In today’s highly mobile and on-the-go world, WiFi (Wi-Fi) has become an integral part of daily life. WiFi is a staple of organizations and businesses worldwide, and unsecured WiFi hotspots are now an increasingly common convenience offered by many of them to their customers and members of the public. In fact, Kaspersky Lab reports that “70% of tablet owners and 53% of smartphone/mobile phone owners stated that they use public Wi-Fi hotspots.”
While the thoughtfulness of providing free internet access is appreciated, connecting to these open WiFi networks doesn’t come without immense cybersecurity risks. And, these risks don’t apply to just you: If you are a professional using a company machine to connect to a public WiFi hotspot, then these risks apply to your business, clients, and any other important account information or data that your device is connected to in any way.
Malicious users (hackers) use public WiFi connections as a means to gain access to and steal whatever information you have available that they can get their hands on. It’s essentially like leaving your home’s front door wide open when you go to work and expecting nothing bad to happen to your belongings.
If you’re a business that offers free WiFi as a complimentary service to employees, customers, and the general public, you need to take the appropriate steps to protect them and their valuable data (as well as your own).
How to Combat the Dangers of an Unsecured WiFi
When it comes right down to it, public WiFi is an insecure connection that leaves your device, data, and other related information vulnerable to attack and theft. Having a strong IT security posture is a good way to start developing WiFi security processes and procedures to provide WiFi protection to your employees, business, and customers.
If you neglect to secure your network and someone decides to “piggyback” on it to commit a crime, the activity could be traced back to your network. That is a security and legal risk that your organization can likely avoid by putting the right cyber protections in place.
The Federal Trade Commission (FTC) shares some recommended steps to improve residential WiFi security. These steps are a great baseline for how to start increasing IT security for your business as well:
- Using WiFi security types of encryption, such as wired equivalent privacy (WEP, not recommended), WiFi Protected Access (WPA), and WPA2 (the current recommended standard);
- Limiting access to your network; and
- Securing your router.
As IT security experts, we also recommend implementing the following steps as well:
- Patching and updating your router and devices to their latest manufacturer updates.
- Adjusting your WiFi security settings to make it a closed network that can be accessed via a password you freely provide to employees and customers (so it’s open to their use but still more secure).
- Implementing a wireless intrusion prevention system (WIPS) that can identify any rogue devices that are trying to access your network so their access can be shut down.
- Adding a user agreement that every user must sign before accessing your guest or public WiFi to provide some legal protection.
- Teaching employees that they’re never “truly secure” on WiFi hotspots and to proceed with caution.
- Advising users to transmit sensitive data only via a TLS/SSL-encrypted website pages.
- Requiring employees to use a virtual private network (VPN) service or app on company devices while using the WiFi for additional cyber protection.
- Partnering with a managed security service provider (MSSP), like FPA, to perform these functions and others to increase your WiFi network’s cybersecurity defenses.
The Concern about “KRACKs” in Your WiFi Hotspots
Last year, news broke about a potential weakness in the WiFi security protocol that protects virtually all wireless connections that was identified by Dutch researchers. The gap, a basic design flaw in the WiFi Protected Access 2 security model used to connect wireless access points, created a vulnerability that the researchers realized left WiFi networks vulnerable to a key reinstallation attack (or, what is known as a KRACK for short).
According to the researcher who discovered it, Mathy Vanhoef of the University of Leuven (KU Leuven) in Belgium:
“Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network). At the same time, the 4-way handshake also negotiates a fresh encryption key that will be used to encrypt all subsequent traffic. Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks are affected by (some variant of) our attack.”
This type of attack can be used to launch malware and ransomware into websites so attackers can spread to future users. It also leaves WiFi connections (and, therefore, your data) open to man-in-the-middle (MITM) attacks, which places the attacker between you/your customers and the real WiFi network.
This revelation about the WPA2 cybersecurity issue is particularly significant because the compromised security protocol, which is used to encrypt WiFi connections, has been considered the most secure protocol that has been available on such a large scale.
An article in The Guardian discusses KRACKs, which leave sensitive information such as credentials, chat messages, emails, account and financial information, images and more vulnerable to theft.
“Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted… the attack works against all modern protected wifi networks. Depending on the network configuration, it is also possible to inject and manipulate data.”
According to the FTC, the good news is that the attack is unlikely to compromise the security of information transmitted via the network that is protected by more than the standard WPA2 encryption. The Guardian article states that encrypted connections such as a VPN, SSH communications, and secure websites are still considered safe to use while on an open WiFi.
There is more good news: KRACK is not a remote vulnerability and requires physical proximity to take advantage of. This means that the threat isn’t someone living half of the way across the world — it is someone nearby that authorities may be able to catch.
Your business, regardless of size, needs to dedicate adequate time and resources to securing your WiFi hotspots for your employees and customers. Merely patching your systems isn’t enough if you want to defend your WiFi network against these targeted attacks successfully. Your IT security provider should be focused on cybersecurity so you can focus on your business. They should be dedicated to keeping wireless access points as secure as possible to protect your networks from lurking threats.
What are your thoughts? Share your thoughts in the comments section below or send me an email if you’d like to discuss this in more detail.
To learn how effective cyber protection methods (or a lack thereof) can affect your business’ operations and bottom line, download our free resource now by clicking on the link below.