NYC Wi-Fi hubs raise security concerns

Those blazing-fast Wi-Fi speeds that New Yorkers are seeing from the new LinkNYC hubs are impressing more than a few reviewers, but some warn that there could be security hazards.

The Wall Street Journal reports that it took just 45 seconds to download a two-hour, 1 GB file while sitting 10 feet away from a LinkNYC booth. Engadget said using one of the futuristic-looking pay phone replacements was about 10 times the speed of the average American home Internet connection. The free service went live for beta testing at more locations this week.

But The Verge also reports that a public Wi-Fi network as big as this one – the project calls for deploying thousands of the hubs throughout five New York boroughs -- also brings a new set of security risks. The nature of public Wi-Fi means the hubs are constantly exposed to untrusted devices.

"The first thing that pops into my head when I see public Wi-Fi is if I can access it publicly as a regular user, then hackers can get into it," Joseph Pizzo, an information security professional, told The Verge.

Shane Buckley, CEO of Xirrus, told FierceWirelessTech that while public Wi-Fi offers convenience, he can't envision New Yorkers hanging around pay phone hotspots in 2016. If it were a remote village in a country somewhere else in the world, that would make sense. But "are people really going to hang out at a phone box just to connect to the Internet? That's kind of what you have your LTE plan for with your phone company, right? Fundamentally, that's the challenge."

With regard to security, he said one of the big problems is the user doesn't know who's behind the network. For example, if a user connects to New York public Wi-Fi, "how do you know that's the Wi-Fi that's run by the city? You have no way of knowing … It can give you a splash page that looks exactly the same."

An end user could log in to a bogus account with their user name and password and then the hacker has that information, as well as possibly credit card or other information if the end user enters that unwittingly. "This happens all the time," Buckley said, adding that lot of people know that public Wi-Fi is not secure, but they use it anyway because they feel they don't have a choice.

CityBridge, the group that designed the hubs, has built in a number of protections. Colin O'Donnell, CTO for CityBridge, told The Verge that they will have a series of filters and proxies to block anyone who tries to download malware during a browsing session. The city also employs a team dedicated to monitoring traffic, and if that team sees a user receiving data from a command-and-control server, it will end the session immediately.

LinkNYC representatives told Engadget that LinkNYC won't track any web traffic on its public or private network. The full privacy policy, published by NYC's Department of Information Technology and Telecommunications (DOITT), notes that Citybridge might share anonymized data with third parties but not anything personally identifiable.

For more:
- see The Verge article
- see this Engadget article
- see this Wall Street Journal article

Related articles:
LinkNYC's free Wi-Fi could threaten cellular carriers with Passpoint roaming, speedy connections
LinkNYC access points start appearing in New York City
New York City project promises Gigabit Wi-Fi speeds using up to 10,000 'Links'
Xirrus offers access point to help enterprises ride Wave 2 Wi-Fi