Wi-Fi has serious security issues. As my colleague Carl Weinschenk wrote last year in a blog post discussing the vulnerability problems of Wi-Fi, particularly in the age of BYOD and working from anywhere, “… the world outside the firewall simply isn’t as secure as the world within.”
If we needed a reminder about the insecure world outside of the firewall, we got it last week with the news of a vulnerability discovered in hotel Wi-Fi. The flaw was discovered in ANTLabs InnGate devices, which provide in-room access for hotel guests, as well as the type of temporary Wi-Fi connections used in other public places such as convention centers. As explained by Wired:
The vulnerability, which was discovered by the security firm Cylance, gives attackers direct access to the root file system of the ANTlabs devices and would allow them to copy configuration and other files from the devices’ file system or, more significantly, write any other file to them, including ones that could be used to infect the computers of Wi-Fi users.
The researchers with Cylance compared it to last year’s discovery of DarkHotel, with one major difference. Where DarkHotel was a sophisticated attack, this recently discovered flaw, known for now as CVE-2015-0932, is simple but potentially devastating. Not only are the guest users at risk, but so is the organization’s computing system.
The vulnerability was found in 277 devices in 29 countries, and this includes some of the most popular hotel chains used for business and pleasure travel. On the plus side, a patch has already been released to fix the vulnerability, but of course, the average guest will have no idea if the patch was applied.
No one should assume that the Wi-Fi they are using is secure, including (perhaps especially) in hotels. Instead, IT departments should support and encourage business travelers to use VPN connections and to turn off auto-Wi-Fi on devices. Also, anyone planning to use public Wi-Fi should remember to make sure all patches and upgrades are installed, that AV protections are up-to-date, and to use multi-factor authentication to log into any applications whenever possible (and don’t forget to log off when you are done with a session). Yes, this advice is pretty standard but it is surprising how many people still don’t follow the most basic security functions – or worse, think that because they need a passcode for their hotel Wi-Fi connection, it is secure. With this latest vulnerability story, we know that’s not true.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba