There has been a terrible natural disaster in Italy. A huge quake has broken a city. Rescue teams race to the scene to try to save lives and stabilise the situation.
During the rescue efforts, the Italian Red Cross sends this tweet:
— Croce Rossa Italiana (@crocerossa) August 24, 2016
It says "To facilitate communications and rescue operations we invite you to remove the password of the wi-fi network".
Should you do this?
Let me be clear.
No no no no no no no!
I sound like a curmudgeonly killjoy. I sound heartless. I sound nasty. I hate that. But this is incredibly dangerous advice. Both to citizens and rescuers.
In disasters there are always criminals looking to take advantage of the good-natured. I'm not saying the Red Cross are criminals - I'm saying that they're creating an environment which makes it very easy for criminality to flourish.
Why Is This A Bad Idea?
Imagine if they said "please hand any spare cash over to people dressed as firefighters" or "give your telephone to anyone in a red jacket" or "we need blood supplies - please invite in anyone who knocks on your door". You'd be crazy to follow that advice. It's similar for unprotecting your WiFi.
What could a malicious user do while connected to your network? They could, potentially...
- Send illegal communications using your IP address.
- Download illegal material.
- Break in to all the computers on your network.
- Control any Internet-connected devices and/or hack them.
- Monitor all of your communications traffic.
But, suppose you did open your WiFi. And suppose you were malicious. When a Red Cross worker - or anyone else - connected to your WiFi, you could...
- Monitor their communications.
- Redirect them to malicious websites.
- Attempt to hack their computers.
I would hope that every emergency worker immediately fires up a VPN before transmitting sensitive data - but I bet you that they don't.
What Should I Do?
Assuming that your Internet connection is still up, there are three sensible things to do.
- Set up a guest network. Most modern equipment will allow you to do this. It will give you protection from most hackers using your network. It doesn't protect you against illegal usage of your connection, nor does it protect people who connect to it.
- Disconnect every single piece of equipment from your network first - including WiFi devices. Once the disaster has passed, reset your router and set everything up again. That may sound paranoid, but it is the only way to be sure nothing evil is lurking on there.
- Let your friends and family know you are safe, and then switch your phone to aeroplane mode. Stop clogging up the airwaves and give the rescuers priority.
Aren't You A Little Paranoid?
Perhaps. Are there really gangs of criminal hackers rushing to disaster zones in order to exploit people? Probably not.
Does a little Italian village contain enough uber-hackers to break in to the Red Cross and cause havoc? Again, doubtful.
It is human nature to help out people in distress. It's the most natural thing in the world to offer comfort, food, and shelter to those who have lost everything.
But we have to stop training people to think that security is merely an inconvenience. That security can be disposed of during times of crisis when it is needed most. We have to provide tools which will let people help in an emergency but not leave themselves vulnerable.
In the meantime, may I please encourage you to donate to Télécoms Sans Frontières - they do an incredible job providing emergency communications infrastructure in disaster zones.