The Half Dozen Risks of Using Dirty Public Wi-Fi Networks

Part 1/3 of our series on Securing Work From Home Initiatives

Our world today is mobile and connected; devices from laptops to tablets to cars and beyond are always online. We depend on that connectivity to do our jobs and our lives grind to a halt when we can’t connect. Because of this, we often jump onto the nearest “free Wi-Fi”, assuming that we’ll be immune to breaches, attacks, and security incidents. We’re too often of the mindset that “this one can’t be that bad” or “it won’t happen to me” or “my antivirus or VPN has me covered”. 

Unfortunately, networks, whether public or private, are by their nature dirty. In fact, security professionals know that we should just assume every network carries inherent risk to our devices, data and resources we access.

In this article, I will describe the six risks associated with using insecure public Wi-Fi networks and how they impact you and your organization. I will then conclude the article with real world examples of incidents, breaches, and attacks that happened on these networks. 

The second part of this series will be released on March 24. Stay tuned for “Three Ugly Work From Home Wi-Fi Security Realities”.

What are the half dozen risks of using dirty public Wi-Fi networks? 

Six risks of using dirty public Wi-Fi networks include:

  • Scanning, Enumerating, and Fingerprinting

  • Eavesdropping

  • Remote Access Exploits

  • Evil-Twin Wi-Fi

  • Lateral Network Infections

  • DNS hijacking

Scanning, Enumerating, and Fingerprinting 

Network scanners are used to retrieve information about networked devices. Common scanners will tell the attacker what types of devices are connected to the network (laptop vs. printer vs. cellphone), which operating systems they’re running (GNU/Linux, Mac OSX, Windows 10, etc.), and what services they are running. Once the attacker has scanned the network, identifying a list of targets and vulnerabilities, they can take actions to steal, control, or manipulate the data.

A real world example

In early 2019, there was a firmware vulnerability found in a Marvell Avastar Wi-Fi chipset, currently used in popular devices such as the Microsoft Surface laptops, Samsung Chromebooks, Sony PlayStation 4, and Xbox One. The vulnerability could have been triggered without user interaction during the scanning for available networks. All an attacker had to do was send malformed Wi-Fi packets to any device with a Marvell Avastar WiFi chipset and wait until the function launches, to execute malicious code and take over the device.

Click here to learn more about how the Byos μGateway protects against this threat. 

Eavesdropping

Eavesdropping, also known as a sniffing or snooping attack, happens when an attacker steals, modifies or deletes essential information that is transmitted over the public Wi-Fi network.

A real world example

Researchers found a way to eavesdrop on information being transmitted over the Wi-Fi by Amazon Echo devices - Wired reported that the “technique that chains together a series of bugs in Amazon's second-generation Echo to take over the devices, and stream audio from its microphone to a remote attacker, while offering no clue to the user that the device has been compromised.”

Exploits

Attackers use exploits to access a victim’s device directly. Exploits work by tricking a specific piece of software running on the victim’s device into running a different task than expected. This can give the attacker backdoor access to the victim computer. Once the device is accessed, the attacker can gain full control and do what they like. Often some of the first steps taken are to disable security software and take actions to remain undetected. They will then attempt to move laterally or steal their data by rerouting traffic to their own servers. Exploits often go unnoticed by the victim.

A real world example

GE Healthcare medical devices have recently been found to have a number of vulnerabilities. These vulnerabilities would allow for attackers to disable the devices, harvest personal health information, change alarm settings, and alter device functionality. 

Evil-Twin Wi-Fi

Evil-Twin Wi-Fi networks are fake Wi-Fi networks created by an attacker, mimicking the real network name, called the SSID. Once connected to it, users inadvertently send all traffic to the adversary before it's forwarded to the internet.

A real world example

In 2018, the Russian military agency GRU was charged with implementing evil twin AP attacks. When employees travelled and connected to Evil Twin Wi-Fi networks in hotels and airports, attackers positioned themselves, stealing credentials and spreading "plant espionage-oriented malware" targeting organizations such as anti-doping agencies, nuclear power operations, and chemical testing laboratories. 

Lateral Network Infections 

Malware and attackers often move laterally through networks and devices which have no "insulation" from their network. Malware is written to evade common AV engines, making conventional endpoint security software an imperfect solution. These attacks are possible because of the perpetually exposed state of devices. When a device is connected, there is no physical isolation from a public Wi-Fi network. 

A real world example

The Emotet banking trojan, which appeared first in 2014, has recently resurfaced with the ability to spread across Wi-Fi networks that are located nearby to infected devices. 

Emotet is first delivered to the victim through a malicious link or attachment in an email. Once access is gained Emotet will go through several steps to gain more information from the device. After all username/password combinations have been scraped, Emotet’s Credential enumerator  begins its process. It will enumerate (continuously scan) network resources looking for other vulnerable devices and resources using SMB. If that is unsuccessful, it will try to brute force attack user and administrator accounts to gain access. Once it gains access to another system, it will install itself and begin the process again. The most important piece of this is Emotet’s access to SMB can result in the infection of entire domains - across an entire corporate network. 

Lateral movement is one of the most dangerous threat vectors; because of the mass numbers of exposed devices connecting to public Wi-Fi networks, computer viruses are widespread and difficult to contain. In 2017, the WannaCry and Petya ransomware attacks also exploited a vulnerability in the SMB protocol to load malware on vulnerable clients and propagate it across networks - costing billions to organizations worldwide, affecting an estimated 300,000 computers in over 150 countries.

DNS hijacking

DNS requests can be used to identify your browsing habits and other personally identifiable information, allowing an attacker to redirect or subvert DNS requests to malicious sites. To perform the attack, perpetrators either install malware on user computers, take over routers, or intercept DNS communications. DNS requests are sometimes unencrypted making them easily manipulated.

A real world example

DNSpionage, a wide-spread DNS hijacking campaign targeting government and private sector entities in Lebanon and UAE, utilizes fake websites and specializes in DNS tampering to redirect traffic (namely email and VPN traffic) from legitimate domains to malicious ones. In this case, multiple nameservers belonging to the affected organizations were apparently compromised, and hostnames under their control were pointed to attacker-controlled IP addresses. 

In Summary

The harsh reality of today’s endpoint security postures is that devices are still exposed to the risks of insecure public Wi-Fi. Security softwares like endpoint detection and response (EDR) and VPNs aren’t enough protection for today’s threat landscape - Scanning, Enumerating, and Fingerprinting, Eavesdropping, Exploits, Evil-Twin Wi-Fi, Lateral Network Infections, and DNS hijacking are all still prominent threat vectors.

Security is all about layers and the layer missing from endpoint security postures has been a hardware layer of protection that isolates devices from these insecure public Wi-Fi networks.

In the second part of this “Securing Work From Home Initiatives” series, we will be discussing the “Three Ugly Work From Home Wi-Fi Security Realities”. Stay tuned for its release on next week on March 24, 2020

Three Ugly Work From Home Wi-Fi Security Realities

NordVPN, TorGuard, and VikingVPN breached