From man-in-the-middle attacks to evil-twin networks, SMBs must protect themselves against a host of hotspot threats.
Widespread access to connectivity is what makes mobile and dispersed workforces possible. That’s a good thing for thousands of growing businesses, but it may also be their Achilles’ heel. Any defense is only as strong as its weakest point, and public Wi-Fi hotspots can be just that.
Wi-Fi broadcasts its traffic in much the same way as a radio station. “Anyone can tune in and listen,” says Pieter VanIperen, an adjunct professor of code security at New York University and a founding member of Code Defenders, a cybersecurity collective. “If traffic is encrypted, I can’t see all of it, but I can still see some details. And if the encryption is weak, I can crack it. If it is a public open network, I can literally see everything.”
Unsecured Wi-Fi presents multiple threats and dangers to SMBs. Cyber threats include network hacking, ransomware, phishing, and others. Being hacked can ruin a company’s reputation and create financial liability because of increasingly stringent privacy protection laws. “The potential for network breach and loss of sensitive business, customer, supplier, and employee data is particularly high,” says Michael Fauscette, chief research officer at G2 Crowd, a peer-to-peer business solutions review platform.
Hackers have a bag of tricks
There’s no shortage of bad actors trolling Wi-Fi hotspots, and they have a robust bag of tricks to snag their victims. Here are some common ones.
- Wardriving: The hacker practice of driving around and looking for “weak” Wi-Fi networks. They typically map the locations and record the networks’ names (SSIDs) and encryption settings.
- Network sniffing: Attackers monitor (“sniff”) Wi-Fi network traffic in search of user names, passwords, and other personally identifiable information (PII).
- Man-in-the-middle attacks: Network sniffing alone generally isn’t enough for hackers to get what they’re after. Most websites and applications that require PII encrypt their traffic with HTTPS, the encrypted version of the HTTP protocol that browsers and web servers use to communicate with each other. Attackers can bypass HTTPS by using a man-in-the-middle device (basically, a malicious Wi-Fi radio) to insert themselves between a victim’s Wi-Fi device and a legitimate Wi-Fi access point. They intercept the data packets being transmitted and use a software tool to strip the encryption protection from HTTPS, thus gaining access to sensitive information in plain text. It can be done without the victim ever detecting any suspicious activity, says Ryan Orsi, director of strategic alliances at WatchGuard Technologies, a network security appliances and services firm.
- Evil-twin networks and pineapples: In these attacks, a hacker sets up a Wi-Fi router (pineapple) and gives it a name identical or very similar to a nearby reputable network. The router has a stronger signal so it will be preferred by devices searching for a connection, or the hacker blocks the legitimate network being spoofed. If the real network has a password, the evil twin uses the same one. To demonstrate how dangerous this can be, technology consulting firm Kelser Corporation sometimes sets up its own evil-twin network at conferences, says Jonathan Stone, Kelser’s COO and CTO. The network is typically called “Hotel Free Wi-Fi” or something similar, and its sign-in page uses the hotel’s brand. “During our presentation, we’ll ask for a show of hands of who logged into the network. Inevitably, about half the people in the room have,” he reports.
No refuge at the office
Mobile and remote workers may face a higher level of threat from unsecured Wi-Fi networks, Orsi says. Office-based workers who use Wi-Fi-connected devices are also at risk due to “client misassociation.”
This can happen innocently, such as when an employee’s laptop is tethered to a cell phone hotspot. The employee may also inadvertently connect to the office’s guest Wi-Fi, which typically has less robust security than the company’s private internal network. However, the network may also be malicious, such as a hacker spoofing a company’s SSID with an evil-twin network.
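One way an office can watch for a spoofed copy of its own SSID is to compare Wi-Fi scan results against an inventory of its real access points. The sketch below is an added example, not from the article; the SSID "AcmeCorp", the BSSIDs, the finding names and the 0.8 similarity threshold are all assumptions.

```python
from difflib import SequenceMatcher

# Assumed inventory of the company's own access points (constructed values).
MANAGED = {
    "AcmeCorp": {"bssids": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"},
                 "security": "WPA2"},
}
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}  # weakest to strongest

def _norm(ssid):
    """Fold case and drop punctuation so 'Acme-Corp' compares equal to 'AcmeCorp'."""
    return "".join(ch for ch in ssid.casefold() if ch.isalnum())

def classify(ap, managed=MANAGED, lookalike=0.8):
    """Return the list of findings for one scanned access point."""
    findings = []
    for name, policy in managed.items():
        if ap["ssid"] == name:
            # Same name as ours: the radio must be one we own, at full strength.
            if ap["bssid"].lower() not in policy["bssids"]:
                findings.append("unknown-bssid")
            if STRENGTH[ap["security"]] < STRENGTH[policy["security"]]:
                findings.append("weaker-security")
        elif SequenceMatcher(None, _norm(ap["ssid"]), _norm(name)).ratio() >= lookalike:
            # Not identical, but close enough to fool someone picking from a list.
            findings.append("lookalike-ssid")
    return findings

def audit(scan, managed=MANAGED):
    """Map 'ssid bssid' to findings for every access point that raised any."""
    report = {}
    for ap in scan:
        hits = classify(ap, managed)
        if hits:
            report[f'{ap["ssid"]} {ap["bssid"]}'] = hits
    return report

# Constructed scan results, in the shape a Wi-Fi survey tool might export.
SCAN = [
    {"ssid": "AcmeCorp", "bssid": "02:00:00:aa:00:01", "security": "WPA2"},
    {"ssid": "AcmeCorp", "bssid": "02:00:00:ff:00:09", "security": "WPA2"},
    {"ssid": "AcmeCorp", "bssid": "02:00:00:ff:00:0a", "security": "OPEN"},
    {"ssid": "AcmeC0rp", "bssid": "02:00:00:ff:00:0b", "security": "WPA2"},
    {"ssid": "CoffeeShop", "bssid": "02:00:00:bb:00:01", "security": "WPA2"},
]

if __name__ == "__main__":
    for ap, hits in audit(SCAN).items():
        print(ap, hits)
```

A BSSID can be copied as easily as an SSID, so an empty report narrows the search but does not prove that every radio in range is legitimate.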
An ounce of prevention
Whether or not you have remote workers, some of your employees are likely accessing public Wi-Fi hotspots at least some of the time. Adopting these best practices can help protect your business from the dangers of unsecured Wi-Fi:
- Use an ethernet connection rather than Wi-Fi whenever that option is available.
- When traveling, choose mobile data or personal hotspots over public Wi-Fi networks whenever possible.
- Use a VPN (virtual private network) whenever you communicate into your business infrastructure from an unsecured network. Unless you know otherwise for sure, assume every Wi-Fi network is unsecured.
- When using hotspots, only log in or send personal information to websites you know are fully encrypted for the entire duration of your visit. If you find yourself on an unencrypted page, log out immediately.
- Never enable network administration via a public Wi-Fi network.
- Don’t stay permanently signed in to websites, accounts, or apps.
- Use a different password for every website, account, and app.
- Keep your browser and security software up to date.
- Disable the Wi-Fi auto-connect feature on mobile devices for greater control over when and to which networks your devices connect.
- Look for networks with the strongest level of encryption. WPA2 is stronger than WEP and WPA.
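For the sites a business runs itself, the standard server-side defense against the HTTPS stripping described under man-in-the-middle attacks is HTTP Strict Transport Security (RFC 6797), which tells browsers to refuse plain HTTP for that host. The following added example, which is not from the article, grades response headers for that policy; the URLs, sample headers, verdict names and the 180-day minimum are assumptions.

```python
from urllib.parse import urlsplit

MIN_AGE = 15552000  # 180 days in seconds; an assumed policy threshold

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a small dict."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')     # the value may be a quoted string
            policy["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def assess(url, headers):
    """Grade one response: can a browser be pinned to HTTPS for this host?"""
    headers = {k.lower(): v for k, v in headers.items()}
    if urlsplit(url).scheme != "https":
        return "plain-http"      # browsers ignore the header on HTTP responses
    raw = headers.get("strict-transport-security")
    if raw is None:
        return "no-hsts"
    policy = parse_hsts(raw)
    if policy["max_age"] is None:
        return "invalid-hsts"    # max-age is the one required directive
    if policy["max_age"] == 0:
        return "hsts-disabled"   # max-age=0 tells the browser to forget the policy
    if policy["max_age"] < MIN_AGE:
        return "short-max-age"
    return "ok"

# Constructed (URL, response headers) pairs standing in for captured responses.
RESPONSES = [
    ("https://portal.example/login",
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("https://mail.example/", {"Content-Type": "text/html"}),
    ("https://crm.example/", {"strict-transport-security": "max-age=0"}),
    ("https://wiki.example/", {"Strict-Transport-Security": 'max-age="300"'}),
    ("http://intranet.example/", {"Strict-Transport-Security": "max-age=31536000"}),
]

def survey(responses=RESPONSES):
    """Return {url: verdict} for every captured response."""
    return {url: assess(url, headers) for url, headers in responses}
```

The policy only takes effect once a browser has received the header over HTTPS, so a first visit made from a hotspot is still exposed unless the connection runs through a VPN.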
The mobility and connectivity public Wi-Fi hotspots enable are important advantages for growth businesses. Yes, there are risks involved, but adopting the best practices detailed above can help SMBs minimize those risks and take maximum advantage of all the technology has to offer.