People tend to favor Wi-Fi over cellular for obvious reasons – it’s usually faster, it doesn’t tax your data plan and it’s widely available. However, there are a number of Wi-Fi security red flags you should know about.
1. Your phone is leaving a trail of Wi-Fi cookie crumbs
The majority of smartphones use a method for Wi-Fi network discovery called a ‘probe request’. In practice this means that whenever a smartphone’s Wi-Fi is enabled but not connected, it repeatedly broadcasts the name of every Wi-Fi network it has ever joined to anyone within radio range. These smartphone emissions can be described as ‘digital exhaust’.
This information is alarmingly easy to access. A small script that works on most Macs can listen to probes sent out by any smartphone in a certain vicinity. When you consider how many Wi-Fi networks a typical employee’s smartphone has joined in the previous two years, that is an awful lot of information to broadcast to the public.
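To make the scale of this exposure concrete, here is an added audit example (not code from the article or from any vendor it mentions). It assumes probe requests have already been captured from your own devices and reduced to (source MAC, SSID) records; the records below are constructed. It also checks whether a device is using a randomized (locally administered) MAC address, which limits how easily the leaked SSID list can be tied back to one handset:

```python
"""Audit how much a device reveals through Wi-Fi probe requests (added example).

Assumption (not from the article): probe requests have been captured from
devices you manage and reduced to (source MAC, SSID) records. Directed probes
carry an SSID; broadcast probes carry an empty SSID and name nothing.
"""
from collections import defaultdict

# Constructed probe-request records: (source MAC, probed SSID).
SAMPLE_PROBES = [
    ("3c:22:fb:11:22:33", "HomeNet"),
    ("3c:22:fb:11:22:33", "CorpGuest"),
    ("3c:22:fb:11:22:33", "CoffeeShop-Free"),
    ("3c:22:fb:11:22:33", "HomeNet"),        # the same list repeats every scan cycle
    ("3c:22:fb:11:22:33", ""),               # broadcast probe, reveals nothing
    ("da:a1:19:44:55:66", "Airport_WiFi"),   # randomized (locally administered) MAC
    ("da:a1:19:44:55:66", ""),
]


def is_locally_administered(mac):
    """True when the locally-administered bit (0x02) of the first octet is set.

    Randomized Wi-Fi MAC addresses set this bit, so the address cannot be
    matched against a vendor OUI or tracked across locations."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def probe_exposure(probes):
    """Summarise, per source MAC, the distinct SSIDs leaked and whether the
    MAC is randomized. Returns a dict keyed by MAC."""
    leaked = defaultdict(set)
    for mac, ssid in probes:
        mac = mac.lower()
        ssids = leaked[mac]          # register the device even if it only broadcasts
        if ssid:
            ssids.add(ssid)
    return {
        mac: {
            "ssids": sorted(ssids),
            "count": len(ssids),
            "randomized_mac": is_locally_administered(mac),
        }
        for mac, ssids in leaked.items()
    }


if __name__ == "__main__":
    for mac, info in probe_exposure(SAMPLE_PROBES).items():
        print(mac, info)
```

The first device leaks three network names under a stable hardware MAC, which is the worst case the article describes; the second leaks one name under a randomized MAC, so the name cannot easily be linked to a particular person or vendor. Disabling auto-join for old networks and enabling MAC randomization both shrink the output of this audit.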
2. Attackers are snooping on open hotspots
Insecure networks make all data traffic visible to a malicious actor that wants to see the online communication of people physically nearby. Almost every coffee shop, hotel, airport, train, hospital, etc., offers a service of open Wi-Fi connectivity to their customers with zero Wi-Fi security, encryption or privacy.
What’s the big deal? When a site or app that sends data unencrypted is used on an open Wi-Fi network, that information can be harvested by a malicious actor or “man-in-the-middle”. Depending on what is being leaked, this Wi-Fi security risk could lead to credit card theft, identity theft, or even the reuse of login credentials to access a corporate network.
3. Attackers can hit you at the network level
This is where Wi-Fi risks become a bit more severe. Attackers can physically compromise a wireless infrastructure or tamper with signaling on the local network.
One example of this is SSID spoofing, when a hacker advertises the same network name as a legitimate hotspot or business WLAN, causing nearby devices to connect to their malicious hotspot. These malicious hotspots are called ‘Evil Twins’. In order to set one up, hackers can use tools to ‘listen’ to the probe requests coming from nearby devices (aka digital exhaust), discover SSIDs they’re connecting to, and automatically start advertising those SSID names.
“Hackers set up a fake network to mirror the real, freely available one, users unwittingly connect to the fake network, and then a hacker can steal account names and passwords, redirect victims to malware sites, and intercept files.”
Steve Fallin, Senior Product Manager at NetMotion Wireless
A second example is ARP spoofing, or ARP cache poisoning. An attacker connected to the same hotspot as a victim sends forged ARP replies that associate the attacker’s MAC address with the IP address of the victim, so that the two devices believe they are communicating with each other while any traffic meant for the target is delivered to the attacker instead. As a man-in-the-middle (MitM), the attacker can inspect the traffic and forward it on to the intended destination to avoid detection.
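The defensive counterpart is an arpwatch-style monitor. The following is an added example, not code from the article, and it assumes ARP replies have already been captured and reduced to (timestamp, sender IP, sender MAC) tuples; the reply log is constructed. It applies three checks a practitioner would want: an IP that changes MAC, one MAC claiming several IPs (the signature of a MitM sitting between a client and the gateway), and a violation of a pinned gateway mapping, which is the same protection a static ARP entry for the gateway gives:

```python
"""Detect ARP cache poisoning from a log of ARP replies (added example).

Assumption (not from the article): replies arrive as (seconds, sender IP,
sender MAC) tuples, the way a capture tool would hand them to a monitor.
"""
from collections import defaultdict

# Constructed ARP reply log: (seconds, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # legitimate gateway
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),   # victim
    (2.0, "192.168.1.21", "aa:bb:cc:00:00:21"),   # attacker's own address
    (5.0, "192.168.1.1",  "aa:bb:cc:00:00:21"),   # gateway IP now claims the attacker's MAC
    (5.1, "192.168.1.20", "aa:bb:cc:00:00:21"),   # victim IP also claims the attacker's MAC
    (9.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # real gateway answers again (flip-flop)
]

# Constructed pin: the gateway MAC an administrator knows to be correct.
GATEWAY_PINS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_poisoning(replies, pins=None):
    """Return a list of alert dicts, in the order the evidence appeared.

    Heuristics:
      pin_violation           - a pinned IP (e.g. the gateway) is claimed by another MAC
      mac_change              - an IP that previously mapped to a different MAC
      mac_claims_multiple_ips - one MAC answering for more than one IP address
    """
    pins = {ip: mac.lower() for ip, mac in (pins or {}).items()}
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in pins and pins[ip] != mac:
            alerts.append({"t": ts, "type": "pin_violation", "ip": ip,
                           "expected": pins[ip], "seen": mac})
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"t": ts, "type": "mac_change", "ip": ip,
                           "old": prev, "new": mac})
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:      # only alert when a new claim is added
                alerts.append({"t": ts, "type": "mac_claims_multiple_ips",
                               "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES, pins=GATEWAY_PINS):
        print(alert)
```

On the constructed log the monitor raises its first alert at t=5.0, the moment the attacker's MAC claims the gateway address, and keeps alerting while the mapping flip-flops. On a real network the flip-flop check alone produces noise from DHCP churn and NIC replacements, so pinning the gateway and alerting on that violation is the lowest-noise signal.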
A third example of network layer attacks is KRACK, which exploits a serious weakness found in WPA2, the security protocol that protects most modern Wi-Fi networks.
4. Attackers can tamper with a seemingly secure session
This is where the attacker turns their focus to the connection established between a client application and the internet, tampering with Wi-Fi security protocols.
One example is SSL strip, also known as an HTTP-downgrading attack. HTTPS uses a secure tunnel, commonly called SSL (Secure Sockets Layer), to send and receive data. In SSL strip, all the traffic from the victim’s machine is routed via a proxy created by the attacker; the proxy rewrites secure links so that the victim’s browser communicates with the attacker in plain-text HTTP while the attacker maintains the HTTPS connection to the real server.
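The standard browser-side mitigation for this downgrade is HTTP Strict Transport Security (HSTS): once a site has declared itself HTTPS-only, the browser refuses to fetch it over plain HTTP, so a stripped link is upgraded before it ever reaches the attacker's proxy. The following is an added example, not code from the article, that models that policy store. The hostnames and header values are constructed; the parsing of max-age and includeSubDomains follows the header format as standardised.

```python
"""HSTS policy store as a mitigation for SSL stripping (added example).

Assumption (not from the article): the caller hands us the host, the
Strict-Transport-Security header value and whether it arrived over HTTPS.
"""
import re
import time


class HstsStore:
    """Remembers hosts that declared themselves HTTPS-only."""

    def __init__(self, preload=()):
        # host -> (expires_at, include_subdomains); preloaded hosts never expire
        self._entries = {host.lower(): (float("inf"), True) for host in preload}

    def record_header(self, host, header_value, over_https=True, now=None):
        """Store an STS header. Returns True if a policy was recorded.

        A header seen over plain HTTP is ignored: that is what stops an
        attacker's HTTP proxy from tampering with the policy."""
        if not over_https:
            return False
        now = time.time() if now is None else now
        m = re.search(r"max-age\s*=\s*(\d+)", header_value, re.I)
        if not m:
            return False
        max_age = int(m.group(1))
        if max_age == 0:                      # max-age=0 means "forget this host"
            self._entries.pop(host.lower(), None)
            return False
        include_sub = re.search(r"\bincludeSubDomains\b", header_value, re.I) is not None
        self._entries[host.lower()] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_sub = entry
            if expires < now:
                continue
            if i == 0 or include_sub:
                return True
        return False


def resolve_url(store, url, now=None):
    """Upgrade http:// to https:// for known hosts; otherwise return the URL
    unchanged. That unchanged case is the first-visit gap SSL strip relies on."""
    m = re.match(r"^http://([^/:]+)(.*)$", url, re.I)
    if not m:
        return url
    host, rest = m.group(1), m.group(2)
    if store.is_known(host, now):
        return "https://" + host + rest
    return url


if __name__ == "__main__":
    store = HstsStore()
    store.record_header("bank.example", "max-age=31536000; includeSubDomains", now=1000)
    for link in ("http://bank.example/login", "http://shop.example/"):
        print(link, "->", resolve_url(store, link, now=2000))
```

The example also shows the caveat a practitioner needs: a host the browser has never visited over HTTPS (shop.example above) is still fetched over HTTP, which is exactly the window SSL strip exploits. Browsers close that window with a preload list, modelled here by the preload argument.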
Another example is browser session hijacking. The principle behind most forms of session hijacking is that if certain portions of the session establishment can be intercepted, that data can be used to impersonate the user and access their session. This means that if a hacker captured the cookie used to maintain the session between your browser and the website you are logged into, they could present that cookie to the web server and impersonate your logged-in session to that website.
A third example is DNS spoofing. DNS spoofing is a MitM technique used to supply a false IP address in response to a request for a domain made in the browser. For example, when you type a web address such as www.mybank.com into the browser, a DNS request carrying a unique identification number is made to a DNS server. The attacker could use an ARP spoof or another inline method to intercept the DNS request. From there the attacker can respond to the DNS request with their own malicious website’s IP address using the same identification number, so that the reply is accepted by the victim’s computer.
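On the detection side, a spoofed answer usually leaves a trace the resolver can catch: either a second, conflicting response arrives for the same transaction ID, or a response arrives for a transaction ID that was never sent. The following is an added example, not code from the article, that builds constructed DNS responses with the standard library, parses them, and applies both checks. The IP addresses and hostnames are constructed placeholders.

```python
"""Spot spoofed DNS answers by transaction ID (added example).

Assumption (not from the article): the monitor sees every UDP DNS response
the client receives and knows which (txid, name) pairs are outstanding.
"""
import struct


def _encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid, qname, ip, ttl=300):
    """Build a minimal DNS response: one A question, one A answer (constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name = pointer to offset 12
    return header + question + answer


def _read_name(data, offset):
    """Read a possibly compressed name; return (name, offset after the name field)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset if end is None else end


def parse_a_response(data):
    """Parse header, first question and every A-record answer."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = _read_name(data, offset)
        offset += 4                                       # skip QTYPE, QCLASS
        questions.append(name)
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": questions[0] if questions else "", "answers": answers}


def detect_spoofed_responses(packets, outstanding):
    """Flag responses whose txid was never requested, and second responses
    that disagree with the first answer for the same (txid, name)."""
    first_seen, alerts = {}, []
    for pkt in packets:
        r = parse_a_response(pkt)
        key = (r["txid"], r["qname"])
        if key not in outstanding:
            alerts.append(("unsolicited", key, r["answers"]))
            continue
        if key in first_seen and first_seen[key] != r["answers"]:
            alerts.append(("conflicting_answers", key, first_seen[key], r["answers"]))
        first_seen.setdefault(key, r["answers"])
    return alerts


# Constructed traffic: the client asked once; three responses arrive.
OUTSTANDING_QUERIES = {(0x1A2B, "www.mybank.com")}
SAMPLE_RESPONSES = [
    build_a_response(0x1A2B, "www.mybank.com", "203.0.113.7"),    # forged, arrives first
    build_a_response(0x1A2B, "www.mybank.com", "198.51.100.10"),  # genuine resolver answer
    build_a_response(0x9999, "www.mybank.com", "203.0.113.7"),    # blind guess at the txid
]

if __name__ == "__main__":
    for alert in detect_spoofed_responses(SAMPLE_RESPONSES, OUTSTANDING_QUERIES):
        print(alert)
```

Note the limitation this makes visible: the forged answer arrives first and the client has typically already acted on it by the time the genuine answer exposes the conflict, so this is an alerting control, not a preventive one. Prevention comes from validating answers (DNSSEC) or moving resolution into an encrypted, authenticated channel (DNS over TLS or HTTPS) that an on-path attacker cannot answer for.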
5. Your device can be forced to trust malicious services
By far the most serious form of man-in-the-middle Wi-Fi attack is one that tampers with certificates and configuration profiles to make the device implicitly trust the attacker.
Each device ships with a trust store of root certificate authorities. A device will automatically trust any certificate signed by one of these trusted authorities, which are expected to vet applicants before issuing certificates.
If a malicious third-party root certificate authority (CA) is installed and trusted on the device, a malicious actor can craft a certificate for any resource and the end user will not see any error. The attacker then has control of and full visibility into the device and its traffic, without any warning prompts or errors for the user of the device.
Certain applications work around compromised trust stores by certificate pinning, but web browsers have no such protection, nor are they protected by other SSL-pinning methods today.
Flaws in Wi-Fi security protocol
The most widely reported WPA2 security flaw was found in the Wi-Fi security standard itself and, therefore, impacted a wide range of devices and operating systems, from Android and Apple to Linux and Windows. This is particularly concerning because it doesn’t matter if the network is encrypted, the WPA2 flaw was in the encryption protocol of the vast majority of modern routers that enable a secure Wi-Fi connection.
Fortunately, the researchers responsible for discovering the WPA2 flaw reported it responsibly to the Wi-Fi Alliance, a network of companies responsible for Wi-Fi, thus enabling many of the impacted companies to have patches available to coincide with the announcement.
Because the flaw lies in the wireless protocol itself, any Wi-Fi attack that attempts to exploit the WPA2 weakness must be carried out within range of the wireless signal between the device and the Wi-Fi network. From a defensive perspective, this is a good thing, as it prevents the attack from being launched remotely.
Furthermore, industry best practices call for sensitive data being transferred on the network to be protected using Secure Sockets Layer (SSL) encryption, which sits above the network-layer WPA2 protections.
In summary, for the Wi-Fi WPA2 vulnerability to be exploited, the attacker must be physically co-located near the wireless signal he is trying to compromise. Even if the attacker is successful in compromising the Wi-Fi signal via the WPA2 security flaw, sensitive data being sent over that channel would likely be encrypted using SSL, ensuring it is still protected from the attacker.
Captive portal pages – a false sense of security
Sometimes, open “guest” networks will display a captive portal page asking for some personal information in exchange for access to their open Wi-Fi connection. These captive portal pages usually look like a standard web page, and most people rush through the process of handing over information in order to get online. So let’s stop and think about why captive portal pages are used.
There are three main drivers:
1. Limiting liability for risky user behavior
Establishments that provide “open guest access” are, by definition, providing neither user authentication nor data encryption, which presents an array of open Wi-Fi security problems. Guests can, for example, have data intercepted and PII or money stolen by a malicious actor.
If a captive portal is displayed before the connection is made, then the provider has a chance to rid themselves of legal liability by writing in the terms and conditions that they aren’t liable for any risky user activity or data theft before a user agrees.
2. Identifying their network
It’s not difficult for a hacker to create a malicious hotspot and advertise the same network name as a legitimate hotspot or business WLAN, causing nearby devices to connect to their malicious hotspot.
These malicious hotspots are called ‘Evil Twins’. Once victims connect and their traffic is routed through the malicious network, there are any number of things a hacker can do with that traffic, such as intercepting credentials and obtaining valuable PII and corporate communications.
The legitimate provider should present a captive portal page that looks on-brand. But beware: even these captive portals can be spoofed and injected into people’s devices.
3. For more targeted marketing
Establishments often use captive portal pages to gather data about the guest user in order to target them with more personalized marketing. This is especially effective when the option to log in using Facebook is offered, since the network provider then has access to a large amount of personal data.
So in summary, it’s not safe to assume that just because a provider is asking for credentials that you are on a secured connection and therefore safe from open Wi-Fi risks. Providers have other motives behind injecting this verification layer which perhaps don’t concern your data security.
Protecting your business from Wi-Fi risks
Wi-Fi security risks, products, and attacks will continue to emerge. Security admins still need to be aware of new threats, assess their security posture, and take appropriate action to protect their networks and their corporate devices. We recommend the following precautions:
- Avoid using open Wi-Fi networks to access sensitive information. Users should turn off Wi-Fi when trying to pay bills or make online purchases.
- If using public Wi-Fi is unavoidable, consider offering a VPN to your users. VPNs create a private network for your data in transit, adding an extra layer of security to your connection. You should ensure the VPN is routed securely and handled according to your organization’s standards (e.g., routing all of the traffic back through the HQ for processing).
- Have a security product that can detect insecure web services and block data leaks to dramatically reduce the risk that Wi-Fi threats pose.
- Configure your device settings to disable automatic connection to available Wi-Fi hotspots. This will prevent you from unknowingly connecting to public networks. It will also limit your digital exhaust. Enterprise Mobility Management (EMM) services can assist in managing device configuration centrally, eliminating the need to rely on end user action.
- Implement a Wi-Fi security solution that can identify insecure hotspots and alert admins during suspected MitM attacks.
The best way to protect your entire mobile fleet from Wi-Fi security risks is to have a Wi-Fi vulnerability solution monitoring device traffic at all times, ensuring that man-in-the-middle activity and communication with leaking apps and sites can be detected and blocked in real time. Get more advice in our full report.
Wi-Fi hotspots: Can you trust them?
Despite being mostly free, fast and widely available, Wi-Fi is a less secure connection than cellular. For someone with malicious intent and cheap equipment, every hotspot is a window to your sensitive data. So why do so many people blindly trust it?