People tend to favor Wi-Fi over cellular for obvious reasons – it’s usually faster, it doesn’t tax your data plan and it’s widely available. However, there are a number of Wi-Fi risks you should know about.
1. Your phone is leaving a trail of Wi-Fi cookie crumbs
The majority of smartphones discover Wi-Fi networks using a method called a ‘probe request’. This means that whenever a smartphone’s Wi-Fi is enabled but not connected, it broadcasts the name of every Wi-Fi network it has ever joined to anyone within radio range. These smartphone emissions can be described as ‘digital exhaust’.
This information is alarmingly easy to access. A small script that works on most Macs can listen to the probes sent out by any smartphone within range. When you consider how many Wi-Fi networks a typical employee’s smartphone has joined in the previous two years, that is an awful lot of information to broadcast to the public.
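To make the ‘digital exhaust’ concrete, here is an added example (not from the original post) that builds a few 802.11 probe request frames with a constructed client MAC and SSIDs, parses the SSID tag out of each, and tallies how many network names a single device has revealed; the frame builder, the MAC address and the SSIDs are assumptions for illustration only.

```python
import struct
from collections import defaultdict

# Constructed sample frames only: nothing here captures or transmits.
# 802.11 management header: frame control (2), duration (2), addr1 (6),
# addr2 = transmitter (6), addr3 (6), sequence control (2); the body is a
# run of tagged parameters (tag id, length, value), and tag 0 is the SSID.
def build_probe_request(src_mac, ssid, seq):
    fc = 0x0040                                   # type 0 (management), subtype 4 (probe request)
    header = struct.pack("<HH6s6s6sH", fc, 0, b"\xff" * 6, src_mac, b"\xff" * 6, seq << 4)
    ssid_bytes = ssid.encode()
    tags = bytes([0, len(ssid_bytes)]) + ssid_bytes       # tag 0: SSID from the device's history
    tags += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])          # tag 1: supported rates
    return header + tags

def parse_probe_request(frame):
    """Return (source MAC, SSID) for a probe request, or None for any other frame."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if fc & 0x000C != 0 or (fc >> 4) & 0x0F != 4:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])
    off = 24
    while off + 2 <= len(frame):                  # walk the tagged parameters
        tag_id, tag_len = frame[off], frame[off + 1]
        if tag_id == 0:
            return src, frame[off + 2: off + 2 + tag_len].decode("utf-8", "replace")
        off += 2 + tag_len
    return src, ""                                # no SSID tag: treat as a wildcard probe

def ssid_exposure(frames):
    """Map each probing MAC to the sorted list of network names it has revealed."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:                  # wildcard (empty) probes reveal nothing
            seen[parsed[0]].add(parsed[1])
    return {mac: sorted(names) for mac, names in seen.items()}

if __name__ == "__main__":
    phone = bytes.fromhex("0211223344aa")         # constructed client MAC
    sample = [build_probe_request(phone, "HomeNet", 1),
              build_probe_request(phone, "CoffeeShop-Guest", 2),
              build_probe_request(phone, "HomeNet", 3)]
    print(ssid_exposure(sample))                  # {'02:11:22:33:44:aa': ['CoffeeShop-Guest', 'HomeNet']}
```

The script runs offline because the frames are constructed in it; current iOS and Android releases randomise the MAC address while scanning and mostly send wildcard (empty-SSID) probes, so the exposure count is what a fleet audit would want to confirm per device.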
2. Attackers are snooping on open hotspots
Open networks make all data traffic visible to a malicious actor who wants to see the online communications of people physically nearby. Almost every coffee shop, hotel, airport, train and hospital offers open Wi-Fi connectivity to its customers with zero security, encryption or privacy.
What’s the big deal? When a leaking site or app is being used on an open Wi-Fi network, the unencrypted information can be harvested by a malicious actor or “man-in-the-middle”. Depending on what is being leaked, this Wi-Fi risk could lead to credit card theft, identity theft, or even the reuse of login credentials to access a corporate network.
3. Attackers can hit you at the network level
This is where Wi-Fi risks become a bit more severe. Attackers can physically compromise a wireless infrastructure or tamper with signaling on the local network.
One example of this is SSID spoofing, when a hacker advertises the same network name as a legitimate hotspot or business WLAN, causing nearby devices to connect to their malicious hotspot. These malicious hotspots are called ‘Evil Twins’. In order to set one up, hackers can use tools to ‘listen’ to the probe requests coming from nearby devices (aka digital exhaust), discover SSIDs they’re connecting to, and automatically start advertising those SSID names.
“Hackers set up a fake network to mirror the real, freely available one, users unwittingly connect to the fake network, and then a hacker can steal account names and passwords, redirect victims to malware sites, and intercept files.”
– Steve Fallin, Senior Product Manager at NetMotion Wireless
A second example is ARP spoofing, also called ARP cache poisoning. An attacker connected to the same hotspot as a victim can fool two devices into thinking they are communicating directly with each other: by associating the attacker’s MAC address with the IP address of the victim, the attacker ensures that any traffic meant for that target is delivered to the attacker instead. As a man-in-the-middle (MitM), the attacker can inspect the traffic and forward it on to the intended destination to avoid detection.
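One way to detect the poisoning described above from the defender’s side, as an added example that is not part of the original post: it builds constructed ARP request and reply packets (the 28-byte ARP body, Ethernet header omitted) and keeps a table of IP-to-MAC bindings, alerting when a protected address such as the gateway is answered without a matching request or when its MAC changes. The addresses, the MACs and the ArpWatch class are assumptions.

```python
import struct
import ipaddress

ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed ARP packets only: the 28-byte ARP body (Ethernet header omitted):
# hw type, proto type, hw len, proto len, opcode, sender MAC, sender IP, target MAC, target IP.
def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sender_mac,
                       ipaddress.IPv4Address(sender_ip).packed, target_mac,
                       ipaddress.IPv4Address(target_ip).packed)

def parse_arp(pkt):
    _, _, _, _, oper, sha, spa, _, tpa = struct.unpack("!HHBBH6s4s6s4s", pkt[:28])
    mac = ":".join(f"{b:02x}" for b in sha)
    return {"oper": oper, "sender_mac": mac, "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_ip": str(ipaddress.IPv4Address(tpa))}

class ArpWatch:
    """Track IP-to-MAC bindings seen on the segment and flag the symptoms of cache poisoning."""
    def __init__(self, protected_ips=()):
        self.bindings = {}                     # ip -> MAC learned from the first reply
        self.pending = set()                   # (asker ip, asked-for ip) awaiting a reply
        self.protected = set(protected_ips)    # addresses where a rebinding matters most
        self.alerts = []
    def observe(self, pkt):
        arp = parse_arp(pkt)
        if arp["oper"] == ARP_REQUEST:
            self.pending.add((arp["sender_ip"], arp["target_ip"]))
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if (arp["target_ip"], ip) in self.pending:    # a reply someone actually asked for
            self.pending.discard((arp["target_ip"], ip))
        elif ip in self.protected:                     # unsolicited claim on a key address
            self.alerts.append(f"unsolicited reply for {ip} from {mac}")
        known = self.bindings.setdefault(ip, mac)
        if known != mac:                               # binding flipped: classic poisoning symptom
            self.alerts.append(f"{ip} moved from {known} to {mac}")
            self.bindings[ip] = mac

if __name__ == "__main__":
    gw, victim = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")
    rogue = bytes.fromhex("eeeeeeeeeeee")            # constructed attacker MAC
    w = ArpWatch(protected_ips=["192.168.1.1"])
    w.observe(build_arp(ARP_REQUEST, victim, "192.168.1.10", b"\x00" * 6, "192.168.1.1"))
    w.observe(build_arp(ARP_REPLY, gw, "192.168.1.1", victim, "192.168.1.10"))
    w.observe(build_arp(ARP_REPLY, rogue, "192.168.1.1", victim, "192.168.1.10"))
    print(w.alerts)
```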
A third example of network layer attacks is KRACK, which exploits a serious weakness found in WPA2, the security protocol that protects most modern Wi-Fi networks.
4. Attackers can tamper with a seemingly secure session
This is where the attacker turns their focus to the connection established between a client application and the internet, tampering with security protocols.
One example is SSL Strip, also known as an HTTP downgrade attack. HTTPS uses a secure tunnel, commonly called SSL (Secure Sockets Layer), to send and receive data. In SSL Strip, all the traffic from the victim’s machine is routed via a proxy created by the attacker, which forces the victim’s browser to communicate with the server in plain-text HTTP.
Another example is browser session hijacking. The principle behind most forms of session hijacking is that if certain portions of the session establishment can be intercepted, that data can be used to impersonate a user and access their session. This means that if a hacker captured the cookie that maintains the session between your browser and the website you are logged into, they could present that cookie to the web server from their own machine and impersonate your logged-in session.
A third example is DNS spoofing. DNS spoofing is a MitM technique used to supply a false IP address in response to a request for a domain made in the browser. For example, when you type a web address such as www.mybank.com into the browser, a DNS request carrying a unique identification number is sent to a DNS server. The attacker could use an ARP spoof or another inline method to intercept the DNS request. From there, the attacker can respond to the request with the IP address of their own malicious website, using the same identification number so that the response is accepted by the victim’s computer.
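The identification-number matching described above can be turned around into detection logic; the following added example (not from the original post) builds a constructed query and two A-record responses for www.mybank.com, parses the DNS header, question and answers, and flags a response whose ID and name match no outstanding query as well as a second, conflicting answer for the same query. The IP addresses and the DnsWatch class are assumptions.

```python
import struct
import ipaddress

# Constructed DNS messages only: a query and A-record responses, built by hand.
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def decode_name(msg, off):
    labels, end = [], None                    # follows one compression pointer (0xC0xx)
    while (n := msg[off]) != 0:
        if n & 0xC0 == 0xC0:
            end = end or off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        labels.append(msg[off + 1: off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), (end or off + 1)

def build_query(txid, name):
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + b"\x00\x01\x00\x01"

def build_response(txid, name, ip):
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + encode_name(name) + b"\x00\x01\x00\x01" + answer

def parse_dns(msg):
    txid, flags, _, an = struct.unpack_from("!HHHH", msg, 0)
    qname, off = decode_name(msg, 12)
    off += 4                                  # skip qtype and qclass
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1:                        # A record
            answers.append(str(ipaddress.IPv4Address(msg[off:off + rdlen])))
        off += rdlen
    return {"id": txid, "response": bool(flags & 0x8000), "qname": qname, "answers": answers}

class DnsWatch:
    """Pair each response with a query the client really sent; flag spoofing symptoms."""
    def __init__(self):
        self.outstanding, self.alerts = {}, []   # (txid, qname) -> first answers seen
    def observe(self, msg):
        d = parse_dns(msg)
        key = (d["id"], d["qname"])
        if not d["response"]:
            self.outstanding[key] = None
        elif key not in self.outstanding:
            self.alerts.append(f"unsolicited answer for {d['qname']} (id {d['id']:#06x})")
        elif self.outstanding[key] is None:
            self.outstanding[key] = d["answers"]
        elif self.outstanding[key] != d["answers"]:
            self.alerts.append(f"conflicting answers for {d['qname']}: {self.outstanding[key]} vs {d['answers']}")
```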
5. Your device can be forced to trust malicious services
By far the most serious forms of man-in-the-middle attack are those that involve tampering with certificates and profiles to make the device implicitly trust the attacker.
Each device ships with a trust store of root certificate authorities. A device will automatically trust any certificate signed by one of these authorities, which are expected to vet certificate applicants before issuing them.
If a malicious third-party root certificate authority (CA) is installed and trusted on the device, a malicious actor can craft a certificate for any resource and the end user will not see any error. The attacker then has control and full visibility of the device and its traffic, without any warning prompts or errors for the user of the device.
Certain applications work around compromised trust stores with certificate pinning, but web browsers have no such protection, nor are they protected by other SSL-pinning methods today.
Protecting your business from Wi-Fi risks
Wi-Fi risks, products, and attacks will continue to emerge. Security admins still need to be aware of new threats, assess their security posture, and take appropriate action to protect their networks and their corporate devices. We recommend the following precautions:
- Avoid using open Wi-Fi networks to access sensitive information. Users should turn off Wi-Fi when trying to pay bills or make online purchases.
- If using public Wi-Fi is unavoidable, consider offering a VPN to your users. VPNs create a private network for your data in transit, adding an extra layer of security to your connection. You should ensure the VPN is routed securely and its traffic processed according to your organization’s standards (e.g., routing all of the traffic back through the HQ for processing).
- Have a security product that can detect insecure web services and block data leaks to dramatically reduce the risk that Wi-Fi threats pose.
- Configure your device settings to disable automatic connection to available Wi-Fi hotspots. This will prevent you from unknowingly connecting to public networks. It will also limit your digital exhaust. Enterprise Mobility Management (EMM) services can assist in managing device configuration centrally, eliminating the need to rely on end user action.
- Implement a security solution that can identify insecure hotspots and alert admins during suspected MitM attacks.
The best way to protect your entire mobile fleet from Wi-Fi risks is to have a security solution monitoring device traffic at all times, ensuring that man-in-the-middle activity and communication with leaking apps and sites can be detected and blocked in real time. Get more advice in our full report.
Wi-Fi hotspots: Can you trust them?
Despite being mostly free, fast and widely available, Wi-Fi is a less secure connection than cellular. For someone with malicious intent and cheap equipment, every hotspot is a window to your sensitive data. So why do so many people blindly trust it?