Updated: Apr 10
CISA, issuing an alert pointing to specific cyber vulnerabilities around working from home versus the office
As Coronavirus (COVID-19) continues to spread globally, many companies have instructed their employees to work from home to curb the spread of the virus. Large tech companies including Twitter, Apple, Microsoft, Google, and Amazon have been the first to institute mandatory work-from-home policies due to Coronavirus.
Since the early ’80s, IT teams are facing a massive loss of control on employees' working environments. Sure, IT can force employees to use VPN products and two-factor authentication technologies. Still, IT has no control over the employees' home WiFi networks and access points, or over a neighbor's open WiFi that may have the best throughput nearby.
How critical is it?
This article's mission is to shed light on the new risk embedded in one of the darkest elements of Corporate IT: Home WiFi.
The Top 7 WiFi Security Threats
When working from home, individuals will need to connect to their home networks, which are more vulnerable to malware. Home networks lack security measures. Even if they use antivirus software and firewalls, which are often built into the company’s network, how will they protect the wireless LAN? Furthermore, now that the number of individuals working from home is increasing, it is likely that some may ignore the recommended security measures and decide to work outside their homes and connect to public WiFi networks. This presents an ideal entry point for data theft and exposure to unsanctioned monitoring of network traffic.
The National Cyber Security Centre (NCSC) has spotted a number of scams and cyber threats that aim to take advantage of the Coronavirus outbreak to carry out malicious activities.
To curb such activities, the NCSC has taken measures to automatically uncover and eliminate malicious sites run by cyber criminals. As the pandemic escalates, the number of hacking incidents is likely to increase. The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security’s cyber agency, underlined the concerns by issuing an alert on Friday pointing to specific cyber vulnerabilities around working from home versus the office. CISA zeroed in on potential cyberattacks on virtual private networks (VPNs), which enable employees to access an organization’s files remotely.
In the U.S., cyber criminals impersonated the Center for Disease Control (CDC) by creating domain names that resemble the CDC’s web address to request passwords and ask for donations to fund a fake vaccine. Several other countries have been targeted by cyber criminals. For instance, in Japan, cyber criminals spread the Emotet banking Trojan by posing as a state welfare provider to distribute infected Word documents, and from there, spread the Emotet trojan through wireless devices and networks. Similar activities have been reported in Indonesia and Italy.
Rogue WiFi network
Many risks fall into this category, but for clarity, we will only discuss the most independent type of self-contained WiFi network. Basically, a criminal creates a WiFi network that looks legitimate, or that imitates a trusted network. You can spot fake networks because their names say something that makes them look like "free access" or "no password." Avoid these networks as much as possible. If you access public WiFi at a bar or restaurant, they will have a password available to customers.
Hijacking WiFi Camera, Printer and IoT devices (Amazon echo, Google Home etc.)
Attackers can exploit a WiFi device vulnerability to transform a naive device into a rogue access point.
This removes the need to use dedicated hardware or to be physically near the victim.
Hijacking and taking over a WRT Router
Using public source code and widely available knowledge, unauthenticated attackers can inject code and use it to execute commands on the operating system of the router with root privileges.
Hence, the attacker can create backdoor access to take over the router and leak users' confidential data.
Using a Captive Portal Attack
This is a common method used when trying to force a user to connect to an open network with the same name as the network they trust (usually it’s the next stage after performing a rogue access point attack). A captive portal is the HTML screen you get when connecting to an open network at the airport, on a plane, or at a hotel. This screen, which usually contains the terms and conditions, is something people are used to seeing, and hackers use that to their advantage to create a phishing page that looks like the original ones but can lead to malicious code execution or malware being downloaded to the machine.
Evil twins are very similar to rogue APs. An evil twin is an exact copy of a legitimate AP. Usually it’s done for a targeted attack. It tries to hook clients into connecting to the fake network by “kicking” a user off their trusted network while presenting a nearly identical fake one. This forces the victim to connect to the fake network and supply the WiFi password to regain internet access. When you contact the AP, you are communicating with the evil twin, which continues to send information to hackers.
Ad hoc networks are peer-to-peer networks that directly connect two computers. Hackers can create an AP on their PC while the other device is associating with the SSID they created. That way, a hacker can communicate directly with your laptop or mobile device. Ad hoc wireless network features work as a "device-in-the-middle", and can be configured on both Windows and Linux devices.
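The rogue AP, captive portal and evil twin descriptions above share observable signs: a trusted network name served by an unfamiliar access point, served without the expected encryption, or served at a stronger signal than the real AP. The following is an added example, not part of the original article or of any product it mentions, that checks one WiFi scan for those signs. The TRUSTED baseline, the SAMPLE_SCAN entries and the finding labels are all constructed for illustration.

```python
from dataclasses import dataclass

# Security modes ranked weakest to strongest (ranking constructed for this example).
RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # access point MAC address
    security: str    # one of the RANK keys
    signal_dbm: int

# Hypothetical baseline: networks the user trusts and the APs known to serve them.
TRUSTED = {"HomeNet": {"bssids": {"aa:bb:cc:00:00:01"}, "security": "WPA2"}}

# Constructed scan results, not captured from a real network.
SAMPLE_SCAN = [
    Beacon("HomeNet", "aa:bb:cc:00:00:01", "WPA2", -60),
    Beacon("HomeNet", "de:ad:be:ef:00:02", "OPEN", -40),
    Beacon("Free Airport WiFi", "12:34:56:78:9a:bc", "OPEN", -55),
    Beacon("CafeGuest", "12:34:56:78:9a:bd", "WPA2", -70),
]

def classify(beacon, trusted=TRUSTED):
    """Return the findings for one scan entry (empty list means nothing to flag)."""
    profile = trusted.get(beacon.ssid)
    if profile is None:
        return ["open-untrusted"] if beacon.security == "OPEN" else []
    findings = []
    if beacon.bssid.lower() not in profile["bssids"]:
        findings.append("unknown-bssid")        # trusted name, unfamiliar AP
    if RANK[beacon.security] < RANK[profile["security"]]:
        findings.append("security-downgrade")   # trusted name, weaker encryption
    return findings

def audit(scan, trusted=TRUSTED):
    """Map (ssid, bssid) to findings for every suspicious entry in one scan."""
    best_known = {}  # strongest signal seen from a known AP, per trusted SSID
    for b in scan:
        if b.ssid in trusted and b.bssid.lower() in trusted[b.ssid]["bssids"]:
            best_known[b.ssid] = max(best_known.get(b.ssid, -200), b.signal_dbm)
    report = {}
    for b in scan:
        findings = classify(b, trusted)
        # An unfamiliar AP louder than the real one is what clients tend to roam to.
        if "unknown-bssid" in findings and b.ssid in best_known \
                and b.signal_dbm > best_known[b.ssid]:
            findings.append("louder-than-known-ap")
        if findings:
            report[(b.ssid, b.bssid)] = findings
    return report
```

A BSSID can be copied, so a clean result does not prove the AP is genuine, and a legitimate range extender will show up as an unknown BSSID until it is added to the baseline.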
Discovered by ESET researchers, Kr00k (CVE-2019-15125) is a previously unknown vulnerability in WiFi chips. Kr00k causes susceptible devices to use an all-zero encryption key to encrypt part of the user’s communication. If an attack is successful, it enables an attacker to decrypt some wireless network packets transmitted by a susceptible device. Devices with WiFi chips by Cypress and Broadcom that have not been patched yet tend to be affected by Kr00k. Devices that use these WiFi chips include smartphones, tablets, laptops, and IoT gadgets.
Additionally, Kr00k affects not only client devices but also WiFi access points and routers with Broadcom chips. This makes most environments susceptible. Furthermore, Kr00k affects both the WPA2-Personal and WPA2-Enterprise protocols. Attackers also do not have to know the target’s password to carry out the attack. In this case, Kr00k potentially allows nearby attackers to access information which should only be sent after being securely encrypted.
From the discussion above, it is evident that working from home comes with many risks and challenges. Cyber attackers will always be on the lookout for easy targets. However, the risk can be reduced or avoided by putting security measures in place, now that most employees are working from home. Cybersecurity is always the combination of people, policies, processes and technologies that protect an organization's infrastructure, data and devices. VPN, anti-malware, firewall, etc. are just a part of the solution. While of course we always recommend backing up your data, the question remains: What about securing the wireless infrastructure?
Besides the threats mentioned above, there are many other types of threats for users of WiFi networks. These include packet analysers, malware that uses wireless networks to spread (like Emotet), etc. So what is the solution? Should you stop using WiFi? Should you only connect to a wired network? Not at all! What you really need is a tool that lets you access wireless networks and open hotspots without having to worry about security. There are numerous WiFi IDS products, but we are referring to the next generation WiFi cybersecurity system - WifiWall Dome.
The WifiWall Solution
WifiWall Dome is a patent-pending next-generation WiFi cybersecurity solution. WifiWall Dome is delivered as a service to enterprises and corporations globally.
WifiWall Dome intercepts all WiFi traffic (nonintrusive), providing the following values:
Full WiFi visibility
Attacks detection and prevention
History and forensics data
Real-life (endpoint view) network performance monitoring
Attack simulations and red team tools
WifiWall Traveler is a mobile unit protecting travelers while connecting to any public WiFi network.
About WifiWall LTD.
Established in 2018, Wifiwall LTD. launched the WifiWall Dome product line that is installed and deployed in production networks of corporations globally. WifiWall is a self-funded Israeli startup.
For more information, please visit www.wifiwall.com