Mobile Device Security: Be Careful With Public Wi-Fi Hotspots!

In conjunction with National Cyber Security Awareness Month (NCSAM) we're featuring tips and insights from faculty at our nationally-renowned cybersecurity program. Today Rob Campbell, senior cryptologist and cyber security specialist with the International Association for Cryptologic Research, explains why the convenience of public Wi-Fi comes with significant risks. Campbell teaches courses on blockchain at Capitol and is mentoring a student project designed to set up a blockchain on campus.

Public Wi-Fi hotspots are ubiquitous, and tempting to connect to, especially while on travel; however, these public Access Points (AP) often lack the most basic cyber hygiene. 

APs are found in grocery stores, coffee shops, airports, aircraft, and hotels. Typically, they are vulnerable to a wide range of attacks --- including man-in-the-middle (MITM), drive-by malware attacks, or fabricated Wi-Fi Access Points (AP), which can be constructed in minutes with automated tools in open source operating systems, such as Kali-Linux or BlackArch.  These operating systems are filled with hundreds of Linux -based penetration testing tools for penetration testers and security researchers. They are also used by hackers for malicious attacks on computer systems, including Wi-Fi networks. Hackers can easily use laptops or smartphones to set up a malicious AP that looks nearly identical to the genuine hotspot. Any transmitted data sent after joining a fake network goes to the hacker.

In the scenario of drive-by malware attacks, the mobile device web browser visits a fake or a malicious site, and malware is automatically downloaded and install itself on the user’s devices.  Once the malware is established, it hijacks the mobile device, and it tracks data from applications, monitor network traffic, and gathers other information such as emails, texts, photos, and places visited via GPS information.

Hackers scan Wi-Fi networks, log into them, and redirect traffic to a website that is controlled by them. When the victims attempt to log into what they believe to be a legitimate site, they expose their password and credentials, and the hacker gains access to the victim's accounts -- Gmail, Facebook, LinkedIn, bank accounts, and anything else of interest to them.

Didn't think a hacker would go after your smartphone? Think again. Mobile devices are the newest targets for malware. Hackers increasingly attack smartphones and tablets and other devices to gain valuable information such as login credentials, account information, intellectual property, and additional useful information.

What can you do? 

If you see two nearly identically-named network connections, don’t connect until you determine the correct network connection.  Connect only to trusted Wi-Fi APs, and it is recommended that you use a Virtual Private Network (VPN).  Affordable and easy to use VPN applications are available for Android devices, while iPhones and iPads can protect mobile device users against attackers.  Alternatively, be your own hotspot.  Laptops and smartphones can be configured in minutes and easily be used as a hotspot.