Cyber thoughts from the train

Sat on the train going on my way back from London and I noticed my Samsung Galaxy phone was displaying a message telling me that it had detected a Samsung Gear device near me and wanted to connect.    The connection it was trying to establish was via Bluetooth which was enabled to allow my phone to connect to my cars audio system.   I hadn’t even thought to disable it.

As I look around the train I can see various people making use of mobile devices including laptops as we speed through the countryside.    The train is equipped with Wi-Fi thereby allowing everyone to remain connected even as they travel.

Two things worry me about the above.  The first worry is that of stray connections such as the one my phone tried to make with another passengers Samsung Gear.    As the various people on the train sit watching their video on their device, listening to music or working away their mobile devices are constantly seeking to make connections.    To connect to Wi-Fi for internet access, to connect via Bluetooth to external speakers, wireless headphones or in car audio devices.    As we use more and more technology our devices become more and more interconnected.    In doing so though we expose ourselves to an increasing risk of inappropriate connections being made either due to device error or due to human error, such as if I had accepted the connection which my phone was trying to make without reading the actual message.    These inappropriate connections may then give rise to unauthorised access and download of our data or to malicious acts being committed via our devices.

The other thing that worries me is the free Wi-Fi.    Now I suspect most people assume that the trains Wi-Fi is sufficiently secure although I cannot be sure of this.   The issue is the ease with which a passenger on the train could bring their own Access Point and set up a dummy Wi-Fi network, pretending to be the train providers network, for other passengers to connect to.   By doing so the owner of the dummy AP could gather data from those on the train who connect to the dummy AP.   This just seems all too easy.

The third thing that worries me is general awareness and consideration of security.    I doubt many people other than myself was giving cyber security of the many devices in use in the train carriage I sat in much in the way of consideration.    I would love to be able to survey people on a train or in another public space where free Wi-Fi is available in order to prove or disprove this assertion.   My belief, until I have any evidence to the contrary, is that we are a little too accepting.

Events such as the recent National Health Service ransomware attack highlights the issue of cyber security however the impact is not limited to big incidents occurring to big organisations like the NHS.   It affects each and every one of us, every day, even when sat on a train.    Also we cannot afford to be outraged and concerned only when a large breach like the WannaCry virus occurs, before almost instantly returning back to normal and forgetting all about security and the potential risks and implications.

We need a societal shift in terms of our perception of cyber security.

Free (or not!) Wi-Fi

lockWhen out and about we consider Wi-Fi to be an essential and as a result of this businesses are seeking to meet the need.    Cafes, hotels, shops and shopping centres, as well as conference venues to name but a few are now generally providing free Wi-Fi.       It’s not a difficult process for them; pay a service provider and buy a few wireless access points and you are up and running, and the general public will connect and use without a thought.

And herein lies the issue as I became aware during a recent visit to a hotel.    During the visit I was provided with a Wi-Fi key in my hotel room so I could access the free Wi-Fi however for some reason something did not quite feel right.   After a few minutes of basic checking I found that the routers management console was accessible via the Wi-Fi connection as opposed to requiring a wired connection.   A rather basic security precaution had not been taken in disabling Wi-Fi access to the console however the worst part was yet to come.    It turned out that the default username and password for the router was still enabled and as such anyone could gain access and reconfigure the router and Wi-Fi network to meet their needs.  For me this represents a grave and serious lapse in the security setup.     Although it had been easy for the hotel to set up its free Wi-Fi provision, they had failed to set it up securely, in a way which I would have considered to have been “properly” set up.

The above highlights the risks associated with free Wi-Fi.    Someone could easily setup a man in the middle attack using the lax security of this Wi-Fi network.   People would then access and use the Wi-Fi unaware of the fact that a threat actor was gathering or monitoring their data.     Truly nothing is free in this world, and in this case the free Wi-Fi may be free of cost but it certainly isn’t free of risk.     And in this risk there may be a future financial cost in fraud or identify theft based on the data harvested.

I do not think this one hotel is unique in its poor Wi-Fi network security.   I suspect that among the many establishments offering free Wi-Fi there will be many where the security is equally poor and that this will be especially common among smaller organisations where an IT department is likely to either be limited or not to exist.

As end users it is our responsibility to look after our own data security when out and about.   We cannot assume that others such as the providers of free Wi-Fi are doing this for us, especially where there is no is financial contribution paid to them towards the costs associated with doing so.    And for those providing free Wi-Fi I would ask that they engage a suitable professional in order to ensure their setup is at least provided with the basic security precautions.   If you aren’t willing to do this then you shouldn’t provide the service!

I also think there is an educational aspect to all this;  Are we adequately discussing the risks and required precautions with the students in our schools.   I would suggest we need to do so with some urgency.