By releasing an information sheet that provides guidance on securing wireless devices while in public (pdf), aimed at National Security Systems, Department of Defense, and Defense Industrial Base teleworkers, the NSA has provided useful information on the malicious techniques cyber actors use and on ways to protect against them.
And anyone who does not belong to that group of teleworkers can still take advantage of the knowledge it has shared!
While the NSA's advice and best practices aren't a guarantee of protection, they will help to reduce the risks you face while you're out and about. The most obvious advice in the information sheet is not to use public Wi-Fi hotspots when a more secure option is available: use a corporate or personal Wi-Fi hotspot with strong authentication and encryption whenever possible, and use HTTPS and a VPN when you can't.
Wi-Fi and encryption
Even if a public Wi-Fi network requires a password, it might not encrypt the traffic going over it: a password typed into a captive-portal web page is not link-layer encryption. And even if the network does encrypt the data, with WPA2-Personal the session keys are derived from the pre-shared key plus values exchanged in the clear, so a malicious actor who knows that key and captures a device's handshake can decrypt its traffic. In either case, the network traffic (including login credentials) is easily captured using a couple of methods:
Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated to evade defenses and/or observation. For example, in this context it means that a cyber-criminal might broadcast an SSID (the name of a wireless network) that looks legitimate just to trick you into using their Wi-Fi hotspot.
As we have discussed before, anyone can spoof a well-known SSID, and your device will happily connect to the spoof if it has connected to an open network with that name before: an open network gives the device nothing with which to tell the real access point from a fake one. Once you are connected to a malicious hotspot masquerading as one you've used before, its operator can redirect you to malicious websites, inject malware or ads, and spy on your network traffic.
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. On an open network an adversary doesn't even need to join: a wireless card in monitor mode records every frame in range. Either way they can "sniff" the traffic passing over the wireless network, capturing information about the environment and the traffic of other Wi-Fi users, including authentication material passed over the network.
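The claim above, that anyone holding the pre-shared key can read a WPA2-Personal session, follows from how the session key is derived. The following is an added example, not code from the NSA sheet or from this post, that walks through that derivation in Python: the PMK comes from the passphrase and SSID alone, and the per-session PTK comes from the PMK plus four values (both MAC addresses and both nonces) that the 4-way handshake sends in the clear. The SSID, passphrase, MAC addresses, nonces and the trimmed EAPOL message 2 are all constructed for the example; the final AES-CCM decryption of data frames with the recovered TK is not shown.

```python
import hashlib
import hmac
import struct

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # The SSID is broadcast in beacons, so the passphrase is the only secret input.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated.
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    # PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces)).
    # Both MACs and both nonces travel in the clear during the handshake.
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)   # KCK (16) | KEK (16) | TK (16) for CCMP

def build_message2(snonce: bytes) -> bytes:
    # Minimal EAPOL-Key message 2 with the MIC field zeroed (constructed for the example; a real
    # frame also carries the RSN IE in its key-data field, which does not change the MIC math).
    key_info = struct.pack(">H", 0x010A)                  # descriptor version 2 (HMAC-SHA1 MIC), pairwise, MIC bit
    body = (b"\x02" + key_info + struct.pack(">H", 16)    # RSN descriptor type, key info, key length
            + struct.pack(">Q", 1)                        # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)    # SNonce, key IV, RSC, key ID
            + bytes(16)                                   # MIC field, zero while the MIC is computed
            + struct.pack(">H", 0))                       # key data length
    return b"\x02\x03" + struct.pack(">H", len(body)) + body   # EAPOL version 2, type EAPOL-Key

def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    # WPA2, descriptor version 2: MIC = first 16 bytes of HMAC-SHA1(KCK, whole EAPOL frame, MIC zeroed).
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]

def recover_session_key(candidate_passphrase, ssid, ap_mac, sta_mac, anonce, snonce, msg2_zeroed, observed_mic):
    # What a passive eavesdropper does with a captured handshake: derive the PTK from a candidate
    # passphrase and test it against the MIC the station transmitted. Returns the TK (the key that
    # encrypts the station's data frames) when the candidate is right, otherwise None.
    ptk = ptk_from_pmk(pmk_from_passphrase(candidate_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    kck, tk = ptk[:16], ptk[32:48]
    return tk if hmac.compare_digest(eapol_mic(kck, msg2_zeroed), observed_mic) else None

# Constructed handshake between a station and a cafe hotspot. The passphrase is the one written on
# the wall, i.e. known to every customer, including the one at the next table running a sniffer.
SSID = "CafeGuest"
PASSPHRASE = "latte2024"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

def station_side():
    # The legitimate station derives its PTK and authenticates message 2 with the KCK.
    ptk = ptk_from_pmk(pmk_from_passphrase(PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    msg2 = build_message2(SNONCE)
    return ptk[32:48], msg2, eapol_mic(ptk[:16], msg2)

def demo():
    # Returns (station's TK, TK recovered with the right passphrase, result with a wrong one).
    tk_station, msg2, mic = station_side()
    tk_right = recover_session_key(PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2, mic)
    tk_wrong = recover_session_key("latte2023", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2, mic)
    return tk_station, tk_right, tk_wrong

if __name__ == "__main__":
    tk_station, tk_right, tk_wrong = demo()
    print("station TK       :", tk_station.hex())
    print("attacker with PSK:", tk_right.hex() if tk_right else None)
    print("attacker, bad PSK:", tk_wrong)
```

The same MIC check is what offline dictionary attacks run against a captured handshake when the passphrase is not known; with a shared cafe passphrase there is nothing to guess, which is why the NSA's advice is to treat such networks as untrusted and add a VPN on top.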
Please encrypt your traffic
You can't stop masquerading or network sniffing, but you can make them useless to an attacker by adding a layer of encryption to your traffic with a VPN: everything between your device and the VPN endpoint then looks the same to the hotspot operator, whoever they are. The NSA strongly advises using a personal or corporate-provided virtual private network (VPN) to encrypt the traffic.
The NSA rightly warns that in addition to Wi-Fi, cyber actors may also compromise other common wireless technologies, such as Bluetooth and Near Field Communication (NFC). The risk isn't merely theoretical, since these malicious techniques are publicly known and in use.
NFC is the technology behind contactless payments and other close device-to-device data transfers. As with any network protocol, there may be NFC vulnerabilities that can be exploited, although NFC's range of a few centimeters limits the opportunities to exploit them.
Bluetooth technology transmits data wirelessly over short distances. Keeping a device’s Bluetooth feature enabled in public can be risky. Malicious actors can scan for active Bluetooth signals, potentially giving them access to information about a targeted device.
The NSA highlights a few specific Bluetooth related attack techniques:
- Bluejacking, sending unsolicited messages (often unsolicited anatomical pictures sent to women) over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers.
- Bluesnarfing, the unauthorized access of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs.
- Bluebugging, manipulating a target phone into a compromised state that gives the attacker a backdoor into it, before returning control of the phone to its owner.
- BlueBorne, a set of Bluetooth implementation vulnerabilities disclosed in 2017 that can give a malicious actor within radio range complete control over a device, without any pairing.
Do’s and don’ts
The information sheet goes on to provide some do’s and don’ts. Most of them are very generic and you will probably have read them many times before. We are sure we have listed them ourselves time and again.
That doesn't mean they're bad advice though, and it suggests that some people aren't paying close enough attention, so here goes:
- Keep software and applications updated with the latest patches.
- Use anti-virus/anti-malware software.
- Use multi-factor authentication (MFA) whenever possible.
- Reboot regularly, especially for mobile phones after using untrusted Wi-Fi. (Rebooting a device will remove non-persistent threats from memory.)
- Do not leave devices unattended in public settings.
- Do not use personal information—like your name—in the names of the devices.
- Disable Wi-Fi when you aren't using it.
- Disable Wi-Fi network auto-connect.
- Ensure your device is connecting to the correct network.
- Log out of the public Wi-Fi network and “Forget” the access point when you're finished.
- Use HTTPS where you can.
- Only browse to, or use, necessary websites and accounts.
- Do not connect to open Wi-Fi hotspots.
- Do not enter sensitive data or conversations.
- Do not click unexpected links, attachments, or pop-ups.
- Do not set public Wi-Fi networks to be trusted networks.
- Do not browse the Internet using an administrator account on the device.
- Disable the Bluetooth feature when it is not being used.
- Ensure the device is not left in discovery mode when Bluetooth is activated and discovery is not needed.
- Monitor Bluetooth connections by periodically checking what devices are currently connected to the device.
- Do not use Bluetooth to communicate passwords or sensitive data.
- Do not accept non-initiated pairing attempts.
- Use an allow-list or deny-list of applications that can use the device’s Bluetooth.
- Disable NFC feature when not needed (if possible).
- Do not bring devices near other unknown electronic devices. (This can trigger automatic communication.)
- Do not use NFC to communicate passwords or sensitive data.
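Several of the Wi-Fi items above (disable auto-connect, forget the access point, don't connect to open hotspots) come down to what your laptop has remembered. As an added example that is not part of the NSA sheet or of this post, the Python script below audits the saved profiles of a Windows laptop: it parses the output of `netsh wlan show profiles` and `netsh wlan show profile name=...`, flags saved open networks (which any hotspot broadcasting the same SSID can impersonate) and auto-connect settings, and prints the `netsh` command that removes or downgrades each profile. The profile names and netsh output embedded in it are constructed so that it runs offline; on Windows it reads the live profiles instead.

```python
import re
import subprocess
import sys

# Constructed sample of `netsh wlan show profiles` output, so the audit runs without Windows.
SAMPLE_PROFILE_LIST = """
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : HomeNet
    All User Profile     : Airport Free WiFi
    All User Profile     : CafeGuest
"""

# Constructed samples of `netsh wlan show profile name="..."` output, trimmed to the lines read below.
SAMPLE_PROFILES = {
    "HomeNet": """
    Name                   : HomeNet
    Control options        :
        Connection mode    : Connect automatically
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
""",
    "Airport Free WiFi": """
    Name                   : Airport Free WiFi
    Control options        :
        Connection mode    : Connect automatically
    Authentication         : Open
    Cipher                 : None
""",
    "CafeGuest": """
    Name                   : CafeGuest
    Control options        :
        Connection mode    : Connect manually
    Authentication         : Open
    Cipher                 : None
""",
}

PROFILE_LINE = re.compile(r"^\s*(?:All|Current) User Profile\s*:\s*(.+?)\s*$", re.M)
FIELD = re.compile(r"^\s*(Connection mode|Authentication)\s*:\s*(.+?)\s*$", re.M)

def parse_profile_names(listing: str):
    # Profile names as netsh lists them, in order.
    return PROFILE_LINE.findall(listing)

def parse_profile(detail: str):
    # Only the two fields the audit needs; an empty detail (profile vanished) yields a harmless record.
    fields = dict(FIELD.findall(detail))
    return {
        "auto_connect": fields.get("Connection mode", "").lower().startswith("connect automatically"),
        "open": fields.get("Authentication", "").lower() == "open",
    }

def assess(name: str, profile: dict):
    # A saved open SSID is spoofable by anyone, since the device has nothing to authenticate the AP with.
    # Auto-connect makes that spoof silent, so it ranks highest; a remembered WPA network that auto-connects
    # is less exposed but still announces itself in probe requests, so manual connection is advised.
    if profile["open"] and profile["auto_connect"]:
        return ("HIGH", f'netsh wlan delete profile name="{name}"')
    if profile["open"]:
        return ("MEDIUM", f'netsh wlan delete profile name="{name}"')
    if profile["auto_connect"]:
        return ("LOW", f'netsh wlan set profileparameter name="{name}" connectionmode=manual')
    return ("OK", None)

def audit(listing: str, details: dict):
    # Returns [(name, severity, remediation command or None)] sorted worst first.
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "OK": 3}
    findings = [(n, *assess(n, parse_profile(details.get(n, "")))) for n in parse_profile_names(listing)]
    return sorted(findings, key=lambda f: order[f[1]])

def collect_live():
    # Live collection through netsh (Windows only); everything else in this file works on the samples.
    def run(*args):
        return subprocess.run(["netsh", "wlan", *args], capture_output=True, text=True).stdout
    listing = run("show", "profiles")
    return listing, {n: run("show", "profile", f"name={n}") for n in parse_profile_names(listing)}

if __name__ == "__main__":
    listing, details = collect_live() if sys.platform == "win32" else (SAMPLE_PROFILE_LIST, SAMPLE_PROFILES)
    for name, severity, fix in audit(listing, details):
        print(f"{severity:6} {name!r}" + (f"  ->  {fix}" if fix else ""))
```

Run it before and after a trip: anything rated HIGH is a network your laptop will rejoin on its own the moment something nearby uses that name, whether or not it is the original hotspot.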
More advanced advice for laptops
- Configure Web Proxy Auto-Discovery (WPAD) to use only corporate proxy servers. Left on auto-detect, a laptop asks the local network (via DHCP and DNS) where its proxy is, and on a hostile hotspot the answer can point it at the attacker.
- Enable firewalls to restrict inbound and outbound connections by application.
- Disable Link-Local Multicast Name Resolution (LLMNR) if applicable. LLMNR is a deprecated and vulnerable protocol for quick resolution of names on the same subnet: any host on the link can answer a query, so an attacker on the hotspot can claim a name and collect the authentication attempts that follow.
- Disable the NetBIOS Name Service (NBT-NS), which works the same way and has the same problem.
- Turn off the device file and printer sharing on public networks.
- Use virtual machines (VMs) for an additional layer of security.
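As an added example, not the NSA's or this post's own code, here is a Python audit of the registry values behind three of those settings on a Windows laptop: the LLMNR policy value, the per-adapter NetBIOS-over-TCP/IP option, and the public-profile firewall switch. It reports each weak setting next to the `reg add` command that hardens it. The registry snapshot it carries is constructed to look like an unhardened default install (the adapter GUID is made up), so the script runs offline; on Windows it reads the live registry through `winreg` instead.

```python
import sys

# HKLM keys behind three items in the list above.
LLMNR_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
NETBT_IFACES = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
FIREWALL_PUBLIC = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"

class WindowsRegistry:
    """Live HKLM reader; winreg only exists on Windows, so it is imported inside the methods."""
    def value(self, path, name):
        import winreg
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:            # key or value absent
            return None
    def subkeys(self, path):
        import winreg
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return [winreg.EnumKey(key, i) for i in range(winreg.QueryInfoKey(key)[0])]
        except OSError:
            return []

class SnapshotRegistry:
    """Offline stand-in holding {(path, name): value} and {path: [subkeys]}."""
    def __init__(self, values, subkeys):
        self._values, self._subkeys = values, subkeys
    def value(self, path, name):
        return self._values.get((path, name))
    def subkeys(self, path):
        return self._subkeys.get(path, [])

# Constructed snapshot of an unhardened default install; the adapter GUID is made up.
ADAPTER = "Tcpip_{0F1E2D3C-0000-4000-8000-000000000001}"
DEFAULT_LAPTOP = SnapshotRegistry(
    values={(f"{NETBT_IFACES}\\{ADAPTER}", "NetbiosOptions"): 0,   # 0 = follow DHCP, the default
            (FIREWALL_PUBLIC, "EnableFirewall"): 1},               # firewall on for public networks
    subkeys={NETBT_IFACES: [ADAPTER]})

def audit(reg):
    """Returns [(problem, remediation command)] for every setting that is not in its hardened state."""
    findings = []
    # LLMNR: the policy value EnableMulticast = 0 turns it off; no value at all means the default (on).
    if reg.value(LLMNR_KEY, "EnableMulticast") != 0:
        findings.append(("LLMNR is enabled (EnableMulticast policy is missing or not 0)",
                         f'reg add "HKLM\\{LLMNR_KEY}" /v EnableMulticast /t REG_DWORD /d 0 /f'))
    # NetBIOS over TCP/IP is set per adapter: 0 = follow DHCP (default), 1 = enabled, 2 = disabled.
    for iface in reg.subkeys(NETBT_IFACES):
        path = f"{NETBT_IFACES}\\{iface}"
        if reg.value(path, "NetbiosOptions") != 2:
            findings.append((f"NetBIOS name service not disabled on adapter {iface}",
                             f'reg add "HKLM\\{path}" /v NetbiosOptions /t REG_DWORD /d 2 /f'))
    # Public-profile firewall: EnableFirewall = 0 means off; an absent value means the default (on).
    if reg.value(FIREWALL_PUBLIC, "EnableFirewall") == 0:
        findings.append(("Windows Firewall is off for the public profile",
                         f'reg add "HKLM\\{FIREWALL_PUBLIC}" /v EnableFirewall /t REG_DWORD /d 1 /f'))
    return findings

if __name__ == "__main__":
    reg = WindowsRegistry() if sys.platform == "win32" else DEFAULT_LAPTOP
    for problem, fix in audit(reg) or [("no findings", "")]:
        print(f"{problem}\n    {fix}")
```

The NetBIOS change is the one people forget: it is stored per adapter, so a laptop that has used a docking station and a USB adapter has several interface keys, and all of them need `NetbiosOptions` set to 2.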
It may seem trivial for the NSA to provide guidance in this field, and most security professionals have given up hope that we'll ever learn. But when the advice comes from a source like the NSA, people might actually start paying attention. So, while most of it will look familiar, hearing it for the umpteenth time might just persuade someone to follow it.
Stay safe, everyone!