We’ve been hearing for years that users need to take precautions when using public WiFi services in coffee shops, airports and the like, because it’s all too easy for intruders to sniff the wireless signals and steal credentials. And guess what, it is ridiculously easy.
Yet I wonder if we’ve become somewhat immune to the dangers, and lackadaisical about following good security practices. I hope not, because as we move to an increasingly IP world, the dangers are only becoming more prevalent.
As unified communications applications increasingly target mobile users, and pundits predict they will, companies will have to pay attention to how they’re securing all those mobile and remote users.
Yes, It Is Quite Easy to Steal Data from WiFi Connections
To get a sense for just how easy, or difficult, it is to intercept data carried over WiFi networks, I did a quick search on “intercepting WiFi traffic.” As expected, it quickly turned up any number of articles detailing how simple the practice is.
I clicked on one that had a headline that looked promising for my purposes, a blog post titled, “Stealing data over WiFi is easier than you think,” from Authentic8, which makes a secure web browser.
It goes through the three main ways that intruders steal data:
- Sniffing: This entails little more than using a browser plug-in or readily available apps that can turn even a cell phone into a sniffer. Or, “a more powerful dedicated sniffing device can be purchased at a low cost at almost any electronics store,” the post says.
- Rogue access point: These are used to set up “man-in-the-middle” attacks where the intruder sets up a fake access point (AP) with a name that sounds real. The fake AP is also connected to the real one, but all traffic passes through the rogue AP first, enabling the intruder to capture every packet.
- Evil twin attacks: Such attacks take advantage of the fact that devices generally remember networks to which they’ve connected in the past. The bad guys publish the name of such a network “and trick the victim’s machine into connecting to the evil twin, while appearing to be connected to the legitimate hub instead,” the Authentic8 post says. Then, as with the man-in-the-middle attack, the intruder can capture traffic as it flows through the fake AP.
The scary thing is that none of these attacks are particularly difficult to pull off. The post goes on to describe the process in some detail, making note of a device called the WiFi Pineapple and a program called Karma that, together, make the job pretty straightforward.
“The whole process was simple. The total cost was less that $100 and within an hour we were up and running, ‘stealing’ data,” the post says.
How to Secure Remote Workers and Agents
You can warn users ad nauseum about the dangers of such attacks – and you should – but it’s better to take steps to protect them from themselves without even having to think about it.
With respect to real-time UC traffic, the key to that will be encrypting the traffic as it flows to and from remote users. You’ve got a couple of options for how to do that, says Mykola Konrad, VP of Go To Market and Strategic Alliances for Sonus Networks.
Some IP PBXs, such as Microsoft Lync, will encrypt phone calls, but others don’t. If you’ve got an employee working from home, maybe an in-home call center agent, perhaps there’s no big deal if that agent lives in a quiet suburb where it’s pretty unlikely that an intruder will be sitting in the driveway with a sniffer. But what if the agent lives in an apartment building or condo complex? That could be a different story entirely.
And if the user is a salesman or company executive taking a break at Starbucks when he gets a call, that’s a legitimate concern, given there’s no telling what kind of sensitive issues may be discussed.
To protect these kinds of IP-based voice and video conversations requires a session border controller, which will encrypt each call, every packet coming in or out, Konrad says. Just as a VPN protects users as they access sensitive data and applications, an SBC does the same for real-time voice, video and presence data.
Solving NAT Traversal Issues for Remote Workers
As a side benefit, the SBC will also enable remote workers to deal with network address translation (NAT) devices that help companies stretch their IP addresses to more users. That’s important because any SIP application needs to know the IP addresses of users on each side of every conversation, the very addresses that NAT devices are intended to hide.
“Our SBCs come with servers built in to get through NAT issues,” Konrad says. Combined with the encryption capabilities, the SBC enables remote workers to go about their business “without doing anything special,” he says.
Intruders know how easy it is to tap into wireless connections. Using an SBC will ensure intruders don’t get anything valuable from your employees, while employees will be blissfully unaware the SBC is even there.