Protect your Mobile Workers from Wireless Hotspot Phishing

By | June 8, 2005

Using public hotspots is convenient; however you may want to think twice before accessing confidential information via hotspots. Recent headlines raise concern about wireless security issues around hotspots.

Particularly the “Evil Twin” attack has received much attention, even though it is based on a tool that is relatively straightforward and has been around for several years. In this scenario a hotspot user connects to the “Evil Twin” wireless access point, believing it to be a legitimate commercial hotspot. Once connected the hacker impersonates a legitimate hotspot, and records all information entered into the web page, which can include your passwords, emails or worse credit card information.

The good news is that wireless knowledge and basic security precautions can mitigate most of the wireless risks and allow the user to enjoy the convenience of wireless access while sipping a lattй.

How does the “Evil Twin” attack work?

A hacker would set up his laptop to act as an Access Point. Several commercial and freeware software tools are available that can turn any laptop with a wireless card into a so-called “Soft Access Point”. The soft AP will broadcast an identification beacon or Service Set Identifier (SSID) that lets other computers know it is available. The hacker can even give it a legitimate name, such as “tmobile”, “Wayport”, “Free Internet Access”, to fool unsuspecting users.

The hotspot users can now connect to what appears to be a real T-Mobile hotspot. When connected the hacker will redirect the user to web pages created to look like the real thing. As the user enters passwords or creates a new ID with credit card information, all entries are logged by the hacker for future abuse.

This concept is very similar to the email ‘phishing’ scams, where a message is sent to users tricking them to enter confidential information, such as bank account information or other sensitive username and password combinations. The process of tricking someone to voluntarily provide confidential information has been used for years in a variety of forms; more generally it is known as “social engineering”.

Every wireless device that is Wi-Fi enabled actually makes the hacker’s job even easier. Every device continues to ‘probe’ for access points it has been connected to in the past. If the Wireless Connection manager in Windows XP sees a legitimate SSID it will automatically re-connect to that access point. All the hacker has to do is give his soft AP a default SSID, such as “linksys”, “boingo”, “home” or “public” and the laptop will automatically establish a wireless connection without any required user action.

Risks and Basic Wireless Security Measures

First sign up for the Hotspot Provider at their office or through a dedicated connection

Go to the Hotspot Providers that you might use and sign up for Pay-as-you-go, or Day passes, and provide them with your credit card and other personal information.

Validate all connections before you enter personal information

Check and validate all certificates and read all warnings and information messages, especially when working at a Hotspot.

Use Encryption when possible

Make sure the access point you connect to uses encrypted communication. Because wireless communication is broadcast over the radio waves, eavesdroppers who merely listen to the airwaves can easily pick up unencrypted messages. Using basic encryption such as WEP or other more secure encryption protocols will prevent information being ‘sniffed’ in clear text. The sign-in page of the hotspot you are connecting to should be secure (the web pages you visit must be using SSL (Secure Socket Layer); you can check this by looking at the website address, which should start with https:// rather than just http://). As mentioned under 2), check the certificate, and make sure that it has a proper certificate path. If the hotspot does not provide encryption, make sure you use a VPN to access the information.

Check your Wi-Fi settings

As mentioned many laptops continuously search for and log on to the nearest hotspot or other access points. Turning off this option will prevent your laptop from automatically connecting to a wireless network without your knowledge. You also want to select the option in your Windows Wireless Connection Manager that the wireless card can only use”infrastructure mode” (instead of “any”), which will disable the ad-hoc mode. Ad-hoc mode allows other laptops to directly connect to yours. While this may seem convenient it presents a significant security risk to your computer.

Update to Service Pack 2 for Windows

Service Pack 2 contains many fixes to security and wireless issues; this is a must if your laptop is to be connected at any hotspot.

Disable your wireless network card

When not in use the best security will be provided by disabling or removing the wireless network card altogether.

Use a Virtual Private Network

Most businesses will provide a Virtual Private Network (VPN) client for remote access to the corporate networks. You can think of the VPN as a conduit or tunnel between your laptop and the company’s network. By using a VPN the mobile worker is as secure as they would be wired into the network sitting at their desk. Using a VPN will ensure encryption and protection at the IP layer (Layer 3) and make wireless transmission of data incomprehensible to eavesdroppers. However, establishing the connection and other wireless communication between access points and your latop all occur at the MAC layer. The MAC layer is a sub-layer of the Data Link layer, also known as Layer 2 of the OSI (Open System Interconnection) model, which is one level below where VPNs operate.

Use a Personal Firewall

A personal firewall is a requirement due to the hostile nature of most hotspots. Since most hotspot do not enforce client isolation this allows anyone connected at the hostport to talk to your laptop. This is how viruses are spread, systems get compromised and identities are stolen. A personal firewall will hide your laptop’s identity on the internet and actively block intrusions of suspicious incoming traffic. Make sure you pay attention to the dialog boxes when they pop up.

Leave a Reply