First, a small warning: this post is a bit long and technical (not too much). You may just read the introduction. If you continue to the deeper dive, however, this post sheds light on an area that is grievously ignored but answers questions that bother us all: questions about our WiFi security.
So, is it safe?
Well, some will tell you that “after connecting to the local Access Point, if you immediately load your VPN client, you are pretty safe from that moment on”.
This is also the answer to the question of why there are no WiFi-specific security products: “if VPN is good enough, there is no need for WiFi-specific solutions…”
They may also tell you that the only time “you may be at risk is the time between connecting to the public Access Point and establishing the VPN tunnel (connection)”.
Is this right?
Well, no it's not.
The nature of WiFi protocols is such that when we connect our phone, laptop, WiFi camera, tablet or any WiFi device to the access point, we are exposed to WiFi attacks. The 802.11 protocols contain built-in weaknesses that present different opportunities for attackers. This exposure occurs while the VPN client is not yet active (meaning TCP/IP is not yet established).
Should I feel safe when my VPN is already up and running?
Unfortunately, still no. Even when the VPN client is alive and active, a hacker can "shake the tree". This means that the attacker can force a disconnection of your device from the access point you are connected to and make it establish a brand new connection, only this time the attacker intercepts the requests to connect and creates a connection with a Rogue Access Point. Now the attacker can spoof the WiFi router's authentication page. This is the page where our hotel requires our last name and room number, or the restaurant's WiFi requests a passcode, etc. Now the user is connected to the Rogue Access Point, which is extremely dangerous. This process allows the attacker to use the authentication page (HTML, script, etc.) to inject malicious code, ransomware or a Trojan horse. This Trojan horse can now intercept the user's data even after the VPN is installed, as it is located behind the VPN, where the user's data is decrypted.
A deeper look at the connection process of a station (phone, tablet, laptop or any WiFi device) to an Access Point reveals management frames that go back and forth between these entities. Most of the initial frames are not encrypted by definition of the protocol. It may look like this (don’t be scared):
I know, this doesn't mean much to those who are not networking engineers. However, it means that the station and the access point are engaged in a “discussion” which is mostly not encrypted, in order to agree on the connection of the station, the frequency to use (on a WiFi network all data goes over the air as radio waves) and many other parameters. As one can guess, this process possesses an inherent weakness that offers different opportunities for attackers to act.
One of the most famous weaknesses of the protocol is called KRACK (which stands for Key Reinstallation Attacks), published in October 2017 by talented researchers at KU Leuven, led by Mathy Vanhoef, together with a video demo. The discovery shows that manipulating the “EAPoL key packet #3” frame allows the attackers to “see” all the traffic from that point on.
Most vendors did release an update for the firmware of their WiFi interface card in order to end this exposure, but every phone, tablet, WiFi camera, laptop etc. and every Access Point in public or private hands must receive and install that “firmware” update. This kind of update addresses the software layers closest to the hardware, which are more difficult to update (they may require special upload tools), and this special procedure must be carried out by every owner of every Access Point, phone, tablet, etc.
This may take years, and will probably only be solved when people buy new Access Points and phones. This means that in the vast majority of devices and access points we will encounter in the coming years, that vulnerability will be available to attackers.
How bad can this be?
Well, a quick Google search for the phrase “WiFi attack tools” will show you just the tip of the iceberg of the arsenal hackers possess. There are actually many more tools on the dark web that we ordinary people have no access to and are not aware of. These major security vulnerabilities mean that when an attacker targets a public WiFi network with his attack toolbox, he will easily and undisturbed be able to use his malicious tools as he pleases.
Here's a video we found on YouTube of a 7-year-old hacking a WiFi access point with a man-in-the-middle attack.
How are corporate Access Points managed when compromised?
Or what do they do when we suspect that our WiFi network is under attack?
It is fair to assume that a place that gives away free WiFi does not make cyber security its top priority. Safe to say that if you got hacked in your public library, they won't be calling in the police's cyber security unit. But big companies spend millions of dollars of their income in order to keep their data private, whether it's to protect their customers or their own trade secrets. So how does the corporate world handle WiFi breaches?
They bring in an expert, internal or external, and what the expert usually starts with is sniffing the network traffic.
This means they bring their network analyzers and capture every 802.11 management and control frame to perform a deep analysis of the WiFi traffic. In their search, they will check whether someone tried to exercise the KRACK attack, tried to hijack Access Point connections, sent unexpected de-authentication frames to the stations, and so on.
The experts will run their library of attack-discovery checks, which naturally targets the attacker toolbox mentioned above.
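The kind of checks described above, and the “shake the tree” sequence from earlier in the post (a burst of de-authentication frames, beacons for a known SSID arriving from an unknown BSSID, and an EAPoL key message 3 replayed after the handshake already finished), as an added Python example that is not WifiWall's code and not from the original post. It runs over a constructed list of frame records standing in for a parsed capture; the addresses, SSID and thresholds are made up.

```python
from collections import defaultdict

# Constructed sample "capture" (not a real trace). Each record is
# (time_s, kind, transmitter, receiver, info): kind is the 802.11 subtype or
# "eapol" for an EAPOL-Key frame; info holds the SSID of a beacon or the
# 4-way-handshake message number of an EAPOL-Key frame.
AP, ROGUE, STA = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"
SAMPLE = [
    (0.0, "beacon", AP, "ff:ff:ff:ff:ff:ff", "HotelGuest"),
    (0.1, "eapol", AP, STA, 1), (0.2, "eapol", STA, AP, 2),
    (0.3, "eapol", AP, STA, 3), (0.4, "eapol", STA, AP, 4),
    (1.0, "beacon", ROGUE, "ff:ff:ff:ff:ff:ff", "HotelGuest"),  # same SSID, other BSSID
    (2.0, "eapol", AP, STA, 3),   # message 3 again, after the station sent message 4
] + [(3.0 + i * 0.05, "deauth", AP, STA, None) for i in range(12)]  # AP address spoofed

def deauth_bursts(frames, window=1.0, threshold=5):
    """(transmitter, receiver) pairs with >= threshold deauth frames inside any
    `window` seconds. A real AP rarely repeats a deauth; a burst is the
    'shake the tree' signature that precedes a forced re-association."""
    times = defaultdict(list)
    for t, kind, tx, rx, _ in frames:
        if kind == "deauth":
            times[(tx, rx)].append(t)
    flagged, start = set(), 0
    for pair, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(pair)
                break
    return flagged

def unknown_bssids(frames, known):
    """(ssid, bssid) for beacons that advertise a known SSID from a BSSID not
    in the allow-list: the rogue/evil-twin indicator. Multi-AP networks share
    one SSID legitimately, so `known` must list every legitimate BSSID."""
    return {(info, tx) for _, kind, tx, _, info in frames
            if kind == "beacon" and info in known and tx not in known[info]}

def replayed_msg3(frames):
    """(ap, sta) pairs where EAPOL-Key message 3 arrived again after the station
    had already sent message 4. A retransmission before message 4 is normal;
    one after the handshake completed is the key-reinstallation indicator."""
    done, flagged = set(), set()
    for _, kind, tx, rx, msg in frames:
        if kind == "eapol" and msg == 4:
            done.add((rx, tx))                      # handshake (ap, sta) finished
        elif kind == "eapol" and msg == 3 and (tx, rx) in done:
            flagged.add((tx, rx))
    return flagged
```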
So what can I do?
Or, in other words: what does WifiWall actually do?
WifiWall does exactly what the experts do, only it does it all the time. And we mean all the time. It is not someone you call only after you get hacked. It constantly monitors your devices from the moment you turn it on, so when an attack attempt is happening in real time, it's cut off immediately. It even monitors your traffic from before you are connected to a WiFi network, hence remedying the vulnerability window that a VPN leaves open.
So, WifiWall is your personal expert, always online and protecting you in real time. Whenever WifiWall detects an attempt to re-associate your connection to an attacker's Access Point, or an attempt to use one of the other WiFi attacks, it sends a 'disconnect now' command to your station, which immediately detaches you from the danger, while sending you a notification on your smartphone and showing an alert on its OLED screen.
So, ladies and gentlemen... please stop getting hacked.