Free Wi-Fi and the dangers of mobile Man-in-the-Middle attacks
We’ve known for a long time that public Wi-Fi is one of the weakest links in mobile security. But what is proving even weaker is public awareness of just how vulnerable that connection technology can be.
According to iPass, which tracks the global growth of Wi-Fi, there are now 54 million Wi-Fi hotspots in the US, representing a 4,414 percent increase since 2013. Many of these Wi-Fi hotspots are insecure, leaving users open to cyber attack and at risk of significant financial loss. In our recent study Uncovering the True Costs of Enterprise Mobility, 28 percent of US companies report having suffered a mobile breach in the last 12 months -- with the cost of remedying the breach at $250,000 to $400,000 in many cases.
Despite this growing threat, a recent Symantec survey noted how grossly unaware U.S. consumers are of the danger of public Wi-Fi. Specifically, the study found:
- Roughly 87 percent of U.S. consumers have used the public internet (i.e. Wi-Fi hotspots that are readily available at coffee shops, airports etc.)
- More than 60 percent of consumers think their personal information is protected when using public internet.
- Approximately 50 percent of consumers are unaware that they are responsible for securing their own data -- 17 percent believe that websites are responsible for protecting data, whereas another 17 percent believe the Wi-Fi supplier is.
Across industries we’ve seen an uptick in both the frequency and severity of a particular kind of attack, the MitM or “Man-in-the-Middle” attack. In a MitM attack a hacker uses technical tooling to intercept the information a user sends to a website or in an email. Simply put, by placing a rogue hotspot in the path of a mobile device's traffic and listening in, hackers can read the data flowing to and from the device's browser and apps and harvest sensitive information. This lack of public awareness can have serious repercussions for the enterprise. If employees are careless about accessing public Wi-Fi on their personal devices, you can be sure the same is happening on their work devices.
MitM attacks have been on the security radar for years, but in the past they mainly affected laptops. While intellectual property (IP) and data loss is a serious concern, MitM attacks targeting mobile devices are particularly worrying, as they can allow a hacker to identify a person’s location, intercept messages or even eavesdrop on conversations.
For example, earlier this year Wandera SmartWire Labs identified that both the Android and iOS versions of the CBS Sports app were transferring PII (Personally Identifiable Information), including passwords, zip codes and birth dates, over an insecure connection. Because mobile users were exposed to man-in-the-middle attacks, this potential data exposure was highly sensitive and wide-reaching, especially during popular sports events like the ongoing NCAA tournament.
A MitM attack occurs when a hacker inserts their own machine between your device and the web server that it’s trying to communicate with. Mobile apps need to communicate with remote servers in order to function, and most use encryption to do so securely.
Problems arise, however, when apps fail to use standard authentication methods properly. Some, for example, don’t reliably check the certificate that proves a server is what it says it is. Others fail to properly verify their server’s hostname. To be secure, mobile apps have to validate the hostname and ensure the certificate matches the server’s hostname and is trusted by a valid root authority. Without this, there’s no way for the app or device to know if its data is being hijacked and sent to another website.
Apple and Android have made this validation easier for developers with a 'certificate pinning' policy, but the additional operational overhead has limited adoption. According to our recent report Assessing the Security of 10 Top Enterprise Apps, 9 of the 10 most popular enterprise apps do not use certificate pinning at all and are therefore vulnerable to Man-in-the-Middle attacks. The single application that did use this protection mechanism failed to implement it properly.
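The two checks the preceding paragraphs describe, hostname verification against the server certificate and certificate pinning, are shown below as an added example. This is not code from the article or from Wandera, and the sample certificate, the SPKI bytes and the pin set are all constructed for illustration; the certificate dict uses the shape Python's `ssl.SSLSocket.getpeercert()` returns. The `insecure_context()` function shows the `ssl.SSLContext` settings that correspond to "ignoring SSL errors", beside the hardened configuration an app should use.

```python
"""Added example (not from the article or from Wandera): the checks a
mobile app's TLS client must get right before trusting a server.

 * hostname_matches()  - does the certificate's subjectAltName cover the
                          host the app meant to reach? (RFC 6125 rules)
 * spki_pin_ok()       - certificate pinning: does SHA-256 of the server's
                          SubjectPublicKeyInfo match a pin the app shipped?
 * insecure_context() / hardened_context() - ssl.SSLContext settings for
   "ignore SSL errors" versus proper validation.

All sample data (certificate dict, SPKI bytes, pins) is constructed here.
"""
import base64
import hashlib
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry against a hostname, case-insensitively.

    A wildcard is honoured only as the entire left-most label and only when
    at least two labels follow it: '*.cdn.example.test' covers
    'img.cdn.example.test' but not 'cdn.example.test' or
    'a.b.cdn.example.test', and a bare '*.test' is rejected.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # Any other use of '*' (e.g. 'api*.example.test') is rejected outright.
    return "*" not in pattern and p_labels == h_labels


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName in `cert` covers `hostname`.

    Only subjectAltName is consulted: the commonName fallback is deprecated,
    so a certificate without a SAN is treated as not matching.
    """
    san = cert.get("subjectAltName", ())
    return any(dns_name_matches(v, hostname) for k, v in san if k == "DNS")


def make_pin(spki_der: bytes) -> str:
    """Pin format used here: 'sha256/' + base64(SHA-256(SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def spki_pin_ok(spki_der: bytes, pins: set) -> bool:
    """Certificate pinning: the presented key must hash to a shipped pin."""
    return make_pin(spki_der) in pins


def verify_server(cert: dict, hostname: str, spki_der: bytes, pins: set) -> list:
    """Return the failed checks; an empty list means the server passes."""
    failures = []
    if not hostname_matches(cert, hostname):
        failures.append("hostname mismatch")
    if not spki_pin_ok(spki_der, pins):
        failures.append("pin mismatch")
    return failures


def insecure_context() -> ssl.SSLContext:
    """What 'ignoring SSL errors' looks like: no chain check and no hostname
    check, so a rogue hotspot's certificate is accepted without complaint."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before switching to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain validated against the platform's trusted roots, hostname checked
    (both are defaults of create_default_context), nothing below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample data: a certificate as getpeercert() would present it,
# and placeholder bytes standing in for a real DER-encoded SPKI.
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.test"),),),
    "subjectAltName": (("DNS", "api.example.test"), ("DNS", "*.cdn.example.test")),
}
SAMPLE_SPKI = b"constructed-SubjectPublicKeyInfo-bytes"
SHIPPED_PINS = {make_pin(SAMPLE_SPKI)}

if __name__ == "__main__":
    print("genuine server:", verify_server(SAMPLE_CERT, "api.example.test", SAMPLE_SPKI, SHIPPED_PINS))
    print("rogue hotspot key:", verify_server(SAMPLE_CERT, "api.example.test", b"other-key", SHIPPED_PINS))
    print("wrong host:", verify_server(SAMPLE_CERT, "mail.example.test", SAMPLE_SPKI, SHIPPED_PINS))
```

An app that skips either check is in the position the article describes: with no hostname check a valid certificate for any domain is accepted, and with no pin any certificate the platform trusts is accepted, including one a rogue hotspot obtained or installed; on a real connection the SPKI bytes come from the peer certificate presented during the handshake, and the pin set is rotated with the server's key.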
Who’s at risk?
Essentially, everyone in the mobile enterprise is a potential target, but the most vulnerable targets are those in senior or executive positions in business and government. Hackers are on the lookout for anyone who deals with sensitive information -- particularly those who might have access to trade secrets or financial data.
The problem is very real. It’s been estimated that nearly three quarters (73 percent) of the top 1,000 free apps in Google Play don’t check server certificates, and more than three quarters (77 percent) of those ignore any SSL errors that pop up when they communicate with the app server.
And before we start wagging fingers too vigorously at Android, Apple iOS devices seem to be just as MitM prone. A vulnerability discovered in April 2015 affected how approximately 1,500 iOS apps established their secure connections to servers. It meant that anyone intercepting data from an iPhone or iPad could access logins and other personal information transmitted via HTTPS.
Some of the suspicious behavior we’ve noted recently has all the hallmarks of previous hacking attempts carried out by certain state actors, and seems particularly focused on strategically important sectors such as aerospace and transport. Even the NSA is rumored to have used MitM methodologies to install spyware on targeted devices around the globe.
So what can I do?
Standard protection methods like secure containers, wrappers and mobile anti-virus solutions just don’t go far enough or deep enough to protect against these emerging threats. New forms of MitM continue to evolve and major new attacks are being discovered frequently. The best protection, of course, is prevention in the first place.
Don’t auto-connect. Avoiding the use of free Wi-Fi hotspots and automatic connections is a good start, as is ignoring unexpected communications, not jailbreaking phones and not using apps from untrusted sources.
Michael Covington leads Wandera’s Product team and is responsible for both defining the product vision and overseeing its delivery to delighted customers. Dr. Covington has over twenty years of experience in security research and product development -- with roles in academia and industry -- including stints at Intel Labs, Cisco Security and Juniper Networks.