New revelations of the cyber threat to government and business identify the risk of attack even when stopping for a cup of coffee. The solution is not to restrict the use of mobile computing devices but to enable access in a safe, controlled and informed manner.
Earlier this year a government department hosted a conference in a central London hotel on cyber-security. It is probably not surprising, therefore, that this event, which was attended by government ministers, senior government security officials and a range of cyber security experts, vendors, media and other professionals, came under cyber attack itself. The attack was perpetrated through the use of the hotel's free-to-use WiFi internet access and involved the use of a technique known as ARP poisoning to intercept and, in some cases modify, communications over that network. The event's organisers have investigated this attack and have advised delegates who used the WiFi network that their log in details, and consequently their communications, may have been compromised by the incident.
This attack was made possible because, in common with many such access points, this network provided open access without any security. Many other such networks are not secured or use only very limited security, with ease of access having greater priority than security of access. A similar risk arises from the easy availability of mobile wireless routers. For very little cost a 'hacker' can set up a free WiFi hotspot and mount a 'man-in-the-middle' attack to obtain valid user names and passwords, which can then be used to gain access into corporate computer systems. As a result, the value of valid credentials to a cyber criminal is eight times greater than current credit card details. Such attacks can even be used to defeat the security around SSL and SSH encrypted traffic.
This might have seemed unlikely only a year ago until you consider the exponential growth in the use of mobile computing through a variety of tablet devices and smart phones. These devices are programmed to find the strongest signal and the greatest bandwidth for the transmission of data, and will switch automatically to WiFi where this is available. With the free and open availability of hacking tools on the internet, complete with guarantees and video guidance published on YouTube, it is a very simple task for a 'hacker' to obtain these details by masquerading as a hotspot for the local high street coffee shop or other retail outlet to intercept traffic.
Gaining unauthorised access to a mobile or static computing device is a criminal act under the Computer Misuse Act 1990. But 'shutting the stable door' does not resolve the consequences of industrial espionage or repair the reputational harm done by such activities. The key to this problem for users, then, is to raise awareness of the inherent risks of using an unsecured network. Event organisers and venues could also help by providing information about the security settings of their network and could even provide access to secured networks to protect customers against the more common forms of wireless attack. Some already do this.
Mobile communications are a pervasive and necessary part of every day life and the convergence of technology means that domestic and business communications are becoming increasingly inseparable. It is quite clear that anyone who had taken reasonable precautions to secure their own communications at the conference (ie by using properly implemented security protocols) would not have been vulnerable. The solution, therefore, is not to restrict the use of such devices but to enable their use in a safe, controlled and informed manner. In the meantime, users should avoid accessing unsecured WiFi networks or at least change the settings on their device to ask permission first.
DLA Piper has a dedicated team of cyber security experts who have assisted clients across a broad range of sectors address cyber security and information assurance questions. For more information please contact Stewart James or Patrick van Eecke.