Out of office mobile security

April 2014 Infrastructure

When looking at data security, one of the primary threats all companies and individuals face in today’s mobile society is protecting one’s data and devices while on the road. The ability to work from anywhere and almost any device is not only a risk for on-device data, but also for the corporate infrastructure as malware and access points are easily created once a mobile device, be it a tablet, laptop or smartphone, is compromised.

To obtain advice on how we can secure ourselves while retaining the ability to work while on the move, Hi-Tech Security Solutions asked two local experts to talk about securing our mobility. We spoke to Riaan Badenhorst, MD at Kaspersky Lab South Africa, about securing our smartphones in general, and to Robert Krumm, consulting systems engineer for Ruckus Wireless EMEA, about secure Wi-Fi use in public hotspots.

Starting with the ubiquitous smartphone, we asked Badenhorst to give us some insight into the seemingly unstoppable surge of malware for smartphones today and what we can do to protect ourselves.

Badenhorst says the mobile threats we face are divided into two camps:

1. Malware that is loaded onto phones. Malware is a reality in the mobile world, especially for Android devices, and one can’t take security for granted. Using one’s mobile at an open hotspot or carelessly downloading apps without taking proper care, even on a secure network, will more often than not open the door to malware.

2. The impact of unmanaged devices on the corporate network. Companies have a responsibility and the tough task of keeping their data and infrastructure secure. Unmanaged mobile devices undermine this task if the company has no mobile device management system in place that determines who can access what, from what device and so forth.

In the PC world, Badenhorst explains that installing an antivirus (AV) package has become standard and most new PCs come with some form of AV installed. The mobile world is different as, for some reason, people don’t feel it’s necessary to protect their devices. Although this attitude is changing, there are many devices without any protection and these are the easiest targets for malware. Once installed, malicious apps can steal any data on the device, or wait until the owner connects to a corporate network and set their sights on that.

Badenhorst adds that traditional AV is not even enough anymore. Simply searching for known signatures is not enough. Kaspersky’s Malware Centre in Moscow processes over 150 000 malware samples per day. No smartphone is updated often enough to keep up. The security one needs must have proactive protection built in to deal with potential malware even if there is no definite signature.

Tips for mobile security

Badenhorst offers the following tips as a starting point for securing your mobile device:

1. Lock your system and use a strong password, not your child’s name or your dog’s name.

2. When you get the device, install a proper security product. There are many free versions available but they generally only provide a few security features. Take the plunge and buy a fully paid version that does a proper job.

3. If you have sensitive data on the device, use the built-in encryption services or install an application that provides for encryption – some security packages may offer this.

4. If strong passwords make you nervous, use a professional password manager to help you. Again, these are widely available and some may even be bundled in certain security packages.

Spotting the hotspot

Ruckus Wireless’ Krumm focuses on Wi-Fi threats and the risks many people take in using open Wi-Fi hotspots. There is a trend to using Wi-Fi wherever possible because it provides greater throughput than 3G or similar cellular connectivity, and it’s generally significantly cheaper. Offloading to Wi-Fi is becoming more common, even for enterprise applications.

While these are good reasons to switch to Wi-Fi whenever possible, Krumm warns that open hotspots are very dangerous and your smartphone or laptop can easily be compromised if you don’t take the correct precautions. Furthermore, we can expect to see a growth in open hotspots as these are more convenient for proprietors – a hotel, for example, doesn’t want to have the hassle of people complaining about accessing secured Wi-Fi, so it opens its network to one and all.

For those who understand the risks and wish to work securely in hotspots, it’s not that simple because proper authentication and enforcing encryption is a mission that few consumers understand.

To address this issue, the Wi-Fi Alliance, of which Ruckus is a member, has introduced PassPoint (or, unofficially, HotSpot 2). Krumm says the goal is to allow Wi-Fi roaming and easy access to hotspots, but to do it securely without inconveniencing the user. This will allow the user’s device to automatically and securely connect to known networks whenever they are in range.

With the correct knowledge, a user can connect to these networks manually, but the process will be long and complex as you have to identify the network, log in with the correct credentials and make sure the security protocols on your device are in place.

Although PassPoint still has a few issues to work through, such as the user having to authenticate his device at the first login, work has been done to automate as much of the process as possible and ensure that the connection is secure – and encrypted by default. Of course, the device in question must be PassPoint enabled if it is to work.

Mobility is a risky business, but it is a business that is going to be around for a long time. At the moment, security is an issue users and their companies need to address on an individual basis if they want to keep themselves secure. With PassPoint, some of the Wi-Fi hotspot security issues will be dealt with automatically, allowing users to focus on what they are doing, but there are still many other areas of vulnerability where security applications and user education (and some may say common sense) will be the best way to protect from the ever-increasing malware threats out there.

Wi-Fi vulnerabilities

Robert Krumm, Ruckus Wireless EMEA.

Examples of attacks on open and poorly secured wireless networks that can be prevented by robust encryption and authentication include:

1. MAC Address/IP Address spoofing.

2. SSID spoofing and/or ARP poisoning (using MAC Spoofing) which enable Man In The Middle attacks, which allow:

a. DNS poisoning

b. Website spoofing

c. Phishing attacks/identity theft

d. SSL Strip for cracking/spoofing of HTTPS encrypted websites.

3. Firesheep ‘side jacking’ – When a user logs into a secure website, often a cookie is returned to the user with the supplied credentials inside it. The browser then uses that cookie for all future authentication attempts to the website. All too often the cookie returned to a user’s machine after logging into a website is not encrypted, even if the login page was. If a hacker has visibility of the information in this cookie then it allows:

a. Credential harvesting

b. Identity theft

(NOTE: This attack is only possible on websites that are not protected by HSTS and with browsers that do not support HSTS, which is specified in RFC 6797.)
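A site operator can check for the two conditions behind the side-jacking item above: a session cookie issued without the Secure attribute, and no HSTS policy on the response. The following is an added example, not code from the article or from Ruckus; the function names and the header samples are constructed for illustration.

```python
# Added example: constructed header sets, not captures from a real site.

def parse_set_cookie(value):
    """Return (cookie_name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0] if parts else ""
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs

def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None

def audit_response(headers):
    """headers: (name, value) pairs from an HTTPS response. Returns findings."""
    findings, max_age = [], None
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                # Without Secure the browser also sends this cookie over plain
                # HTTP, where anyone on an open hotspot can read it.
                findings.append(f"{cookie}: cookie lacks Secure attribute")
        elif name.lower() == "strict-transport-security":
            max_age = hsts_max_age(value)
    if not max_age:  # missing, unparsable, or max-age=0 (which clears the policy)
        findings.append("no effective HSTS policy")
    return findings

# Constructed samples: the login itself happened over HTTPS in both cases.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=constructed123; Path=/; HttpOnly"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=constructed123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print("weak:", audit_response(WEAK))
    print("hardened:", audit_response(HARDENED))
```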

Some attacks can be mitigated by a user’s choice of Web browser, software or behaviour, but there is no ‘secure by default’ option.

By using 802.1X Authentication along with 256 Bit AES Encryption as specified by Wi-Fi PassPoint, these attacks become considerably harder to execute, simply because the malicious parties cannot spoof or pose as another station on the network and no longer have any visibility into the data being transferred between the client and the AP.

Another major effect of Wi-Fi PassPoint is that as secure hotspots become the norm, clients will probe for open hotspot SSIDs less. Probing for a remembered open network exposes clients to honeypot attacks in which a hacker can capture the probe request and then put up an SSID that matches the one your machine was probing for. Once you associate to that malicious network, you are open to additional attacks to the machine itself.

PassPoint security enhancements

L2 traffic inspection and filtering

L2 inspection and filtering prevents frames exchanged between two mobile devices from being delivered without first being inspected and filtered in either the hotspot operator network or the SP core network. This allows peer-to-peer traffic between clients in the same subnet on the network to be blocked. Such processing provides some protection for mobile devices against attack.

Downstream forwarding of group-addressed frames by APs

By IEEE 802.11 design, all mobile devices in a BSS use the same Group Transient Key so forgery of group-addressed frames is always possible.

A PassPoint capable AP can be configured so that it does not forward any group addressed frames (Broadcast or multicast) to any client devices associated to the Basic Service Set. DHCP traffic is converted to unicast traffic and a Proxy ARP service is enabled.

Proxy ARP service

A common attack in wireless networks involves the use of Gratuitous ARP messages (IPv4) and Unsolicited Neighbour Advertisement messages (IPv6). These can be used for ARP Cache Poisoning attacks, which enable a hacker to place a machine between the Client Device and the Access Point that can then capture all traffic exchanged between the two devices. This is referred to as a 'Man in the Middle' attack.

PassPoint enabled APs are required to support a Proxy ARP service. The Proxy ARP service keeps track of the MAC addresses of clients and their IPv4/IPv6 addresses. The PassPoint AP receives broadcast ARP requests and Neighbour Solicitation Packets but does not forward the messages into the network. The AP instead responds to the ARP request or Neighbour Solicitation on behalf of the network device to which the IP Address is assigned with a unicast message.

PassPoint APs may also disable forwarding of Gratuitous ARP Messages and unsolicited Neighbour Advertisements into the network helping to prevent ARP-Cache Poisoning attacks.
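The Proxy ARP behaviour described above can be modelled in a few lines to show why a forged Gratuitous ARP never reaches another client's cache. This is an added illustration, not code from the article, Ruckus or the Wi-Fi Alliance; the class, the frame fields and all addresses are constructed, and it assumes the AP learns its bindings itself rather than from client ARP claims. Only the IPv4 case is modelled.

```python
# Added illustration: simplified model, constructed frames and addresses.
BROADCAST = "ff:ff:ff:ff:ff:ff"
GATEWAY = ("10.0.0.1", "02:00:00:00:00:01")
CLIENT = ("10.0.0.23", "02:00:00:00:00:23")
ROGUE_MAC = "02:00:00:00:00:66"

class ProxyArpAP:
    def __init__(self):
        # IP -> MAC. Assumption: learned by the AP itself (for example from
        # DHCP at association), never from ARP claims made by clients.
        self.bindings = {}

    def learn(self, ip, mac):
        self.bindings[ip] = mac

    def handle(self, frame):
        """Return the AP's action for one ARP frame received from a client."""
        if frame["sender_ip"] == frame["target_ip"]:
            # Gratuitous ARP: not forwarded and not used to update bindings,
            # so a forged claim never reaches other clients' ARP caches.
            return ("drop", "gratuitous ARP")
        if frame["op"] == "request" and frame["dst_mac"] == BROADCAST:
            owner = self.bindings.get(frame["target_ip"])
            if owner is None:
                return ("drop", "no binding for target")
            # Answer on the owner's behalf, unicast to the asker only.
            return ("unicast_reply", frame["src_mac"], frame["target_ip"], owner)
        return ("not_modelled", "outside the behaviour described here")

def demo():
    ap = ProxyArpAP()
    ap.learn(*GATEWAY)
    ap.learn(*CLIENT)
    # A legitimate broadcast "who has the gateway?" from the client.
    who_has_gw = {"op": "request", "src_mac": CLIENT[1], "dst_mac": BROADCAST,
                  "sender_ip": CLIENT[0], "target_ip": GATEWAY[0]}
    # A forged gratuitous ARP claiming the gateway's IP for another MAC.
    forged = {"op": "reply", "src_mac": ROGUE_MAC, "dst_mac": BROADCAST,
              "sender_ip": GATEWAY[0], "target_ip": GATEWAY[0]}
    return ap.handle(who_has_gw), ap.handle(forged), ap.bindings[GATEWAY[0]]

if __name__ == "__main__":
    for result in demo():
        print(result)
```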


