Imerja’s CTO, Matt Hampton, was recently interviewed on 5 Live Drive about the recent article reported in the Guardian on the security risks associated with ‘Evil Twin’ access points. In this blog Matt describes the experience, and provides further insight into the threat and measures which individuals and businesses can take to minimise the potential threat.
- – - – - – - – - -
Tuesday 26 April – afternoon. Just got off the phone after Imerja received a call from Radio 5 Live to provide expert comment on a breaking story on the use of Evil Twin access points and the impact to smartphone users.
The whole process was quite interesting – being interviewed by a researcher first (I assume to make sure that I was a suitable interview subject) and then arranging how they were going to call me back shortly for a live broadcast on drive time news. Apparently mobiles are out and landlines are the preference. This caused a small issue as I was working from home and our house only has a landline to support the Internet connection and is in our lounge which was in use by three small children having their tea! The compromise was Skype.
In the event everything went fine, but I found there was more I wanted to say than time allowed – so the focus of this post is to expand on the main points during the on-air interview; here is what I really wanted to say:
Q – what do you make of this investigation?
Nothing new was found by the investigation – the same issues have been reported on numerous times - I am aware of reports as far back as January 2005, which was covered by the BBC and was the subject of a BBC Three TV “The Real Hustle” (I can’t confirm the first airing of the episode but Google suggests it may have been as early as January 2007). It was then covered on BBC Watchdog in October 2009 but with a slightly different slant.
What is new is the prevalence of devices that connect to Wifi networks – including mobile phones – and the fact they will probably be configured to automatically connect. In addition there are now network providers who are shipping mobiles pre-provisioned (or are pushing updates to their customers) to automatically use Wifi networks in range.
Q – how do these cloned hotspots work exactly?
I didn’t really get a chance to explain this one – it is quite well explained here on Wikipedia.
To summarise – there are two attack vectors:
- the device sees a network it recognises (same name) and automatically connects. It will then try to connect to its services (e.g. Email) and most of these will use unencrypted protocols allowing passwords to be collected.
- the User connects to a “well known” provider and enters credit card details to obtain access when the system is actually harvesting credit card details.
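The first vector depends on saved profiles for open networks that are set to join automatically, since a network name is all an impostor needs to match. As an added example (not from the original post), this Python script audits Wi-Fi profiles in NetworkManager keyfile format and flags those profiles; the sample profiles and verdict labels are constructed, and the `[wifi]`/`[wifi-security]` section names used by current NetworkManager versions are assumed.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (not from the page).
SAMPLE_PROFILES = {
    "CoffeeShop_Free.nmconnection": """
[connection]
type=wifi
[wifi]
ssid=CoffeeShop_Free
""",
    "HotelGuest.nmconnection": """
[connection]
type=wifi
autoconnect=false
[wifi]
ssid=HotelGuest
""",
    "HomeNet.nmconnection": """
[connection]
type=wifi
[wifi]
ssid=HomeNet
[wifi-security]
key-mgmt=wpa-psk
""",
}

def classify(profile_text):
    """Return (ssid, verdict) for one Wi-Fi profile, or None if it is not Wi-Fi."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(profile_text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return None
    ssid = cp.get("wifi", "ssid", fallback="?")
    # NetworkManager joins a saved network automatically unless autoconnect=false.
    autoconnect = cp.getboolean("connection", "autoconnect", fallback=True)
    # No [wifi-security] section means an open network: the name alone identifies it.
    if not cp.has_section("wifi-security"):
        return ssid, "EXPOSED" if autoconnect else "OPEN-MANUAL"
    # KEYED only means a key is required; a widely shared passphrase proves little.
    return ssid, "KEYED"

def audit(profiles):
    """Classify every profile and return the Wi-Fi ones sorted by SSID."""
    return sorted(r for r in map(classify, profiles.values()) if r)

if __name__ == "__main__":
    for ssid, verdict in audit(SAMPLE_PROFILES):
        print(f"{verdict:12} {ssid}")
```

Profiles reported as EXPOSED are the ones to delete or switch to manual connection.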
Q – is this a well known problem in the industry?
I think the first question covers this – but the answer is yes. So much so that CESG issue guidance that Wifi hotspots that require you to authenticate via a captive portal should not be used by (effectively) any public sector worker.
Q – why is there no permanent fix?
This is a question of ease of use versus security. There are ways of securing the infrastructure; however, this would require users to take extra configuration steps before using the services. This in turn will increase the cost of provision.
This issue is down to how the protocol was originally designed – remember that this is the lowest common denominator of connectivity support as various new authentication schemes have been added in response to increasing levels of threat.
Q – what can people do to protect themselves?
As I said in the interview, there is nothing a “normal” user can do at present as most handsets are not capable of verifying the Access Points. The Guardian article suggests that WiFi should be disabled until you need it as at present the service providers can’t solve this issue.
It should also be noted that Business Users are at risk as well – any unsecured connection (e.g. POP3 or IMAP) could be intercepted and used to access email accounts (note this could happen on any unsecured network whether an Evil Twin or not). For the business, technology such as that provided by Good Technology and RIM’s BlackBerry reduces the risk of exposing business information but still exposes the user (entering credit card details) to risk.
To be clear – this is a user education issue and also an industry problem which requires handset/mobile device manufacturers and network providers to work together to build a level of assurance into their systems.
For more information on the Evil Twin threat and steps you can take to protect yourself from being a victim of data theft please contact Imerja on 0844 225 2888 or email us at [email protected].