People tend to favour Wi-Fi over cellular: it’s usually faster, it doesn’t tax your data plan and it’s widely available. However, there are many inherent risks in allowing your devices to connect to Wi-Fi networks. Read on to find out more about the many dangers of Wi-Fi, and how to deal with them.
WIRELESS INTERNET: CELLULAR VS WI-FI
The two major categories of wireless internet access are cellular and Wi-Fi. The obvious difference is that cellular is available almost everywhere, whilst Wi-Fi is only available within range of a Wi-Fi hotspot.
The advantages of Wi-Fi have meant that Wi-Fi traffic has exceeded that of cellular. Predictions show that by 2021, 63% of data used on a mobile will be from Wi-Fi, compared to 60% in 2016. Research shows that the number of Wi-Fi hotspots will grow six-fold, from 94 million in 2016 to 541.6 million in 2021.
As an attack vector, these hotspots are the perfect vehicle to intercept a user’s traffic. Using cheap and readily available tools, minimally skilled hackers can easily eavesdrop and monitor your online traffic to capture valuable information, such as login credentials and credit card details.
- STATIONARY HOTSPOTS
Typically called a “mobile broadband router,” stationary units include a Wi-Fi base station that supports multiple devices over a wide range such as an office.
- SMARTPHONE HOTSPOTS (TETHERING)
Smartphones have both cellular and Wi-Fi radios built in, and most phones can be made to connect the two and turn the device into a portable hotspot for tablets and laptops.
- PORTABLE HOTSPOTS (MIFI)
Portable hotspots are dedicated units that leverage 3G or 4G mobile phone networks and use this connection to create a mini wireless broadband hotspot for multiple devices to connect to.
- USB WI-FI DONGLES
Cellular service can be added to laptops by plugging in a small USB ‘dongle’.
- VEHICLE HOTSPOTS
In-vehicle cellular hotspots are offered by many manufacturers, and third-party devices are also made that plug into the On-Board Diagnostics (OBD) board, the vehicle’s electronic troubleshooting system.
- HOTSPOTS ON PUBLIC TRANSPORT
On certain train lines and buses, Wi-Fi is offered using a similar technology to vehicles. Many airlines offer inflight Wi-Fi via ground-based mobile broadband towers or satellite technology.
The accessibility and popularity of Wi-Fi make it the ideal avenue for hackers to intercept and manipulate traffic. Many of the attacks that occur over Wi-Fi involve a “Man-in-the-Middle” (MitM): the intention is usually to eavesdrop on communication, obtain data from the victim’s device or manipulate the data in transit.
When an attacker picks up the cookie crumbs your mobile device leaves as it connects to different hotspots.
Notes: Affects all users with Wi-Fi enabled, but is only a shallow privacy risk: no personal data is lost.
Laptops spend time listening for beacons from Wi-Fi access points, which contain the network name along with other information. On a smartphone, this constant ‘listening’ would be a major drain on the battery.
On iPhones, the alternative is known as Preferred Network Offload (PNO), meaning that every minute an employee’s smartphone has Wi-Fi enabled (but not connected), it broadcasts the name of every Wi-Fi network it has ever joined to the nearby vicinity. These probes can be described as ‘digital exhaust’.
This information is alarmingly easy to access: a small script that works on most Macs can listen to the probes sent out by any smartphone in the vicinity. iPhone users typically turn Wi-Fi off using the Control Center in iOS, but since the latest major upgrade, iOS 11, this doesn’t permanently turn off the radio; it only disconnects from any active networks. Android has exhibited the same behaviour since 4.4.2.
Another way to avoid digital exhaust is to regularly reset network settings, allowing the smartphone to ‘forget’ its learned networks.
When an attacker eavesdrops on your online activity while you’re both connected to the same network.
Notes: Affects all devices connecting to open Wi-Fi, but only a risk when using web services that do not encrypt traffic.
Unsecured networks make all data traffic visible to any malicious actor nearby who wants to see the online communications of the people around them. Almost every coffee shop, hotel, airport, train, hospital, etc., offers open Wi-Fi connectivity to its customers with zero security, encryption or privacy. Why is this the case?
Approximately 24.7% of Wi-Fi hotspots in the world do not use any encryption at all. Employees appear to be somewhat more conscientious with their corporate devices, perhaps because the security solutions implemented by IT management flag the risk of open Wi-Fi. Even so, users show few reservations about connecting to open Wi-Fi hotspots and typically favour convenience over security: a quarter (24%) of devices in Wandera’s network use open hotspots.
Worryingly, 59% of all leaks identified came from just three categories: news & sports, business & industry and shopping. A further 28% came from travel, entertainment, lifestyle and technology. All of these are categories that would normally be considered safe and allowed by IT administrators.
If any authentication is provided, it is often in the form of a captive portal. Even though the Apple, Windows and Android operating systems provide automatic HTTP detection of captive portal pages, many Wi-Fi networks spoof HTTPS certificates in order to redirect traffic to their portal.
PHYSICAL/NETWORK LAYER ATTACKS
When an attacker has physically compromised a wireless infrastructure or can tamper with signaling on the local network.
Notes: Affects only open Wi-Fi SSIDs that are learnt by the user’s device.
SSID spoofing is when a hacker advertises the same network name as a legitimate hotspot or business WLAN, causing nearby devices to connect to their malicious hotspot.
These malicious hotspots are called ‘Evil Twins’. To set one up, hackers can use tools to ‘listen’ to the probe requests coming from nearby devices (aka digital exhaust), discover SSIDs they’re connecting to, and automatically start advertising those SSID names.
Once clients connect and traffic is routed through the malicious network, then there are any number of things a hacker can do with that traffic such as intercepting credentials and obtaining valuable PII and corporate communications.
Looking at the vast list of frequently used hotspots within Wandera’s network reveals some common themes: many of the most heavily used hotspots belong to hotels, airports, retailers and mobile carriers.
The only effective defence against Evil Twins is server authentication, but unfortunately, today there is no standard for authentication to open Wi-Fi networks.
Your first defence is a solution that can alert the user before connecting to an open hotspot so they have a chance to think twice before connecting. However, this is only effective if end users are already aware of the risks. For deeper security, employ a solution that can detect and block a Man-in-the-Middle (MitM).
Address Resolution Protocol (ARP) Spoofing
Notes: Affects all devices connected to Wi-Fi networks running in promiscuous mode.
Also known as ARP Cache Poisoning, ARP spoofing is very simple to execute and is difficult to detect and defend against. It takes advantage of the unsecured nature of ARP requests.
An attacker connected to the same hotspot as a victim can fool two devices into thinking they are communicating with each other by associating the attacker’s MAC address with the IP address of the victim so that any traffic meant for the target will be sent to the attacker instead.
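As an added example of the defender’s side of ARP spoofing (this is not code from the original article, nor from Wandera or Mobliciti), the following Python script parses ARP replies out of raw Ethernet frames and raises an alert the moment an IP address that was previously bound to one MAC is claimed by a different MAC, rating a change to the gateway’s binding as HIGH. The MAC and IP addresses, and the three-frame “capture”, are constructed fixtures; the helper sample_frame exists only to build that test data.

```python
import struct
from dataclasses import dataclass

# Wire formats: 14-byte Ethernet header, 28-byte ARP body (IPv4 over Ethernet).
ETH = struct.Struct("!6s6sH")
ARP = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class ArpReply:
    sender_mac: str
    sender_ip: str
    target_ip: str


def parse_arp_reply(frame: bytes):
    """Return an ArpReply if `frame` is an Ethernet frame carrying an IPv4 ARP reply, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op != ARP_REPLY:
        return None
    return ArpReply(mac_str(sha), ip_str(spa), ip_str(tpa))


class ArpWatch:
    """Remembers the first MAC seen for each IP in ARP replies and alerts when a
    known IP is later claimed by a different MAC, the signature of cache poisoning.
    A change to the default gateway's binding is rated HIGH, anything else MEDIUM."""

    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.bindings: dict[str, str] = {}
        self.alerts: list[str] = []

    def observe(self, frame: bytes) -> None:
        reply = parse_arp_reply(frame)
        if reply is None:
            return
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = reply.sender_mac
        elif known != reply.sender_mac:
            severity = "HIGH" if reply.sender_ip == self.gateway_ip else "MEDIUM"
            self.alerts.append(
                f"{severity}: {reply.sender_ip} was {known}, now claimed by "
                f"{reply.sender_mac} (reply sent to {reply.target_ip})")


def sample_frame(sender_mac: bytes, sender_ip: bytes, target_mac: bytes, target_ip: bytes) -> bytes:
    """Constructed test fixture: an Ethernet frame containing one ARP reply."""
    return (ETH.pack(target_mac, sender_mac, ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip))


# Constructed addresses (not taken from any real network).
GATEWAY_MAC = bytes.fromhex("aabbcc000001")
LAPTOP_MAC = bytes.fromhex("aabbcc000002")
OTHER_MAC = bytes.fromhex("aabbcc0000ff")
GATEWAY_IP = bytes([192, 168, 1, 1])
LAPTOP_IP = bytes([192, 168, 1, 20])

# Constructed capture: two legitimate replies, then the gateway's IP answered from a third MAC.
SAMPLE_CAPTURE = [
    sample_frame(GATEWAY_MAC, GATEWAY_IP, LAPTOP_MAC, LAPTOP_IP),
    sample_frame(LAPTOP_MAC, LAPTOP_IP, GATEWAY_MAC, GATEWAY_IP),
    sample_frame(OTHER_MAC, GATEWAY_IP, LAPTOP_MAC, LAPTOP_IP),
]


def run_sample() -> list[str]:
    """Feed the constructed capture through ArpWatch and return the alerts it produced."""
    watch = ArpWatch("192.168.1.1")
    for frame in SAMPLE_CAPTURE:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The detector keys on the binding change rather than on any particular tool, which is also what tools such as arpwatch do in practice; on a real network the frames would come from a packet capture on the interface instead of SAMPLE_CAPTURE, and a legitimate change (a replaced router) would show up as the same alert, so the output is a signal for investigation rather than proof of an attack.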
Notes: Affects only open WPA2 on unpatched operating systems.
In October 2017, researchers discovered a serious weakness in WPA2, the security protocol that protects most modern Wi-Fi networks.
The weakness allows anyone to break the security layer that is established between a wireless device and the targeted Wi-Fi network, essentially exposing network traffic, including passwords, chat messages and photos to the attackers.
In theory, every key on every device should be unique, but this vulnerability in WPA2 allows hackers to manipulate communications between routers and devices so that the keys can be reused.
This weakness is present in the Wi-Fi standard itself; it is not a vulnerability in an individual product or a specific implementation. This means that every instance of WPA2 contains the weakness, thus impacting a wide range of devices and operating systems, from Android and Apple to Linux and Windows.
For the WPA2 weakness to be exploited, the attacker must be physically co-located near the wireless signal they are trying to compromise.
HIGHER-LAYER PROTOCOL ATTACKS
When an attacker tampers with the connection that is established between a client application and the Internet.
Secure Socket Layer (SSL) Strip
Notes: Affects only certain apps and websites that don’t enforce HSTS, meaning an unencrypted version of the website will be served if the encrypted version is not supported.
The most common security protocol compromise is SSL stripping, also known as an HTTP-downgrading attack. HTTPS uses an encrypted tunnel, commonly called SSL, to send and receive data. In SSL Strip, all the traffic from the victim’s machine is routed via a proxy created by the attacker, which forces the victim’s browser to communicate with the server in plain text.
The attack only affects certain websites and apps that don’t enforce HSTS (HTTP Strict Transport Security). HSTS ensures that a website will only load securely, or it will not load at all.
Notes: Affects only certain apps and websites that don’t enforce HSTS or use TLS.
Session hijacking through cookie stealing involves HTTP sessions. Websites that require login credentials are a good example of session-oriented connections. You must be authenticated by the website with your username and password to formally set up the session.
As with previous attacks, nothing that goes across an unencrypted connection is safe, and HTTP session data is no different. The principle behind most forms of session hijacking is that if certain portions of the session establishment can be intercepted, that data can be used to impersonate a user and access session information. If a hacker captured the cookie used to maintain the session between your browser and the website you are logged into, they could present that cookie to the web server and impersonate your connection on another website.
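Both SSL stripping and cookie theft come down to what the server tells the browser. As an added example (not from the article, nor from Wandera or Mobliciti), this Python script audits a raw HTTP response for the Strict-Transport-Security header discussed above and for the Secure and HttpOnly attributes on each Set-Cookie header, reporting the weaknesses that make a downgrade or a stolen session cookie usable. The two responses and the cookie name sessionid are constructed samples, and the six-month max-age threshold is an assumption modelled on common preload-list guidance rather than a figure from the article.

```python
from dataclasses import dataclass, field

# Assumption: six months is the minimum HSTS max-age we treat as adequate
# (our own threshold, modelled on common preload-list guidance).
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool


@dataclass
class AuditResult:
    hsts_present: bool = False
    hsts_max_age: int = 0
    hsts_subdomains: bool = False
    cookies: list = field(default_factory=list)
    issues: list = field(default_factory=list)


def parse_headers(raw: str):
    """Split a raw HTTP response into its status line and (name, value) pairs.
    Header names are lower-cased; values keep their case."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status_line, headers = lines[0], []
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def audit_response(raw: str) -> AuditResult:
    """Check the HSTS policy (SSL-strip resistance) and cookie attributes (session theft)."""
    _, headers = parse_headers(raw)
    result = AuditResult()
    for name, value in headers:
        if name == "strict-transport-security":
            result.hsts_present = True
            for directive in value.split(";"):
                directive = directive.strip().lower()
                if directive.startswith("max-age="):
                    try:
                        result.hsts_max_age = int(directive.split("=", 1)[1].strip('"'))
                    except ValueError:
                        result.issues.append("HSTS max-age is not a number")
                elif directive == "includesubdomains":
                    result.hsts_subdomains = True
        elif name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].split("=", 1)[0]
            attrs = {p.lower() for p in parts[1:]}
            cookie = CookieFinding(cookie_name, "secure" in attrs, "httponly" in attrs)
            result.cookies.append(cookie)
            if not cookie.secure:
                result.issues.append(
                    f"cookie {cookie_name} lacks Secure: a browser would also send it over plain HTTP")
            if not cookie.httponly:
                result.issues.append(
                    f"cookie {cookie_name} lacks HttpOnly: readable by page scripts")
    if not result.hsts_present:
        result.issues.append(
            "no Strict-Transport-Security header: a downgraded http:// link will be followed")
    elif result.hsts_max_age < MIN_HSTS_MAX_AGE:
        result.issues.append(
            f"HSTS max-age {result.hsts_max_age}s is shorter than {MIN_HSTS_MAX_AGE}s")
    return result


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "->", audit_response(raw).issues or ["no issues"])
```

Note that HSTS only helps a browser that has already seen the header over a genuine HTTPS connection (or has the site in its preload list), which is why the article’s “first visit” caveat matters; the Secure attribute closes the other half of the problem by stopping the browser from ever sending the session cookie over the stripped HTTP connection.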
Domain Name System (DNS) Spoofing
Notes: Only affects devices that connect to apps and websites that don’t enforce HSTS or use TLS.
DNS is the protocol that maps user-friendly domain names to IP addresses. DNS spoofing is a MitM technique that supplies a false IP address in response to a request the browser makes for a domain.
For example, when you type a web address such as www.mybank.com into the browser, a DNS request with a unique identification number is made to a DNS server. The attacker could use an ARP spoof or other inline method to intercept the DNS request. From there the attacker can respond to the DNS request with their own malicious website’s IP address using the same identification number so that it is accepted by the victim’s computer.
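The attack described above succeeds when the victim accepts any answer that carries the right identification number. As an added example (not from the article, nor from Wandera or Mobliciti), the following Python code shows the checks a cautious stub resolver applies before trusting a response: matching transaction ID, the QR bit set, a question section that is byte-for-byte identical to the one it sent (which is what turns a mixed-case query name, the “0x20” technique, into extra entropy a forger has to guess), and a matching source port. The name www.MyBank.com is the article’s example domain with constructed capitalisation; the transaction IDs, ports and addresses are constructed fixtures, and build_response exists only to produce test data for the validator.

```python
import struct

DNS_HEADER = struct.Struct("!HHHHHH")     # id, flags, qdcount, ancount, nscount, arcount
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels, keeping letter case."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name at `off`; returns (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                           # compression pointer
            pointer = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(name: str, txid: int) -> bytes:
    """Constructed stub-resolver query (recursion desired) for an A record."""
    return (DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN))


def build_response(txid: int, qname: str, ip: str) -> bytes:
    """Constructed test fixture only: a response echoing `qname` with a single A record."""
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, len(rdata)) + rdata
    return DNS_HEADER.pack(txid, 0x8180, 1, 1, 0, 0) + question + answer


def validate_response(query: bytes, response: bytes, sent_to_port: int, src_port: int):
    """Return (accepted, reason). A response is accepted only if it came back from the
    port the query went to, carries the same transaction ID, has the QR bit set and
    repeats the question section byte-for-byte."""
    if src_port != sent_to_port:
        return False, "source port mismatch"
    if len(response) < DNS_HEADER.size:
        return False, "truncated header"
    qid, _, qdcount, *_ = DNS_HEADER.unpack_from(query, 0)
    rid, flags, rqdcount, *_ = DNS_HEADER.unpack_from(response, 0)
    if rid != qid:
        return False, "transaction ID mismatch"
    if not flags & 0x8000:
        return False, "QR bit not set"
    if rqdcount != qdcount:
        return False, "question count mismatch"
    try:
        _, q_end = decode_name(query, DNS_HEADER.size)
        _, r_end = decode_name(response, DNS_HEADER.size)
    except IndexError:
        return False, "malformed question section"
    if query[DNS_HEADER.size:q_end + 4] != response[DNS_HEADER.size:r_end + 4]:
        return False, "question section does not match query"
    return True, "accepted"


def answer_ips(response: bytes) -> list:
    """Extract IPv4 addresses from the answer section of an already validated response."""
    _, _, qdcount, ancount, *_ = DNS_HEADER.unpack_from(response, 0)
    off = DNS_HEADER.size
    for _ in range(qdcount):
        _, off = decode_name(response, off)
        off += 4                                            # skip qtype and qclass
    ips = []
    for _ in range(ancount):
        _, off = decode_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", response, off)
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            ips.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return ips


if __name__ == "__main__":
    query = build_query("www.MyBank.com", 0x1A2B)
    genuine = build_response(0x1A2B, "www.MyBank.com", "203.0.113.10")
    forged = build_response(0x1A2B, "www.mybank.com", "198.51.100.66")   # right ID, wrong case
    print(validate_response(query, genuine, 53, 53), answer_ips(genuine))
    print(validate_response(query, forged, 53, 53))
```

These checks raise the bar for an off-path forger, but they do nothing against the on-path attacker the article describes, who sees the query and can copy its ID and question exactly; for that case the defences are the ones the article names (TLS with certificate validation and HSTS on the destination) together with DNSSEC validation or encrypted DNS to the resolver.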
ATTACKS ON THE DEVICE TRUST MODEL
When the attacker tampers with a user’s device configuration, forcing it to implicitly trust the attacker and their malicious services.
Notes: Requires an individual device to be hijacked, and is often initiated via a phishing attack or personalised message.
SSL certificates are a way of digitally certifying the identity of a website. They inform the user that their personal information has been encrypted into an undecipherable format that can only be recovered with the proper decryption key.
If a malicious third-party root certificate authority (CA) is installed and trusted on the device, a malicious actor can craft a certificate for any resource and the end user will see no error prompt at all.
Wandera’s research shows that 4% of corporate mobile devices have come into contact with a MitM attack in the past month. These range from intercepting data leaks to motivated attacks that compromise the device trust model.
The heatmaps below show the prevalence of high-severity Man-in-the-Middle attacks, meaning the hacker has tampered with SSL certificates to execute the attack. The first map suggests these serious attacks are taking place in the world’s developed regions.
It might be tempting to think of Wi-Fi threats as only issues to be concerned about in notoriously dangerous places like China or Ukraine. However, the data shows that even more privacy and security-conscious locations, such as those in Western Europe and North America, are vulnerable to them. As is the case with many other kinds of threats, attackers are targeting the places they believe they can get the biggest gains – and that means aiming at US and European businesses. This is a global issue that must be taken seriously.
HOW MOBLICITI CAN HELP
Mobliciti can provide you with both these solutions, giving you access to over 62 million global trusted hotspots and MTD software which can prevent, detect and contain threats.
Get in touch today, to find out how we can help your business.