Written by Michael Martin
With the continuation of remote working and the loosening of COVID restrictions, many people are venturing out to work in public. This is made easier by the growing availability of public Wi-Fi at a number of businesses. It’s not just coffee shops and hotels that have publicly available wireless networks; they can also be found in grocery stores, stadiums, and even public parks. While this adds a layer of convenience, it also poses risks to privacy and confidential business data – especially with a remote workforce population that is growing every year.
In this article, we will cover what some of the potential risks are and how to mitigate them before they can become a problem for your business.
What are the potential risks?
Some of the main risks to using a public or unsecured Wi-Fi network are:
1. Unsecured Wi-Fi Networks
Gaining access to these networks is usually very simple – either there are no passwords or you can ask an employee for one. What makes these types of networks even riskier is that many will have the default settings left on the access point, meaning anyone can get admin access to the network and make any changes. This can allow criminals to intercept or redirect traffic to a malicious site, or otherwise use the network as a jump point for other malicious activities.
2. Rogue Wi-Fi Networks
These networks may appear to be legitimate but are set up by an attacker. By creating a network that mimics an access point created by a business, for example, naming it “CoffeeShopNetwork”, an attacker can get unsuspecting people to connect and use the rogue network. This allows the attacker to eavesdrop on network traffic to steal credentials or bank data, or to redirect traffic to a device that injects malware into the content the victim receives.
3. Man-in-the-Middle Attacks
On a public or unsecured Wi-Fi network, a nearby eavesdropper may capture a sender’s communications, modify the message or data, and re-transmit it to the receiving system. This is known as a “Man-in-the-Middle” attack. An eavesdropper can have several goals, but most commonly the attack is used to steal credentials for reuse later or to modify or falsify a message to the receiver.
4. Distribution of Malware
An attacker may use an unsecured Wi-Fi network as a distribution point for malware. By utilizing an unsecured network, the attacker can appear to be a trusted source, either to distribute malware to the internal corporate network or to the endpoints of clients or users over the internet.
5. Malicious Network Creation through Ad-Hoc Network
An Ad-Hoc network is a peer-to-peer network, usually used to connect two computers together wirelessly without an access point or larger network infrastructure. Allowing devices to automatically discover and connect to Wi-Fi networks can make it possible for attackers to easily gain access by creating an Ad-Hoc network nearby and exchanging data with those devices.
6. Interception of Sensitive Data
Using a public Wi-Fi network increases the risk of transmitting sensitive data in “clear text”, that is, connecting to a system or website that doesn’t protect its communications with an encryption mechanism such as SSL or HTTPS. The transmission of sensitive data in clear text can allow attackers to gain access to sensitive financial data, customer information, or network credentials, and to use that information maliciously.
7. Worm Attacks
When connecting to a public or unsecured Wi-Fi network, there is a risk of letting in a “worm”, a type of malicious code that replicates itself on devices throughout a network. Often a worm will exploit open and unpatched devices on the network, not only corrupting data but also consuming system and network resources as it spreads, causing other tasks to slow or stop completely.
How can you mitigate the risks of using public Wi-Fi?
While there is an inherent risk in using public Wi-Fi, it can be lessened by implementing some basic policies and practices that will increase the base security of your infrastructure:
1. Protect Network Traffic with HTTPS
Forcing network traffic to use HTTPS provides additional security and privacy protection for corporate and user data. Confirming all traffic to your website is secured in this manner adds little overhead in cost or resources and ensures that all traffic is protected. The usual validity of SSL certificates, the basis of HTTPS traffic, is two years. To be sure that traffic remains protected, it’s a good practice to inventory the SSL certificates yearly and renew any that will be expiring soon.
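One way to run the certificate inventory described above, as an added example that is not part of the original article. The host names and the 60-day renewal window are assumptions; replace them with your own site list and policy.

```powershell
# Added example: inventory TLS certificate expiry for a list of sites.
# Host names are placeholders and the renewal window is an assumed policy value.
$Sites      = @('www.example.com', 'portal.example.com')
$WarnWithin = 60   # days before expiry at which a certificate is flagged

function Get-TlsCertificateStatus {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$WarnDays = 60,
        [int]$TimeoutMs = 5000
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            throw "Timed out connecting to ${HostName}:$Port"
        }
        # Accept any certificate so that expired or untrusted ones can still be
        # read and reported. This stream is used for inspection only.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            $days = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            $status = if ($days -lt 0) { 'Expired' } elseif ($days -le $WarnDays) { 'RenewSoon' } else { 'OK' }
            [pscustomobject]@{
                Host = $HostName; Subject = $cert.Subject; Issuer = $cert.Issuer
                NotAfter = $cert.NotAfter; DaysLeft = $days; Status = $status
            }
        } finally { $ssl.Dispose() }
    } catch {
        # Report unreachable hosts instead of aborting the whole inventory
        [pscustomobject]@{
            Host = $HostName; Subject = $null; Issuer = $null
            NotAfter = $null; DaysLeft = $null; Status = "Error: $($_.Exception.Message)"
        }
    } finally { $client.Dispose() }
}

$Sites | ForEach-Object { Get-TlsCertificateStatus -HostName $_ -WarnDays $WarnWithin } |
    Sort-Object DaysLeft |
    Format-Table Host, NotAfter, DaysLeft, Status -AutoSize
```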
2. Use a Virtual Private Network (VPN)
A VPN is a secure “tunnel” that encrypts all traffic between two devices and prevents network traffic between the two points from being eavesdropped on. Using technology such as Microsoft’s “Always On VPN”, you can make sure all traffic is always routed over secure channels to the corporate network and prevent sensitive data from being intercepted or eavesdropped on. More information on the implementation of this technology can be found here: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/always-on-vpn-technology-overview
3. Forget Previously Used Networks
Forcing laptops to “forget” Wi-Fi networks that they have previously connected to is one way of preventing a system from automatically connecting to a rogue network. Creating a GPO with a startup script that executes the command “netsh wlan delete profile name=* interface=*” would remove all previously associated networks and force the user to enter the credentials to use a Wi-Fi network rather than relying on saved credentials. This path would be a little more cumbersome for most end-users, so it should be approached with caution. Making it too restrictive might tempt the user to create a network at home with little or no security, opening up larger security vulnerabilities. Adding a GPO with Wi-Fi settings pre-configured and providing the user with an Access Point to use at home may be a good compromise for this scenario.
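A startup script along the lines described above, as an added example that is not part of the original article. It goes one step beyond the blanket delete by keeping an allow-list of approved profiles; the profile name `CorpWiFi-Example`, the function names, and the English-locale `netsh` output format are assumptions.

```powershell
# Added example: remove saved Wi-Fi profiles that are not on an approved list.
# 'CorpWiFi-Example' is a hypothetical corporate profile name.
$AllowedProfiles = @('CorpWiFi-Example')

function Get-SavedWlanProfile {
    param([string[]]$NetshOutput = (netsh wlan show profiles))
    # Assumes English-locale output, where each saved profile appears as
    # "    All User Profile     : <name>"
    foreach ($line in $NetshOutput) {
        if ($line -match 'Profile\s*:\s*(.+?)\s*$') { $Matches[1] }
    }
}

function Remove-UnapprovedWlanProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Allowed = @(),
        [string[]]$Saved = (Get-SavedWlanProfile)
    )
    foreach ($name in $Saved) {
        # Case-sensitive comparison: SSIDs that differ only in case are different networks
        if ($Allowed -ccontains $name) { continue }
        if ($PSCmdlet.ShouldProcess($name, 'Delete saved Wi-Fi profile')) {
            netsh wlan delete profile name="$name" | Out-Null
        }
        $name   # emit the name so the run can be logged
    }
}

# Constructed sample of `netsh wlan show profiles` output, for a dry run
$sample = @(
    'Profiles on interface Wi-Fi:',
    '',
    'User profiles',
    '-------------',
    '    All User Profile     : CorpWiFi-Example',
    '    All User Profile     : CoffeeShopNetwork',
    '    All User Profile     : Hotel Guest'
)

# Dry run against the sample: lists CoffeeShopNetwork and Hotel Guest, deletes nothing
Remove-UnapprovedWlanProfile -Allowed $AllowedProfiles `
    -Saved (Get-SavedWlanProfile -NetshOutput $sample) -WhatIf

# In the GPO startup script, run against the live system instead:
# Remove-UnapprovedWlanProfile -Allowed $AllowedProfiles
```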
4. Enabling Firewalls at Endpoints
Ensuring that firewalls are configured and enabled on all endpoints prevents attackers and malware from entering the device through exposed vulnerabilities. Creating a GPO that implements these configurations on the endpoints prevents a user from knowingly or unknowingly misconfiguring them.
5. Using Malware Protection
Using – and monitoring – malware protection is critical for any environment. Using a solution that offers centralized management and a central monitoring point can help detect potential issues or alerts before they are catastrophic. Monitoring the platform and configuring it for optimized protection, as well as regularly updating patches and hotfixes on servers and desktop/laptops, can be a critical piece in preventing unauthorized access through exposed vulnerabilities.
6. Use a Mobile Hotspot or Cellular Connection
Bypassing Wi-Fi altogether and opting to use a mobile hotspot or tethering the device to a phone is an effective way to ensure security. With the wide deployment of LTE and 5G, speed is no longer a roadblock in getting connected remotely, and a cellular connection provides the assurance that the connection is tightly controlled and less vulnerable to being eavesdropped on. As with any technology, it isn’t bulletproof and other security measures should still be used, such as VPNs and firewalls, to provide a more complete security suite for safer infrastructure.
7. Create Corporate Policies and Provide Regular Training
Creating a corporate policy and educating the users on why it’s important to take protective steps will help them understand the risks of using public Wi-Fi. Influencing them to make more informed decisions on the networks they choose to connect to, both on their corporate and personal equipment, will increase the strength of the environment as a whole.