A Google search for “security risks of public Wi-Fi hotspots” returns hundreds of articles giving specifics of wireless threats and the security measures hotspot users must take while using public Wi-Fi networks. But do wireless hotspot users understand all the security risks associated with public Wi-Fi networks? Without understanding the real risks, it is hard for hotspot users to assess free or fee-based endpoint security solutions, and they may end up relying on a solution that claims protection against every wireless attack that can be launched on a public Wi-Fi network and its connected users. Users must therefore understand all the security threats and their implications while using the services of an insecure public Wi-Fi network. This blog aims to highlight five lethal wireless security threats and explain why the most often recommended mitigation strategies are not enough.
Types of Wireless Attacks in Public Wi-Fi Networks
1. Eavesdropping
Public Wi-Fi networks are mostly configured without any Wi-Fi security for the users' convenience, and are therefore easy prey for eavesdropping. Anyone with malicious intent, using freely available software, can snoop on the traffic of a public Wi-Fi user while within radio range of that user. The traffic can include credit card details, bank account details, passwords, emails, instant messages and so on, the leakage of which can be extremely damaging for the user.
2. Impersonation
a. Wireless Client Impersonation
The identity of a Wi-Fi capable device, its MAC address, remains visible over the air while the device is searching for or connected to a Wi-Fi network, so any device connected and authenticated to an insecure public Wi-Fi network can easily be impersonated. By exploiting this, a hacker can use an authenticated device's MAC address to bypass user authentication on a particular public Wi-Fi network. This can have serious implications for the user of the impersonated device.
b. User’s Identity Impersonation
The identity of a public Wi-Fi user can be impersonated by stealing the cookies of sessions established over an insecure public Wi-Fi network. Many web services use cookies to identify a user's active session and send these cookies in plaintext, making them visible to hackers in range. Recently, a tool called “Firesheep” was released to expose this weakness in web services such as Facebook and Twitter, and to show how easily it can be exploited to impersonate a user's identity over insecure public Wi-Fi networks.
3. Man-in-the-middle Attack (MITM)
An MITM attack can easily be mounted in an insecure Wi-Fi network using readily available Wi-Fi tool suites such as Aircrack-ng. After successfully launching an MITM attack, the attacker takes complete control over the wireless data flowing to and from Wi-Fi users, and can even snoop on HTTPS-based web sessions using a tool called SSLStrip. There are two popular tricks for launching an MITM attack in an insecure public Wi-Fi network.
a. Honeypot
A honeypot is a Wi-Fi network planted by an attacker which appears to be a public Wi-Fi network by the name it advertises, for example “Free public Wi-Fi” or “Free Wi-Fi”. This is a very popular trick for launching a man-in-the-middle attack on public Wi-Fi users. As the flow of data traffic remains seamless and transparent, a wireless user on a honeypot remains unaware of the underlying MITM attack he or she is subjected to.
b. Evil Twin
An evil twin is a variant of the honeypot attack which exploits the fact that a Wi-Fi client device is configured to connect to a wireless network identified by its name, the service set identifier (SSID), and not by the identity of its access points (APs). In an “evil twin” attack, the attacker creates a twin of an insecure authentic public Wi-Fi network by advertising the same SSID. After setting up the evil twin, the attacker can lure the wireless client device onto the fake network by preventing it from connecting to the authentic network with a DoS attack. Sometimes the attacker can also confuse and lure wireless clients to the fake evil twin AP by increasing the transmit power of the planted AP.
4. Peer-to-peer Attack
A peer-to-peer attack can be mounted by accessing another Wi-Fi user's machine over an ad hoc connection or via a common access point advertising the same Wi-Fi network. Many APs forward wireless traffic directly over the air if both sender and receiver are connected to the same AP. A Wi-Fi user connected to an insecure public Wi-Fi network is vulnerable to a peer-to-peer attack if client isolation, also known as public secure packet forwarding (PSPF), is not enabled in the network. Client isolation/PSPF is an enterprise-grade feature and works effectively on centrally controlled WLAN systems. Unfortunately, due to the high cost of deploying a controller-based WLAN system, many public Wi-Fi networks use standalone SOHO-grade wireless access points. By exploiting a peer-to-peer attack over a public Wi-Fi service, a hacker can easily target a user of that service.
5. Unintended Client Connection
An unintended connection is one which happens without the user's knowledge. The anatomy of an unintended connection is as follows. When connecting to a Wi-Fi network, the Wi-Fi client device saves the network details in its memory so that it can keep the connection intact by automatically reconnecting if it loses the connection with the network.
However, saving the network details can cause an unwanted connection to a Wi-Fi network of which the wireless user remains completely uninformed. The tendency to establish unintended connections is a big threat for users carrying Wi-Fi enabled devices which remain on most of the time, such as Wi-Fi capable smartphones. Such a device can easily be exploited by a hacker who advertises a fake Wi-Fi network with the same details as the saved one. If the unintended connection succeeds on the hacker's fake network, the many cloud-based applications residing on most smart mobile devices will start uploading and downloading the user's private data to their respective cloud servers, causing the user's data to flow over the hacker-controlled network. Moreover, an unintended connection gives no opportunity to activate and run secure tunnelling software such as a virtual private network (VPN).
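As an added example (not code from the original post), the following Python script checks a Wi-Fi scan against a venue's known access points and a client's saved profiles, flagging the evil-twin exposure of section 3b and the unintended-connection exposure of section 5 from the defender's side. All SSIDs, BSSIDs, signal values and the saved-profile list are constructed sample data, and the rule that a saved profile only matches a beacon with the same security type is a modelling assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    """One observed beacon frame (constructed, not a real capture)."""
    ssid: str       # network name; the only identity most clients select on
    bssid: str      # AP MAC address; clients do not check it before joining
    security: str   # "open" or "wpa2"
    rssi: int       # signal in dBm; closer to 0 is stronger

# Assumed allowlist: BSSIDs the venue really operates for each SSID.
KNOWN_BSSIDS = {"CafeGuest": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}
# Assumed client state: saved profiles that auto-reconnect, with security type.
SAVED_PROFILES = {"CafeGuest": "open", "Airport_Free": "open", "HomeNet": "wpa2"}
# Constructed scan: the genuine cafe AP, a louder twin of it, a lure for a
# saved open profile, and an open AP reusing a saved WPA2 name.
SAMPLE_SCAN = [
    Beacon("CafeGuest", "00:11:22:33:44:01", "open", -67),
    Beacon("CafeGuest", "aa:bb:cc:dd:ee:ff", "open", -41),
    Beacon("Airport_Free", "aa:bb:cc:dd:ee:fe", "open", -55),
    Beacon("HomeNet", "aa:bb:cc:dd:ee:fd", "open", -50),
]

def find_evil_twins(beacons, known=KNOWN_BSSIDS):
    """Beacons advertising a known SSID from a BSSID the venue does not operate."""
    return [b for b in beacons if b.ssid in known and b.bssid not in known[b.ssid]]

def likely_chosen_ap(beacons):
    """Strongest beacon per SSID: most clients pick it, which is why a twin runs loud."""
    best = {}
    for b in beacons:
        if b.ssid not in best or b.rssi > best[b.ssid].rssi:
            best[b.ssid] = b
    return best

def unintended_join_exposure(beacons, profiles=SAVED_PROFILES, known=KNOWN_BSSIDS):
    """SSIDs the client would auto-join from an AP that is not the genuine network."""
    exposed = set()
    for b in beacons:
        # Assumed rule: a saved profile only matches a beacon with the same security
        # type, so an open AP reusing a saved WPA2 name is not auto-joined or reported.
        if profiles.get(b.ssid) != b.security:
            continue
        if b.ssid not in known or b.bssid not in known[b.ssid]:
            exposed.add(b.ssid)
    return sorted(exposed)
```

Run against a live scan, these are the same checks a basic wireless IDS performs; the BSSID allowlist is the part an operator has to maintain, and the saved-profile list is what a user can shrink by forgetting open networks.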
Solutions Recommended by Wireless Experts
1. Use of password protected Wi-Fi Network
You may often find advisories recommending password-protected Wi-Fi networks. A password-protected Wi-Fi network can be either WEP enabled or WPA/WPA2 passphrase based. WEP provides no real security, as it can be cracked in a few minutes using off-the-shelf hardware and software tools freely available on the Internet. A WPA/WPA2 passphrase is more robust than WEP, but in public Wi-Fi networks, sharing the password defeats the purpose. Tools such as Wireshark (http://www.wireshark.org/), freely available on the Internet, can be used with the shared key to strip the security cover from the encrypted wireless data of WEP or WPA/WPA2 passphrase enabled networks.
Snapshot of Wireshark option for decryption of encrypted wireless data
2. Captive Portal
A captive portal is implemented in public Wi-Fi networks to prevent unauthorized, unknown or unpaid access to the Internet. It is often based on a username and password, which wireless users mistakenly take for security. It is a first line of defence for the service provider and offers no security to wireless hotspot users.
3. Use of VPN
A VPN does provide security on an insecure public Wi-Fi network and helps protect private data exchange, provided it can be set up reliably after the wireless connection is established. A motivated attacker can still prevent a wireless user from using a VPN on an insecure public Wi-Fi network by disrupting the communication and forcing the user to browse without the VPN. Other weaknesses associated with the use of a VPN are discussed in this blog:
4. Only use SSL encrypted websites
Only a handful of web services implement complete HTTPS sessions. Moreover, as mentioned earlier, tools such as SSLStrip are available that can strip SSL security from a session. A tech-savvy user may notice the difference, but a naive user will not and can still fall victim to a wireless attacker.
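The following Python check, added here and not part of the original post, audits an HTTP response for the two weaknesses discussed above: session cookies without the Secure flag, which travel over plain HTTP and are what Firesheep picked up on the air (section 2b), and a missing Strict-Transport-Security header, which leaves a returning browser open to SSL stripping (section 4). The response is a constructed sample and the six-month max-age threshold is an assumption.

```python
# Constructed sample: a response that sets its session cookie without protection
# flags and sends no HSTS policy (not a real site's output).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)

def parse_headers(raw):
    """Split a raw HTTP response into its status line and (name, value) headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def weak_cookies(headers):
    """Cookies missing Secure (so they are sent over plain HTTP, where a sniffer
    in radio range reads them) or HttpOnly (so page scripts can read them)."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        if missing:
            findings.append((cookie, missing))
    return findings

def has_hsts(headers, min_age=15768000):
    """True if Strict-Transport-Security carries max-age >= min_age seconds (six
    months assumed); a browser that has seen it refuses plain HTTP to the site."""
    for name, value in headers:
        if name != "strict-transport-security":
            continue
        for part in value.split(";"):
            key, _, val = part.strip().partition("=")
            if key.lower() == "max-age" and val.isdigit() and int(val) >= min_age:
                return True
    return False
```

HSTS only protects a browser that has already received the header over HTTPS, so a first visit remains exposed to stripping unless the domain is on the browsers' preload list.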
Conclusion
Users of insecure public Wi-Fi networks are vulnerable whenever they use these networks, and they may remain vulnerable even after using them. Turning on the firewall on the client device only restricts a malicious user from actively scanning and penetrating the victim's wireless client device. A VPN service provides limited security in certain scenarios. Since the footprint of Wi-Fi is getting wider and bigger, it is high time to build secure public wireless networks which have their own intelligence for managing security on behalf of users. To achieve this goal, the Wi-Fi Alliance is working on a new specification to bring security and roaming to public Wi-Fi hotspot users, but that may require firmware upgrades on millions of Wi-Fi capable client devices already in the market.
Airegis's unique and innovative solution helps wireless service providers position themselves uniquely in the market by offering a secure wireless service, thereby letting wireless users use public Wi-Fi networks for all private data communication without requiring any software upgrade on the wireless client device and without subscribing to any third-party security solution. Moreover, it is fully compliant with today's most robust security configurations for wireless networks. Hence any Wi-Fi client device certified by the Wi-Fi Alliance can avail itself of the benefits of secure public Wi-Fi networks powered by Airegis.