Life Of: A Wi-Fi Security Researcher

Written by

How secure is your Wi-Fi, the Wi-Fi that your device is connected to, and when did you last read a story about a Wi-Fi hack? This week, Infosecurity attended a conference specifically focused on Wi-Fi, and sat down with the sole security presenter from the conference.

Ryan Orsi is director of product management at WatchGuard, where he leads secure Wi-Fi solutions for the company. He talked about the 'layer two levels' of the open systems interconnection model, which he said that, since its inception 20 years ago, has been forgotten about. “If you stop layer two from ever happening, you stop all of the crazy hacks from happening,” he argued.

As we mark 20 years since public Wi-Fi was launched, Orsi said that standards are still being retrofitted, and a phone’s default setting is to connect to a network if a user has been there before and this enables attacks such as Evil Twin, where anyone can broadcast a Wi-Fi name from a pen testing tool like a Wi-Fi pineapple.

“Our devices have not got the intelligence to determine between good and bad,” he said. “Most people miss the fact that the phone is scanning for a network.”

This led to the development of the awareness website Trusted Wireless Environment which defines the six types of Wi-Fi hacks, which cover all of the threats at layer two. “If we were talking about ransomware or a Trojan for 20 years, people would be up in arms, and that is where we are with Wi-Fi security,” he explained. “It is still pretty easy to do these attacks, and those six threats are very simple to test.”

The six threats are as follows:

Evil Twin – an access point in your physical space that is broadcasting the same SSID as your legitimate SSID, but it is not physically Ethernet cabled to your network. These can also spoof the Mac address of an access point.

Rogue Access Point – these are the most commonly known, where an attacker can plug an access point into your network.

Neighbor Access Point – this is a corporate office where staff use tablets and they should only connect to the legitimate SSID, and look for another local or “neighbor” access point to connect to. 

Rogue Client – where your phone connects to a Wi-Fi network, is tracked after you leave the hotspot and can spread malware to a network.

Ad-Hoc Connection – where files are airdropped, and provides a headache for any company where there needs to be an audit trail.

Misconfigured Access Point – where companies ship access points to remote offices and a misconfigured access point can go out without the correct protections and cannot be used until it is correctly configured.

Orsi said that if you stop these six threats, you stop all of the major threats like Krack and Dragonblood which he said all start with mimicking Wi-Fi to get in a man-in-the-middle position “and if you kill that you stop those higher layer attacks.”

Orsi argued that what was missed 20 years ago was the chance to define what security protocol was needed to prevent these attacks from happening, and he said that the industry believes that this has been solved but “there is no standard definition or vendor requirement to be WIPS certified.” He said that when you test devices to the six threats, most fail, and the Wi-Fi industry needs to raise awareness on this.

He said that he would love to see more companies “plaster safe Wi-Fi here” messages, as too many people presume that they know that the Wi-Fi that they connect is safe, and that it won’t monitor their traffic or steal their details.

Following on from that, are we at the stage where the public is demanding better Wi-Fi security? Orsi said that if you ask people one on one, the response will be positive, but if there were a group of people, then they would ask, if there was such a risk, why had it not been dealt with? Orsi said that with the establishment of the Trusted Wireless Environment, people are becoming more aware, and he hoped to see some sort of secure emblem which is more visual to the user.

Orsi concluded that we don’t see articles on these sort of threats day-to-day, and the problem is that as this is happening at layer two, and unless you have access points configured in a certain way and not by default, “no one is watching.” He called it “very rare” that you see headlines on this, as often the breach at the end of the chain gets reported, but Orsi said that Wi-Fi attacks “are a bigger attack surface than email phishing, and you see way more Wi-Fi attacks.”

What’s hot on Infosecurity Magazine?