How Wireless Telecom Companies Are Engineering Us Into Bad Infosec Practices
One trait that is fairly commonplace in the global consumer market is that we all like to pay less for services. With the ubiquity of wireless devices in our personal and professional lives, consumers are constantly striving to find a better deal. Does AT&T offer more data than Verizon Wireless at lower cost? Should you upgrade your device that you've had for several years and risk giving up your unlimited data plan, which would no longer be offered under a new service contract? How can you mitigate the cost and avoid those nagging text messages that you're about to go over your monthly allotment of data? With mobile apps not only taking up more physical space on your mobile device, but constantly requiring usage of your data plan along with all your text & picture messages and web browsing, it seems like consumers are always seeking that proverbial "oasis in the desert" - the free WiFi hotspot. But is this social engineering of our behavior with regard to data usage forcing us to make bad decisions with regard to our own information security?
Next time you go into your local coffee shop that offers free WiFi, take a look around. You'll see people camped-out on their laptops and surfing on their mobile devices as if they were at home. Why do they do this? Because it's free, high-speed and open to the public. You can even drive by the same coffee shop at 3 AM and find your local police patrolman using the same open-access wifi to file his reports and access the internet on his mobile data terminal. This service not only increases traffic for these businesses, but provides a free and open outlet for us all to access the internet to do any number of things. But consumers should choose to do so very, very carefully.
Several years ago most large telecom companies started migrating away from unlimited data plans for individual consumers. To be honest, I'm not really sure why they did this, but experience tells me it has to do with making more money, not the purported increased cost to the wireless providers. Whether a customer uses 2GB or 10GB of data in a month doesn't really cost the provider anything additional. Nonetheless, this started with one wireless provider and quickly spread throughout the entire industry. While it's true that corporate accounts can still choose unlimited data plans, corporate devices are often now on lock-down with monitoring and security measures firmly in place. This necessitates not only buying a second device for personal use, but also being restricted in your data usage by limits on your personal account. Now, when you're away from home and want to do your personal banking, you stop off at the local coffee shop or connect to the public wireless at the restaurant you happen to be eating lunch at and take care of business. We do this to save on our monthly data allotment. It's free, it's convenient and it's a really bad idea.
The Dangers of Using Open WiFi
I'm not a hacker, but I know that it doesn't take much for a hacker to hack into my laptop and/or mobile device if we're both connected to the same network and I’m choosing not to employ any type of security measures. Now, these likely wouldn't be your OPM or Ashley Madison level of hackers, but they can still do damage on a micro-level. Most people don't give it a second thought when connecting to open wireless because most people aren't that aware of, nor do they have much concern for other people around them. Add into the mix the challenges of connecting when traveling overseas (without paying the telecom company more money) and now you're connecting wherever you can... and leaving yourself wide open to a micro-hack attack. Whenever you connect to a public wifi network without any system security in place, just know that you're leaving yourself wide open to this type of attack. In fact, the level of sophistication needed to facilitate this type of attack is much lower than any of the large attacks we hear about in the media.
So what should you do? Unfortunately, all of the major wireless telecom companies have made the type of internet usage you may be used to at home virtually unavailable through your wireless provider unless you’re willing to pay per-GB overage fees on your monthly bill. If you want to stream movies, play graphics-intensive games and download music, the level(s) of data afforded to you by any wireless telecom plan available to most consumers will be eaten up within your 30-day account cycle (and then some). But you won't lose your identity or have your bank account information stolen from playing games or watching movies. While it's true that streaming video will eat up your data, there's not a lot sent over the network in terms of sensitive information (unless you're purchasing games).
When it comes to the sensitive personal information you throw out across the internet, make sure you're on a private network. Using your allotted data plan from your mobile device is considered a private network, as is "tethering" or using your wireless devices as a mobile wireless hotspot. These options will eat up your data allotment, but they likely won't open you up to a hacker exploit. Is there a way to do it? Sure. But the likelihood of a micro-hack attack is far less when using your own data plan than it is when using an open wireless network.
Users also have the option of setting up their own virtual private network (VPN) when accessing the network over an open wireless connection, but this does require some measure of technical aptitude and setup time.
The bottom line is that reasonable security costs money and/or takes effort on the part of the consumer. Employing security is also inconvenient, whether it’s on your computer or going through the gate at the airport. Consumers either make the decision to employ a VPN when using public wifi to send and receive sensitive information or accept that they'll probably pay more on their monthly wireless bill to ensure security. The alternative is to accept that you'll be leaving yourself open to a security vulnerability every time you connect to public or open wireless. In the end, an educated consumer is the best front-line defense against these types of micro-hacks.
Patrick J. Siewert, SCERS, BCERT, LCE
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history. A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.