From a security perspective, there are three primary concerns with wide area WiFi hotspots: sniffing, hacking hotspot users, and spoofing access points.
The vast majority of WiFi hotspots, including most coffee shops, hotels, and airports, do not use encryption. This design allows everyone to connect without requiring credentials or encryption keys. It also makes it trivial to monitor data flowing between user endpoints and access points; every packet in and out of a visitor’s laptop, tablet, or phone can be observed, logged, and analyzed by anyone in range of the same access point.
HTTPS, VPNs, and other encrypted protocols offer some protection. However, HTTP and FTP sessions are not encrypted, and some email configurations still use unencrypted POP3, IMAP, and SMTP. Login credentials sent using these vulnerable protocols can be intercepted and subsequently used by an attacker. Tools to automate this process are commonly available.
The absence of WiFi hotspot encryption also facilitates more advanced attacks. For example, hackers can monitor DNS queries real-time and inject false responses. This approach can be used to redirect hotspot users to hostile websites for malware injection, credential theft, and HTML content injection.
Another common tactic is to directly attack other hotspot users. WiFi hotspots usually place clients on the same network and often allow them to communicate with each other. In this environment users do not have the same protection afforded to them by home and office firewalls. Unless mobile devices are carefully configured, and use software firewalls, vulnerable services may be exposed. Windows users with file shares are particularly vulnerable, as are Linux users who have not adequately secured their SSH service.
Spoofing access points is especially problematic when wide area WiFi hotspots are deployed, such as MTLWiFi. Within such a system, each wireless Access Point (AP) uses the same Service Set Identifier (SSID). That allows users to readily identify the network and connect to the closest AP. Unfortunately, there is no AP authentication mechanism. An attacker can simply configure their own AP to broadcast the target SSID. If the signal strength is greater than than the legitimate APs, clients will connect to the rogue AP. High-power APs and directional antennas can be used to target specific areas.
When a client device connects to a hotspot AP, it is assigned an IP address and provided with information such as DNS servers. Since the attacker has complete control of the network behind the rogue AP, it is simple to manipulate and redirect traffic. If Internet connectivity is provided, all traffic can be intercepted and monitored. However, if the purpose of the rogue AP is to spread malware, a simple tactic is to redirect all HTTP queries to a local web server and send malware in response. A single PC or embedded system connected to an AP can easily be weaponized.
Hotspot providers and users must consider security. Providers should design their system to prevent communication between clients. In other words, users of access points should not be able to communicate with each other. They should also monitor the environment for rogue access points and work with law enforcement to remove them. If appropriate criminal remedies are not available, the use of bylaws and intellectual property law may be required.
Users need to recognize that WiFi hotspots are potentially hostile environments. At a minimum, users must ensure that they have valid connections to HTTPS sites prior to entering credentials. A preferable option is to use a trusted VPN service so that all data is encrypted when using a hotspot.
Free WiFi helps foreign tourists avoid excessive data roaming fees. Canadians, who pay some of the highest prices on the planet for mobile data, love free WiFi. But without careful planning, MTLWiFi has the potential to become a hacker’s paradise.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org