GUEST BLOG: Martin Lethbridge from WatchGuard Technologies explores the risks of ubiquitous wireless and provides some tips for creating a secure Wi-Fi hotspot.
Our list of basic needs includes food, shelter, water and energy. But if you ask people what else they could not live without, chances are they would put Wi-Fi near the top of the list. Guest Wi-Fi has become a ubiquitous offering across many sectors. In the hospitality industry, travellers now rank free Wi-Fi access as their number one criterion in selecting a hotel.
The drive to ubiquitous Wi-Fi is also being driven by mobile operators using ‘hand-over’ to W-Fi networks as a way of supplementing limited spectrum to meet the demand for capacity, along with the fast-growing Internet of Things. Depending on who you believe, the number of connected devices – ranging from fridges and lightbulbs to home security systems and cars – will be anything up to 20 billion by 2020.
According to iPass, the number of Wi-Fi hotspots is predicted to grow from 23 million in 2014 to almost 300 million in 2018. But this increasing demand for anytime, anyplace connectivity, means that we are inclined to jump onto Wi-Fi hotspots at cafes, hotel, airports or company guest networks, with only passing concerns about security. As a result, this has created a perfect hunting ground for attackers.
Hotspots that require no passwords are open, using no encryption meaning that anyone with a simple packet sniffer can potentially pick up your login credentials to sensitive websites and applications. Hotspots that require a ‘password of the day’ are encrypted but a sophisticated Wi-Fi attacker can exploit this and decrypt the traffic with ease using easily-available Wi-Fi hacking toolkits. Hotspots that invite us to log in using social network credentials are increasingly popular as they allow businesses to use demographic information such as age, gender and occupation to target personalised content and advertisements.
And of course, the risks from hotspots are further compounded because access devices are typically personal and unmanaged by Mobile Device Management (MDM) systems that can enforce security policies.
Top Eight Wi-Fi risks
Wi-Fi Password Cracking
Wireless access points that still use older security protocols such as WEP, make for easy targets because these passwords are notoriously easy to crack.
Nothing physically prevents a cyber criminal from enabling a foreign access point near your hotspot with a matching SSID that invites unsuspecting customers to log in. Users that fall victim to the rogue access point are susceptible to a malicious code injection that often goes unnoticed.
It’s possible to mimic a hotspot using portable hardware such as The Pineapple, which is small enough to be stored in a back pack and costs as little as £150. This pretends to be the genuine Wi-Fi connection – so when an unsuspecting user connects, they are actually connecting to a hacking device.
Customers who join a guest wireless network are susceptible to unknowingly walking out with unwanted malware, delivered from bad-intentioned neighbouring users. A common tactic used by hackers is to plant a backdoor on the network, which allows them to return at a later date to steal sensitive information. There are common hacking toolkits to scan a Wi-Fi network for known vulnerabilities and exploit them in various ways. In the hotel industry, security researchers reported vulnerabilities in many hotel Wi-Fi routers.
Joining a wireless network puts users at risk of losing private documents that may contain highly sensitive information to cyber thieves who opportunistically intercept data being sent through the network. In retail environments, attackers focus their efforts on extracting payment transaction details such as credit card numbers, customer identities and mailing addresses.
Guests run the risk of having their private communications intercepted, or packet sniffed, by cyber snoops while on an unprotected wireless network
Inappropriate and Illegal Usage
Businesses offering guest Wi-Fi risk playing host to a wide variety of illegal and potentially harmful communication. Adult or extremist content can be offensive to neighbouring users and illegal downloads of protected media leave the business susceptible to copyright infringement lawsuits.
As the number of wireless users on the network grows, so does the risk of a pre-infected client entering the network. Mobile attacks, such as Android’s Stagefright, can spread from guest to guest, even if victim zero is oblivious to the outbreak.
Avoiding the security threats
There are best practices, which will help secure your Wi-Fi network. The first is to implement the latest WPA2 Enterprise (802.1x) security protocol wherever possible; it’s one of the hardest encryption methods to crack. All Wi-Fi traffic should also, at a minimum, be inspected for viruses and malware, including zero day threats and advanced persistent threats. Application ID and control will monitor and optionally block certain risky traffic, while web content filtering will prevent unsuspecting users from accidentally clicking a hyperlink that invites exploitation, malware and backdoors to be loaded into your network.
Other measures include using strong passwords and changing them regularly; scanning for rogue Access Points (Aps) and whitelisting MAC addresses when possible. Finally, narrowing the Wi-Fi range will also reduce your risks.
The speed of Wi-Fi adoption has led to a disconnect between access and security. Many early APs and corresponding management systems focused purely on getting clients to connect with limited attention to protecting users and their data. But the security industry is now driving secure Wi-Fi solutions by extending physical network safeguards to wireless networks and also providing better network visibility to overcome a major security blind-spot. There is no longer any excuse for providing unsecure Wi-Fi and we shouldn’t have to feel we are living dangerously whenever we log on to a Wi-Fi hotspot.
Visit WatchGuard at Wi-Fi Now 2016 in London, October 25-27 or go to www.watchguard.com