Trinity Maxwell partners with Wandera for Enterprise Mobile Security and Data Management; below is their take on open Wi-Fi and how safe it really is.
Research suggests that more mobile data is now consumed over Wi-Fi connections than over cellular. Worryingly, businesses are struggling to manage an array of open Wi-Fi risks.
Open Wi-Fi networks are all around us, and our mobile devices are likely connecting to these insecure networks every day. Almost every coffee shop, hotel, airport, train and hospital offers open Wi-Fi connectivity to its customers with zero security, encryption or privacy.
For a Wi-Fi network connection to be encrypted, a Pre-Shared-Key (or certificate) must be provided by the client, and so it is no surprise that a minority of public networks follow this approach. But at what cost?
Open Wi-Fi risks explained
In Wandera’s global footprint of protected devices, we can see that 12% of the hotspots that employees are connecting to are open.
It seems that users don’t have any reservations about open Wi-Fi risks and typically favor convenience over security, with a quarter (24%) of devices in our network using open hotspots.
Open networks don’t use encryption and therefore make all data traffic visible to a malicious actor nearby who wants to read the online communications of the people around them, unless the particular app or site being used enforces its own encryption.
So there are two opportunities to establish a secure connection: the network and the application. When one fails, the other effectively acts as a backup. But sometimes both fail.
When insecure apps and sites are accessed over an unencrypted connection, your data is suddenly at serious risk of a data leakage event. Research in our Mobile Leak Report found over 200 sites and apps leaking users’ PII. Alarmingly, some of those leaks came from reputable companies.
Defining a data leak
A data leak involves the unauthorized or unintentional transfer of sensitive information from an enterprise mobile device to an Internet service.
By not using a secure transport protocol (HTTPS) in the development process, developers are essentially making the data available to anyone running a simple network sniffer on the same network as the device with the leaking app or site.
When a leaking site or app is being used on an open Wi-Fi network, the unencrypted information can be harvested by a malicious actor or “man-in-the-middle”. Depending on what is being leaked it could involve credit card theft, identity theft, or even the reuse of login credentials to access a corporate network.
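As an added illustration (not part of the original article or of Wandera’s software), the check below does what a leak-detection tool has to do on the device itself: parse a cleartext HTTP request and flag the fields that carry credentials or card numbers. The captured request is a constructed sample; the sensitive field names and the Luhn check are assumptions about what such a tool would look for.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Field names that commonly carry credentials or PII in login and checkout forms (assumed list).
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "email", "ssn", "card_number",
                    "cardnumber", "cvv", "token"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from random digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def find_leaks(raw: str):
    """Return (field, reason) pairs for sensitive values carried by a cleartext request."""
    _method, target, headers, body = parse_request(raw)
    params = parse_qs(urlsplit(target).query)          # query-string parameters
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(body).items():    # plus form-encoded body fields
            params.setdefault(name, []).extend(values)
    findings = []
    for name, values in params.items():
        if name.lower() in SENSITIVE_FIELDS:
            findings.append((name, "sensitive field name"))
        for value in values:
            digits = re.sub(r"[ -]", "", value)
            if 13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits):
                findings.append((name, "Luhn-valid card number"))
    return findings

# Constructed sample: a login POST exactly as a sniffer would see it on an open hotspot.
SAMPLE_REQUEST = ("POST /login?next=%2Faccount HTTP/1.1\r\nHost: app.example\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  "email=jane%40example.com&password=hunter2&card_number=4111111111111111")
```

`find_leaks(SAMPLE_REQUEST)` reports the email and password fields by name and the card number both by name and by its valid Luhn checksum; the harmless `next` parameter is not flagged.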
Unhelpfully, modern smartphones automatically connect to an open hotspot whenever the phone moves into its range, which makes these leaks hard to control unless the network requires a password first.
But wait, just because a Wi-Fi network requires a password, doesn’t mean it uses encryption. This is where the water gets a little murky.
Captive portal pages – a false sense of security
Sometimes, open “guest” networks will display a captive portal page asking for some personal information, in exchange for access to their open Wi-Fi connection. These captive portal pages usually look like a standard web page and most people rush through the process of handing over information in order to get online. So let’s stop and think about why captive portal pages are used.
There are three main drivers:
1. Limiting liability for risky user behavior
Establishments that provide “open guest access” are not providing authentication of users or encryption of data, which presents an array of open Wi-Fi risks. Guests can, for example, have their data intercepted and PII or money stolen by a malicious actor.
If a captive portal is displayed before the connection is made, the provider has a chance to shed legal liability by writing into the terms and conditions, which the user must agree to, that they aren’t liable for any risky user activity or data theft.
2. Identifying their network
It’s not difficult for a hacker to create a malicious hotspot and advertise the same network name as a legitimate hotspot or business WLAN, causing nearby devices to connect to their malicious hotspot.
These malicious hotspots are called ‘Evil Twins’. Once victims connect and their traffic is routed through the malicious network, there are any number of things a hacker can do with that traffic, such as intercepting credentials and obtaining valuable PII and corporate communications.
The legitimate provider should present a captive portal page that looks on brand. But beware: even these captive portals can be spoofed and injected into people’s devices.
3. For more targeted marketing
Establishments often use captive portal pages to gather data about the guest user in order to target them with more personalized marketing. This is especially effective when the option to log in using Facebook is offered, as the network provider then has access to a bunch of personal data.
So in summary, it’s not safe to assume that just because a provider is asking for credentials you are on a secured connection and therefore safe from open Wi-Fi risks. Providers have other motives for injecting this verification layer, which may have nothing to do with your data security.
Managing open Wi-Fi risks in your mobile fleet
The challenge businesses face is that they have no visibility into these open Wi-Fi risks: when, how or which apps are leaking, and what kind of networks their devices are connecting to. Only with specific software can these leaks and insecure connections be detected.
Authentication systems on open Wi-Fi networks are lacking; the only authentication provided is in the form of a captive portal. Despite the fact that Apple, Windows and Android operating systems automatically detect captive portal pages over HTTP, a large number of Wi-Fi networks spoof HTTPS certificates in order to redirect traffic to their portal.
On modern operating systems and browsers this leads to certificate mismatch warnings which, if a user bypasses them, could expose sensitive information (such as email passwords) to the captive portal page host.
The best way to control the use of insecure networks is a security solution that can block connections to these hotspots in real time, as well as blocking the apps and sites that don’t use encryption.
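Added example, not from the article or from any OS vendor’s probe implementation: a minimal version of the two checks described above, a cleartext HTTP probe that spots a captive portal, and a TLS probe that compares the certificate the network actually presents against a pinned fingerprint. The expected probe body (“Success”), the pinned fingerprint and the sample responses are constructed assumptions.

```python
import hashlib
import socket
import ssl

# Body the probe URL returns when reached directly (constructed value; each OS
# vendor uses its own probe host and expected body).
PROBE_EXPECTED_BODY = "Success"

def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify_http_probe(raw: str) -> str:
    """'direct' if the cleartext probe reached the real server, else 'captive_portal'."""
    status, headers, body = parse_response(raw)
    if status in {301, 302, 303, 307, 308} and "location" in headers:
        return "captive_portal"          # hotspot bounced us to its login page
    if status == 200 and body.strip() == PROBE_EXPECTED_BODY:
        return "direct"
    return "captive_portal"              # e.g. a 200 with a substituted HTML page

def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate the network presents for host. Verification is
    off on purpose: a spoofed certificate would otherwise abort the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def cert_sha256(der: bytes) -> str:
    """Fingerprint of a DER-encoded certificate, the value you would pin."""
    return hashlib.sha256(der).hexdigest()

def classify_tls_probe(observed_der: bytes, pinned_sha256: str) -> str:
    """'direct' when the presented leaf matches the pin, else 'tls_interception'."""
    return "direct" if cert_sha256(observed_der) == pinned_sha256 else "tls_interception"

def safe_for_credentials(http_raw: str, observed_der: bytes, pinned_sha256: str) -> bool:
    """Only trust the network with logins once both probes come back clean."""
    return (classify_http_probe(http_raw) == "direct"
            and classify_tls_probe(observed_der, pinned_sha256) == "direct")
```

In live use `fetch_leaf_der` supplies the `observed_der` argument; the fingerprint it returns on a known-good network is what you pin for later comparisons.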