Earlier this year, we featured the concept of Wi-Fi phishing in a blog titled “Phishing at the Confluence of Identity and Wi-Fi Access.” That blog discussed how failure to implement proper security features could leave the door open for attackers to compromise login credentials for applications using Wi-Fi as an attack surface. Many data breaches occur when malicious parties gain access to legitimate login credentials for applications—also known as the compromise of a user’s digital identity.
Cybercriminals frequently target digital identity in the form of username and password combinations. While email-based phishing attacks are the most common means for stealing such credentials, Wi-Fi phishing as discussed in the above-referenced blog is also a very realistic attack scenario. There is another place where network access security and digital identity intersect, and that’s unencrypted network traffic.
Unencrypted wireless traffic as a risk area for digital identity compromise
Encrypting Wi-Fi traffic in transit between access points and devices is a cornerstone of ensuring that users access the network securely. Otherwise, prying eyes can spy on network traffic using widely available network analysis tools. The presence of a captive portal mechanism does not mean that traffic over the air is encrypted.
When you connect to the Wi-Fi network at your local gym, they may require a password to gain access, and require you to check a box outlining terms and conditions for Wi-Fi access. That still does not mean they are encrypting traffic. Chances are, they are using MAC authentication to get you connected, which is not much better than an open connection because it does not encrypt wireless traffic.
No one would do that in a modern enterprise IT environment though, right? Actually it’s not that uncommon for organizations to use a basic means of getting users connected like MAC authentication. Let’s drill down into how that can lead to the compromise of login credentials for other systems. It takes a combination of factors to make this possible.
How attackers can spy on wireless data traffic
If you are a networking professional, you are already familiar with Wireshark, the popular open-source network protocol analyzer. Despite its many legitimate uses, in the wrong hands, it can also be used to spy on unencrypted wireless data traffic. This (somewhat geeky) video, titled “Wireshark with Social Networks,” shows how this works. As explained in the video, for a site that uses https, a network analysis tool like Wireshark cannot help an attacker view usernames and passwords, even over unsecured Wi-Fi. But when users enter credentials on sites that use HTTP over an unencrypted Wi-Fi connection, those login credentials are just hanging out there to be spied upon. The payoff in the above-referenced video is at around 4:15 when login credentials are viewable over the Wi-Fi connection in plain text.
You might say that most sites are themselves encrypted these days, and you’d be right in that assertion. In fact, Wired Magazine reported in 2017 that half of the sites in the web universe were encrypted at that time. (What, only half? Surely, it’s more than that now—but still.) You’d think any site that gates access with a username and password would be encrypted, but with millions and millions (depending upon how you count, it could even be well over a billion) of websites out there, you never know.
OK, so one of your users has credentials for some random unsecured website stolen over your unencrypted Wi-Fi. Why is this a problem? It’s not as if it’s their login for your customer database, right? This is a problem because users often re-use passwords, and the username for so many sites is simply the user’s email address. (The video referenced above quite rightly points this out at the 5:05 mark).
Users may be using the same username/password combo for sites that are used for business purposes as they are for some random unencrypted site (obviously not a best practice). It’s also not a good idea for employees to use their work email address as a username for non-business-related sites, but it’s easy to imagine that some users will do so.
Even having an employee’s personal digital identity hacked can cause major issues. Imagine a Gmail account is hacked that belongs to a coworker using the Wi-Fi spying tactic discussed above. Suppose they used their Gmail address as the username for an HTTP site and used their Gmail password as the password for that site. The hacker spies on them over the air as they log in, then uses that set of credentials to perpetrate a spear-phishing attack. As an IT professional, you might be wary of a message from an outside account, even if it seems to come from someone you know. But the typical user might not question it as much, especially if the hacked account belongs to someone in authority. As always, user education is very important in these scenarios.
Attackers can take one set of compromised credentials and plug them into dozens or hundreds of sites. And they can do this in an automated fashion, using a technique called credential stuffing. They can use bots to enter stolen credentials to access the user’s personal bank account or your critical business systems. Dark Reading recently reported on this in an article titled “Credential-Stuffing Attacks Behind 30 Billion Login Attempts in 2018.”
Encrypting wireless traffic in your environment obviously won’t stop attackers from spying when a user logs in to unencrypted websites using open Wi-Fi at the local coffee shop. But most modern browsers make it obvious when users are accessing an HTTP site. (Did we mention user education is key?) A VPN service can also help here to protect your digital identity. That way even when accessing an HTTP site at the coffee shop, the traffic goes through an encrypted tunnel and can’t be spied upon.
Hackers can also spy on other things you might not want them to see over unencrypted Wi-Fi. For example, they could reconstruct feeds from social media sites. This might not seem like a big deal. But depending upon the context, it could be. For example, in a primary education context, you really don’t want anyone spying on students’ social media activity. Even if the site is https, some components in the site may not be encrypted.
Mobile apps often do not encrypt the traffic that they generate. Since encryption imposes system overhead on the back end, developers have an incentive to not encrypt that traffic. The best approach is to encrypt the Wi-Fi traffic in your own network environment so that it does not matter whether sites and apps themselves use encryption.
So here we see, once again, where failure to properly secure network access for users and devices intersects with digital identity in a way that can lead to data compromise. Although encrypting wireless data traffic in your environment does not address every security threat in every situation, there is no downside to doing so—and it’s so easy to do. That’s where our own Ruckus Cloudpath Enrollment System can help. It’s our SaaS/software for secure network access. Encryption is only one of the powerful security features in the product. If this sounds interesting, there is no time like the present to learn more by visiting the product page on the Ruckus website.