How secure are New York City's new Wi-Fi hubs?
The first of New York City's public Wi-Fi hubs went live yesterday, offering free gigabit-fed Wi-Fi to anyone within 150 feet of the stations on Third Avenue. These are the first of 7,500 such hubs, each equipped with USB charging ports and custom-built tablets for web browsing, spread throughout the five boroughs. As part of the LinkNYC project, these hubs will create the largest public municipal Wi-Fi system in the world once they're completely installed.
A public Wi-Fi network this big also brings a new set of security risks. If anyone were able to plant malware on the network, it would be catastrophic, potentially spreading the infection to any device connected to it. The tablets could track everything users type through a keylogger or other malware. An attacker could even watch all the data being transmitted on the public network to steal logins and credit card credentials. These are worst case scenarios, only possible if the hubs’ security fails dramatically, but the risks are real and they raise an important question: how secure will New York’s public Wi-Fi hubs be?
From afar, the stations seem like an easy target. An attacker could direct the tablets to a malware-laden website, and the nature of public Wi-Fi means the hubs are constantly exposed to untrusted devices. "The first thing that pops into my head when I see public Wi-Fi is if I can access it publicly as a regular user, then hackers can get into it," Joseph Pizzo, an information security professional, told
The Verge.
The good news is that CityBridge, the group that designed the hubs, has built in a number of protections to keep that from happening. Colin O’Donnell, CTO for CityBridge, says they will have a series of filters and proxies to block anyone who tries to download malware during a browsing session. The city also employs a team dedicated to monitoring traffic, and if that team sees a user receiving data from a command-and-control server, it will end the session immediately. Even if a bad piece of software made it on to a LinkNYC tablet, it wouldn’t be able to stay there long. The devices go through a hard reset after even 15 seconds of inactivity, which wipes everything that isn’t installed by the company.
One of the biggest concerns is common to all public Wi-Fi efforts — sniffing attacks. These attacks involve an attacker sitting on the network and watching data being transmitted. If a user is on a non-encrypted webpage and types in a username and password, an attacker could see that information in plain text. While banking, email, and social networking websites typically encrypt data in-transit, the majority of the web is unencrypted, leaving information exposed.
Public Wi-Fi users browsing on SSL-protected pages are safe from these attacks, as well as users connected through LinkNYC's private network. The private network is only currently available for Apple devices running iOS 7 and above, but offers a more secure connection. It's still free to the public, but to access it, users will need to accept the network's key — a minimally more arduous task that's well worth it. While the public network is available to all devices, its accessibility leaves it exposed to a number of attacks.
The private connection not only protects against sniffing, but also another unfortunate Wi-Fi concern: "spoofing" attacks. During this type of attack, a person renames his or her personal Wi-Fi network to the same name as New York City’s in order to dupe people into connecting to their phony network. If people who previously connected to the city’s public Wi-Fi keep their device’s Wi-Fi active, it will automatically connect to any wireless network under the same name. Devices don’t differentiate between wireless names by default and can end up connecting to a network that’s both insecure and purposely created to deceive. If that were to happen, an attacker would see everything a connected user does over the malicious network, including the data they send.
"[Spoofing] is simple to do, and as we move to Wi-Fi wherever people happen to be, it's a huge threat to consumers who don't know if they can trust the network," according to Shane Buckley, CEO of Wi-Fi company Xirrus. Ultimately, there’s not much LinkNYC can do to prevent this type of attack, and the group readily acknowledges that. Spoofing really can only be thwarted if a user turns off their wireless when they’re not looking to connect. LinkNYC, however, is attempting to counter this threat with the offering of a private version of its Wi-Fi network.
The new hubs’ USB ports present their own security challenges, as they are notoriously difficult
to defend against infection. The USB ports in LinkNYC hubs are meant to charge devices, and they’re set up to be incapable of transmitting data. Still, the ports could be at risk from skimmers — devices installed over the top of legitimate ports to suck up a connected device's data. Skimmers are most often installed
on ATM machines to steal debit card information, but attackers might try to install a modified version over LinkNYC’s USB ports to infect any devices plugged into them. To protect against physical tampering, the LinkNYC hubs are equipped with more than 30 sensors that can detect even the slightest of vibrations. The sensors can even pick up on vandalism, like someone stuffing gum into the port.
CityBridge also plans to check each hub in-person twice a week to clean and check for vandalism, but the sensors will be the hubs’ main protection between visits. However, even if the sensors work to detect tampering, Pizzo points out that too many of them could trigger false positives that might overwhelm the network monitors. "Thirty sensors tells me [there will be] 30 times the number of alerts that go off each time a truck passes," he said. "This is New York City, every time a truck passes, the street rumbles [and so do the hubs]."
For users, the best advice is to approach the hubs the same way you’d approach any public Wi-Fi point: carefully. Use the private network if possible, turn off Wi-Fi unless you're using it, turn off file sharing, pay attention to SSL and ensure visited sites are using it, consider deploying a VPN, and if things feel strange or look strange, try a different hub. And as a rule, don't access online banking or other sensitive accounts on a public tablet or open Wi-Fi. LinkNYC is taking security seriously, but safe browsing and use of the hubs requires thoughtful users, too. New York’s new mode of internet access will come with new threats. "I understand what the goal is [of the booths] — free access for people — and it's incredibly noble and powerful," Pizzo said. "But people need to be aware of the risks."
http://www.theverge.com/2016/1/20/10773014/linknyc-public-wifi-access-security-citybridge
