Mobius delivered on a project to highlight the potential risks of accessing “free” wireless access points and how this can lead to a targeted attack against the user and even the company they work for. The project included the delivery of a proof of concept rogue wireless access point that was deployed at a client conference. The access point allowed free internet access for any client device connected to it. While being enjoyed and used by the participants of the conference, the network traffic was captured and analysed in real-time.
Upon revealing this captured data to the corporate conference clients, the message of the dangers in connecting to “free” wireless access points were highlighted. This concept brings greater awareness as to how the individual user can be targeted as part of the attack chain that leads to an eventual corporate breach. Connecting to a rogue access point not only allowed for capture and manipulation of the user’s traffic, but also the opportunity to attack the device connected to the network from a hacking perspective. A breach of the device could lead to further discovery and capture of sensitive corporate data and configuration details that could aid an attacker in further targeted attacks. This could include sensitive corporate network configuration settings as well as internal documentation and settings relating to the organisation.
A further topic relating to awareness relates to password re-use. Should a password for a seemingly innocuous service that is not designated as sensitive be captured via the rogue access point, the results could in fact be devastating to the organisation. This would be the case if the user in question participated in the fairly common practice of password re-use. This captured password could then be attempted across an array of corporate infrastructure. Should the password be one that is reused, a breach could occur from credentials captured for an entirely unrelated service being utilised on an untrusted network.
The project not only delivered value by creating awareness around the dangers of connecting to insecure and unknown wireless networks but also that of general awareness of how seemingly unrelated services and actions online can in fact put the organisation at risk. The value delivered to the client incorporated a technical description of how wireless access points as well as intrinsic value to all the conference attendees that all actions require a security consideration, even ones that are outside the corporate realm and appear to offer no immediate threat. It’s this improved conscious awareness with regard to security and internet usage habits that forms the basis of the value gained by the client for utilising services, inclusive of our curated list of technical yet understandable steps that allows for all internet users to significantly increase their security posture without the need for deep technical knowledge.