ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.
Our community’s downtown district is approximately a five block by four block area. There are art stores, toy shops, candy retailers, restaurants, bars and hotels. Significant investment has been made in revitalizing and adding an area called “Main Street Square.” Almost all of these businesses offer some form of public wireless network, whether it is wide open or “protected” by some pre-shared key.
As a network contractor paid by many of these businesses to keep track of their networks over the last several years, I have witnessed calamity and chaos come to life. Walking through our city’s center, there were just short of 500 radios broadcasting some form of wireless signal. About 200 SSIDs were wide open and another 40 or so were running WEP or WPA. WPS is also way too common on the streets, considering that Reaver, Bully and various other applications are designed to pull passwords from this protocol. For those WPA2 networks, the majority are broadcasting a name similar to CompanyName_Staff. While every business in our downtown district is swiping credit cards and signing off their PCI SAQs, gathering this amount of data clearly shows a lack of regard for even simple security.
In connecting to a few of these public Wi-Fi networks, the problems with one deployment seem to span the entirety. “Client Isolation” appears to be the check box that every installer misses when deploying these networks. If a client device is infected or malicious, it has access to every other client attached to these public networks. Another common flaw in design (and failure in PCI compliance) is failing to change the default credentials on the Wi-Fi device providing access. Without knowledgeable technicians deploying these Wi-Fi devices, guest users now have access to these internal business networks as if they were connected directly.

Business owner beware: your guest wireless is probably a threat to your internal network.

A local ISP in our area asked our city council for the privilege of deploying what they believe to be “City Wide Wi-Fi.” After tentative approval, the ISP then offered our mutual client something like “…better bandwidth, second internet line, you will not have to worry about your guest Wi-Fi anymore, and we spend lots of money sponsoring downtown stuff….” Our client went ahead and approved the installation against our recommendations.
Due to the nature of our relationship with this client, we were given the privilege to “investigate.” A quick device scan was run after connecting as a public Wi-Fi guest. The other clients on the public Wi-Fi network were reachable, meaning simply that “guest isolation” was not enabled and any miscreant or infected device could steal data. We also determined the ISP’s Wi-Fi device was using a DHCP lease from the internal network. This internal DHCP address was used to NAT guest wireless users out to the internet over the internal business network. Finding other internal devices was trivial at this point. We were able to access a firewall login page and create a Remote Desktop session to their Exchange server.

The bottom line here is that this is not an acceptable solution for 21st century Wi-Fi deployments. Public Wi-Fi insecurity represents another facet of the seemingly insurmountable deficit of basic IT security knowledge. Business owners have zero idea whether or not the firms they hire to install new solutions understand access controls, routing, firewall zoning or any of the other fundamental requirements of deploying public Wi-Fi properly (or even what firewall zone-based access controls are)!
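The two findings above (no guest isolation, and a guest access point whose uplink holds an internal DHCP lease) can be modelled as a small audit. This is an added example, not part of the original post; the subnets, addresses, policy rules and function names are all constructed assumptions.

```python
import ipaddress

# Constructed addressing for illustration; none of these values come from the post.
INTERNAL = ipaddress.ip_network("10.10.0.0/24")      # business LAN
GUEST_ZONE = ipaddress.ip_network("172.16.99.0/24")  # dedicated firewall zone for guest AP uplinks
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered, first-match zone policy as the firewall would evaluate it.
POLICY = [
    ("deny", GUEST_ZONE, INTERNAL),   # guests never reach the LAN
    ("allow", GUEST_ZONE, ANY),       # guests may reach the internet
    ("allow", INTERNAL, ANY),
]

def decide(policy, src, dst):
    """Return the action of the first rule matching src -> dst (default deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in policy:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def audit_guest_ap(ap, probe="10.10.0.5"):
    """List findings for a guest AP that NATs its clients to its uplink address."""
    findings = []
    if ipaddress.ip_address(ap["uplink_ip"]) in INTERNAL:
        # NATed guest traffic is on-link with LAN hosts, so it never crosses the firewall.
        findings.append("uplink leased from internal LAN: zone policy is bypassed")
    elif decide(POLICY, ap["uplink_ip"], probe) == "allow":
        findings.append("firewall policy allows guest zone to reach internal LAN")
    if not ap["client_isolation"]:
        findings.append("client isolation disabled: guests can reach each other")
    if ap["default_credentials"]:
        findings.append("AP management still uses default credentials")
    return findings

# Constructed samples: the deployment as described above, and a corrected one.
AS_FOUND = {"uplink_ip": "10.10.0.57", "client_isolation": False, "default_credentials": False}
CORRECTED = {"uplink_ip": "172.16.99.2", "client_isolation": True, "default_credentials": False}

if __name__ == "__main__":
    for name, ap in (("as found", AS_FOUND), ("corrected", CORRECTED)):
        print(name, "->", audit_guest_ap(ap) or "no findings")
```

The deny rule for the guest zone only helps when the access point's uplink actually sits in that zone; once the uplink takes a lease on the internal LAN, the firewall never sees the traffic it was meant to block.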
So how do we as IT Professionals help the general business community make better decisions regarding their wireless networks? First, Small Office, Home Office [SOHO] products are generally not an acceptable solution for providing guest Wi-Fi. If your vendor is installing something you can purchase at Best Buy, you should express concern. Second, be very aware of guest access privileges. If guests have too much privilege, you may be responsible for providing the medium (wireless) over which data theft occurs. Lastly, awareness matters. If we, as IT Pros, can expand the understanding of basic security, we can improve the results of “Reviewing the Neighborhood.”