What hacking RSA access points teaches us about enterprise VPNs
News that multiple access points at the RSA security show may have been hacked made for great headlines, and that’s about it. The attack poses little actual risk to most corporate users, but it does underscore the role the cloud can play in corporate VPNs.
Security researchers at Pwnie Express discovered the attack when scanning the conference floor. They found a rogue access point posing as a known, trusted network -- what’s called an EvilAP attack. In an EvilAP attack, the attacker impersonates a known wireless network by intercepting the SSID a user’s device discloses when searching for a WLAN. The attack is available from several hacking tools, including KARMA.
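The kind of floor scan described above can be reduced to two checks, shown here as an added example that is not from the original article or from Pwnie Express. The frame records, MAC addresses, SSID names, allowlist and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample observations (not real capture data): each tuple is
# (frame_type, transmitter MAC, SSID) as a passive wireless monitor might log it.
FRAMES = [
    ("probe_req",  "aa:aa:aa:00:00:01", "CorpWiFi"),
    ("probe_resp", "de:ad:be:ef:00:01", "CorpWiFi"),
    ("probe_req",  "aa:aa:aa:00:00:02", "HomeNet-42"),
    ("probe_resp", "de:ad:be:ef:00:01", "HomeNet-42"),
    ("probe_req",  "aa:aa:aa:00:00:03", "CoffeeShop"),
    ("probe_resp", "de:ad:be:ef:00:01", "CoffeeShop"),
    ("beacon",     "00:11:22:33:44:55", "CorpWiFi"),
    ("beacon",     "66:77:88:99:aa:bb", "ConferenceWiFi"),
]

# Assumed allowlist: the BSSIDs the organisation really operates per SSID.
TRUSTED = {"CorpWiFi": {"00:11:22:33:44:55"}}

def find_suspect_aps(frames, trusted, max_ssids=2):
    """Return {bssid: [reasons]} for access points that look like an EvilAP."""
    probed = set()               # SSIDs that client devices disclosed
    answered = defaultdict(set)  # BSSID -> SSIDs it claimed to serve
    for ftype, mac, ssid in frames:
        if ftype == "probe_req" and ssid:
            probed.add(ssid)
        elif ftype in ("probe_resp", "beacon"):
            answered[mac].add(ssid)
    findings = {}
    for bssid, ssids in answered.items():
        reasons = []
        # One radio answering for many client-probed names is KARMA-like.
        echoed = ssids & probed
        if len(echoed) > max_ssids:
            reasons.append(f"answers {len(echoed)} probed SSIDs")
        # A trusted network name served from a BSSID we do not operate.
        spoofed = sorted(s for s in ssids
                         if s in trusted and bssid not in trusted[s])
        if spoofed:
            reasons.append("unlisted BSSID for " + ", ".join(spoofed))
        if reasons:
            findings[bssid] = reasons
    return findings

if __name__ == "__main__":
    for bssid, reasons in find_suspect_aps(FRAMES, TRUSTED).items():
        print(bssid, "->", "; ".join(reasons))
```

The `max_ssids` threshold is a tuning choice: a legitimate access point serving several networks normally uses a separate BSSID for each, so a single BSSID echoing many probed names is the stronger signal.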
With a spoofed WLAN, the attackers can see the traffic traversing it as well as modify the HTML and the JavaScript contained in HTTP responses, opening the way for a range of attacks. They can phish unsuspecting users by spoofing familiar sites, such as Starbucks or McDonald's, and picking up their user credentials. Malware can be installed on user devices either by the access point modifying the HTTP response or by the spoofed site. The real danger is that mobile users will bring the "bad stuff" on their devices into their corporate networks.
Practical Importance
Kudos to Pwnie for spotting the attack, but what wasn’t mentioned was the fact that the attack will be defeated in most cases by standard IT practices and general Internet usage trends.
Most small- to medium-sized enterprises (SMEs) require mobile users to access the Internet through the company’s VPN. With a VPN, the information you really care about, such as usernames and passwords, will be hidden from the attackers. Users are also protected from man-in-the-middle threats, such as EvilAP.
Where VPNs are not being used, HTTPS will achieve the same result. Most Internet sessions these days rely on HTTPS.
Minimally, attackers can intrude on your privacy. They can see the websites you visit by monitoring the domains in session headers. They can also set up phishing sites, but those risks are hardly news -- as long as users really do rely on their VPN or use HTTPS.
The problem, of course, is that all too often users disable their VPN clients. Initiating a VPN session through a firewall sitting in a distant office is a good way to ensure that screen refreshes, videos and more slow down to a crawl.
It’s one of the reasons why enterprise VPN clients should enable users to access the web through the cloud -- the performance is so much better. There’s no latency incurred from first backhauling traffic to an "internet choke point", making the web much slicker. Furthermore, by encrypting all device traffic between the user and the cloud, the distinction between HTTP and HTTPS becomes moot.
With better performance comes happier users, and with happier users comes less of a chance of non-compliance and negative impacts, like the hacked access points Pwnie found at RSA.
Dave Greenfield is a secure networking evangelist at Cato Networks