
WHY VPN IS NOT ENOUGH

First, a small warning. This section is a bit long and a little technical. If you want, you can just read the information at the homepage or in the Q&A section. However, if you are interested and continue to the details, this section sheds light on areas of cybersecurity that often go overlooked.

So, is my VPN safe?

Well, some people will tell you that after connecting to the local access point, if you immediately load your VPN client, you are pretty safe from that moment on. This understanding also explains why there are so few WiFi security products out there. After all, if VPN is good enough, then there’s no need for WiFi-specific solutions.

People may also tell you that the only time you may be at risk is during the short period between connecting to a public access point and establishing the VPN tunnel connection.

Is any of this true?

Quite frankly... no. 

While a VPN is a very important product, it only does half the job.


Here’s why:

The nature of WiFi protocols is such that when we connect our phone, laptop, camera, tablet or any other WiFi device to the access point, we are exposed to WiFi attacks during the connection process. The 802.11 protocols come with built-in weaknesses that present different opportunities for attackers–before TCP/IP is established, and when the VPN client is not yet active.

As Larry Seltzer explained on Ars Technica in “Even with a VPN, open Wi-Fi exposes users”:

“The VPN cannot connect until you connect to the Internet, but the VPN connection is not instantaneous. In many, perhaps most public Wi-Fi sites, your Wi-Fi hardware may connect automatically to the network, but you must open a browser to a "captive portal," which comes from the local router, and attempt to gain access to the Internet beyond. You may have to manually accept a TOS (Terms of Service) agreement first. In this period before your VPN takes over, what might be exposed depends on what software you run. Do you use a POP3 or IMAP e-mail client? If they check automatically, that traffic is out in the clear for all to see, including potentially the login credentials. Other programs, like an instant messaging client, may try to log on.

This gap in coverage may only be a matter of seconds, but that's enough to expose valuable information like login credentials…. Even beyond this time gap, sometimes VPN connections go down. At least in the default configurations of most operating systems, the applications on the system will fail over to the open Wi-Fi connection. Don't blame just the public VPN vendors. The same problem is true of corporate VPNs unless they go to the trouble of configuring the system around the problem.”

To summarize, VPN coverage doesn’t begin at the moment you connect to the access point. Moreover, established VPN connections are far from bulletproof.

Shaking the tree: the main problem for VPNs

One of the most famous weaknesses of the 802.11 protocol is called KRACK (short for Key Reinstallation Attacks). It was discovered in October 2017 by two researchers, Mathy Vanhoef and Frank Piessens. The discovery showed that manipulating the “EAPoL key packet #3” frame allows attackers to “see” all the traffic from the point of connection, before VPN systems typically become active. This essentially means that attackers can recreate the pre-connection vulnerability period of a VPN at any time of their choosing. Your established connection is rendered as defenceless against their attacks as a connection with no VPN.

Most vendors released updated firmware for their WiFi interface cards in order to end this exposure. But in order to be effective, every phone, tablet, WiFi camera, laptop etc. and, of course, every access point in public or private hands, would have to be updated with the new firmware. This kind of update is tricky: it addresses software layers that are the closest to the hardware and are more difficult to update, and they may require special upload tools, for example.

So, the truth is, it will take years to update all of this hardware, and it will probably only happen when people buy new access points and new phones. Which means that in the vast majority of devices and access points, the vulnerabilities will remain intact.
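As an added illustration (not WifiWall's code and not part of the original page), the sketch below shows one defensive heuristic for the “EAPoL key packet #3” frame discussed above: it parses EAPOL-Key frames and reports any message 3 that repeats within a single 4-way handshake. The function names, MAC addresses and sample frames are constructed for the example, and because a repeated message 3 also occurs on ordinary packet loss, an alert is a prompt to investigate, not proof of an attack.

```python
import struct

# Key Information flag bits of an EAPOL-Key frame (IEEE 802.11 4-way handshake).
PAIRWISE, INSTALL, ACK, SECURE = 0x0008, 0x0040, 0x0080, 0x0200

def parse_eapol_key(frame):
    """Return (handshake message number, replay counter), or None if not a pairwise EAPOL-Key frame."""
    if len(frame) < 17 or frame[1] != 3:        # EAPOL packet type 3 = Key
        return None
    key_info, = struct.unpack_from(">H", frame, 5)
    replay, = struct.unpack_from(">Q", frame, 9)
    if not key_info & PAIRWISE:                 # group-key handshake: out of scope here
        return None
    if key_info & ACK:                          # ACK set: sent by the access point
        return (3 if key_info & INSTALL else 1), replay
    return (4 if key_info & SECURE else 2), replay  # ACK clear: sent by the client

def find_repeated_msg3(capture):
    """capture: (ap_mac, client_mac, eapol_bytes) tuples in arrival order.
    Reports each message 3 that follows an earlier message 3 in the same handshake."""
    state, alerts = {}, []
    for ap, client, frame in capture:
        parsed = parse_eapol_key(frame)
        if parsed is None:
            continue
        msg, replay = parsed
        if msg == 1:                            # message 1 opens a fresh handshake
            state[(ap, client)] = {"msg3": None, "msg4": False}
            continue
        hs = state.setdefault((ap, client), {"msg3": None, "msg4": False})
        if msg == 4:
            hs["msg4"] = True
        elif msg == 3:
            if hs["msg3"] is not None:
                alerts.append({"ap": ap, "client": client, "first_replay": hs["msg3"],
                               "repeat_replay": replay, "after_msg4": hs["msg4"]})
            else:
                hs["msg3"] = replay
    return alerts

def build_frame(key_info, replay):
    """Constructed sample frame: real field layout, zeroed nonce/IV/RSC/ID/MIC, no key data."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay) + bytes(80) + b"\x00\x00"
    return struct.pack(">BBH", 2, 3, len(body)) + body

M1, M2, M3, M4 = 0x008A, 0x010A, 0x13CA, 0x030A     # typical WPA2 Key Information values
AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed addresses
NORMAL = [(AP, STA, build_frame(k, r)) for k, r in [(M1, 1), (M2, 1), (M3, 2), (M4, 2)]]
REPLAYED = NORMAL + [(AP, STA, build_frame(M3, 3)), (AP, STA, build_frame(M4, 3))]
```

The `after_msg4` field separates a message 3 resent after the client had already answered with message 4 (that reply did not reach the access point) from one resent before any reply was seen.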

So how can WifiWall help me?

WifiWall can prevent these attacks - and eliminate the need for costly upgrades, software purchases and installations, and IT consultants. WifiWall constantly monitors for attacks from the moment you synchronize your device, and, unlike a VPN, because the connection initiates before you go online, the attack never has a chance to happen.