Using a VPN for Public Wi-Fi Security? Think Again; there’s been a Quantum Shift

Bill was a busy executive sitting in a coffee shop in 2008, connecting to the public Wi-Fi to check his emails and messages quickly. Little did he know that his sensitive data, including his passwords and credit card information, was being intercepted by a hacker who was eavesdropping on the unencrypted connection. By the time Bill realized what had happened, it was too late. He'd been compromised.

Quantum Mistake

Do you trust your VPN software more than you should?

You heard these tales, and you listened and learned. So did Bill; today, he always uses a VPN when he connects to public Wi-Fi, and he can relax. Like Bill, you have VPN software on your computer, so you’re safe too. Right?

Unfortunately, you are already not as safe as you think. The rise of quantum computing means that your chances of being “Bill 2.0” have increased dramatically if you don’t change your habits.

Security Risks of Public Wi-Fi Networks

Public Wi-Fi networks are convenient, but they come with inherent security risks. Unencrypted public Wi-Fi hotspots are susceptible to a range of attacks, including the following (see glossary for definitions):

  • Packet Sniffing

  • Session Hijacking

  • Man-in-the-Middle (MITM) Attack

  • Fake Wi-Fi Access Points

  • Eavesdropping

The Role of VPNs in Securing Public Wi-Fi Networks

The traditional countermeasure against these risks is to use a Virtual Private Network (VPN). VPNs encrypt all your internet traffic, making it difficult for hackers to intercept and steal your data. This encrypted communication tool has become an essential best practice when connecting to public Wi-Fi networks thanks to cheap CPU power and affordable software-only VPNs.

The Quantum Threat to VPN Security

How quantum computing works

Unfortunately, the security we have enjoyed from VPNs is under attack. A new threat to legacy encryption protocols used by VPNs will render them vulnerable to hackers. Quantum computing has been on the horizon for a while and is about to arrive. This new technology uses the principles of quantum mechanics to perform calculations exponentially faster than classical computers. This technical innovation poses an existential risk to the classical computer encryption protocols that enable virtually all digital transactions.

Encryption techniques used by current VPNs are vulnerable

Legacy public key cryptography (PKC) encryption techniques use specialized math that traditional computers can process extremely fast if the encryption “key” is known. The protection relies on our current computers' inability to quickly determine the encryption key if it is unknown.

When the math is hard, it is unprofitable for criminals to crack the encryption and access the data it protects. Quantum computers alter the landscape because they excel at the very math problems that legacy encryption depends on. Quantum computers are so good at that math that they make it laughably fast and affordable to crack.

Harvest now, decrypt later attacks

Over the next several years, widespread data encryption protocols, including public key cryptography (PKC) standards like RSA, will become vulnerable. Any classically encrypted communication that could be wiretapped is at risk: it may already have been exfiltrated and stored so that it can be decrypted once quantum decryption solutions are viable. These tactics are called "harvest now, decrypt later" attacks, and the public Wi-Fi (unencrypted or encrypted) infrastructure is one of the best and cheapest places to harvest data from.
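A toy illustration of the two sections above, added here and not part of the original article: an RSA-protected secret is recorded today and opened later, using nothing but the public key and the stored ciphertext. The key size, the sample secret and all function names are constructed for the example, and classical Pollard's rho factoring stands in for Shor's algorithm, which is what a quantum computer would run against a real-sized key.

```python
import math

# Constructed toy key: two Mersenne primes give a ~92-bit modulus.
# Real RSA moduli are 2048 bits or more; only the toy size makes this fast.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537

def keygen(p, q, e=E):
    """Return ((n, e), (n, d)): the public and private RSA keys."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def pollard_rho(n):
    """Classical factoring, standing in here for Shor's algorithm."""
    if n % 2 == 0:
        return 2
    for c in range(1, 50):          # retry with a new polynomial if needed
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n     # tortoise: one step
            y = (y * y + c) % n     # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")

def recover_private_key(public):
    """Rebuild the private key from the public key alone by factoring n."""
    n, e = public
    p = pollard_rho(n)
    q = n // p
    return n, pow(e, -1, (p - 1) * (q - 1))

def harvest_now_decrypt_later():
    public, private = keygen(P, Q)
    session_key = 0x5EC2E7C0FFEE    # constructed secret sent over the tunnel
    # Harvest: the eavesdropper stores only what crossed the network.
    recorded = (public, pow(session_key, public[1], public[0]))
    # Decrypt later: once factoring is cheap, the old capture opens.
    n, d = recover_private_key(recorded[0])
    return pow(recorded[1], d, n) == session_key, d == private[1]

if __name__ == "__main__":
    print(harvest_now_decrypt_later())
```

The capture stays decryptable for as long as it is stored, which is why data that must remain confidential for years is exposed before a quantum computer exists.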

The Future of VPN Security

Post-quantum cryptography (PQC) and the CRYSTALS-Kyber algorithm

Fortunately, it’s well-accepted that Computer Security is an arms race, and the National Institute of Standards and Technology (NIST) has been championing a post-quantum cryptography (PQC) standardization project since 2016. After a six-year effort and collaboration with academics and the private sector, NIST has selected the CRYSTALS-Kyber algorithm as a potential solution to this quantum threat. Among CRYSTALS-Kyber’s advantages are relatively small encryption keys that two parties can exchange easily and its speed of operation.

Vendor PQC Solutions

This ongoing research and development is good news for VPN users. Vendors will begin implementing the CRYSTALS-Kyber algorithm and other post-quantum cryptography (PQC) solutions in the near future to ensure their services remain secure. As a user of VPN technology, it's essential to ensure that your favorite VPN vendor implements the CRYSTALS-Kyber algorithm or equivalent sooner rather than later.

Best Practices for Secure Online Activity Until PQC Arrives

Until PQC arrives from our VPNs of choice, all users should adopt vital security behaviors:

  1. Refrain from doing personal or business financial work on public Wi-Fi.

  2. Never place orders for goods from public Wi-Fi. Browse the stores without logging in and make notes so you can order at home or at work.

  3. Refrain from working on Confidential or Controlled information of any kind over public Wi-Fi.

  4. Pause or turn off the “Cloud Files Storage” syncing software if you are using public Wi-Fi.

  5. If you absolutely need to do any of items 1-4, then tether your phone to your laptop with a cable and use the phone hotspot over the cable and do the bare minimum necessary.

  6. Use Multi-Factor Authentication to secure accounts. Email is only one of many apps needing MFA.

  7. If you get your MFA codes via SMS, you aren’t secure. Get a dedicated MFA Application.

If the information you are manipulating will travel to and from the Internet in any way and you don’t want to place that data at risk, simply don’t use public Wi-Fi to facilitate that work.

Conclusion

Watch for vendor updates

The risks of using unencrypted public Wi-Fi networks are real and significant. Hackers can exploit the inherent vulnerabilities of these networks to steal sensitive information from unsuspecting users. With quantum computing on the horizon, ensure that your VPN provider intends to implement robust encryption methods like the CRYSTALS-Kyber algorithm or its equivalent to secure your data.

Change your habits

Don’t wait until it's too late to secure your online activity; learn to use a VPN if you don’t have one. If you have one, continue to use it. Be intelligent in your usage. Things will get safer when PQC gets here this year, but the habits you develop until then serve you long after your VPN has next-gen encryption.

If your VPN Provider charges an upgrade fee for the PQC upgrade, pay them.

Glossary

  • Packet Sniffing: A method of intercepting and examining the data packets transmitted over a network to capture sensitive information like login credentials, credit card numbers, and other personal data.

  • Session Hijacking: This technique involves stealing a user's session cookie, which allows a hacker to hijack the user's session and gain access to their account.

  • Man-in-the-Middle (MITM) Attack: This involves intercepting and relaying communications between two parties who believe they are communicating directly with each other. This technique allows the hacker to eavesdrop on the conversation, steal data, and even alter the communication without the parties knowing.

  • Fake Wi-Fi Access Points: Hackers can set up fake Wi-Fi access points with legitimate-sounding names in public places like coffee shops, airports, and hotels to trick unsuspecting users into connecting to them. Once connected, the hacker can carry out various attacks on the user's device.

  • Eavesdropping: When you connect to an unencrypted Wi-Fi network, any information you transmit can be intercepted by anyone else on the same network. This means that passwords, credit card numbers, and other sensitive information can be easily stolen.

Technosis inc