ContinuityFocus has been warning clients and prospective clients regarding the risks of traffic tampering and interception over unsecured WiFi networks for many years. Our concerns have been based on the fact that many wireless attacks are trivial to execute and would likely go undetected by most users.
One of the difficulties in conveying this risk has been the lack of empirical evidence describing the prevalence and impact. Many security organizations prefer to consider less quantified risks as theoretical, and wait for a general consensus within the larger IT and business community before taking action.
It appears that larger security community and print media is beginning to acknowledge the risks of traffic manipulation both on public wireless networks and via compromised network equipment.
On May 26th, 2015, American Banker ran an article on the risks of “Comjacking.” Comjacking is the act of hijacking a network in order to intercept or manipulate traffic. The article described a several year investigation involving over 5,000 high end hotels. The default behavior of most mobile devices combined with the requirement for ease of use leaves hotel, coffee shop, and other public wireless networks highly vulnerable to traffic hijacking and a broad range of traffic manipulation attacks. Another example of the pervasiveness of this threat is the discovery that about 300,000 home wireless routers in Europe were Comjacked to divert traffic to Russia.
The article indicates that over 120 methods of Comjacking have been identified. Combining the variety and ease of the attack with the fact that mobile devices are unable to detect that it is occurring makes this a significant threat.
Avivah Litan, vice president of Gartner, a large and generally well regarded Information Technology advisory firm was quoted by American Banking as saying, “I haven’t had a single conversation with a business or bank around comjacking. That doesn’t mean that it is not a threat, but it does mean it’s not a top of mind threat. “
We feel that it is our responsibility as security professionals to help clients understand important risks that may not be “top of mind,” as opposed to only discussing the topics that are of popular interest. While we agree that not every risk warrants action; we recommend that easy to execute, difficult to detect, and high potential impact attack vectors be proactively mitigated.
The goal of traffic manipulation attacks is often to steal information such as user credentials. Once a users’ account information has been intercepted, the attacker can then use those credentials to gain access to the users’ corporate systems, bank, email, and other online accounts.
One example of how this works is called a “Man in the Middle” or MITM attack. In this scenario, the attacker inserts themselves (and their tools) between the user and the system they are attempting to access. If we use a bank as an example, the attacker could redirect the user to a fake website that looks like the intended destination. Then the user passes the fake website their actual username and password. This information can be stored by the attacker and presented to the actual website to sign the user in so they never know their credentials were intercepted. Another variation of this attack involves tricking the user into accepting a fake security certificate and simply decrypting the HTTPS session they have with the banking website.
This type of attack is highly effective against a variety of other systems including email.
So what countermeasures can be used to mitigate this threat?
There are a few countermeasures that can be used against this type of attack. One countermeasure is to stay off of networks that are not well secured. This can be done by avoiding open WiFi and just using your cellular connection or mobile hot spot. This is probably not feasible for all users. The most comprehensive, and in our opinion feasible, countermeasure is to use a secured, tamper resistant private network to encrypt all your traffic. If implemented properly, this approach renders traffic (and therefore data) inaccessible to those attempting to intercept it.
We often implement this by deploying an Always-On VPN. This VPN creates a secure private network connection from the users’ device to our secure data center. Once the traffic arrives at our data center, we then forward it out to the Internet. This approach protects the traffic while it travels over the portions of the network that are the most susceptible to comjacking.
The VPN technology we use protects both the confidentiality as well as the integrity of the traffic, thus preventing interception as well as manipulation. This is an extremely effective way to mitigate a variety of wireless security risks.
We welcome comments and questions about information security and risk management. Please use the contact us from on our website if you would like to connect with us.