Hotspot State of Fear
June 16, 2005
Vendors say that attacks like Wi-Fi phishing and evil twins are serious; some analysts say it's a case of sowing the seeds of hotspot FUD (Fear, Uncertainty, and Doubt).
Wi-Fi hotspots have become nearly ubiquitous. You can’t travel without seeing a cafe, bookstore, hotel or airport offering Wi-Fi connections to wireless workers. But warnings that public Wi-Fi hotspots may not be safe for business users are causing a stir between security vendors looking to increase sales and hotspot promoters hoping to calm fears.
For example, last month AirDefense alerted business users to a scheme by hackers to snatch personal data from the air.
“Attackers are most interested in stealing user IDs and passwords to gain access to corporate networks,” said Richard Rushing, chief security officer for AirDefense. Rushing was speaking of a new twist on the old “Evil Twins” attack. The attack is not new (Internet Security Systems presented a white paper detailing the problem in 2003), but there are several strains.
This vulnerability takes advantage of what location-aware security company Newbury Networks calls “promiscuous Wi-Fi cards.” Usually, Wi-Fi devices seek out and connect to the strongest signal by default. An Evil Twins attack begins by overpowering the legitimate hotspot AP signal and automatically connecting you to the bogus AP instead. Once connected to the virtual copy of a familiar login page, a user is either sent to a Web site laden with hidden Trojans, viruses and other exploits, or on to an actual destination. Either method permits harvesting of personal information.
One solution, proposed by AirDefense, is for business users to stop using public hotspots. Such venues should be “used primarily for surfing,” says Peter Evans, chief marketing officer for AirDefense.
Even public-access wireless in hotels and airports, venues highly prized by hotspot providers, should not be used for business, according to AirDefense. It believes public hotspots are simply not safe for common business tasks such as email and IM.
People have made the trade-off between urgency and security, says Peter Evans, AirDefense’s chief marketing officer. “Enterprises have the most to lose,” he says.
Hostile Hotspots Reality Check
“Hotspots should be viewed as hostile,” says Mike Disabato, senior analyst with the Burton Group.
“Hotspot users are at extremely high risk,” agrees Matthew Gray, founder and CTO at Boston-based Newbury Networks. “Intercepting a wireless network is trivial.”
Gray says he avoids public hotspots for checking e-mail, but using Wi-Fi hotspots to check e-mail is a prime task of business travelers, according to Ina Sebastian, a Jupiter Research analyst. “Almost half of business travelers need access to their e-mail at least once daily, 19 percent need access at least twice daily,” says Sebastian, adding that 30 percent of companies consider lack of security at public hotspots a primary concern.
“We really need some reality check about this,” believes Disabato. This is the fourth time the subject of Wi-Fi phishing of personal data has surfaced, according to the analyst. Of all security threats facing Wi-Fi, “Evil Twins” ranks third or fourth in importance, he says.
“This is a crazy notion,” says David Hagan, president and COO of Boingo Wireless, commenting on calls to limit business use of Wi-Fi hotspots. While the Evil Twins threat is real, Hagan believes it is small. Hagan and Disabato agree that the report is a case of FUD (the promotion of Fear, Uncertainty and Doubt) to sell products and services.
The Evil Twins attack scenario “isn’t overblown,” counters Chuck Conley, spokesperson for Newbury Networks.
Expect to see the security market double from $100 million in 2004 to $200 million in 2005, according to Frost & Sullivan analyst Wai Sing Lee.
Virtual Private Networks (VPNs), allowing encrypted point-to-point communications, have long been the safety net for enterprise workers using public hotspots as remote offices. Britain’s National Security Coordination Centre (NISCC) recently pointed to a weakness in the IPSec method of encryption. The vulnerability “can cause decrypted VPN traffic to be diverted to a network address of the attacker’s choice,” warned Newbury Networks.
As the IPSec hole relies on intercepting traffic between security points, the vulnerability particularly touches Wi-Fi security. The vulnerability “is yet another example of how VPNs are not sufficient to protect networks from wireless attacks,” according to Gray.
What’s the answer for enterprises? The British alert says the IPSec vulnerability can be fixed by configuring “ESP (Encapsulating Security Payload) to use both confidentiality and integrity protection. This is the recommended solution.”
Also, a growing number of VPNs offer Secure Sockets Layer (SSL), a security technology familiar from Web browsers. When visiting a banking or ecommerce site, the small ‘padlock’ icon will often appear, indicating SSL encryption is in force.
New Security, New Challenges
The days of Evil Twins may be numbered, according to Hagan. Smart-client software is increasingly being used by hotspot aggregators such as Boingo and T-Mobile. The software eliminates confusion over similar-sounding SSIDs (“tmobile” versus “T-Mobile”, for example), which is key to phishing ploys such as Evil Twins. Smart clients instead rely on a server-side database of hotspots. IT departments also can automatically configure a hotspot session, including firewall and virus updates, as well as encryption through VPNs.
Boingo offers its smart-client software as both a free download and as a private-label product to service providers such as MCI, AT&T, and Earthlink, according to Hagan.
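The directory check described above can be sketched in Python. This is an added illustration, not code from Boingo, T-Mobile or AirDefense; the directory contents, BSSIDs, scan results and function names are all constructed for the example.

```python
import unicodedata

# Constructed directory: SSID -> BSSIDs the provider is assumed to operate.
DIRECTORY = {
    "T-Mobile": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "Boingo Hotspot": {"00:11:22:33:55:10"},
}

# Constructed scan results; rssi is in dBm (closer to 0 means stronger).
SCAN = [
    {"ssid": "T-Mobile", "bssid": "00:11:22:33:44:01", "rssi": -70},
    {"ssid": "T-Mobile", "bssid": "02:AA:BB:CC:DD:EE", "rssi": -35},
    {"ssid": "tmobile", "bssid": "02:AA:BB:CC:DD:EF", "rssi": -40},
    {"ssid": "CoffeeShop", "bssid": "00:11:22:33:66:20", "rssi": -50},
]

def fold(ssid):
    """Comparison key for spotting near-miss names: casefolded alphanumerics."""
    text = unicodedata.normalize("NFKC", ssid).casefold()
    return "".join(ch for ch in text if ch.isalnum())

def classify(ssid, bssid, directory=DIRECTORY):
    """Label one scanned AP against the provider directory."""
    bssid = bssid.lower()
    if ssid in directory:
        # Exact name match: the radio itself must also be listed.
        return "trusted" if bssid in directory[ssid] else "evil-twin-suspect"
    if fold(ssid) in {fold(name) for name in directory}:
        # "tmobile" vs "T-Mobile": same name once case and punctuation go.
        return "lookalike-ssid"
    return "unknown"

def audit(scan, directory=DIRECTORY):
    """Return (ssid, bssid, verdict) for every AP seen in the scan."""
    return [(ap["ssid"], ap["bssid"], classify(ap["ssid"], ap["bssid"], directory))
            for ap in scan]

def pick_network(scan, directory=DIRECTORY):
    """Choose the strongest *trusted* AP; signal strength alone never wins."""
    trusted = [ap for ap in scan
               if classify(ap["ssid"], ap["bssid"], directory) == "trusted"]
    return max(trusted, key=lambda ap: ap["rssi"], default=None)

if __name__ == "__main__":
    for row in audit(SCAN):
        print(row)
    print("connect to:", pick_network(SCAN))
```

A BSSID is not authenticated, so a directory match is a filter rather than proof of identity; the VPN or SSL session still has to authenticate the far end.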
AirDefense also offers its own free smart-client software.
The only way many enterprises will allow use of public hotspots by traveling employees is through such software, says Hagan.
Although “a lot of people stumble across a signal and use it,” as the hotspot market matures, Hagan sees exploiting hotspot login pages declining.
Burton’s Disabato points to simple Wi-Fi signal locators (such as the Canary Wireless Digital Hotspotter) as one way to detect if a rogue AP is near your hotspot.
While the latest Wi-Fi security scare may be over-hyped, all agree that security is a never-ending battle. As Wi-Fi hotspots become more common, along with the ease of Wi-Fi use, a new attacker profile is developing. Script-kiddies, the hackers without much knowledge of Wi-Fi’s inner workings, are now “invading,” says Gray.
Instead of young kids working in parents’ basements, Wi-Fi attackers are “organized and funded” for financial gain, according to Evans.
The melding of Wi-Fi and VoIP to create VoWi-Fi phones “introduces new challenges,” says Newbury's Conley. In 2009, there will be more 802.11-based phones than laptops, he says.