Rogue WiFi Hotspots – Why getting coffee is putting your enterprise at risk (Social Engineering Ep. 4)

Most people don’t think twice before connecting to a free public Wi-Fi hotspot at a coffee shop, airport, or hotel. If someone is providing free WiFi, users will usually connect first and think later. With rogue Wi-Fi hotspots growing in number, it’s becoming much more critical to monitor connectivity.

This is our fourth entry on Mobile Social Engineering.
Read our first entry on Malvertising, here.
Read our second entry on Fake Apps, here.
Read our third entry on Scareware, here.

A rogue hotspot is a Wi-Fi access point set up by an attacker. It’s meant to mimic a legitimate hotspot provided by a business, such as a coffee shop that provides free Wi-Fi access to its patrons.

How does an attack work?
Victims who connect to rogue hotspots will usually have no idea that they’re in danger because the attacks use familiar and trusted SSIDs (network names). The entire experience can be relatively transparent to the victim – in some cases the connection might be a little slower than usual, but that’s about it.

Advanced attackers may even clone the MAC address of the real access point, enabling the rogue hotspot to be identified as a Base Station clone, which further strengthens the illusion.
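
A defender's view of the two cases above (a copied SSID and a cloned MAC address), as an added example that is not part of the original post: it checks Wi-Fi scan results against an inventory of known access points. The inventory, field names, heuristics and sample scan are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory of the organisation's own access points (assumption):
# SSID -> {BSSID: (channel, security)}
KNOWN_APS = {
    "CoffeeShop-Free": {"aa:bb:cc:00:00:01": (6, "WPA2")},
}

def find_suspect_aps(scan, known=KNOWN_APS):
    """Return sorted (bssid, reason) findings for one scan window.

    scan: list of dicts with keys ssid, bssid, channel, security.
    """
    findings = set()
    seen = defaultdict(set)  # (ssid, bssid) -> {(channel, security)} in this window
    for ap in scan:
        ssid, bssid = ap["ssid"], ap["bssid"].lower()
        if ssid not in known:
            continue  # not a network name we are responsible for
        seen[(ssid, bssid)].add((ap["channel"], ap["security"]))
        expected = known[ssid].get(bssid)
        if expected is None:
            findings.add((bssid, "unknown BSSID advertising a trusted SSID"))
        elif (ap["channel"], ap["security"]) != expected:
            findings.add((bssid, "known BSSID with unexpected channel or security"))
    # Heuristic: one radio normally beacons a single profile, so a known BSSID seen
    # with more than one profile in the same window suggests a cloned MAC address.
    for (ssid, bssid), profiles in seen.items():
        if bssid in known[ssid] and len(profiles) > 1:
            findings.add((bssid, "BSSID seen with conflicting profiles (possible clone)"))
    return sorted(findings)

# Constructed sample scan results
SAMPLE_SCAN = [
    {"ssid": "CoffeeShop-Free", "bssid": "AA:BB:CC:00:00:01", "channel": 6, "security": "WPA2"},
    {"ssid": "CoffeeShop-Free", "bssid": "de:ad:be:ef:00:02", "channel": 11, "security": "OPEN"},
    {"ssid": "CoffeeShop-Free", "bssid": "aa:bb:cc:00:00:01", "channel": 1, "security": "OPEN"},
    {"ssid": "Neighbour-Net", "bssid": "11:22:33:44:55:66", "channel": 3, "security": "WPA2"},
]

if __name__ == "__main__":
    for bssid, reason in find_suspect_aps(SAMPLE_SCAN):
        print(bssid, "-", reason)
```

A clone that also copies the channel and security settings would pass these checks, so a match is not proof that the access point is genuine.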

What are the consequences of a rogue hotspot?
Rogue hotspots enable the attacker to both eavesdrop on network traffic and target specific users with malware:

  1. By eavesdropping on the network traffic, an attacker can collect sensitive user details and credentials like account names and passwords, credit card details and bank data.
  2. A more “active” scenario consists of the attacker either pushing out malware to a victim’s device or redirecting victims to malicious sites or servers that will infect them with malware. This can result in a victim’s device being infected with an mRAT (Mobile Remote Access Trojan).

It’s important to note that a rogue hotspot doesn’t have to specifically target mobile devices. Unlike other potential mobile security issues, a single rogue hotspot can eavesdrop on transmissions from mobile devices as well as laptops.

The danger is exacerbated with mobile
In the mobile domain there are still no real WiFi management capabilities. Neither Mobile Device Management (MDM) solutions nor dedicated apps provide a real and efficient way to manage and categorize WiFi hotspots on a mobile device.

This is in direct contrast to the PC world, where an admin can define specific networks that the PC can connect to and what can be done with each connection.

What can enterprises do?
Besides staying clear of public hotspots altogether, there are measures that can be taken to counter the eavesdropping issues:

  1. Implement a VPN service – using an encrypted tunnel provided by a VPN service can secure all traffic between a user’s device and the VPN server.
  2. Instruct employees to stick to reliable SSL encrypted sites and services. This might have been considered quite an easy rule to stick to, but in a post-Heartbleed world, it may prove to be a far trickier task.

Next week’s edition touches one of the most famous and recognizable types of social engineering – Phishing.