Combating ‘The Hack Attacks’: Why Public Wi-Fi Isn’t Secure Enough

People often search for Wi-Fi whenever they’re outwith the comfort of their homes and offices, or when they’re travelling for any particular reason. The trouble is that public Wi-Fi is often insecure, and this could allow someone to hack into their laptops, their tablet computers and their smart phones without them knowing what’s going on until it’s too late, writes Michael Wakley.

All of this can be done from just a few yards away, or even from miles away – enabling hackers to take control of computers as well as steal passwords and sensitive data that may eventually lead to financial or reputational loss for the unsuspecting victims.

Wi-Fi isn’t sufficiently secure for a number of applications, including water leak detection. A report published by Positive Technologies claims that, in 92% of cases, its researchers were able to externally penetrate 92% of companies’ internal networks in penetration tests conducted last year. The researchers also found that, at 87% of its tested clients: “Wi-Fi networks were accessible from outside of the client premises, such as from a nearby cafe, car park or public waiting area.” The culprit was often weak Wi-Fi security, which on 63% of systems enabled access to resources on the given company’s local network.

Positive Technologies finds that many firms are either failing to encrypt their Wi-Fi traffic or neglecting to implement Wi-Fi authentication. They’re using weak protocols such as WPA2/PSK or WPA/EAP. Even firewalls, which are used to protect web applications, strong Wi-Fi authentication, strong and unique passwords or employees trained to recognise phishing attacks are not enough. Unpatched systems can often leave at least one door open to the cyber attackers.

Many water leak detection devices use Wi-Fi as their means of connectivity to the Internet, and so the threat of being hacked is a real concern for users such as commercial building owners, insurers, property managers and facilities managers.

IoT threatened

In the age of the Internet of Things (IoT), devices such as water leak detection systems are not immune from hacking. Tom Jowitt, writing for Silicon UK in March this year, found ‘IoT Devices Under Constant Attack’.  He cites research by Cyxtera and the Singapore University of Technology and Design, which discovers that there a number of sustained cyber attacks on IoT devices coming mostly from China. IoT devices, including water leak detection systems, must therefore be secured.

“They detected more than 150 million connection attempts to 4,642 distinct IP addresses of IoT devices, and it seems that most of the attacks are stemming from China,” said Jowitt. The paper, entitled ‘Detection of Threats to IoT Devices Using Scalable VPN-Forwarded Honeypots’ states that attacks on ‘honeypotted’ IoT devices have intensified over the last few years. This is because they’re open to be discovered and exploited on the Internet, thereby revealing unknown vulnerabilities.

Jowitt added: “Over a couple of years, researchers detected more than 150 million connection attempts to 4,642 distinct IP addresses…And the researchers said that all of their honeypot IoT devices saw attempted logins immediately upon coming online, and the number of login attempts increased steadily over time…to make matters worse, within days of new malware campaigns going public, those malware families were used to attack IoT devices from the honeypot.”

Technopedia describes a honeypot as: “…a decoy computer system for trapping hackers or tracking unconventional or new hacking methods. Honeypots are designed to purposely engage and deceive hackers and identify malicious activities performed over the Internet. Multiple honeypots can be set on a network to form a honeynet.”

Wi-Fi signals

It’s also worth remembering another weakness of Wi-Fi: if it goes down, so can IoT devices such as water leak detection. Therefore, it’s important to consider the alternatives to public Wi-Fi, or even to some private Wi-Fi offerings. For example, Vodafone’s White Paper ‘Narrowband-IoT: Pushing the Boundaries of IoT’ claims: “Security is important in any IoT deployment. Narrow band Internet of Things (NB-IoT) inherits LTE’s strong security features, making it the safest choice.”

The company, which is working with water leak detection service providers, adds: “Securing ultra-simple devices is challenging. The limited bandwidth and processing power make even foundational security practices like authentication and encryption non-trivial. Proprietary LPWA technologies don’t do enough. While LoRa encrypts its traffic, Sigfox doesn’t. Both are vulnerable to jamming. NB-IoT inherits LTE’s authentication and encryption. NB-IoT mutually authenticates the network and the device and it encrypts traffic between the device and deep within the core network.”

By using LTE, which is a 4G mobile communications standard for connectivity, water leak detection devices will remain live, whether or not any Wi-Fi is working. This means that a greater level of uptime can be achieved. Subsequently, this reduces the risk of a leak going undetected.

With a Wi-Fi-based water leak detection system that’s gone down, and as Wi-Fi often has to be switched on and off to restore a connection, or if it needs more serious work to have it back up and running, there’s always the risk that a burst pipe could go undetected. This could cause a significant amount of damage.

Limitations of buildings

Not all Wi-Fi systems will work well with certain buildings, too. Some buildings are built in such a way that the signals can’t pass through. Security is but one of the concerns – even for applications such as water leak detection.

We recently completed a trial with a large American insurance group. The trial involved installing 20 water leak detection systems linked to Wi-Fi. It took us two hours to install the systems, and Wi-Fi specialists two days to configure the Wi-Fi in a high net worth house. We all know in our own properties that our Wi-Fi system has dead spots. All you can do is put boosters in around the property, but you cannot resolve dead spots.

In contrast, using alternative technologies like NB-IoT devices can gain deep in-building penetration. The aim is to deliver a good customer experience from a good piece of kit, otherwise you’re in danger of losing your customer.

While many companies and even some insurance firms are offering water leak detection solutions that run on Wi-Fi, his firm has opted to use NB-IoT and low-power Wide Area Networks (LPWANs) to optimise security, and data accessibility from the perspective of being able to monitor any water leaks within a building – whether that be an office or a private home.

We use a standalone network because Wi-Fi is insufficiently secure and, if your Wi-Fi goes down, your leak detection also goes down. NB-IoT has nothing to do with your Wi-fi network at home. With leak detection, it’s important to have an independent system that doesn’t rely on a Wi-Fi connected home.”

Insurance companies are understandably concerned about protecting data. With public, unprotected Wi-Fi, hackers can launch an attack and gain access through the back door. It’s crucial to ensure that your Wi-Fi’s protected. Hackers love gaining access to unsecured PCs, laptops and device cameras. The prospect of this is quite scary because once they’ve hacked into your Wi-Fi network, they can access everything on it and potentially gain access to any cameras in the building.

We’re using LPWAN and NB-IoT networks to ensure that water leak detection systems are easily secured and accessible from any device.

Network security tips

As the reliability of water leak detection has insurance implications, the first tip is to install either LPWAN or NB-IoT solutions that enable leaking water to be monitored and turned off remotely. Avoid public or even private Wi-Fi because of its security and in-building coverage shortcomings.

Michael Wakley

Michael Wakley

As a third tip, it’s important to explore low-powered WANs as a more secure way of transmitting water leak detection data. It may also be wise to consider whether an individual sitting in a cafe and using a non-secure public Wi-Fi to control their leak detection system is covered from an insurance policy perspective. They could leave their organisation’s data exposed to attack. It’s important to ensure that all bases are covered.

The fourth tip is about making sure that insurance companies support any installed leak detection solutions – particularly so to consider whether they offer any cost-savings. Having leak detection systems installed in a property or development will reduce the insurance risk, and this may translate as lower premiums or excess.

Ultimately, with regards to Wi-Fi it’s important to realise that firewalls are not always able to protect data from a hacker’s attack. Organisations therefore need to consider how to protect their applications, data and networks whenever they’re in the field – even if this is for monitoring and preventing water or gas leaks remotely.

Without stringent security, even a hacked Wi-Fi-based water leak detection solution could lead to data protection failures. It could even lead to a calamity such as water being turned on to flood a property rather than being turned off to protect it. Wi-Fi simply isn’t secure enough for water leak detection and remote risk monitoring when considered in comparison to NB-IoT or LP-WAN based systems.

Michael Wakley is CEO of LeakSafe

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts