One of the primary elements of our mobility managed service is carrier plan management — keeping usage, and thus cost, as low as possible. A big way to do that is to move devices to WiFi wherever feasible. When our Insights usage monitoring system projects a user is on track to exceed their budget, it sends out an alert that even includes this as a tip.
It seems that everywhere we go, WiFi is available — coffee shops, restaurants, hotels, airports. In some cases, if cell coverage is spotty, those WiFi networks can be the only real connectivity option. Unfortunately, these ubiquitous WiFi networks can sometimes hide serious security vulnerabilities.
WiFi has a number of inherent security issues, but some of the most common that affect mobile users are man-in-the-middle (MITM) attacks. In this type of attack, the attacker inserts themselves into the network path so that the user's traffic passes through a system they control. Sensitive information can then be plucked out of the data stream or, in some variants, collected directly from the user via a phishing site.
How does this work?
1. Spoofed or rogue SSIDs
Attackers often use this method to trick unsuspecting users into connecting to their WiFi network instead of a legitimate WiFi network. Usually, it’s through an official-sounding SSID name like “StarbucksFreeWiFi” or “HotelGuestWiFi.” Users may feel confident these networks are legitimate. In other cases, attackers will set up APs with the same SSID as a legitimate open network SSID in hopes that a device will connect to their AP instead of the correct one.
Every mobile device with WiFi enabled, even if it is not currently connected, may send out probe requests naming the networks it has saved. More sophisticated attackers listen for these probes and create SSIDs to match. If the saved network is an open one, the device may connect to the attacker's access point without the user ever realizing it.
2. ARP spoofing
In an ARP spoofing attack, the attacker abuses the ARP protocol, which is how hosts on a local network learn which hardware (MAC) address belongs to which IP address. If the attacker is on the same network, they can send out ARP replies that fool the user's device into thinking the attacker's PC is the router, and fool the router into thinking the attacker's PC is the user's device. In this way, all traffic out to the internet or back into the user's device flows through the attacker's PC.
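The detection side of this, as an added example that is not part of the original post or of any product mentioned in it: a small Python checker that looks at a stream of ARP replies and raises the two signals that ARP spoofing leaves behind, the gateway IP suddenly answering from a different MAC, and one MAC claiming to be more than one IP at once. The sample replies, the gateway address and the MAC values are constructed for illustration; a real monitoring agent would feed this from a passive capture or from periodic `arp -a` snapshots.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a monitoring agent might log them:
# (timestamp, sender IP, sender MAC). These are invented values, not a real capture.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1",  "aa:bb:cc:00:00:01"),  # the real gateway
    ("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),  # the user's device
    ("10:00:03", "192.168.1.1",  "aa:bb:cc:00:00:01"),  # gateway again, same MAC: normal
    ("10:00:09", "192.168.1.1",  "de:ad:be:ef:00:99"),  # gateway IP now answered by a new MAC
    ("10:00:10", "192.168.1.20", "de:ad:be:ef:00:99"),  # that same MAC also claims the device's IP
]


def detect_arp_spoofing(replies, gateway_ip):
    """Return a list of alert strings for the given sequence of ARP replies.

    Two signals are checked:
      1. The gateway IP is answered by a MAC address other than the first one seen for it.
      2. A single MAC address claims more than one IP (an attacker answering as both the
         router and the victim). Note that a multi-homed router can legitimately own
         several IPs, so this second signal should be tuned with a known-good inventory.
    """
    ip_to_macs = defaultdict(set)   # which MACs have answered for each IP
    mac_to_ips = defaultdict(set)   # which IPs each MAC has claimed
    alerts = []

    for ts, ip, mac in replies:
        mac = mac.lower()

        # Signal 1: the gateway's MAC changed from what we first learned.
        if ip == gateway_ip and ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            known = ", ".join(sorted(ip_to_macs[ip]))
            alerts.append(f"{ts} gateway {ip} changed MAC from {known} to {mac}")

        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)

        # Signal 2: one MAC is now claiming several IPs.
        if len(mac_to_ips[mac]) > 1:
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append(f"{ts} MAC {mac} claims multiple IPs: {claimed}")

    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print("ALERT:", line)
```

On the sample above the first three replies are quiet, the fourth produces the "changed MAC" alert and the fifth the "multiple IPs" alert. Mobile threat defense products do essentially this, continuously and with a baseline of what the gateway's MAC normally is.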
3. HTTPS downgrade attack
Once an attacker is intercepting traffic, they can attempt what's known as an HTTPS downgrade attack, though this is getting harder as browsers and servers adopt newer protections around SSL. In a downgrade attack, the attacker redirects the original SSL-encrypted request to a non-SSL, plain-text request. In this way, the attacker can read data that would otherwise have been encrypted.
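One of the "newer protections" that makes a downgrade harder is HTTP Strict Transport Security (HSTS), which tells a browser to refuse plain-text connections to a site for a set period. As an added example that is not from the original post, the Python below inspects the response to an https:// request and reports the two things a client-side check cares about: a redirect that sends the session back to http://, and a missing or short HSTS policy. The sample URLs and headers are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample responses to https:// requests, as a client-side check might see them.
# Each entry is (HTTP status code, response headers). Invented values, not captured traffic.
SAMPLE_RESPONSES = {
    "https://www.example-bank.test/login": (
        302, {"Location": "http://www.example-bank.test/login"}),   # bounces to plain text
    "https://www.example-corp.test/": (
        200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "https://cdn.example.test/app.js": (
        200, {"Content-Type": "application/javascript"}),           # no HSTS at all
}

ONE_YEAR = 365 * 24 * 3600  # a common minimum max-age for a meaningful HSTS policy


def parse_hsts_max_age(value):
    """Return the max-age (seconds) from a Strict-Transport-Security header, or None."""
    if not value:
        return None
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return None


def check_https_response(url, status, headers):
    """Return a list of findings for one https:// response."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}

    # Finding 1: a redirect whose target drops back to plain-text http.
    if 300 <= status < 400 and "location" in lowered:
        target = urlsplit(lowered["location"])
        if target.scheme.lower() == "http":
            findings.append(f"{url}: redirected to plain-text {lowered['location']}")

    # Finding 2: no (or a too-short) HSTS policy, so the browser will not pin https.
    max_age = parse_hsts_max_age(lowered.get("strict-transport-security"))
    if max_age is None:
        findings.append(f"{url}: no Strict-Transport-Security header")
    elif max_age < ONE_YEAR:
        findings.append(f"{url}: HSTS max-age {max_age}s is shorter than one year")

    return findings


def audit_responses(responses):
    """Run check_https_response over every sampled response and flatten the findings."""
    findings = []
    for url, (status, headers) in responses.items():
        findings.extend(check_https_response(url, status, headers))
    return findings


if __name__ == "__main__":
    for line in audit_responses(SAMPLE_RESPONSES):
        print("FINDING:", line)
```

The bank sample produces two findings (the plain-text redirect and the absent HSTS header), the corporate site none, and the CDN one. A browser that has already seen a valid HSTS header for a host will rewrite http:// to https:// before the request leaves the device, which is exactly why an attacker in the middle cannot downgrade that first hop.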
4. DNS spoofing
If the attacker is able to control what IP address the user's device gets, they can also tell that device which server to use for DNS. In this way, the attacker can cause a request for, say, www.chase.com to resolve to the IP address of a server they control. This malicious server may look identical to the legitimate one, and an unsuspecting user may enter sensitive credentials that the attacker can then use on the legitimate system.
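From the defender's side, DNS spoofing on a hotspot can be caught by comparing what the hotspot's resolver says against a resolver you trust. As an added example that is not part of the original post or of any product it mentions, the Python below audits a device's DNS situation three ways: is the DHCP-assigned resolver on your approved list, does any public hostname resolve to a LAN address (a strong sign the hotspot gateway is impersonating the site), and do the answers differ from those of a trusted resolver queried over an encrypted channel. The resolver addresses, hostnames and answers are all constructed for illustration; the approved-resolver set is an assumption you would replace with your organization's own.

```python
import ipaddress

# Address ranges that should never be the answer for a public hostname. Listed explicitly
# rather than via ipaddress.is_private, because that flag also covers the documentation
# ranges (203.0.113.0/24 etc.) used for the sample data below.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

# Assumption: your organization's approved resolver set (constructed for this example).
TRUSTED_RESOLVERS = {"9.9.9.9", "1.1.1.1"}

# Constructed sample: what the device was told by DHCP on an untrusted hotspot.
LOCAL_RESOLVER = "192.168.1.1"

# Constructed answers from that local resolver, and the same names resolved through a
# trusted resolver over an encrypted channel. Invented values, not real records.
LOCAL_ANSWERS = {
    "www.example-bank.test":   {"192.168.1.1"},                    # the gateway "is" the bank
    "login.example-corp.test": {"198.51.100.7"},                   # differs from trusted
    "cdn.example.test":        {"203.0.113.10", "203.0.113.11"},   # matches trusted
}
TRUSTED_ANSWERS = {
    "www.example-bank.test":   {"203.0.113.50"},
    "login.example-corp.test": {"203.0.113.60"},
    "cdn.example.test":        {"203.0.113.11", "203.0.113.10"},
}


def is_lan_address(ip):
    """True if ip falls in a range that cannot legitimately host a public site."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_RANGES)


def audit_dns(local_resolver, local_answers, trusted_resolvers, trusted_answers):
    """Return a list of (subject, severity, reason) findings."""
    findings = []

    # Check 1: the resolver handed out by DHCP is not one we approve of.
    if local_resolver not in trusted_resolvers:
        findings.append((local_resolver, "medium", "resolver not in approved set"))

    for name, local_ips in local_answers.items():
        lan_hits = sorted(ip for ip in local_ips if is_lan_address(ip))
        expected = trusted_answers.get(name)

        # Check 2: a public hostname resolving to a LAN address is a high-confidence signal.
        if lan_hits:
            findings.append((name, "high", f"resolves to LAN address {', '.join(lan_hits)}"))
        # Check 3: a different answer from the trusted resolver is lower confidence, since
        # CDNs and geo-DNS legitimately vary answers by resolver location.
        elif expected is not None and local_ips != expected:
            findings.append((name, "low", f"answer {sorted(local_ips)} differs from trusted "
                                          f"{sorted(expected)}"))
    return findings


if __name__ == "__main__":
    for subject, severity, reason in audit_dns(
            LOCAL_RESOLVER, LOCAL_ANSWERS, TRUSTED_RESOLVERS, TRUSTED_ANSWERS):
        print(f"[{severity}] {subject}: {reason}")
```

On the sample data this yields three findings: the unapproved resolver, the bank name pointing at the hotspot gateway, and the corporate login name differing from the trusted answer; the CDN name matches and produces nothing. The severity split matters in practice: the LAN-address case is worth blocking on, while the differing-answer case is better used as corroboration alongside the other checks.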
How can you protect your organization’s devices?
The sure-fire way to avoid these risks is to never connect to WiFi, or at least never to open WiFi. Unfortunately, this isn't always feasible. Another step is to ensure your device isn't set to automatically join hotspots. At minimum, you should disconnect from public WiFi before conducting sensitive transactions like banking or interacting with sensitive corporate resources.
If you’re using an MDM (you are using an MDM, aren’t you?), then you have a few more levers you can pull. Depending on how the devices are enrolled, you may be able to restrict the device to connecting to known networks. You can also deploy always-on VPN configurations that ensure all traffic is encrypted wherever the device is.
If you’re serious about security, then you can implement a dedicated mobile threat defense platform that’s capable of detecting network threats like these. We recommend Lookout, Wandera, and Better Mobile. All three have capabilities to protect against these kinds of security vulnerabilities.
If you’d like to learn more about how you can protect your devices and the wealth of sensitive data they likely contain, get in touch with us.