Is the subway Wi-Fi hackable? What to know and tips on staying secure

There are several ways to protect against hackers on the subway’s free Wi-Fi, including the use of a Virtual Private Network. Photo Credit: Todd Maisel

You arrive at the subway — coffee in one hand and your phone in the other — and quickly log into the Wi-Fi before firing off emails as you head to work. It’s a morning routine for many a multitasker in New York City, but it also poses hidden dangers.

Free public Wi-Fi has been available in all underground subway stations for nearly two years. The service, provided by Transit Wireless via a long-term contract with the MTA and NYC Transit, allows commuters to stay connected as they move about the city. But as with any free and public Wi-Fi network, there are risks to using it.

“Like any product on the market, the system is hackable,” said expert Omri Admon, corporate innovation specialist for SOSA, the firm tapped by the city Economic Development Corporation to launch its Global Cyber Center.

Subway Wi-Fi users should make sure web addresses begin with HTTPS, which ensures information is being sent through an encrypted tunnel. Photo Credit: Todd Maisel

Transit Wireless and the MTA have taken precautions to mitigate the effects of hacking as much as possible, Admon added, including the use of advanced encryption codes and automatic system reboots when an attack is suspected.

About 10.5 million people access the subway’s Wi-Fi each month, according to the MTA. Christopher McKniff, a spokesman for the transit authority, encouraged riders to “utilize the same common sense cybersecurity precautions they would employ in any common space.”

“The introduction of Wi-Fi and cell connectivity in the subway system has not only provided our customers with an enhanced customer experience, but also offered additional capacity for emergency and trip planning communications,” he added. “As part of our efforts to modernize the system, riders are now able to keep up with work, access entertainment, utilize trip planning services, and contact family and friends.”

The two main concerns with public Wi-Fi, according to Admon, are “evil twin” and “man-in-the-middle” attacks.

A man-in-the-middle attack might involve a fake access page that looks similar or identical to the Transit Wireless Wi-Fi landing page. Once the user clicks through, the hacker can access the phone’s data.

“So if I type something that is a password or card information, that can definitely cause a problem. And that’s something that any public network is in danger of, especially one that is used by so many people,” Admon said.

An evil twin attack, meanwhile, is when someone sets up a fake Wi-Fi network that has the exact same name as the authentic one to trick unsuspecting users into connecting to the wrong one. Additionally, if someone has previously logged into the authentic Wi-Fi and has automatic connect engaged on their phone, they could be instantly and unknowingly connected to the fraudulent network, where the hacker can then access the phone’s data.

While Transit Wireless does what it can to stop both types of hacking from occurring, commuters can also play an active role in avoiding cybersecurity attacks.

Amy McLaughlin, Transit Wireless’ general manager of Wi-Fi data and advertising, said the company’s chief goal is to provide a quality experience for riders while ensuring the network’s security.

“Public Wi-Fi is an open network meant for people to easily and seamlessly connect to the internet,” McLaughlin said. “Users looking to enhance their security while on a public network can use web addresses that begin with HTTPS, which provide added protection by sending their information through an encrypted tunnel. Additionally, users can use a virtual private network (VPN), which encrypts device traffic.”  

There’s also a free app, NYC Secure, that alerts users to potential threats on their device.

“It might tell you to disconnect from the Wi-Fi system or navigate away or uninstall an app,” Admon said. “So it’s kind of adding a layer of security.”

The city-funded, ad-free mobile app is operated by the NYC Cyber Command, an agency created by Mayor Bill de Blasio in 2017 that works to prevent, detect and respond to cyber threats.

Admon said education on the risks of using public Wi-Fi and the ways riders can protect themselves is also paramount.

“The main issue with cybersecurity is the human factor, so most of the hacks come through that,” he said. “Just as with any other technology, you just need to be smart about it and know what you’re logging into.”