NSA Reminder: Beware of Public Wi-Fi
Agency Emphasizes Value of VPNs, Other Security Steps
Teleworking U.S. national security employees are putting sensitive data at risk if they use public Wi-Fi networks without using a virtual private network to encrypt the traffic, the National Security Agency notes in a new advisory.
"As telework becomes more common, users are more frequently bringing themselves and their data into unsecured settings and risking exposure," the NSA says in the new advisory applicable to National Security System, Department of Defense and Defense Industrial Base employees.
NSA explains why it's so risky to access public Wi-Fi networks from laptops, tablets, mobile phones and wearable accessories.
"Cyber actors employ malicious access points, redirect to malicious websites, inject malicious proxies and eavesdrop on network traffic," the agency warns. It also cautions against the public use of Bluetooth and Near Field Communications. "The risk is not merely theoretical; these malicious techniques are publicly known and in use."
A Timely Reminder
A reminder about the dangers of using public Wi-Fi is important in light of the shift to a remote workforce, says John Dickson, a former member of the U.S. Air Force's Information Warfare Center and its Computer Emergency Response Team.
"In a pandemic, more Defense Department, defense contractors and other industry partners are working remotely," he says. "The potential risk of Wi-Fi exploitation against these workers - particularly outside the country and in the Capitol region - is acute. There is no downside to formally restating these protections."
Dickson, now the vice president of security firm Coalfire, says the NSA's tips are helpful for workers in all sectors.
The NSA advises: "Avoid connecting to public Wi-Fi, when possible, as there is an increased risk when using public Wi-Fi networks. Use a corporate or personal Wi-Fi hot spot with strong authentication and encryption whenever possible, as it will be more secure."
The NSA adds: "If users choose to connect to public Wi-Fi, they must take precautions. Data sent over public Wi-Fi - especially open public Wi-Fi that does not require a password to access - is vulnerable to theft or manipulation. Even if a public Wi-Fi network requires a password, it might not encrypt traffic going over it. If the Wi-Fi network does encrypt the data, malicious actors can decrypt it if they know the pre-shared key."
Threat actors can also coerce the network into using unsecure protocols or obsolete encryption algorithms, the agency says. And they can set up a fake access point, known as an "evil twin," to mimic nearby public Wi-Fi and gain access to data.
The intelligence agency also says unencrypted or easily decrypted network traffic can be captured using readily available open-source tools, leading to credential harvesting and additional compromises.
The NSA also advises users to practice proper browsing habits - including accessing only Hypertext Transfer Protocol Secure sites.
"These methods will aid users in better protecting their information from Wi-Fi snooping, man-in-the-middle techniques, server masquerades used to capture password hashes and evil twin mimics," the agency says.
The Risks of Bluetooth, NFC
Keeping Bluetooth enabled in public settings can lead to threat actors scanning for, and ultimately accessing or compromising, devices via Bluejacking, Bluesnarfing and Bluebugging, the NSA points out.
Near Field Communications, which offers close device-to-device data transfers, can also be exploited at close range, the agency adds.
"While the majority of NSA's guidance focuses on Wi-Fi, NFC and Bluetooth are likely riskier areas," warns Jake Williams, a former member of NSA's elite hacking team. "The attack surfaces of NFC and Bluetooth have not been studied as much as Wi-Fi, and there are likely more undiscovered vulnerabilities in those protocols."
Williams, co-founder and CTO at security firm BreachQuest, argues that avoiding the use of public Wi-Fi "is not realistic for most." He adds: "With the rise of ubiquitous encryption, particularly the use of HTTPS, the risks of using public Wi-Fi today are a fraction of what they were even a few years ago. Security practitioners should … be communicating the relative risks of using public Wi-Fi with a laptop versus a cellphone or tablet."
Laptops, he says, use host-name technologies, such as Link-Local Multicast Name Resolution, or LLMNR, which make using public Wi-Fi even riskier.