Fraud Management & Cybercrime , Fraud Risk Management , Governance & Risk Management

NSA Reminder: Beware of Public Wi-Fi

Agency Emphasizes Value of VPNs, Other Security Steps
NSA Reminder: Beware of Public Wi-Fi

Teleworking U.S. national security employees are putting sensitive data at risk if they use public Wi-Fi networks without using a virtual private network to encrypt the traffic, the National Security Agency notes in a new advisory.

See Also: Live Webinar | The State of Security 2021

"As telework becomes more common, users are more frequently bringing themselves and their data into unsecured settings and risking exposure," the NSA says in the new advisory applicable to National Security System, Department of Defense and Defense Industrial Base employees.

NSA explains why it's so risky to access public Wi-Fi networks from laptops, tablets, mobile phones and wearable accessories.

"Cyber actors employ malicious access points, redirect to malicious websites, inject malicious proxies and eavesdrop on network traffic," the agency warns. It also cautions against the public use of Bluetooth and Near Field Communications. "The risk is not merely theoretical; these malicious techniques are publicly known and in use."

A Timely Reminder

A reminder about the dangers of using public Wi-Fi is important in light of the shift to a remote workforce, says John Dickson, a former member of the U.S. Air Force's Information Warfare Center and its Computer Emergency Response Team.

"In a pandemic, more Defense Department, defense contractors and other industry partners are working remotely," he says. "The potential risk of Wi-Fi exploitation against these workers - particularly outside the country and in the Capitol region - is acute. There is no downside to formally restating these protections."

Dickson, now the vice president of security firm Coalfire, says the NSA's tips are helpful for workers in all sectors.

Recommended Precautions

The NSA advises: "Avoid connecting to public Wi-Fi, when possible, as there is an increased risk when using public Wi-Fi networks. Use a corporate or personal Wi-Fi hot spot with strong authentication and encryption whenever possible, as it will be more secure."

The NSA adds: "If users choose to connect to public Wi-Fi, they must take precautions. Data sent over public Wi-Fi - especially open public Wi-Fi that does not require a password to access - is vulnerable to theft or manipulation. Even if a public Wi-Fi network requires a password, it might not encrypt traffic going over it. If the Wi-Fi network does encrypt the data, malicious actors can decrypt it if they know the pre-shared key."

Threat actors can also coerce the network into using unsecure protocols or obsolete encryption algorithms, the agency says. And they can set up a fake access point, known as an "evil twin," to mimic nearby public Wi-Fi and gain access to data.

The intelligence agency also says unencrypted or easily decrypted network traffic can be captured using readily available open-source tools, leading to credential harvesting and additional compromises.

The NSA also advises users to practice proper browsing habits - including accessing only Hypertext Transfer Protocol Secure sites.

"These methods will aid users in better protecting their information from Wi-Fi snooping, man-in-the-middle techniques, server masquerades used to capture password hashes and evil twin mimics," the agency says.

The Risks of Bluetooth, NFC

Keeping Bluetooth enabled in public settings can lead to threat actors scanning for, and ultimately accessing or compromising, devices via Bluejacking, Bluesnarfing and Bluebugging, the NSA points out.

Near Field Communications, which offers close device-to-device data transfers, can also be exploited at close range, the agency adds.

"While the majority of NSA's guidance focuses on Wi-Fi, NFC and Bluetooth are likely riskier areas," warns Jake Williams, a former member of NSA's elite hacking team. "The attack surfaces of NFC and Bluetooth have not been studied as much as Wi-Fi, and there are likely more undiscovered vulnerabilities in those protocols."

Williams, co-founder and CTO at security firm BreachQuest, argues that avoiding the use of public Wi-Fi "is not realistic for most." He adds: "With the rise of ubiquitous encryption, particularly the use of HTTPS, the risks of using public Wi-Fi today are a fraction of what they were even a few years ago. Security practitioners should … be communicating the relative risks of using public Wi-Fi with a laptop versus a cellphone or tablet."

Laptops, he says, use host-name technologies, such as Link-Local Muliticast Name Resolution, or LLMNR, which make using public Wi-Fi even riskier.


About the Author

Dan Gunderman

Dan Gunderman

News Desk Staff Writer

As staff writer on the news desk at Information Security Media Group, Gunderman covers governmental/geopolitical cybersecurity updates from across the globe. Previously, he was the editor of Cyber Security Hub, or CSHub.com, covering enterprise security news and strategy for CISOs, CIOs and top decision-makers. He also formerly was a reporter for the New York Daily News, where he covered breaking news, politics, technology and more. Gunderman has also written and edited for such news publications as NorthJersey.com, Patch.com and CheatSheet.com.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.