exactly the opportunity some fear cyber criminals are waiting for.

Contact the writer:PGanapati@RedHerring.com