Out of office mobile security

April 2014 Infrastructure

When looking at data security, one of the primary threats all companies and individuals face in today’s mobile society is protecting one’s data and devices while on the road. The ability to work from anywhere and almost any device is not only a risk for on-device data, but also for the corporate infrastructure as malware and access points are easily created once a mobile device, be it a tablet, laptop or smartphone, is compromised.

To obtain advice as to how we can secure ourselves while retaining the ability to work while on the move, Hi-Tech Security Solutions asked two local experts to talk about securing our mobility. On the one hand, we spoke to Riaan Badenhorst, MD at Kaspersky Lab South Africa about securing our smartphones in general, on the other we spoke to Robert Krumm, consulting systems engineer for Ruckus Wireless EMEA about secure Wi-Fi use in public hotspots.

Starting with the ubiquitous smartphone, we asked Badenhorst to give us some insight into the seemingly unstoppable surge of malware for smartphones today and what we can do to protect ourselves.

Badenhorst says the mobile threats we face are divided into two camps:

1. Malware that is loaded onto phones. Malware is a reality in the mobile world, especially for Android devices, and one can’t take security for granted. Using one’s mobile at an open hotspot or carelessly downloading apps without taking proper care, even on a secure network, will more often than not open the door to malware.

2. The impact of unmanaged devices on the corporate network. Companies have a responsibility and the tough task of keeping their data and infrastructure secure. Unmanaged mobile devices undermine this task if the company has no mobile device management system in place that determines who can access what, from what device and so forth.

In the PC world, Badenhorst explains that installing an antivirus (AV) package has become standard and most new PCs come with some form of AV installed. The mobile world is different as, for some reason, people don’t feel it’s necessary to protect their devices. Although this attitude is changing, there are many devices without any protection and these are the easiest targets for malware. Once safely installed, these apps can steal any data or wait until the owner connects to a corporate network and set its sights on that.

Badenhorst adds that traditional AV is not even enough anymore. Simply searching for known signatures is not enough. Kaspersky’s Malware Centre in Moscow processes over 150 000 malware samples per day. No smartphone is updated often enough to keep up. The security one needs must have proactive protection built in to deal with potential malware even if there is no definite signature.

Tips for mobile security

Badenhorst offers the following tips as a starting point for securing your mobile device:

1. Lock your system and use a strong password, not your child’s name or your dog’s name.

2. When you get the device, install a proper security product. There are many free versions available but they generally only provide a few security features. Take the plunge and buy a fully paid version that does a proper job.

3. If you have sensitive data on the device, use the built-in encryption services or install an application that provides for encryption – some security packages may offer this.

4. If strong passwords make you nervous, use a professional password manager to help you. Again, these are widely available and some may even be bundled in certain security packages.

Spotting the hotspot

Ruckus Wireless’ Krumm focuses on Wi-Fi threats and the risks many people take in using open Wi-Fi hotspots. There is a trend to using Wi-Fi wherever possible because it provides greater throughput than 3G or similar cellular connectivity, and it’s generally significantly cheaper. Offloading to Wi-Fi is becoming more common, even for enterprise applications.

While these are good reasons to switch to Wi-Fi whenever possible, Krumm warns that open hotspots are very dangerous and one can easily compromise your smartphone or laptop if you don’t take the correct precautions. Furthermore, we can expect to see a growth in open hotspots as these are more convenient for proprietors – a hotel, for example, doesn’t want to have the hassle of people complaining about accessing secured Wi-Fi access, so it opens its network to one and all.

For those who understand the risks and wish to work securely in hotspots, it’s not that simple because proper authentication and enforcing encryption is a mission that few consumers understand.

To address this issue, the Wi-Fi Alliance, of which Ruckus is a member, has introduced PassPoint (or, unofficially, HotSpot 2). Krumm says the goal is to allow Wi-Fi roaming and easy access to hotspots, but to do it securely without inconveniencing the user. This will allow the user’s device to automatically and securely connect to known networks whenever they are in range.

With the correct knowledge, a user can connect to these networks manually, but the process will be long and complex as you have to identify the network, log in with the correct credentials and make sure the security protocols on your device are in place.

Although PassPoint still has a few issues to work through, such as the user having to authenticate his device at the first log in, work has been done to automate as much of the process as possible and ensure that the connection is secure – and encrypted as default. Of course, the device in question must be PassPoint enabled if it is to work.

Mobility is a risky business, but it is a business that is going to be around for a long time. At the moment, security is an issue users and their companies need to address on an individual basis if they want to keep themselves secure. With PassPoint, some of the Wi-Fi hotspot security issues will be dealt with automatically, allowing users to focus on what they are doing, but there are still many other areas of vulnerability where security applications and user education (and some may say common sense) will be the best way to protect from the ever-increasing malware threats out there.

Wi-Fi vulnerabilities

Robert Krumm, Ruckus Wireless EMEA.

Examples of attacks on open and poorly secured wireless networks that can be prevented by robust encryption and authentication include:

1. MAC Address/IP Address spoofing.

2. SSID spoofing and/or ARP poisoning (using MAC Spoofing) which enable Man In The Middle attacks, which allow:

a. DNS poisoning

b. Website spoofing

c. Phishing attacks/identity theft

d. SSL Strip for cracking/spoofing of HTTPS encrypted websites.

3. Firesheep ‘side jacking’ – When a user logs into a secure website, often a cookie is returned to the user with the supplied credentials inside it. The browser then uses that cookie for all future authentication attempts to the website. All too often the cookie returned to a user’s machine after logging into a website is not encrypted, even if the login page was. If a hacker has visibility of the information in this cookie then it allows:

a. Credential harvesting

b. Identify theft

(NOTE: This attack is only possible on non-HSTS protected websites and browsers that do not support HSTS or RFC 6797).

Some attacks can be mitigated by a user’s choice of Web browser, software or behaviour, but there is no ‘secure by default’ option.

By using 802.1X Authentication along with 256 Bit AES Encryption as specified by Wi-Fi PassPoint, these attacks become considerably harder to execute, simply because the malicious parties cannot spoof or pose as another station on the network and no longer have any visibility into the data being transferred between the client and the AP.

Another major effect of Wi-Fi PassPoint is that as secure hotspots become the norm, clients will probe for open hotspot SSIDs less. Probing for a remembered open network exposes clients to honeypot attacks in which a hacker can capture the probe request and then put up an SSID that matches the one your machine was probing for. Once you associate to that malicious network, you are open to additional attacks to the machine itself.

PassPoint security enhancements

L2 traffic inspection and filtering

L2 inspection and filtering prevents frames exchanged between two mobile devices from being delivered without first being inspected and filtered in either the hotspot operator network or the SP core network. This allows peer-to-peer traffic between clients in the same subnet on the network to be blocked. Such processing provides some protection for mobile devices against attack.

Downstream forwarding of group-addressed frames by APs

By IEEE 802.11 design, all mobile devices in a BSS use the same Group Transient Key so forgery of group-addressed frames is always possible.

A PassPoint capable AP can be configured so that it does not forward any group addressed frames (Broadcast or multicast) to any client devices associated to the Basic Service Set. DHCP traffic is converted to unicast traffic and a Proxy ARP service is enabled.

Proxy ARP service

A common attack in wireless networks involves the use of Gratuitous ARP messages (IPv4) and Unsolicited Neighbour Advertisement messages (IPv6). These can be used for ARP Cache Poisoning attacks which enable a hacker to place a machine between the Client Device and the Access Point which can then capture all traffic exchanged between the two devices, this is referred as a 'Man in the Middle' attack.

PassPoint enabled APs are required to support a Proxy ARP service. The Proxy ARP service keeps track of the MAC addresses of clients and their IPv4/IPv6 addresses. The PassPoint

AP receives broadcast ARP requests and Neighbour Solicitation Packets but does not forward the messages into the network. The AP instead responds to the ARP request or Neighbour Solicitation on behalf of the network device to which the IP Address is assigned with a unicast message.

PassPoint APs may also disable forwarding of Gratuitous ARP Messages and unsolicited Neighbour Advertisements into the network helping to prevent ARP-Cache Poisoning attacks.



Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

From the Editor's desk: Apathy is a cybercriminal
Technews Publishing News & Events
      Welcome to SMART Security Solutions’ first print publication of the year, the SMART Access & Identity Handbook 2025. This year’s print issue is smaller than usual, so we include some articles in the ...

Read more...
Federated identity orchestration
Technews Publishing SMART Security Solutions Editor's Choice Access Control & Identity Management Security Services & Risk Management AI & Data Analytics
Understanding exactly who resides at the end of a digital device is key, and simple identity number verification by the Department of Home Affairs is no longer a viable solution on its own.

Read more...
Managing identities for 20 years
Ideco Biometrics Technews Publishing SMART Security Solutions Access Control & Identity Management Integrated Solutions IoT & Automation
Many companies are now more aware of the risks associated with unauthorised access to locations and sensitive data and are investing in advanced identity authentication technologies to mitigate these threats.

Read more...
Balancing security and ease-of-use
Technews Publishing SMART Security Solutions Access Control & Identity Management Security Services & Risk Management
Fraud incidents have financial repercussions and erode consumer trust, leading businesses to become more aware, though this awareness does not necessarily translate into confidence in their identity authentication processes.

Read more...
Identity and authentication
Technews Publishing SMART Security Solutions Access Control & Identity Management Information Security Security Services & Risk Management
Identity authentication is a crucial aspect of both physical security and cybersecurity. SMART Security Solutions obtained insights into the topic and the latest developments from three companies.

Read more...
Integration and IoT made easy
Technews Publishing SMART Security Solutions Access Control & Identity Management
The security industry is built on silos, be it surveillance, access control, alarms and others, but integration has become a critical issue in recent years. SMART Security Solutions speaks to Integr8 Systems about its local hardware and software.

Read more...
SMARTpod talks to Armata’s Richard Frost
Technews Publishing SMART Security Solutions Videos
SMARTpod, the podcast by SMART Security Solutions, recently spoke to Richard Frost from Armata about the company's new 'all-in-one' cybersecurity bundle designed to relieve cyber stress in the SMB market.

Read more...
VPS hosting set to dominate in 2025
Infrastructure
SME market growth and the increasing need for a digital footprint are pushing VPS growth in South Africa, especially since it is now perceived as a viable business tool, scalable by nature, with improved performance.

Read more...
Threats, opportunities and the need for post-quantum cryptography
AI & Data Analytics Infrastructure
The opportunities offered by quantum computing are equalled by the threats this advanced computer science introduces. The evolution of quantum computing jeopardises the security of any data available in the digital space.

Read more...
Highest capacity ePMR HDDs
Infrastructure Products & Solutions
Western Digital has announced that it is now shipping the world’s highest capacity UltraSMR HDD with up to 32TB leveraging the time-tested, reliable energy-assisted PMR (ePMR) recording technology for hyperscalers, CSPs and enterprises.

Read more...