Summarizing WiFi security revelations for the year 2010

Written by

WiFi security remained in focus with noticeable and widely discussed incidents and revelations happening all throughout the year. These events will surely provide strong testimony for advocating the importance of secure WiFi deployments/usage in coming years. The importance can be judged against the backdrop of the fact that WiFi now empowered with latest 802.11n revision is advancing more and more toward the status of the default network access option. Here is the brief summary of all such revelations carrying the message of secure WiFi usage to masses:

Insecure WiFi networks are vulnerable to eavesdropping: This is a well known fact, at least for security experts, but this issue was highlighted multiple times due to repeated incidents during 2010 that were subjected to this vulnerability. The first of such incident was Google’s WiFi snooping controversy where Google’s Street View cars accidentally collected private data from insecure WiFi networks. People considered this collection a privacy breach and therefore lawsuits were filed against Google. The second concerned a Minnesota man who hacked a neighbor’s insecure WiFi to send threatening e-mail to the Vice President of the United States. The third incident happened at India where terrorists hacked an insecure residential WiFi network to send terror e-mails after bomb blasts. And the fourth one relates to the release of a Firefox extension called Firesheep by a software freelancer that can turn the layman into a WiFi hacker, capable of hacking popular social networking websites over insecure WiFi networks. 

All these incidents made headlines and attracted attention of WiFi users around the world, reminding them of the potential dangers of eavesdropping over insecure WiFi networks.

Potential insecurity due to private/personal WiFi networks: There were several incidents in 2010 that signaled increased insecurity concerns due to the presence of personal/private WiFi inside the corporate premises. The two incidents were related to a WiFi malfunction experienced at two major trade shows; one was the Google’s first public demo of Google TV and second was the iPhone 4 launch at the Apple Worldwide Developers Conference. At both trade shows, several MiFi devices (capable of hosting an independent private WiFi network) owned by the various attendees were operating at the same time. The operation of such MiFi devices interfered with the host WiFi and thus caused malfunction of the latter. Another incident was the use of private WiFi networks in adhoc mode by Russian spies in the US for data transfer between two WiFi enabled machines. Also, virtual WiFi capabilities of Windows 7 (released in late 2009) that allows hosting of a software Access Point on a machine became very popular. Software such as Connectify exploiting this capability in an easy-to-use form also witnessed a large number of downloads.

All these related incidents shown that people are increasingly using personal WiFi for various purposes either with the help of MiFi like devices, software AP functionality or the special adhoc (peer-to-peer) WiFi mode. Such personal WiFi networks can be easily carried at various places and hence danger of infiltration of corporate airspace with such networks is rising and becoming the cause of concern for IT administrators.
 
‘Hole196’ uncovered fatal insider attack for WPA/WPA2 networks: ‘Hole196’ was one of the most important revelations in WiFi security space by Airtight Networks in wake of increased instances of insider threats from disgruntled employees and corporate espionage. WPA2 (AES encrypted) and 802.1x authentication based WiFi networks were considered as one of the most secure WiFi deployments, but ‘Hole196’ has created a hole in this perception in 2010. Let’s see if WLAN market vendors will take effort in patching their upcoming products from Hole196 vulnerability or not. But, at least security experts are now increasingly realizing the need for additional and independent layers of wireless security, also called as WIPS, to effectively protect private airspace.
 
WiFi consumerization raising security concerns for corporates: With the increased consumerization trend of WiFi enabled devices in the workplace continuing in 2010, security experts have started realizing security concerns arising out of this phenomenon. These devices include high-end smartphones and tablets (such as the iPad) that are owned by employees or provided by the employer, in order to achieve business objectives such as high productivity, low attrition, etc., by allowing them to share the common pool of corporate resources. But, because these devices still lack strong security controls, capabilities such as WiFi included in these devices can lead to new intrusion scenarios for the corporate network and hence added security concerns for businesses. An attacker with knowledge of these scenarios can use the same to execute his/her malicious intents without getting noticed, because organizations are still not ready to tackle these new WiFi risks introduced by the consumerization surge. 
 
Smartphones are becoming new attack vectors: Computing power, popularity of open source mobile operating systems, and the adoption rate of smartphones has seen tremendous growth in 2010 also. However, security experts have realized of late that the trend has resulted in use of WiFi capable smartphones to launch attacks and exploit vulnerabilities of WiFi networks and WiFi devices. This was demonstrated at CSI 2010, one of leading security management conferences. Use of a smartphone instead of notebooks/laptops to launch an attack helps the attacker take advantage of small form factor of the smartphone and thereby possibly skip physical security surveillance.

What’s hot on Infosecurity Magazine?