Viral SSIDs, WiPhishing and wireless reputation

James Lyne
Over the past few days I’ve noted a concerning and unhealthy number of common/dubious wireless access points in the various locations I’ve been working.

As you no doubt all agree, it is very common today for users to work from the road, using a variety of connection types to get work done. Amidst these legitimate services there are a number of particularly concerning wireless access points (from now on I’ll refer to them as SSIDs, which is the term used for the name of a wireless access point – say, ‘AirportWifi’).

What is a viral SSID?
Wireless networks have two modes of operation – infrastructure and adhoc.

Infrastructure mode is most commonly used in managed networks (your corporate LAN) or when accessing a coffee shop hotspot.

Adhoc mode is used to allow a number of computers without a dedicated wireless device to network and share data. It is most often used for tactical computer to computer transfer.

One of the interesting side effects of adhoc networking mode is that computers that join the network will then start to advertise themselves under that same SSID.

Many of you will have run in to the globally viral SSID ‘Free Public WiFi’. If a user connects to this network (in cases of poor configuration, automatically otherwise manually hoping to actually get free wireless) their device will later advertise itself under the same name.

Free Public WiFi

This is problematic as your wireless laptop can end up being casually connected to any number of other computers or an attacker may use it to get ranged access to the laptop without your approval.

There are now a number of these viral SSID names circulating around the globe, ‘Free Public WiFi’ being the best example I have found (I have a GPS map with locations with over 500 dots on it so far!). If you do not need adhoc mode – and most of you probably don’t – you can set group policies to disable it on your devices.

Wi-fi hazardWiPhishing
I’ve also recently noticed an unusual number of wireless phishing points: wireless systems advertising themselves posing as legitimate hotspots that then take your credit card details and sniff all of your traffic or poison replies to include malicious code.

It is important that users are aware of the threat of these access points and that they limit themselves to reputable access points. Outside of phishing for credit card details it’s important to remember with any connection that you simply do not know who is listening.

Using an appropriately configured VPN to secure traffic back to your corporate headquarters (even for personal email browsing) is a good solution if permitted by your business, but if you must use exposed traffic then ensure that your connections are secure. HTTP, IMAP, POP3 and FTP are all sniffed off the wire by automated tools (I should note that it’s very easy to use tools that anyone could download and deploy – it’s not really a targeted or skilled attack).

If an attacker steals your credentials they can often allow an attacker to gain access to even more (after all, the password reset function of most sites resorts to email). There are secure equivalents of these protocols available and they are supported by the majority of vendors with a simple configuration change.

By the way, whilst not immune to attack, data cards (3G, for example) can avoid the risks of frequent connections to wireless access points of unknown reputation for road warriors.

So, here’s my message to the user: watch out for wireless phishing and assume that connections are untrusted. Ensure you are using appropriately secured transport and be mindful of deals that sound too good to be true!

To the CISO, I strongly recommend building out policy and educating users around the risks of using untrusted connections. Some will be able to mandate a policy that only allows use of the corporate wireless, but for the majority this is impracticable. Therefore, make sure your endpoint security policy deploys appropriate network enforcement (firewall and device policy) in the event of viral SSID usage to prevent the attacker compromising the surface area of your machine and stealing data.

There are just too many of these viral SSIDs around now to avoid incident..