The Risk: When Convenience Becomes a Liability

Imagine this: You’ve visited a coffee shop and connected your smartphone to their Wi-Fi network. Your device remembers this network to connect automatically next time. Seems harmless, right? Here’s where the risk creeps in.

Once you tell a device to automatically reconnect to a remembered network in range, your device will continuously send out “probes” or signals looking for that network, typically one to four times a minute and more often when other events can trigger a probe. A threat actor can set up a Wi-Fi access point with a common SSID name, such as “home.” And what if your device is configured to automatically connect to a network you trust named “home?” When your device, say your smartphone or laptop, is within range, it might automatically connect to this rogue Wi-Fi network without your knowledge.

The Trap: A Deceptive Doppelgänger

This rogue network, set up by the threat actor, is a doppelgänger of your trusted network but with nefarious purposes.

Remember: Your device connects to the rogue access point automatically and often without alerting you at all. (see “what about passwords” below). This attack does not need you to make any mistakes to succeed, and it can happen without your knowledge.

Ten common network names threat actors can use that will often lure devices from unsuspecting users to connect include:

• xfinitywifi
• linksys
• Marriott_Guest
• Hyatt
• hhonors
• NETGEAR
• Guest
• dlink
• FreeWifi
• Home

To make it even easier to connect, there are commercially available devices that listen for the SSID name in a probe from an unsuspecting user’s device and then broadcast that name in an effort to capture the device’s connection. In that case, it doesn’t matter how unique your SSID is, an automated device can attempt to establish a connection without your knowledge. If you are technically minded, you can read the section at the bottom of this article for a detailed explanation of how probing works.

Once connected, the attacker can intercept your device’s data. This interception could be called a “Man-in-the-Middle” attack. Thanks to encryption technology, the attacks are more complicated than they used to be, but they are still possible in some circumstances. If the attacker successfully establishes the Man-in-the-Middle connection, imagine sending confidential emails, accessing your company’s financial data, or even logging into your personal banking app, all while an unseen cybercriminal is potentially recording every keystroke and data transfer.

Another serious concern is if threat actors know of undiscovered vulnerabilities that will allow them to hack into your device. This is one of the most important reasons to always apply security updates when they are released and always keep backups for the unlikely scenario of an update causing a problem on your device. Even if you applied all of your security updates, sometimes attackers know of ways to break in that haven’t been discovered by the device’s manufacturer, operating system producer, or app developer yet. Thus, there are no updates written. Bad actors can use tools to scan your device and exploit vulnerabilities quickly. Their ultimate goal would be to take control of, or pwn, your device. This isn’t always easy if you have all your updates in place, but it isn’t impossible either.

The Consequences: A Digital Pandora’s Box

The consequences from attackers successfully tricking your device into connecting to their rogue access point and exploiting vulnerabilities can range from private information exposure to significant breaches:

1. Personal Data Theft: Sensitive personal information can be stolen.
2. Corporate Espionage: Confidential business information could be compromised.
3. Identity Theft: Your digital identity could be used for fraudulent activities.
4. Network Infiltration: Once a device is compromised, it can serve as a gateway to your business’s entire network.

Prevention: Turning Awareness into Action

As executives, instructing your workers to implement security measures is crucial. Here are some actionable steps you can take in the Wi-Fi settings of your laptops, phones, and tablets:

1. Forget Networks: In your device’s Wi-Fi settings, examine the network names identified as “remembered” or “my networks.” Tell your device to ‘forget’ networks by removing them from the ‘my networks’ list, except those you use frequently. Were any of the ten listed above remembered on your device? To establish the unauthorized connection, the threat actor would need to use the name of one of the networks you leave remembered or use the device mentioned above that responds to probes for names your device sends.
2. Avoid a False Sense of Security: If your device has the “Ask to Join Networks” setting, read the fine print. The device will still join known network names without asking. The setting is usually more about asking before joining new or unknown networks, rather than known ones.
3. Turn off Wi-Fi When You Aren’t Using it: To reduce your exposure dramatically, disable Wi-Fi when you are not using it. Your device will stop probing, stop listening for access points broadcasting their name, and won’t connect to any Wi-Fi networks. Some devices have a quick shortcut to turn off Wi-Fi from an easily accessible menu, but they might turn Wi-Fi back on again after a while or when you move to a new location. On those devices, if you go into “Settings” to disable Wi-Fi, it should stay off until you manually change the setting to “on” again.

What about Wireless Passwords?

If the original remembered network you connected to, such as the coffee shop network, had no password, your device would join the network automatically and not alert you. This is a common risk with some remembered networks. You may have noticed that many hotels and some coffee shops and restaurants now require no Wi-Fi password; this is undoubtedly to reduce guest frustration and the number of calls from hotel rooms to the front desk asking for the password. The prevalence of public networks without passwords makes it especially important for you to tell your device to forget networks and be sure to forget the ones with no passwords.

However, if the “remembered” network did have a password, then to get your device to connect automatically without warning you, the threat actor will need to set the same password on the rogue access point. It is simple for an attacker to know the password for coffee shops and other networks that share the password with guests.

Many companies will set passwords on networks and hopefully don’t write the password on dry-erase boards in the meeting room. Even if the passwords are configured at the company, and users do not know the password since the IT Professionals configure their computers, if an attacker is able to access one computer, in-person or remotely, there is a chance they can run a script to find out the wireless password for the company. This is why some companies use enterprise-level Wi-Fi authentication that does not rely on a shared password.  Or, attackers can use social engineering to successfully trick a user into providing the network password. If a user’s device doesn’t detect any anomalies between the rogue access point and the access point it is used to connecting to, the user will not be alerted they are connecting to a rogue access point, and their device will connect automatically.

An exception that might generate an alert is when there is a discrepancy between the security settings of the known network and the one to which the device is trying to connect. An example is when the rogue access point does not have a password, but the remembered network does. In this case, some devices will prompt you: “Are you sure you want to join this network?” The default button, “join,” is preselected. Unless you are on the lookout for this kind of message and know the seriousness, you might click “join” and not think anything of it. Sometimes, the device will connect and not alert the user but will quietly list the word “open” or “insecure” under the network name on the list of networks under settings. Most people do not periodically look at the Wi-Fi settings, so the label often goes unnoticed. Even if a user does notice the label, there is a good chance the attacker already probed for weaknesses and exploited any vulnerabilities they discovered.

However, if you ever see a prompt asking you to re-enter a password, that is a huge red flag, and you need to assess the situation carefully to determine if your device is attempting to connect to a rogue access point with an inaccurate password.

And to be sure you don’t have a false sense of security, remember that devices do not prompt the user if the security settings of the new network match those of the remembered network, and the device will quietly automatically connect even if it’s a rogue access point.

What about a VPN?

A Virtual Private Network (VPN) is a technology that encrypts data as it moves to and from your device. This encryption can prevent attackers from reading your data. However, it’s important to note that a VPN doesn’t protect you from attackers who scan for unpatched vulnerabilities, search for open ports, and exploit weaknesses on your device. Even if you use a VPN, you’re still vulnerable to such attacks. Follow the instructions above to help ensure your online safety.

Final Thoughts: Balancing Convenience with Caution

In today’s fast-paced digital world, convenience often beats caution. However, in the realm of cybersecurity, this trade-off can have dire consequences. As leaders, our role extends beyond making decisions; it includes understanding and mitigating the risks associated with the technology we use every day. Stay safe, stay informed, and lead your organization confidently in this digital age.

Technical Details About the Probing Process

For the more technically minded, here is more information about the probing process. When we say that devices are constantly probing, they are, and the probing might be once every 15 to 60 seconds. The probing frequency can vary, for example, if you put your device in low battery mode.

In addition to devices probing, know that Wi-Fi access points, including rogue access points attackers use, broadcast their network name, a process called beaconing, sometimes as often as ten times every second. The rate of beaconing is usually configurable by your IT Professionals.

If you look at “available networks” in “settings” on your device, you might notice that the list takes a few seconds to build because your device is cycling through multiple Wi-Fi frequencies, listening for the beacons.

An interesting setting not everyone is familiar with on wireless access points is that you can instruct the access point to be “hidden.” If you do, then the access point will not send out beacons. However, hidden networks, while not broadcasting their SSID, will still respond to direct probes that contain their SSID name. So, as soon as your device sends out a probe looking for the remembered hidden network, which it does regularly, as described above, the access point will respond, and your device will connect. Just because a network you “remembered” is hidden at your home or office doesn’t affect a threat actor’s ability to lure your device into connecting to their rogue access point, even if the hacker’s access point is not hidden.

Additionally, to reduce the delay in connecting, your device will send immediate probes in certain circumstances, such as when it wakes from sleep, when you open your laptop’s lid, or if you just disabled airplane mode. Your device will quickly find access points, even rogue ones, especially if they are “remembered.”

A significant benefit to attackers of your device probing periodically, such as every 15 to 60 seconds, is when the attacker doesn’t already know the network names your device has remembered. The attacker tools wait for the probe, then know the name, and the rogue access point automatically claims to have that network’s name. This is a very powerful way for attackers to capture as many unsuspecting users as possible without needing to predict the names of remembered networks.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.

The post Outsmarting the Invisible Threat: How Cyber Attackers Hijack Your Wi-Fi Connections and How to Protect Yourself appeared first on Foster Institute.

The race is on. They’ll step around a corner, unlock your phone with your passcode, click on settings, Apple ID, and reset your Apple ID password. All they need to know is your passcode to the phone. Your phone asks them, “Sign out other devices using your Apple ID?” Of course, they know to say yes.

Update on January 27, 2024: Apple has a new feature called Lost Device Protection released with iOS version 17.3 that helps solve this problem. Learn more here: https://fosterinstitute.com/safeguard-your-apple-iphones-and-ipads-activate-the-latest-theft-protection-setting-now/

They know that if you put the phone in Lost Mode, they have the passcode and can unlock the phone immediately. You might have your Apple ID protected with two-factor authentication; good work! But the second step of the verification process displays a verification code on your trusted devices. Unless you set your phone otherwise, the thief has a trusted device. Unless you posses a trusted device tied to your Apple ID, you won’t see the verification code, and your attempt to log in will fail.

At this point, only they can perform any functions that require you to enter your Apple ID and password.

Strive to Intervene:

The process only took seconds. It is unlikely you can stop their next moves quickly enough.

Perhaps your friend walked up as the thief was running away. Thinking you might win the race, you grab in a friendly way, of course, any device they have with Internet access and open https://appleid.apple.com. Enter your Apple ID and your password quickly! Remember, the bad guy is around the corner racing you. Then, guess what? Unless your friend’s device is a trusted device on your Apple ID account, you won’t see the secret code you need to log in. The thief will see the code on your stolen phone’s screen, and they’re laughing but admire your trying. You never had a chance in that race. Read more below about setting up Recovery Contacts and Recovery Keys.

But a way to win and be faster than the thief is if you have your second iPhone in your pocket booted up and connected to the Internet. If so, scramble to be the first to open settings, Apple ID, scroll down through the devices, and log out the stolen device. Reset your Apple ID password. Great job! You did it! They can use the phone and most apps, but at least they cannot take over your Apple ID. Keeping two iPhones connected to your Apple account with you will help if one gets stolen.

Or, a more likely scenario than having two phones, maybe you happen to have your Mac open on the table in front of you the moment the phone is stolen. Assuming you weren’t using the phone as your hotspot, quickly click on the apple symbol in the top left corner, choose system settings, Apple ID, password & security, change password, find the stolen device in the list at the bottom of the menu, log it out, and reset your Apple ID password. Whew! They’re not going to gain control over your Apple ID. But they can still use your apps, log in to bank accounts, and access your company email, so you’ll need to reset all those passwords too.

Will you win the race, or will they? Maybe you want to practice the process a few times.

More Things the Thief Can Do to Affect You:

As you read this, do not be terrified. You can relax and remember this scenario assumes a thief has stolen your phone after watching you enter your passcode and memorized it. Hopefully, that will never happen to you, and it is good to be aware of some consequences, your response, and some preventative measures so you can educate your friends.

Since the thief knows the phone’s passcode, they can reset the Apple ID password. Then they can log in to your Apple account and affect your other Apple devices, including Mac laptops and computers connected to your account.

Then the bad actor can access your device’s Keychain, Apple Pay, Apple Cash, and other sensitive information. They can reset the Apple account’s recovery key. The thief can turn off location services so the phone cannot be tracked. They can change the Apple ID account’s trusted phone number and email address to make it even more difficult for you to regain access to your Apple account. They can change Face ID and Touch ID to their face and finger. They devastated your digital world and will start to steal your money and wreak havoc in your life. And don’t blame Apple; blame the bad guys.

Chances are that most of the apps on your phone will still work even if you log the device out of your Apple account. If the apps remember your passwords for you, then the attacker can use the apps. If you have a password manager that automatically fills in passwords without asking you to prove you are you, the password manager will also fill in passwords for the thief.

And if any of your apps, bank, email, or other services send a text message to your phone to verify your identity, and the thief has your phone, they will get the text message to authenticate and can impersonate you.

And any tools you have that rely on Apple’s Face ID or Touch ID to confirm your identity, if the thief resets Face ID or Touch ID on your phone to their face or finger, they’ll have access to those tools too.

Continue Immediate Steps:

You’d better rush to reset passwords to financial and other sensitive services. See the section on multi-factor authentication below.

Contact your phone service provider and convince them to disable your stolen phone’s ability to call or receive text messages until you buy your new phone.

Reset Passwords on all your other accounts for email, online payment tools, social media, cloud storage, and more. Apple devices, including the stolen phone, are very powerful for running apps, accessing email, using web applications, and more, even if the thief does not know the password for your Apple ID. If a thief has your phone, you have many passwords to reset quickly.

Keep trying to regain control over your Apple ID account. You can download the Apple Support App on your friend’s Apple device and initiate a process that will allow you to set a different phone number for the Apple ID verification process. Still, you must have access to the email address associated with your Apple ID to receive an emailed verification code. If you pass that verification, then endure a waiting period of at least 24 hours. The recovery process is similar to recovering your account at https://iforgot.apple.com/. The thief can cause much trouble during the day or longer wait. Read more below about the preventative step of setting up Recovery Contacts and Recovery Keys. More information about the recovery process: support.apple.com/en-us/HT204921. Apple’s guidance if someone gains control of your Apple ID: support.apple.com/en-us/HT204145.

Some people would advise you to not remove the stolen phone from your Apple ID account. If you do, you will lock yourself out of many ways to recover the phone, although the thief can block many of the protections because they know the passcode.

Multi-Factor Authentication:

An essential protection strategy is configuring multi-factor authentication, such as facial recognition, on apps and websites that support MFA. However, many two-factor authentication techniques rely on you having access to your phone.

It can be complicated to reset passwords on your sites and apps using multi-factor authentication if the second factor goes to the stolen phone’s phone number or relies on you having your phone for some other step. If you set up the MFA to send a text message to the phone, and the thief has your phone, they will see the text message, and you will not.

That might spur you to get a new phone and transfer the phone number to your new phone ASAP before the attacker logs into your apps and sites and changes the verification phone number to a number only they can access, and locks you out.

For websites or services that only support text messages for the second step, consider having text messages go to a device other than your phone.  Consider investing in an inexpensive flip phone with a different phone number to receive text messages. If the website or app supports other options for the second factor besides only text messages, consider how a phone thief could bypass them.

For example, if MFA involves an email message, if the thief can easily access your email on your stolen phone, it defeats the purpose of MFA. If you set up email as the second step, use an email address that requires some other form of authentication or is unavailable on the phone. Ensure email messages do not pop up on the preview screen when received.

Or, do everything possible to prevent an attacker from stealing your phone and knowing its passcode.

If you use passkeys, be sure to see this blog posting: https://fosterinstitute.com/the-risk-iphone-theft-poses-to-your-passkeys-and-what-to-do-now/

Prevention:

To Apple’s credit, and they deserve a lot of credit, they are taking many steps to fight this problem. They must balance the phone’s usability with security, and their multiple advanced security controls are extraordinary, and their responses are highly effective. In the constant game of cat and mouse between those who want to protect you and those who wish to harm you, there might be better defenses when you read this. As of now, here are some essential steps to protect yourself:

One of the most helpful defenses is to be cautious about where and when you enter your passcode. Hence, attackers never find out your passcode. An attacker must know the passcode to the phone as part of resetting the Apple ID password. Using an alphanumeric passcode would be more difficult for a bad actor to read from a distance than a four or six-digit passcode.

Another strategy is to use facial or fingerprint recognition to unlock the phone. That would be Face ID, or Touch ID when available, on Apple devices. If the user doesn’t type their passcode into the phone, nobody can “watch the victim type their code” into the phone. If Face ID won’t work due to lighting conditions or some other factor, rather than entering the passcode, you could move somewhere safe where Face ID works.

Even if the attacker holds the phone in front of the victim’s face and the phone unlocks, the attacker still won’t know the passcode to reset the Apple ID account password. Furthermore, Apple’s Face ID settings have an option called “Attention Detection,” so if the user is unconscious or drugged, the facial recognition will refuse to unlock the phone. Unless the thief coerces the victim to tell them the passcode, the thief cannot reset the Apple ID password.

Consider using a password manager rather than the Keychain that is tied to the Apple ID. If the user doesn’t use the Keychain to store passwords and uses a password manager such as 1Password, LastPass, NordPass, or others, then the thief knowing the phone’s passcode does not give them access to passwords stored outside of the Keychain. Ensure your password manager’s settings force you to enter a passcode and do not use the same passcode as the phone.

Before everything seems hopeless, remember this disaster starts when a thief sees you enter your passcode and steals your phone.

Be Proactive:

Erase your SSN, NI, DL, Passport, or other sensitive information anywhere you’ve stored it, whether in text, contact records, photos, and everywhere else. The thief will search for that information and use it to open accounts, take out loans, and perform other identity theft compromises.

And obviously, don’t share your passcode with anyone other than, if you are going to share it, a family member or close friend you can trust with the key to your digital world.

If you’ve not done so recently, visit appleid.apple.com to update all of your personal or security info. Look for an email address that is not yours. Be sure you recognize the devices in your account.

While you are there, consider setting up someone you trust who has an Apple device as a Recovery Contact who can vouch for you and generate a code to help you recover your Apple ID. They cannot access your data, only verify your identity if you lose access to your Apple ID. Details: support.apple.com/en-us/HT212513

You could set up a 28-character Recovery Key to print out and store in multiple secure locations to help you recover your Apple ID. But be careful. If you choose to have a Recovery Key, and lose the 28-character key, even Apple cannot help you recover your Apple ID. Details: support.apple.com/en-us/HT208072

You’ll see an option to set up a Legacy Contact who, with access to your death certificate, can access your photos and text messages but not passwords. Details: support.apple.com/en-us/HT212360.

Stay current on updates. Rarely do updates create security issues; more often they provide protection against ways attackers find to bypass security.

If you lose access to your Apple ID, you could permanently lose access to your photos of you, your friends, and your family. This underscores how important it is to keep backups of your Apple photos and videos in case someone takes over your Apple account: https://support.apple.com/en-us/HT209454.

Reality Check:

Rather than go through life fearing what could happen, reduce the damage you can suffer and the likelihood of something terrible happening. Continue to recognize and avoid dangerous situations and locations. Keep your phone secure, never enter your passcode when someone can see you, and take the preventative and proactive steps above. Now that you know the risks, your subconscious will alert you to dangers more than before.

Examine your risk tolerance. Balance the likelihood of someone stealing your phone against the damage a phone thief can cause you. If you need to be super-secure, you can reevaluate your practices based on the information contained within. Some people might take some steps to reduce the danger and accept what risk is left. Others might leave their phone locked safely at home more often when they go out.

With the advent of AI, attackers will find new ways to steal, but AI will also help develop new ways to prevent attacks. Everything is changing so quickly on both sides. When you read this, perhaps additional protections are available to help keep you, your organization, and your loved ones safe.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.

The post Be Prepared: Know the Impact of iPhone Theft and What to Do Right Now appeared first on Foster Institute.

If you want to know more about passkeys: https://fosterinstitute.com/the-rise-of-passkeys-a-paradigm-shift-in-authentication-technology/

To gain the most value out of the information below, first review the details about how a stolen phone creates an authentication disaster: https://fosterinstitute.com/be-prepared-know-the-impact-of-iphone-theft-and-what-to-do-right-now/

As mentioned above, if your phone with passkeys is stolen, the thief can access your accounts and deny you access. Because passkey technology and strategies are constantly evolving, there might be more solutions when you read this. As of now:

One possible solution would be storing the passkeys in a password manager, not the Keychain. Then, as long as the attacker cannot unlock the password manager, the attacker will not have access to the passkeys. And if an attacker destroys the passkeys in the Keychain or blocks access to your Apple ID and thus Keychain, you would still be able to access your passkeys since the passkeys are stored in the password manager. The password manager NordPass advertises allowing users to create, store, and share passkeys between their devices. The password managers 1Password and LastPass have announced they will support storing passkeys soon. As you read this, other password managers might support storing passkeys too.

Without using a password manager to store passkeys, another way to protect passkeys would be to set up passkeys in multiple environments. Many iPhone users have a Windows desktop or laptop too. Or they might purchase an Android device where they could configure passkeys. Even if an attacker resets the Apple ID password or deletes the passkeys from the Keychain, thus blocking the victim’s access from all their Apple devices, the victim can still access their sites protected with a passkey generated using their Windows or Android device. Then they can revoke the passkeys created in their Apple ecosystem to prevent the attacker from authenticating from the stolen phone.

But unless users have them already, it is extra trouble and expense to buy a Windows computer or Android phone and remember to set up passkeys on two different devices. Someday, the technology created for convenience might allow the same passkey to function across Apple, Windows, and Android devices. That would render this strategy ineffective, but it could be a long time before such cooperation comes to fruition. A drawback of having more than one device is it gives thieves more opportunities to steal. Thus, using a password manager to store passkeys is a better option for many unless they distrust the security of password managers.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.

The post The Risk iPhone Theft Poses to Your Passkeys and What to Do Now appeared first on Foster Institute.

I decided not to click. In other words, I thanked him and walked away.

He came after me, showed me an airport security badge that looked official, and reassured me that he is the taxi I called. I asked him what his taxi number was. He made up a number 1212. I told him no, so he jumped in his car and sped away.

Soon, a taxi showed up, painted like a taxi, with the number 1515 on the windshield. That’s the taxi I expected. The driver said that kind of thing goes on frequently, costing real taxi drivers income.

So the concept of spam messages, bogus people trying to get users to click, extends beyond email. In fact, that misleading problem has likely been around ever since business started. The victims are trusting of the wolves. Spam is no different. Teach your workers, and your family, to follow the admonition: Trust, but verify.

And how did that guy get an airport security ID anyway?

The post Spammed by a Taxi appeared first on Foster Institute.