Beware from Wi-Fi Hackspots!

The popularity of public Wi-Fi hotspots are growing tremendously and it is evident from the fact that Wi-Fi hotspots are being embraced aggressively for various reasons, such as customer acquisition for a business by offering Free Wi-Fi service, to promote some service over public Wi-Fi network, to offload cellular traffic, or to provide netizens access to the Internet at public places.  Google partnership with Ozone for providing free internet access for Google+ users in India is one example of how businesses are using public Wi-Fi to promote their services. Similarly, Malaysia has introduced a law making it mandatory for eateries to provide Wi-Fi service to their patrons.

Unfortunately, what is being ignored in this popularity is that insecure Wi-Fi hotspots can pose serious security threats to their wireless users. Majority of today’s public Wi-Fi hotspots installed at Hotels, Cafes, and Restaurants, Airports and other public places do not provide robust security to the user Wi-Fi connection, and hence hotspots users are vulnerable to various security risks.  Due to thesecurity vulnerabilities, public Wi-Fi hotspots have become new haven for wireless hackers, and therefore the hotspots are being increasingly termed as Hackspots. In this blog, we will see types of Wi-Fi hotspot setups mushrooming in public places and why they are being termed as next generation Hackspots.

Most of Wi-Fi hotspot deployments can be categorized into two:-

   

     1. Open Configured Wi-Fi Hotspots

      In this type of Wi-Fi hotspot service, any user with Wi-Fi enabled device can connect to the wireless network. Once connected, the user gets redirected to a web page, also called as login/captive portal, for carrying out user authentication with the service provider. At times in fee based Wi-Fi service, wireless users have option to buy

data bandwidth from the same login portal.

      In this type of Wi-Fi hotspots, user’s private data travel unencrypted and hence can be snooped easily. Wireless users have to rely on third party software which can encrypt data before transmitting them in the air.

 2. Password Protected Wi-Fi Hotspots

A lot of WISPs provide security enabled Wi-Fi service. In this type of Wi-Fi network, same common password or key is shared among its users. Wireless users have to use that key to make connection with the Wi-Fi hotspot service. After connecting to Wi-Fi hotspot, users may be redirected to captive portal for an additional user authentication, or for the purchase of Internet usage.

In this type of Wi-Fi hotspots, though user’s private data travel encrypted, yet they can be decoded easily as wireless key or password is shared among wireless users.

A lot of wireless users have misconception that they can use SSL secured websites in public Wi-Fi hotspots e.g. accessing Google+ social network from any of free public Wi-Fi hotspots allowing their users to access Google+ freely. They are unaware of wide array of security problems that exist in public Wi-Fi hotspot and how SSL secured website can be tricked to steal user’s private data. A more details explanation is available here.

Even use of VPN does not provide full protection. Unfortunately, in a Wi-Fi hotspot where users have free access to a limited set of websites, it is impossible to use VPN for data privacy. Wireless users unaware of the limitation of VPN service can find more details here.

Conclusion

In the absence of robust  and simplified Wi-Fi  security measures, today’s Wi-Fi hotspots have turned into Hackspots, as hotspot user’s confidential data such as bank account details, credit card number, private emails, instant messages can be sniffed out from these Wi-Fi hotspots. Awareness about security threats of wireless hotspots is also increasing causing lot of users to be hesitant in using the services of Wi-Fi hotspots. The lack of security requires immediate action from WISPs for provisioning robust and simplified security measures for their hotspots, so as to restore the faith of hotspot users by protecting them from hackers. Interestingly, new standard for Wi-Fi hotspots, called Hotspot 2.0, has an option for secure Wi-Fi service. Unfortunately, Hotspot 2.0 is a newly introduced standard by Wi-Fi alliance and hence its adoption will take whole lot of ime as this requires millions of already deployed wireless hotspots as well as wireless client device to be upgraded to Hotspot 2.0.

Airegis unique and innovative solution helps WISPs uniquely position themselves in the market by offering secure wireless service and thereby helping wireless users use public Wi-Fi networks for all private data communication without requiring any software upgrade on wireless client device and without subscribing any third party solution for security. Moreover, it is fully compliant with today’s most robust security configurations for wireless networks. Hence any Wi-Fi client device certified by Wi-Fi alliance can avail the benefits of secure public Wi-Fi networks powered by Airegis.

Security Risks of Using Insecure Public Wi-Fi Networks

Doing a Google search for “security risks of public Wi-Fi hotspots” can pop up hundreds of links to odd articles giving specifics of wireless threats and security measures that wireless hotspot users must take on while using public Wi-Fi networks. But, do wireless hotspot users understand all possible security risks associated with public Wi-Fi networks? Without understanding real risks, it is hard for wireless hotspot users to assess any free or fee based end point security solutions and they may end up relying on virtual solution that claim protection against all wireless attacks that can be launched on public Wi-Fi networks and its connected wireless users. Therefore, users must understand all security threats and their implications while using the services of an insecure public Wi-Fi network. The blog aims to highlight five lethal wireless security threats and why the most often recommended mitigations strategies are not enough.

Types of Wireless Attacks in Public Wi-Fi Networks

      1. Eavesdropping

Public Wi-Fi networks are mostly configured without any Wi-Fi security for user’s convenience, and therefore are easy prey to eavesdropping attack. Anyone with malicious intents, using freely available software, can easily snoop on the conversation of a public Wi-Fi user when present in the radio range of the later. The conversation can potentially include  information’s, such as,  credit card details, bank account details, passwords, emails, instant messages etc., leakage of which can be extremely damaging for a user.

      2. Impersonation

a.       Wireless Client Impersonation

Identity of a Wi-Fi capable device called MAC address remains visible in the air while searching or connected to a Wi-Fi network, any Wi-Fi device connected and authenticated to a insecure public Wi-Fi network can be easily impersonated. By exploiting such an impersonation, a hacker can use an authenticated device MAC address to bypass user authentication for accessing a particular public Wi-Fi network. This can potentially have serious implications for the user of the impersonated Wi-Fi device.

b.      User’s Identity Impersonation

Identity of a public Wi-Fi user can be impersonated by stealing cookies related to various sessions established over a insecure public Wi-Fi network.  A lot of web services use cookies to identify an active session of a user, and send these cookies in plaintext making them visible to hackers in range. . Recently, a tool called “Firesheep” was released to expose the above weakness in various web services such as Facebook, Twitter etc., and how the weakness can be easily exploited impersonate user's identity over insecure public Wi-Fi networks.

      3. Man-in-the-middle Attack (MITM)

MITM attack can be easily simulated in an insecure Wi-Fi network environment using easily available Wi-Fi tool suites such as Aircrack-ng. After successfully launching MITM attack, attacker takes complete control over wireless data flowing to/from Wi-Fi users. Attacker can even snoop into HTTPS based web using a tool called SSLStrip. There are two popular tricks of launching MITM attack in an insecure public Wi-Fi network.

a.       Honeypot

Honey pot is a Wi-Fi network planted by an attacker which appears to be a public Wi-Fi network by the name it advertises for example-“Free public Wi-Fi”, “Free Wi-Fi” etc. This is a very popular trick for launching Man-in-the-middle attack on public Wi-Fi users.  As the flow of data traffic remains seamless and transparent, the wireless user on a Honeypot remains ignorant of underlying MITM attack he/she is subjected to.

b.       Evil Twin

Evil twin is a variant of Honeypot attack which exploits the fact that a Wi-Fi client device is configured to connect to a wireless network identifiable by its name called service set identifier (SSID) and not by identity of access points (APs).  In an “evil twin” attack, an attacker can create a twin of an insecure authentic public Wi-Fi network by advertising the same authentic SSID. After setting up an 'evil twin', the attacker can easily lure the wireless client device to its own fake network by preventing it to connect to the authentic wireless network by launching DoS attack. Sometimes attacker can confuse and lure wireless clients to fake evil twin AP by increasing transmit power on the planted AP.

      4. Peer-to-peer Attack

Peer-to-peer attack can be instrumented by accessing other Wi-Fi user’s machine over an adhoc connection or via common Access points advertising the similar Wi-Fi network. A lot of APs forward wireless traffic directly over-the-air if both sender and receiver are connected to the same AP. A Wi-Fi user when connected to an insecure public Wi-Fi network is vulnerable to peer-to-peer attack if client isolation also known as public secure packet forwarding (PSPF) is not enabled in the network. Client isolation/PSPF is an enterprise grade feature and effectively works on centrally controlled WLAN system. Unfortunately, due to high cost of deployment of controller based WLAN system, a lot of public Wi-Fi networks are using standalone SOHO grade wireless access points (APs). By exploiting peer-to-peer attack over a public Wi-Fi service, a hacker can easily target a user accessing the Wi-Fi service to his/her favour. 

5. Unintended Client Connection

Unintended connection is the one which happens without user’s knowledge. The anatomy of unintended connection is as follows. When connecting to a Wi-Fi network, the Wi-Fi client device immediately saves the network details in its memory, in order to keep the connection intact by automatically connecting again, in case the client device loses the connection with the network.

However, saving the network credentials can cause an unwanted connection to a Wi-Fi network and the wireless users may remain completely uninformed. Tendency to establish unintended connections can be a big threat for wireless users carrying Wi-Fi enabled devices which remain ON most of the time, such as Wi-Fi capable smartphones. Such device can be easily exploited by a hacker by advertising a fake Wi-Fi network having similar details as the saved one. If the unintended Wi-Fi connection succeeds on a hacker’s fake Wi-Fi network,  then umpteen number of cloud based applications residing nowadays on most of the smart mobile devices, will start uploading/downloading user’s private data to their respective cloud servers causing users data to flow over and done with hacker’s controlled network. Moreover, unintended connection does not provide opportunity to activate and run secure tunnelling software such as Virtual Private Network (VPN).

Solutions Recommended by Wireless Experts

1. Use of password protected Wi-Fi Network

You may often find advisories for using password protected Wi-Fi network. A password protected Wi-Fi network can be either WEP enabled or WPA/WPA2 passphrase based. WEP does provide no security to wireless network as it can be cracked in a few minutes using off-the-shelf hardware and software tools freely available on the Internet. WPA/WPA2 passphrase is more robust compared to WEP, but in public Wi-Fi networks, sharing password defeats the purpose. There are tools such as, for example “wireshark” (http://www.wireshark.org/), freely available on the Internet which can be used to strip off security cover from encrypted wireless data of WEP or WPA/WPA2 passphrase enabled wireless networks.

Snapshot of Wireshark option for decryption of encrypted wireless data 

      2. Captive Portal

Captive portal is implemented in public Wi-Fi networks to prevent unauthorized, unknown or unpaid access to the Internet. This is often based on username/password which is mistakenly considered by wireless users as security. This is a first line of defence for service providers and do not offer security to wireless hotspot users.

3. Use of VPN

VPN does provide security in an insecure public Wi-Fi network and help protect private data exchange if it can be setup reliably after establishing a wireless connection. A motivated attacker can still prevent wireless user from using VPN in an insecure public Wi-Fi network by disrupting the communication and forcing user to browse without VPN. There are other weaknesses associated with the use of VPN discussed in this blog:

4. Only use SSL encrypted websites

There are only a bunch of web services that implement complete HTTPS sessions. Interestingly, there are tools available, as mentioned earlier also, such SSLSTRIP that can strip off SSL security from a session. Tech savvy user can identify this difference but not a naïve user and he can still become victim of a wireless attacker.

Conclusion

Users of insecure public Wi-Fi networks are vulnerable whenever they use these wireless networks and they may remain vulnerable even after using the network. By turning on firewall on client device one can only restrict malicious user from actively scanning and penetrating into a victim's wireless client device. Use of VPN service provides limited security in certain scenarios.  Since foot print of Wi-Fi is getting wider and bigger, it is high time to build secure public wireless networks which have its own intelligence for managing security for users.  In order to achieve this goal, Wi-Fi alliance is working on a new specification to bring security and roaming for public Wi-Fi hotspot users but that may require firmware upgrade on millions of Wi-Fi capable client devices already in the market.

Airegis unique and innovative solution helps wireless service providers uniquely position themselves in the market by offering secure wireless service and thereby helping wireless users use public Wi-Fi networks for all private data communication without requiring any software upgrade on wireless client device and without subscribing any third party solution for security. Moreover, it is fully compliant with today’s most robust security configurations for wireless networks. Hence any Wi-Fi client device certified by Wi-Fi alliance can avail the benefits of secure public Wi-Fi networks powered by Airegis.