This is the second post in a series examining the risks associated with the three most popular Wi-Fi network categories (listed below), and what users can do to manage them.
- Residential, Home, SOHO (Small Office/Home Office) Wi-Fi networks
- Public Wi-Fi networks (coffee shops, libraries, shopping malls, hospitality market, outdoor hot spots provided by telcos or ISPs)
- Enterprise level Wi-Fi Networks (internal staff and guest network access)
Public Wi-Fi networks
Public Wi-Fi setups vary in how their Access Points (APs) are configured. Common configurations include:
- Open system authentication (no security at all)
- Open system authentication and using a “Captive Portal”, which is a login page to enter your credentials
- APs with a configured encryption standard (WEP, WPAv1 or v2 PSK)
- APs using IEEE 802.1x authentication with an Authentication Server in the backend of the network containing the usernames and passwords (Note: open system authentication is required first before the real authentication can be used to create a Robust Security Network (RSN) Architecture)
- APs using IEEE 802.1x and IEEE 802.11u Hotspot 2.0 using roaming agreements with other service providers.
Security risks to be aware of when using public Wi-Fi networks
Below are some examples of potential risks to be aware of with public Wi-Fi networks:
- Open system authentication, which is used by most frameworks, does not provide any security – all Wi-Fi traffic is exposed and can be captured by a protocol analyzer. However, depending on the security framework, additional security can be provided by a captive portal or IEEE 802.1x authentication. (Note: open system authentication is vulnerable to several Wi-Fi attacks like evil twin, man-in-the-middle, honeypot, peer-to-peer and de-authentication attacks, to name a few.)
- Captive portals provide an additional layer of security, but if the login is via HTTP and not via HTTPS, then login credentials may be exposed if these frames can be captured.
Captive portals are typically secured by validating the MAC address of the laptop, with either time-based or volume-based limitations put in place. The MAC address validation can be bypassed by spoofing the MAC address or by using different client adapters to extend the time.
In hotels, captive portals are typically secured by guest name and room number, which are vulnerable to impersonation attacks and shoulder surfing attacks (attackers will listen for details at the reception counter). Credentials are also often sent via HTTP over such networks.
- IEEE 802.1x Port Based Authentication with validation in the backend, either with or without a captive portal, provides a stronger authentication and encryption framework, depending on the authentication framework used (Extensible Authentication Protocols – EAP). Clients and ISPs support several EAPs, including:
- EAP-TLS (Transport Layer Security)
- PEAP (MSCHAPv2) or others like TEAP
(Note: there are more EAP frameworks; some are weak and some are stronger, for example, those with tunnelled authentication and mutual authentication.)
- Some IEEE 802.1x and/or captive portal setups integrate with social network providers like LinkedIn and Twitter, and can expose your whereabouts – automatic messages get posted on your personal social networking page.
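The captive portal risk described above (login details sent via HTTP instead of HTTPS) is something a portal operator can check for directly. The following Python code is an added example, not part of the original post: it takes a portal page's URL and HTML and reports any form with user-typed fields that is served or submitted over plain HTTP. The function names, the `portal.example` host and the sample HTML are hypothetical and constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

TYPED_INPUTS = {"text", "password", "email", "tel", "number"}  # fields a guest types into


class FormCollector(HTMLParser):
    """Record each form's action and whether it has a field the user types into."""

    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = {"action": attrs.get("action") or "", "typed": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            # A missing type attribute defaults to a text field.
            if (attrs.get("type") or "text").lower() in TYPED_INPUTS:
                self._open["typed"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_portal(page_url, html):
    """Return (finding, submit_url) pairs for login forms that touch plain HTTP."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["typed"]:
            continue  # e.g. a click-through "Accept" button carries no credentials
        submit_url = urljoin(page_url, form["action"])  # empty action posts to page_url
        if urlsplit(page_url).scheme != "https":
            findings.append(("page served over HTTP", submit_url))
        if urlsplit(submit_url).scheme != "https":
            findings.append(("credentials submitted over HTTP", submit_url))
    return findings


# Constructed sample: hotel-style portal asking for surname and room number.
HOTEL_HTML = ('<form action="/login" method="post"><input name="surname">'
              '<input name="room" type="number"><input type="submit"></form>')
```

Calling `audit_portal("http://portal.example/welcome", HOTEL_HTML)` reports both findings, because the guest name and room number form is served and submitted over HTTP.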
How can you protect yourself from such risks?
There are several ways that users can manage these security risks. These include:
- Using the methods as explained in Part 1 of this series, for example, using a long password or passphrase and checking for evil twins.
- Avoiding the social network login options. Instead, create new login details for each application.
- Installing additional end-point security software, like firewalls, anti-virus and anti-malware.
- Using a Virtual Private Network (VPN) at layer 3 and/or layer 7 to connect to your remote network.
- Using Network Access Control (NAC) applications, if the organization provides these.
- If IEEE 802.1x is used with an EAP-framework that supports tunnelled authentication, for example, PEAP (MSCHAPv2), check that anonymous identity is configured. Otherwise, the real username will be exposed during the authentication. Note: this is not supported on all OSs.
- Being aware of pop-up messages. Read them first before clicking on them (these messages can be very technical, like certificate validations), as they could potentially be a security risk (Man in the Middle attacks).
- At public hotspots, looking around for people using laptops with external dongles or antennas connected to their laptop (Wi-Fi professionals use external antennas and dongles to do Wi-Fi analysis and site surveys, but the average user does not do this). Note: Wi-Fi scan software can run on smaller devices like Android platforms, Raspberry Pis, ODroid and Intel-Stick.
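The anonymous identity check recommended above for tunnelled EAP methods can be automated on clients that use wpa_supplicant. The following Python code is an added example, not part of the original post: it parses `network={...}` blocks and flags tunnelled 802.1x profiles that would expose the real username as the outer identity or that do not validate the server certificate. The sample configuration, its SSIDs, identities and certificate path are constructed, and including TTLS alongside PEAP is an assumption that goes beyond the single example named in the text.

```python
import re

# Constructed sample wpa_supplicant.conf (password lines omitted): weak block, then hardened.
SAMPLE_CONF = '''
network={
    ssid="ExampleHotspot"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="ExampleHotspot-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
    anonymous_identity="anonymous@example.org"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    phase2="auth=MSCHAPV2"
}
'''

TUNNELLED = {"PEAP", "TTLS"}  # EAP methods with an outer tunnel and an inner identity


def parse_networks(conf_text):
    """Return one dict of key -> value (quotes stripped) per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf_text, flags=re.S):
        net = {}
        for line in map(str.strip, body.splitlines()):
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def audit_network(net):
    """Return findings for one network block; non-tunnelled profiles return []."""
    eap = set(net.get("eap", "").split())
    if "WPA-EAP" not in net.get("key_mgmt", "") or not (TUNNELLED & eap):
        return []
    findings = []
    # Without a distinct anonymous_identity, the real identity is sent outside the tunnel.
    if net.get("anonymous_identity") in (None, "", net.get("identity")):
        findings.append("real username exposed as outer identity")
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("server certificate not validated")
    return findings
```

Running `audit_network` over each entry of `parse_networks(SAMPLE_CONF)` returns both findings for the first profile and none for the hardened one.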
In my next post, I will look at the risks for Enterprise Level Wi-Fi Networks (internal staff and guest network access) and ways to overcome them.
Ronald van Kleunen is CEO of Globeron Pte Ltd. He is a certified wireless network expert and certified security professional.