IT Brief Australia - Technology news for CIOs & IT decision-makers

Cyber experts warn of public Wi-Fi risks in Australia

Yesterday

Cybersecurity experts in Australia have issued warnings to local councils and small and medium-sized enterprises (SMEs) concerning the risks associated with free public Wi-Fi.

Free Wi-Fi networks are prevalent in urban centres, libraries, cafés, airports, and shopping areas across Australia, offering convenience to many. However, these networks can potentially expose users to cyber threats including data breaches, identity theft, and operational disruptions, according to authorities in the cybersecurity field.

Recent incidents highlight this vulnerability, such as the arrest in June 2024 of a 42-year-old Western Australian man accused of creating fake, "evil twin" Wi-Fi networks at airports in Perth, Melbourne, and Adelaide, as well as onboard domestic flights. These fraudulent networks closely resembled legitimate airport networks, directing users to fake login pages that captured their email and social media credentials. It was only after multiple travellers had been compromised that airline staff discovered the rogue network mid-flight.

In the context of "smart city" initiatives and community engagement, councils in Victoria, Queensland, and New South Wales provide public Wi-Fi in libraries, parks, and civic centres. However, cybersecurity attacks on governmental infrastructure underline the risks of unsecured networks turning into entry points for serious breaches.

One notable incident took place in 2021 when a Victorian council had to suspend its online services for more than two weeks following a cyberattack that disrupted its ePlanning and payment systems, affecting both internal functions and public services.

A Senior Cybersecurity Adviser stated, "Councils are often doing the right thing by increasing accessibility. But without proper segmentation, encryption, and user education, public Wi-Fi can become a threat vector rather than a public good."

SMEs, particularly in the hospitality, retail, and service sectors, frequently depend on cloud platforms, emails, and POS systems that utilise public networks. According to the Australian Cyber Security Centre (ACSC), these businesses face increasing risks such as man-in-the-middle attacks, credential harvesting through fake hotspots, data leaks from unencrypted transmissions, and malware infections via unsecured connections.

In one example, data from a Brisbane-based legal firm was intercepted and used in a blackmail attempt after a staff member sent sensitive documents over café Wi-Fi without using a VPN. Similarly, a marketing agency in Melbourne had to temporarily suspend operations after malware contracted through a public network infected its cloud storage.

"Too many SMEs and councils overlook the security of their guest Wi-Fi networks," commented a spokesperson from Borderless CS, a cybersecurity company collaborating with local governments and businesses. "It's not just about providing internet access anymore; it's about protecting that access."

The Privacy Act 1988 mandates that Australian organisations take "reasonable steps" to safeguard personal information. Should a breach occur, such as interception of customer data via company-provided Wi-Fi, the Notifiable Data Breaches (NDB) scheme may necessitate notification to affected users and the Office of the Australian Information Commissioner (OAIC).

Additionally, businesses offering public Wi-Fi could be classified as Carriage Service Providers under the Telecommunications Act 1997, bringing additional federal responsibilities.

The ACSC and government agencies have suggested several measures to mitigate these risks. For councils, they recommend deploying WPA3 encryption and client isolation, displaying verified network names, routinely auditing access points, collaborating with licensed internet service providers, and promoting cyber safety on captive portals or signage.

For SMEs, suggested precautions include equipping staff with VPNs for out-of-office work, enforcing multi-factor authentication on all cloud platforms, educating employees about rogue networks, disabling auto-connect and file sharing on company devices, and keeping devices and applications updated and patched.

A spokesperson from the ACSC remarked, "Free Wi-Fi is not inherently unsafe, but it is inherently untrusted. Every connection made without protection is a potential opportunity for someone to intercept or exploit that data."
