It’s axiomatic that public Wi-Fi is insecure – as was demonstrated earlier this year when a seven-year-old child hacked a coffee shop network in minutes. Public hotspots are left open so that anyone can join, and as an ordinary customer you can’t verify the legitimacy of a network when all you have to go on is its SSID (service set identifier), or name – a label that whoever runs the access point can set to anything they like. There’s absolutely nothing to say that the network named after your favourite coffee shop corresponds in any way with the outlet in which you sit, supping a doppio, swiping through Twitter. You click and hope – if you even think about it at all. Most people don’t. An Ofcom report last October found that 78% of those who use public Wi-Fi had used a free connection, and 77% of respondents said they were unconcerned about security when doing so.
In an interesting article published by Business Insider last week, Maurits Martijn describes what happened when ethical hacker Wouter Slotboom demonstrated how to harvest data from such unsuspecting – or unconcerned – users.
Sitting in a café with a laptop and a small device the size of a packet of cigarettes that costs just €70, Slotboom was able to pick up the signals that nearby laptops, tablets and phones broadcast while looking for Wi-Fi, and from them collect a list of the remembered networks each device had previously connected to (devices actively ask for those networks by name, so a passive listener hears the names). Connecting to the legitimate coffee shop network for an upstream link, Slotboom was then able to masquerade as those trusted networks: the devices joined his access point automatically, believing it to be a network they already knew, and all their traffic was routed through his own computer, where he could intercept personal data as it passed. It was possible to see what each user was doing online – the sites they were visiting, the information they were exchanging and, for anything not protected by TLS, the passwords they were using:
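To make the first step concrete, here is an added example (my own code, not Slotboom’s tooling or anything from the Business Insider article) showing what a passive listener sees. Client devices send 802.11 probe request frames naming the networks they remember; the script parses a handful of constructed frames, ignores the café’s own beacon, and groups the requested network names by client MAC. The MAC addresses and SSIDs are made up for the example, and the frames are bare 802.11 frames without a radiotap header.

```python
import struct
from collections import defaultdict

# 802.11 management frame constants
BROADCAST = bytes.fromhex("ffffffffffff")
TYPE_MGMT, SUBTYPE_PROBE_REQ, SUBTYPE_BEACON = 0, 4, 8
TAG_SSID = 0                      # information element id for the SSID
MGMT_HEADER_LEN = 24              # frame control, duration, 3 addresses, sequence control


def mac_to_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_mgmt_frame(subtype: int, src: str, ssid: str) -> bytes:
    """Constructed sample input: a bare 802.11 management frame (no radiotap header).

    Beacons really carry 12 bytes of fixed fields before the information
    elements; they are omitted here because the beacon below exists only to
    show that the parser skips it.
    """
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])  # version 0, type mgmt, no flags
    src_mac = bytes.fromhex(src.replace(":", ""))
    header = fc + b"\x00\x00" + BROADCAST + src_mac + BROADCAST + b"\x00\x00"
    ssid_bytes = ssid.encode()
    body = bytes([TAG_SSID, len(ssid_bytes)]) + ssid_bytes     # SSID element
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])               # supported rates element
    return header + body


def parse_probe_request(frame: bytes):
    """Return (source MAC, requested SSID) for a probe request, or None for anything else.

    An empty SSID is a wildcard probe ("is anyone there?") and leaks nothing.
    """
    if len(frame) < MGMT_HEADER_LEN:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != TYPE_MGMT or subtype != SUBTYPE_PROBE_REQ:
        return None
    src = mac_to_str(frame[10:16])                              # address 2 = transmitter
    pos = MGMT_HEADER_LEN
    while pos + 2 <= len(frame):                                # walk the information elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                               # truncated element, stop
        if tag == TAG_SSID:
            return src, value.decode("utf-8", errors="replace")
        pos += 2 + length
    return src, ""


def preferred_network_lists(frames):
    """Group the network names each client asked for, dropping wildcard probes."""
    pnl = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        src, ssid = parsed
        if ssid:
            pnl[src].add(ssid)
    return {mac: sorted(ssids) for mac, ssids in pnl.items()}


# Constructed sample capture: two clients probing, plus the café's own beacon.
SAMPLE_FRAMES = [
    build_mgmt_frame(SUBTYPE_PROBE_REQ, "02:00:00:00:00:01", "HomeNet"),
    build_mgmt_frame(SUBTYPE_PROBE_REQ, "02:00:00:00:00:01", "Acme Corp Guest"),
    build_mgmt_frame(SUBTYPE_PROBE_REQ, "02:00:00:00:00:01", ""),          # wildcard probe
    build_mgmt_frame(SUBTYPE_PROBE_REQ, "02:00:00:00:00:02", "Hotel Wifi"),
    build_mgmt_frame(SUBTYPE_BEACON, "02:00:00:00:00:aa", "Coffee Shop"),  # the real AP, skipped
]

if __name__ == "__main__":
    for mac, ssids in preferred_network_lists(SAMPLE_FRAMES).items():
        print(f"{mac} remembers: {', '.join(ssids)}")
```

Every name in that output is one a rogue access point could answer to, which is why the practical defence on the client side is to forget public networks after use and turn off automatic joining, so the device stops announcing where it has been.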
“We can see that many devices are sending documents using WeTransfer, some are connecting to Dropbox, and some show activity on Tumblr. We see that someone has just logged on to FourSquare. The name of this person is also shown, and, after googling his name, we recognize him as the person sitting just a few feet away from us…
“In less than 20 minutes, here’s what we’ve learned about the woman sitting 10 feet from us: where she was born, where she studied, that she has an interest in yoga, that she’s bookmarked an online offer for anti-snore mantras, recently visited Thailand and Laos, and shows a remarkable interest in sites that offer tips on how to save a relationship.”
If your organisation supports BYOD (bring your own device), then your corporate information could be at risk if an employee’s iPhone – or any other personal device used for work – is compromised in this way. Does your BYOD policy include requirements for users to keep their devices up to date with the latest version of iOS or Android, to apply the latest patches and updates, to avoid untrusted networks when accessing corporate information, or to use specific handsets when doing so? If you’re not sure, you may be interested in our BYOD Policy Template Toolkit.
It contains a complete, customisable BYOD policy and Acceptable Use Agreement, together with implementation guidance, and is usable either on its own or with any other ITGP Documentation Toolkit.
Fully up to date with the March 2013 official guidance on data management and security from the UK’s Information Commissioner, the BYOD Policy Template Toolkit puts affordable best practice at the fingertips of CIOs and security managers everywhere.