The Risk: When Convenience Becomes a Liability

Imagine this: You’ve visited a coffee shop and connected your smartphone to their Wi-Fi network. Your device remembers this network to connect automatically next time. Seems harmless, right? Here’s where the risk creeps in.

Once you tell a device to automatically reconnect to a remembered network in range, your device will continuously send out “probes” or signals looking for that network, typically one to four times a minute and more often when other events can trigger a probe. A threat actor can set up a Wi-Fi access point with a common SSID name, such as “home.” And what if your device is configured to automatically connect to a network you trust named “home?” When your device, say your smartphone or laptop, is within range, it might automatically connect to this rogue Wi-Fi network without your knowledge.

The Trap: A Deceptive Doppelgänger

This rogue network, set up by the threat actor, is a doppelgänger of your trusted network but with nefarious purposes.

Remember: Your device connects to the rogue access point automatically and often without alerting you at all. (see “what about passwords” below). This attack does not need you to make any mistakes to succeed, and it can happen without your knowledge.

Ten common network names threat actors can use that will often lure devices from unsuspecting users to connect include:

• xfinitywifi
• linksys
• Marriott_Guest
• Hyatt
• hhonors
• NETGEAR
• Guest
• dlink
• FreeWifi
• Home

To make it even easier to connect, there are commercially available devices that listen for the SSID name in a probe from an unsuspecting user’s device and then broadcast that name in an effort to capture the device’s connection. In that case, it doesn’t matter how unique your SSID is, an automated device can attempt to establish a connection without your knowledge. If you are technically minded, you can read the section at the bottom of this article for a detailed explanation of how probing works.

Once connected, the attacker can intercept your device’s data. This interception could be called a “Man-in-the-Middle” attack. Thanks to encryption technology, the attacks are more complicated than they used to be, but they are still possible in some circumstances. If the attacker successfully establishes the Man-in-the-Middle connection, imagine sending confidential emails, accessing your company’s financial data, or even logging into your personal banking app, all while an unseen cybercriminal is potentially recording every keystroke and data transfer.

Another serious concern is if threat actors know of undiscovered vulnerabilities that will allow them to hack into your device. This is one of the most important reasons to always apply security updates when they are released and always keep backups for the unlikely scenario of an update causing a problem on your device. Even if you applied all of your security updates, sometimes attackers know of ways to break in that haven’t been discovered by the device’s manufacturer, operating system producer, or app developer yet. Thus, there are no updates written. Bad actors can use tools to scan your device and exploit vulnerabilities quickly. Their ultimate goal would be to take control of, or pwn, your device. This isn’t always easy if you have all your updates in place, but it isn’t impossible either.

The Consequences: A Digital Pandora’s Box

The consequences from attackers successfully tricking your device into connecting to their rogue access point and exploiting vulnerabilities can range from private information exposure to significant breaches:

1. Personal Data Theft: Sensitive personal information can be stolen.
2. Corporate Espionage: Confidential business information could be compromised.
3. Identity Theft: Your digital identity could be used for fraudulent activities.
4. Network Infiltration: Once a device is compromised, it can serve as a gateway to your business’s entire network.

Prevention: Turning Awareness into Action

As executives, instructing your workers to implement security measures is crucial. Here are some actionable steps you can take in the Wi-Fi settings of your laptops, phones, and tablets:

1. Forget Networks: In your device’s Wi-Fi settings, examine the network names identified as “remembered” or “my networks.” Tell your device to ‘forget’ networks by removing them from the ‘my networks’ list, except those you use frequently. Were any of the ten listed above remembered on your device? To establish the unauthorized connection, the threat actor would need to use the name of one of the networks you leave remembered or use the device mentioned above that responds to probes for names your device sends.
2. Avoid a False Sense of Security: If your device has the “Ask to Join Networks” setting, read the fine print. The device will still join known network names without asking. The setting is usually more about asking before joining new or unknown networks, rather than known ones.
3. Turn off Wi-Fi When You Aren’t Using it: To reduce your exposure dramatically, disable Wi-Fi when you are not using it. Your device will stop probing, stop listening for access points broadcasting their name, and won’t connect to any Wi-Fi networks. Some devices have a quick shortcut to turn off Wi-Fi from an easily accessible menu, but they might turn Wi-Fi back on again after a while or when you move to a new location. On those devices, if you go into “Settings” to disable Wi-Fi, it should stay off until you manually change the setting to “on” again.

What about Wireless Passwords?

If the original remembered network you connected to, such as the coffee shop network, had no password, your device would join the network automatically and not alert you. This is a common risk with some remembered networks. You may have noticed that many hotels and some coffee shops and restaurants now require no Wi-Fi password; this is undoubtedly to reduce guest frustration and the number of calls from hotel rooms to the front desk asking for the password. The prevalence of public networks without passwords makes it especially important for you to tell your device to forget networks and be sure to forget the ones with no passwords.

However, if the “remembered” network did have a password, then to get your device to connect automatically without warning you, the threat actor will need to set the same password on the rogue access point. It is simple for an attacker to know the password for coffee shops and other networks that share the password with guests.

Many companies will set passwords on networks and hopefully don’t write the password on dry-erase boards in the meeting room. Even if the passwords are configured at the company, and users do not know the password since the IT Professionals configure their computers, if an attacker is able to access one computer, in-person or remotely, there is a chance they can run a script to find out the wireless password for the company. This is why some companies use enterprise-level Wi-Fi authentication that does not rely on a shared password.  Or, attackers can use social engineering to successfully trick a user into providing the network password. If a user’s device doesn’t detect any anomalies between the rogue access point and the access point it is used to connecting to, the user will not be alerted they are connecting to a rogue access point, and their device will connect automatically.

An exception that might generate an alert is when there is a discrepancy between the security settings of the known network and the one to which the device is trying to connect. An example is when the rogue access point does not have a password, but the remembered network does. In this case, some devices will prompt you: “Are you sure you want to join this network?” The default button, “join,” is preselected. Unless you are on the lookout for this kind of message and know the seriousness, you might click “join” and not think anything of it. Sometimes, the device will connect and not alert the user but will quietly list the word “open” or “insecure” under the network name on the list of networks under settings. Most people do not periodically look at the Wi-Fi settings, so the label often goes unnoticed. Even if a user does notice the label, there is a good chance the attacker already probed for weaknesses and exploited any vulnerabilities they discovered.

However, if you ever see a prompt asking you to re-enter a password, that is a huge red flag, and you need to assess the situation carefully to determine if your device is attempting to connect to a rogue access point with an inaccurate password.

And to be sure you don’t have a false sense of security, remember that devices do not prompt the user if the security settings of the new network match those of the remembered network, and the device will quietly automatically connect even if it’s a rogue access point.

What about a VPN?

A Virtual Private Network (VPN) is a technology that encrypts data as it moves to and from your device. This encryption can prevent attackers from reading your data. However, it’s important to note that a VPN doesn’t protect you from attackers who scan for unpatched vulnerabilities, search for open ports, and exploit weaknesses on your device. Even if you use a VPN, you’re still vulnerable to such attacks. Follow the instructions above to help ensure your online safety.

Final Thoughts: Balancing Convenience with Caution

In today’s fast-paced digital world, convenience often beats caution. However, in the realm of cybersecurity, this trade-off can have dire consequences. As leaders, our role extends beyond making decisions; it includes understanding and mitigating the risks associated with the technology we use every day. Stay safe, stay informed, and lead your organization confidently in this digital age.

Technical Details About the Probing Process

For the more technically minded, here is more information about the probing process. When we say that devices are constantly probing, they are, and the probing might be once every 15 to 60 seconds. The probing frequency can vary, for example, if you put your device in low battery mode.

In addition to devices probing, know that Wi-Fi access points, including rogue access points attackers use, broadcast their network name, a process called beaconing, sometimes as often as ten times every second. The rate of beaconing is usually configurable by your IT Professionals.

If you look at “available networks” in “settings” on your device, you might notice that the list takes a few seconds to build because your device is cycling through multiple Wi-Fi frequencies, listening for the beacons.

An interesting setting not everyone is familiar with on wireless access points is that you can instruct the access point to be “hidden.” If you do, then the access point will not send out beacons. However, hidden networks, while not broadcasting their SSID, will still respond to direct probes that contain their SSID name. So, as soon as your device sends out a probe looking for the remembered hidden network, which it does regularly, as described above, the access point will respond, and your device will connect. Just because a network you “remembered” is hidden at your home or office doesn’t affect a threat actor’s ability to lure your device into connecting to their rogue access point, even if the hacker’s access point is not hidden.

Additionally, to reduce the delay in connecting, your device will send immediate probes in certain circumstances, such as when it wakes from sleep, when you open your laptop’s lid, or if you just disabled airplane mode. Your device will quickly find access points, even rogue ones, especially if they are “remembered.”

A significant benefit to attackers of your device probing periodically, such as every 15 to 60 seconds, is when the attacker doesn’t already know the network names your device has remembered. The attacker tools wait for the probe, then know the name, and the rogue access point automatically claims to have that network’s name. This is a very powerful way for attackers to capture as many unsuspecting users as possible without needing to predict the names of remembered networks.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.

The post Outsmarting the Invisible Threat: How Cyber Attackers Hijack Your Wi-Fi Connections and How to Protect Yourself appeared first on Foster Institute.

Set a passcode on the device. Even a 4-digit code is much better than nothing. Just avoid 0000, 1111, 1234, 2580, or other easily guessed codes. Keeping the device in your possession, or in a secure place, is just as essential since is can prevent the opportunity for someone to guess your password.

Keep the device backed up, and apply security patches as soon as they are released. The patches often protect against attacks that are already happening in the wild.

Do not connect to Wi-Fi networks without weighing the risk of convenience versus your potential benefits. When you connect to any Wi-Fi network, there is a chance that attackers can exploit your device in many ways. Because bad actors can trick your device into connecting to their malicious access points without your knowledge, consider using your device’s settings to disable Wi-Fi when you are not using it. Re-enable Wi-Fi only when you are at your office, home, or in another trusted environment.

At the office, there is technology that will allow your IT team to implement MDM, Mobile Device Management, to restrict your team members’ activity on their devices. This can help protect against one of your team members accidentally becoming a vector for attackers to access, and potentially interfere with, your entire organization’s network.

For families, keep these three possibilities in mind:

First, use the internal parental controls and restrictions that are built into the device. The settings and features are very effective, and well documented on the support sites. More features can be added with security and feature updates, so review the settings periodically. The best strategy for using these restriction settings is to use steps A, B, and C.

• Step A: As you apply security and privacy restrictions to a device for a family member, keep reminding yourself that you are restricting that device for their, not your, needs. It is easy to think about how you might want to use wireless payment options, and then you avoid restricting the options accordingly. When in doubt, restrict. You can always re-enable features later.
• Step B: Before applying parental control restrictions, first configure the other settings on the device. If you apply parental control restrictions first, you may find that you’ve restricted your own ability to adjust these settings.
• Step C: Wait until you finish steps A and B before you apply the restrictions designed to protect family members. You’ll be prompted to create your own unique password so that, in theory, only you can adjust the parental controls.

Second, when protecting families, consider commercially available tools designed to enhance your ability to, not only restrict, but also monitor usage. Many reviews place a product named Qustodio at the top of the list. We receive no compensation in any way for recommending this, or any other product or service. We just want you to have a place to start. It seems that, for many of the control tools available, parents either love them or hate them, depending on their expectations. To help ensure a good outcome for you, research the features and read comments from other parents. Restrict your search to comments made in 2017. Each product’s features, and approval ratings, tend to change from year to year. Some products will even permit you to restrict laptops and desktop computers in addition to tablets and phones. Interestingly, you may find that third party software is able to restrict Android devices more than Apple devices. This is because Apple’s own internal controls are already so restrictive, they can partially block the parental control software too.

Third, consider restricting the Internet access at your home, too. For example, you may choose to set a time limit on usage duration or time of day. This can help ensure that youngsters get enough sleep. A very powerful tool is called Circle with Disney. Again, we receive no compensation for recommending products or services. This tool is widely accepted as being one of the best. If nothing else, check out its features to help you get an idea of what you may want to control. It has a feature that can restrict access even when the device uses a cellular connection or connects to a different network. That added protection can prevent family members from simply going to someone else’s house to operate without restrictions. Bear in mind that Internet filtering tools do not restrict the ability for family members to use apps, except for apps that need to connect to the Internet in order to function. The afore mentioned products can control both apps and Internet usage. But sometimes having two products can be helpful too.

When implementing family control tools, remember that all of them include privacy risks. While restricting apps and Internet usage, software is able to monitor your family members’ electronic behavior too. That information can be sold to marketing firms who already build a profile on each consumer. Do you want to contribute to what they know about your family members? What if bad actors gain access to information that helps them target a family member? You may decide the risks are worth the benefits.

Please forward this information to everyone you know who might want to place restrictions on Apple and Android based devices. Thank you for helping make the world a safer place to live and work! Happy New Year!

The post Protecting and Restricting iPads, iPhones, and Android Devices appeared first on Foster Institute.

A big problem is that security patches that protect against these kinds of breaches never reach users’ Android devices because of something known as Android fragmentation. When Google releases security patches, the patches are sent to device manufacturers, who are then responsible for releasing the patches for their different models. Some do not release the patches, or do so after a long delay.

Google is taking steps to help mitigate the problem, such as scanning phones and apps to look for Gooligan code and forcing resets of credentials to Google accounts. But so far that hasn’t been enough to protect those million users that have had their accounts hacked.

So, what can you do? Always stay up to date with the latest Android versions and patches. Choose a brand that has a track record for releasing patches every 30 days. Blackberry is one of those brands, but few people use those devices. If 30 days is too long to wait, consider using the Google Pixel line of Android phones since, because Google makes the devices, patches and upgrades should be available for download immediately upon release. Note: Brand names are mentioned to provide value to you. We do not receive any kind of compensation for mentioning brands. Another strategy is to install as few apps as possible on your device. Each app is a potential security issue and many people have installed apps that they realize are not essential, and some apps are rarely, if ever used.

Please forward this to anyone you know that uses Android devices and would like to be more secure.

The post 1 Million Android User Accounts Reported Hacked appeared first on Foster Institute.