Minimizing the threats of public Wi-Fi and avoiding evil twins

As mobile workforces grow and BYOD initiatives expand across the enterprise, so do the threats associated with remote access. New attack vectors are on the rise, and public hotspots are becoming less safe for remote workers.

Mobility projects, along with BYOD (Bring Your Own Device) initiatives, are growing at exponential rates in most enterprises, creating a host of security concerns that are all but impossible to defend against. Nowhere is this more true than with the mobile knowledge worker, who has come to rely on hotspots in airports, coffee shops, hotels and other public areas to stay in contact with the corporate network and its applications.

Although mobility brings productivity, it also has a dark side: it creates an element of risk that can leave corporate resources open to attack or, at the very least, contribute to the growing problem of data leakage. What's more, those problems can all occur without the knowledge of the user, who simply becomes a pawn in the game of malicious activity.

Mitigating those threats has become a major challenge for IT security managers. However, there are a few simple measures that can help minimize those threats and even counter some of the newer ones that have come on to the scene. All it takes is educating users and enforcing some simple policies.

Public hotspots all have one thing in common: they are open networks that are vulnerable to attacks and security breaches. Most, if not all, public hotspots do not encrypt data, allowing passwords, email messages and other information to be intercepted by nefarious types. The best defense starts with a good offense; in this case that means educating the user or creating automated policies on devices to prevent interception.

  • Disable Wi-Fi adapters by default: Keep Wi-Fi shut off until it is needed. Change the default settings on the device to disable Wi-Fi, forcing users to turn it on when needed. That way users at least know when they are actively using a Wi-Fi hotspot.
  • Enforce HTTPS: Simply put, HTTPS (SSL/TLS) connections are more secure than open HTTP connections and bring added protection to sessions. Requiring that company resources are only accessed via HTTPS (or a VPN) reduces the possibility of data being intercepted.
  • Incorporate a local firewall: Many OSes today come with a software firewall either built in or readily available as a download. Installing a firewall on the client device, along with enforcing antivirus policies, can prevent malware from infecting devices and can stop data interception attempts by blocking suspicious traffic.
  • Validate connections: Many public hotspots have multiple wireless networks, and knowing which one to connect to can be the difference between a secure session and one that exposes critical information to interception. Luckily, some OSes incorporate hotspot profile settings, which automatically inform the user of which wireless networks are available and which ones they may connect to. In the best case, users are prompted to approve each new Wi-Fi connection and, once it is approved, can assign it a profile for future use.
  • Use a VPN: Perhaps this is a no-brainer, but many organizations still leave some applications open to unencrypted traffic to ease mobile workers' woes. However, that ease of use can come at a high price: data can be intercepted and corporate resources infiltrated. The simple solution is to make sure all corporate resources can only be accessed remotely via a VPN connection. While that may require a user to log in several times (first into the hotspot, then into the VPN and then into the application), a VPN protects data from interception and the network from compromise.

The rise of the evil twin

An evil twin hotspot is a Wi-Fi access point set up by cybercriminals and designed to impersonate a legitimate hotspot. Evil twin hotspots are on the rise and are starting to appear almost anywhere a business, such as a coffee shop, retail establishment or restaurant, provides free Wi-Fi access to its patrons. They mimic legitimate hotspots so effectively that many users are unaware they even exist. However, evil twin hotspots have one sinister intention: stealing information and intercepting data.

Cybercriminals build evil twin hotspots to eavesdrop on network traffic and to insert themselves into the conversation between victims and their destination servers. By tricking users into connecting to the illegitimate hotspot, a cybercriminal can steal account names and passwords and redirect victims to malware sites, phishing sites and the like. Cybercriminals can also view the contents of files that are downloaded or uploaded while users are connected to the evil twin access point.

Users are unaware that they are connected to evil twin hotspots because the perpetrators use the SSID (network name) of the legitimate access point. The whole experience is transparent to the victim. Most of the time users reach their intended Internet destinations, unaware that someone is secretly eavesdropping on the network traffic and stealing information such as logins, credit card numbers and data files.

Simply put, mobile workers connecting to evil twin hotspots is one of the biggest nightmares for the IT staff supporting a mobile workforce. Regrettably, there aren't many ways to defend against this type of attack. Some may think that wireless encryption prevents it; however, technologies such as Wi-Fi Protected Access (WPA) don't encrypt user data until after the association between the victim's device and the access point has already been established.
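The "validate connections" policy from the list above, carried through as added example code that is not from the original article: given a constructed Wi-Fi scan and a store of approved hotspot profiles, it flags the evil twin pattern described here (a known SSID advertised by an unfamiliar access point, or with weaker security than the saved profile) and refuses to auto-join until a user approves. The profile store, scan data and field names are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Network:
    ssid: str        # network name as broadcast
    bssid: str       # access point MAC address seen in the scan
    security: str    # "open", "wpa2" or "wpa3"

# Assumed profile store: SSID -> approved access points and expected security.
# Constructed sample data, not from any real hotspot.
PROFILES = {
    "CoffeeShop_Free": {"bssids": {"aa:bb:cc:00:00:01"}, "security": "wpa2"},
    "HotelGuest": {"bssids": {"aa:bb:cc:00:00:10", "aa:bb:cc:00:00:11"}, "security": "open"},
}

# Constructed scan: one legitimate coffee-shop AP, one evil twin reusing its
# SSID from an unknown BSSID with no encryption, a known hotel AP, and a
# network with no saved profile at all.
SCAN = [
    Network("CoffeeShop_Free", "aa:bb:cc:00:00:01", "wpa2"),
    Network("CoffeeShop_Free", "de:ad:be:ef:00:01", "open"),
    Network("HotelGuest", "aa:bb:cc:00:00:10", "open"),
    Network("FreeAirportWiFi", "de:ad:be:ef:00:02", "open"),
]

_RANK = {"open": 0, "wpa2": 1, "wpa3": 2}

def check_scan(scan, profiles=PROFILES):
    """Return (ssid, bssid, reason) findings for networks that must not be
    joined automatically."""
    findings = []
    for net in scan:
        prof = profiles.get(net.ssid)
        if prof is None:
            findings.append((net.ssid, net.bssid, "no saved profile; prompt user before joining"))
            continue
        if net.bssid not in prof["bssids"]:
            findings.append((net.ssid, net.bssid, "known SSID from unknown access point (possible evil twin)"))
        if _RANK[net.security] < _RANK[prof["security"]]:
            findings.append((net.ssid, net.bssid, f"security downgraded from {prof['security']} to {net.security}"))
    return findings

def should_connect(scan, ssid, profiles=PROFILES):
    """Policy decision: auto-join only when the SSID has a profile and every
    access point advertising it is clean. A client cannot reliably pick which
    AP it associates with, so one suspicious twin blocks the whole SSID."""
    aps = [n for n in scan if n.ssid == ssid]
    if ssid not in profiles or not aps:
        return False
    flagged = {(s, b) for s, b, _ in check_scan(aps, profiles)}
    return not any((n.ssid, n.bssid) in flagged for n in aps)
```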

The situation has created a conundrum: how can IT managers still allow the use of public hotspots and keep information secure if evil twin hotspots are so difficult to detect? It comes down to authenticating the user and adding an extra layer of encryption. Simply put, two-factor authentication coupled with a VPN can take the bite out of evil twin hotspot attacks. What's more, enforcing HTTPS connections can also prevent interception of data.

In the past, two-factor authentication and VPNs would only fit into the budgets of large enterprises, making the extra level of security unaffordable for most businesses. Today, many online (cloud-based) services have hit the market that charge only a few dollars a month for VPN services that could address the evil twin hotspot attack.

Simply put, two-factor authentication and encryption can make any Wi-Fi connection safe, regardless of the user, location or corporate application being accessed.


Frank J. Ohlhorst is an award-winning technology journalist, author, professional speaker and IT business consultant. He has worked in editorial at CRN, eWeek and Channel Insider, and is the author of Big Data Analytics. His certifications include MC...