By Ryan Orsi, Director of Strategic Alliances at WatchGuard Technologies
Open public Wi-Fi hotspots are experiencing explosive growth. According to Cisco’s latest Visual Networking Index Forecast, by 2020, public Wi-Fi hotspots will reach 432 million – nearly seven times the total in 2015. To most, this figure wouldn’t come as a shock. You’d be hard-pressed to find an airport, store, hotel, gym or coffee shop in business today that doesn’t provide public Wi-Fi. The rise of connected or “Internet of Things” (IoT) devices and cellular offloading onto Wi-Fi as a method of easing capacity demands are a few strong drivers of this growth. The ubiquitous nature of wireless connectivity itself has resulted in seeding Wi-Fi radios into almost everything around us: smartphones, laptops, tablets, watches, TVs and even cars. In fact, Gartner estimates that 26 billion IoT devices will be connected by the year 2020.
It’s safe to say that the widespread proliferation of Wi-Fi hotspots and connected devices makes our lives easier. But as convenient as anytime access to Wi-Fi may be, when everything is connected to everything, there are very real security concerns to consider.
Understanding Wi-Fi Security Risks
In a world consisting of only your laptop and a Wi-Fi access point, you’re perfectly safe checking your bank account balance over a public hotspot. The main security risk with public Wi-Fi is the risk of a third party diverting your Wi-Fi traffic either on its way to the internet or back to your client device. This strategy is called a man-in-the-middle (MitM) attack and has been well-known since the original release of Wi-Fi. A MitM attack allows malicious hackers to examine the wireless traffic, login credentials, credit card numbers or other personally identifiable information being used by people who are unknowingly connected to a rogue access point.
When you connect your smartphone, tablet, laptop, or even a smartwatch to a public Wi-Fi hotspot, the name or SSID of that hotspot is typically automatically saved so that the next time you walk back into that same establishment, your device will conveniently re-connect on its own. But, once you leave that airport or coffee shop, your smart devices continue to send out probe requests in the air looking for the SSID of the hotspots on your “auto-connect” list. A Karma attack takes place when an attacker takes advantage of your device’s automatic probing and uses a spoofed SSID to connect you to a rogue access point under their control.
Bad actors are known to dwell in public Wi-Fi areas frequented by employees of investment banks, technology companies, and healthcare organizations in order to target them with a MitM attack. This is typically done by forcing the Wi-Fi clients off the legitimate access point broadcasting the hotspot SSID and pulling them onto the rogue access point that also is imitating the same hotspot SSID. The client connection disruption is minor and falls within the realm of “must have been a Wi-Fi glitch” and the victim’s traffic is now unknowingly flowing through the MitM.
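As an added example (not part of the original article), both attacks described above leave traces a monitoring sensor can check for: a single radio answering for many unrelated SSIDs (Karma), and the venue's own SSID advertised from a BSSID the venue does not operate (the imitating access point). The frame tuples, MAC addresses, SSIDs, allow-list and threshold below are all constructed assumptions.

```python
from collections import defaultdict

# Allow-list of BSSIDs the venue actually operates, per SSID (constructed values).
AUTHORIZED = {"CoffeeShop-Guest": {"aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"}}

# Constructed observations from a passive sensor: (frame_type, bssid, ssid).
FRAMES = [
    ("beacon",     "aa:aa:aa:00:00:01", "CoffeeShop-Guest"),
    ("beacon",     "aa:aa:aa:00:00:02", "CoffeeShop-Guest"),
    ("beacon",     "bb:bb:bb:00:00:09", "Bakery-Next-Door"),   # harmless neighbor
    ("probe_resp", "cc:cc:cc:00:00:66", "HomeNet-5G"),
    ("probe_resp", "cc:cc:cc:00:00:66", "Airport-Free-WiFi"),
    ("probe_resp", "cc:cc:cc:00:00:66", "Hotel-Lobby"),
    ("probe_resp", "cc:cc:cc:00:00:66", "CoffeeShop-Guest"),
    ("beacon",     "cc:cc:cc:00:00:66", "CoffeeShop-Guest"),
]

def classify(frames, authorized, karma_threshold=3):
    """Return {bssid: set of findings} for access points that look suspicious."""
    ssids_by_bssid = defaultdict(set)
    for _frame_type, bssid, ssid in frames:
        ssids_by_bssid[bssid].add(ssid)

    findings = defaultdict(set)
    for bssid, ssids in ssids_by_bssid.items():
        # Karma indicator: one BSSID claiming to be many unrelated networks.
        if len(ssids) >= karma_threshold:
            findings[bssid].add("karma_suspect")
        # Imitation indicator: our SSID coming from a BSSID we do not operate.
        for ssid in ssids:
            if ssid in authorized and bssid not in authorized[ssid]:
                findings[bssid].add("evil_twin_suspect")
    return dict(findings)

if __name__ == "__main__":
    for bssid, tags in classify(FRAMES, AUTHORIZED).items():
        print(bssid, sorted(tags))
```

A multi-SSID access point typically uses a distinct BSSID per SSID, so the threshold check is a heuristic; the unknown neighbor stays unflagged because it neither imitates the venue's SSID nor answers for several networks.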
Impractical Wi-Fi Hotspot Security Advice
The wireless security threats discussed above have been talked about often throughout the past decade amongst the information security community. That being said, the advice on how to protect ourselves hasn’t really changed during that time and isn’t very practical for the world at large. Some common Wi-Fi security tips include:
1. Use a VPN client to encrypt your traffic over public hotspots
2. Check for the “lock” symbol in the web browser to verify the connection is HTTPS (S for secured and encrypted) when connected to public hotspots
3. Don’t use public hotspots
First, although technically sound, the VPN client advice isn’t practical for the droves of everyday public Wi-Fi users who probably aren’t familiar with that acronym and aren’t equipped for this kind of setup. Next, as far as HTTPS goes, I’m confident that someday the masses will understand what it is and even how to verify SSL certificate authorities, but right now, this just isn’t a practical method of protecting the world of public Wi-Fi users. Additionally, at the time of this writing, there is at least one well-known method of easily bypassing HTTPS during a MitM attack. And lastly, simply advising the public to not use public Wi-Fi just sounds like giving up.
So naturally, a good portion of responsibility for the security of public Wi-Fi rests on the shoulders of businesses that provide it. Luckily, there are Wi-Fi security solutions that companies can use to provide quality Wi-Fi access for customers and users while making security a priority. First developed in the early 2000s, Wireless Intrusion Prevention Systems (WIPS) are a common network security solution designed to control Wi-Fi radios and mitigate wireless attacks and rogue access points.
The Problem with WIPS
WIPS solutions were originally meant to defend airspace through detection, classification, and prevention. WIPS “prevention” is a setting that, when enabled, shuts down attacks by sending standard IEEE 802.11 de-authentication packets in both directions: to the rogue access point, telling it to disconnect from any connected clients, and to those clients, telling them to disconnect from the rogue access point.
But the full promise of WIPS hasn’t been realized in the mass Wi-Fi market because of one serious technical flaw: the method used to classify access points and clients as good or bad (authorized or rogue) is plagued with false positives and negatives. The result is that industry IT leaders, service providers, and technologists often disable the “prevention” piece of WIPS for fear of legal consequences in accidentally shutting down neighboring Wi-Fi networks that may conduct business-critical operations such as hospitals or retail stores over Wi-Fi.
The Missing Piece: True Prevention Through Accurate WIPS Classification
Without complete confidence in their WIPS solution’s ability to differentiate between genuinely rogue and neighboring devices or APs, businesses have to rely on manual verification and classification of each connection, which can be a less accurate and more time-intensive process. Essentially, without classification, WIPS can’t actually prevent much at all.
While no solution can truly guarantee zero false positives and 100 percent accuracy of WIPS classification, there is an elegant new technique that stands apart from the rest. A very short rebroadcast packet from known good (authorized) access points or WIPS sensors is sent either across Ethernet cabling or over the air. Thanks to the open standard of the IEEE 802.11 protocol, when another 802.11 access point or client device receives this packet, it will rebroadcast it over the air or across the Ethernet cabling.
This tiny packet can traverse all areas of a network and get the digital fingerprint of everything it touches. The MAC address correlation and signature-based methods are limited in that they perform the detection outside the perimeter of the network, meaning the whole wired and wireless network is more or less a black box.
Through this packet technique, the WIPS system can very accurately classify access points and clients and do so automatically with no manual intervention. This auto-classification can allow IT administrators to confidently define prevention policies without the fear of accidentally shutting down neighboring Wi-Fi networks.
It’s safe to say that Wi-Fi provides incredible convenience and accessibility for businesses and end-users. But along with those benefits come serious security challenges. Wireless attacks may not be all over the news, but they are often the initial touchpoint bad actors use to access credentials that enable them to pull off the massive data breaches that steal the headlines. True prevention is the best way to defend against Wi-Fi attacks, and it all starts with classification.
About the Author
Ryan Orsi – Director, Strategic Alliances at WatchGuard Technologies
Senior network security and wireless technology expert, Ryan has a diverse background including more than 10 years’ experience in business development, sales, and marketing. He holds a high distinction Electrical Engineering Degree from the University of Nevada, Reno, as well as a Master’s Degree in Business Administration.