Public Wi-Fi: Bad Habits, Long-Term Risks February 7 2017 In a world of increasing interconnectivity, the use of wireless internet and public networks can wreak havoc in other areas of one’s personal life and business environment. Public wireless networks are a potential playground for hackers who use them to tap into other users’ personal information and to install malware programs that damage or disable the device or the system. “There are a tremendous amount of things hackers can do once they have a physical connection to a public network,” says Ryan Weston, the manager of security and connectivity for ACS. This can range from identity and credit card theft to exposure to personal account passwords. The risk extends beyond the immediate. Use of these networks can endanger not only your personal devices and assets, but your business resources as well. This happens because more and more “smart” devices communicate with one another to create what is referred to as the “Internet of Things.” This includes everyday objects that are embedded with network connectivity, electronics, software and sensors, which allows them to send and receive data. Let’s walk through a few examples of how a seemingly harmless activity with your personal devices can affect your business assets through the Internet of Things. Anyone who decides to use a public wireless network should be mindful of any internet activity they perform while connected to it. Weston advises against connecting to any accounts where a username and password are required or logging in to any email or social media accounts. If a user has applications such as Facebook or Yahoo Mail that continually run in the background of their cellphone, those accounts are vulnerable to hackers once connected to the public network as well. You don’t have to physically log in to an application for it to be compromised. Example 1: James attends an after-hours networking event at a local bar and restaurant. While there, he connects to the free Wi-Fi to check the latest stock exchange numbers. James has his personal and work-related email accounts connected to his phone through apps that automatically sync his inbox so that he doesn’t have to sign in each time he views or sends an email. Across the bar, a hacker is also connected to the public Wi-Fi network. Once James accesses the public network, the hacker can identify James’ device and quickly access his files and applications. Because James’ email accounts are automatically synced to his phone and do not require a password, the hacker has instant access to his email account — including his corporate email. Once James’ corporate email account is compromised, the hacker can send emails containing viruses and other malicious programs to his unsuspecting co-workers, enabling him to further penetrate the company’s systems and compromise their information, possibly even hold their data for ransom. “I don’t recommend using public Wi-Fi,” Weston says. “With public Wi-Fi, you never know who’s going to be listening to your traffic.” He also advises that internet users have separate accounts and unique passwords for any account they use and avoid any applications that ask the user to log in through another application such as Facebook. The transfer of malicious programs between devices and networks doesn’t always occur through an actual physical or wireless connection. Sometimes something as simple as transferring files from one device to another through a USB flash drive can take down an entire production line. Example 2: Janet works for a manufacturing company and took her family to Puerto Vallarta, Mexico, for spring break. While there, she took photos with her phone and connected to the resort’s complimentary Wi-Fi to research and reserve fishing and whale watching excursions. While on the resort’s Wi-Fi her phone was compromised by a hacker. When Janet returned home, she downloaded her vacation photos from her phone to her personal laptop and saved a few photos to a USB flash drive. She then took the USB to work, connected it to her corporate laptop to set the photos as the background image for her desktop, thus infecting her laptop. She then used the same USB to copy program files from one computer numerical control (CNC) machine on the production line to another. The infected USB transferred the malicious program to the CNC machines and stopped production. To rectify the situation, the CNC machine’s operating system had to be completely scrubbed and re-installed, costing the company hundreds of thousands of dollars in lost revenue and production time. In this scenario two hazardous activities culminated to compromise the company’s system: connecting to an international network and transferring information from an unprotected personal device to a corporate device. Weston suggests that anyone traveling outside the United States not connect to any network with their smartphone because there are fewer safeguards. The safest precaution is to purchase a prepaid phone that could be used for international travel and discarded afterward, Weston says. The risk of having a business’s network compromised can mean the loss of trade secrets, customer and confidential information, and production time and productivity from inoperable gear, as well as damage to the business’s reputation. “Consumers are more aware of the risks than ever before. They expect the businesses they deal with to take the necessary precautions to protect their data,” Weston says. Example 3: Brad works for a health care facility and recently welcomed a new baby girl into his family. To keep a watchful eye on his bouncing baby girl, he purchased a video baby monitor that connects to the internet and allows him to view the baby’s crib through an app or website. When installing the baby monitor, Brad did not change the default username or password. A hacker has discovered that an easy way to infiltrate home networks is by targeting households with this specific type of baby monitor. The hacker can quickly infiltrate IoT devices through a site that locates and identifies insecure IoT devices using the manufacturer name, model name and connectivity status. Once he finds the baby monitor and its login page, he can enter the default password and, voila! He now has access to their baby monitor, and from there can attack the home network. One day, Brad’s daughter is sick, so he decides to work from home, not knowing his home network has been compromised through the baby monitor. He logs on to his work computer and in to the clinic’s network through a virtual private network (VPN) connection. Once his computer connects to the clinic’s network, the virus spreads, and his clinic’s network also becomes infected. This infection could compromise the patient’s confidential information, such as social security number, financial accounts and insurance premium information — all highly sought-after information on the black market or “dark web.” Weston says the spread of a virus from device to device is comparable to how germs are passed during cold and flu season. All devices should have an antivirus and malware safeguard installed when possible. If an individual thinks his or her device may have been compromised, a qualified technician should examine it. Businesses need to account for employees who connect to their system remotely through a VPN connection. Those connections are usually considered more trustworthy and don’t go through the same layers of security as other connections, but Weston says businesses need to increase their level of security for VPNs and add additional layers that will block outer edge risks. A layered security approach will protect the entire business network and allow for multiple ways to authenticate a user. Next month, we'll discuss how to create a layered security approach and how to protect a business if its outer edge network is compromised. Interested in IoT? Read our blog "The Internet of Insecure Things". *This blog was featured in the Des Moines Business Record.