Wi-Fi: a weak link in the home working comms chain

When the COVID-19 pandemic hit earlier this year, businesses struggled to transition large numbers of staff to remote working.

Eighty five per cent of chief information officers responding to the global 2020 Harvey Nash/KPMG CIO Survey said they had moved their workforce to remote working, and 53% said they expected more than half their staff to remain working predominantly from home.

The move to home working has imposed many security challenges, such as enabling secure external access to corporate data applications at scale and securing access from uncontrolled employee devices in uncontrolled environments.

One of the weakest security links in a home working situation is an employee’s Wi-Fi network. These networks can be accessible from beyond the bounds of their owners’ homes and are vulnerable to compromise, despite the use of passwords and encryption.

The bad news is that the encryption technology used in almost every Wi-Fi device in the world, WPA2 (Wireless Protected Access v2), has a fundamental flaw that a skilled hacker can easily exploit using free software and a cheap wireless adaptor for a laptop computer.

A new protocol WPA3 has been developed, but it will be many years before its use becomes widespread, and it too has been found to be flawed.

The best way for employees to guard themselves from an attack on their Wi-Fi network is to use a virtual private network (VPN). A VPN ensures all the traffic going through a Wi-Fi router is encrypted.

A simple rule: make passwords complex

Another crucial defence against hackers is using a long and complicated password — one that is at least 14 characters, with upper and lower case letters, numerals and symbols. And no password should ever be used for more than one device or service.

Hackers can easily obtain free software that enables them to try millions of passwords which have been exposed through cyber attacks across the world, in order to find one that works. If the password to an employee’s Wi-Fi network is commonly used and easy to guess, it’s likely a hacker could breach their network in a matter of minutes.

Even if an employee has a strong password, other tools can be used to trick them into revealing it. Attackers can use free software that disconnects users from their Wi-Fi network and creates a fake login page for their router, which asks them for their Wi-Fi password to re-establish connection.

From there, hackers can listen in to the Wi-Fi network and capture the data exchanged when a device logs on.

Beware of open Wi-Fi networks

Having an employee’s home network compromised is one risk. If they are using free Wi-Fi in a coffee shop or public place, there are other risks involved. Many such networks are open access — they require no password. If an employee sets up their phone or computer to remember one of these public networks, it will automatically join any other non-password-protected network with an identical name.

A hacker can set up such a network, and then use it to gain access to an employee’s computer and see their internet traffic. An easy way to prevent this from happening is to make sure employee devices do not remember any Wi-Fi networks that are not password protected.

It is also possible for an attacker to gain direct access to the router function of an employee’s Wi-Fi access point, which manages connection to the internet. It has its own password.

Some manufacturers ship products with a default username and password set up, for example ‘admin’. This makes it possible for a hacker to access, and gain control, of the router over the internet, if that router has remote access enabled. So all employees should be required to turn that off.

There’s safety in separation

Wi-Fi connected smart home devices — security cameras, lighting, heating controls etc — are increasing popular. Many of these are notorious for poor security, made worse by people not changing default passwords. If one of these devices is compromised, it can potentially give the attacker access to any other device on an employee’s home Wi-Fi network.

Many Wi-Fi access points enable the creation of multiple Wi-Fi networks. If so, employees should put all of their smart home devices on a separate network from the one they use for their work computer. Then, if one of those devices is compromised, the hacker can’t use it to get access to the main Wi-Fi network.

Restrict access

Even if employees take all these precautions, sooner or later, they are likely to fall victim to a successful attack. But there is one key thing that companies can and should do to limit the damage — ensure every user only has access to the files required to do their job. In particular, a company should identify its ‘crown jewels’ — its most important and sensitive data — and strictly limit access to only those employees who need it.

It is surprising how many companies don’t take this basic and essential step.

A 2019 study by Varonis found 53% of companies had more than 100,000 sensitive files open to every employee. Further, on average, every employee had access to more than 17 million files overall.

The good news is, companies can complete free data risk assessments to help them easily identify the risk or exposure they face with their data.

Adam Gordon is Country Manager ANZ at Varonis.

Image credit: ©stock.adobe.com/au/sdecoret