US agency now warns that attackers are targeting teleworkers to steal corporate data.
The US National Security Agency (NSA) is offering advice to security teams looking for wireless best practices to protect corporate networks and personal devices. The recommendations, while pedestrian in scope, do offer system administrators a solid cheat sheet to share with their work-from-home crowd and mobile workforces.
The NSA, in a public service announcement posted on Thursday (PDF), urged security teams to be mindful of the wireless threats employees face when using Wi-Fi networks. It also puts Bluetooth technology and Near Field Communications (NFC) on its list of worrying protocols.
Vulnerable to Theft
Café-based workers have by now likely mastered the safe use of both public bathrooms and Wi-Fi hotspots. For those who haven't, the NSA advises: "Data sent over public Wi-Fi, especially open public Wi-Fi that does not require a password to access, is vulnerable to theft or manipulation."
The advice also includes warnings about fake access points, so-called "evil twin" access points, that can hoover up user credentials and skim other personal data passing through them.
NSA Warns of Bluetooth
The agency describes Bluetooth as a useful protocol for private use, but one that can be a nasty security liability in public settings. The NSA advises turning off Bluetooth in public, so that a user is not exposed to a range of attacks such as BlueBorne or BlueBugging, both of which have been used to access and exfiltrate corporate data from targeted devices.
In May, security researcher Fabian Braunlein with Positive Security identified Apple's Send My Bluetooth exploit, which allowed data to be exfiltrated from a device to an attacker-controlled Apple iCloud server.
The NSA also commented on Near Field Communications (NFC), a useful tool for contactless payments. It warned that data transfer between devices using NFC can be a cyber-security minefield: with just a tap, data moves over a radio link from one device to another.
Andy Norton, a Cyber-Risk Officer with Armis, explained that security teams are "lagging behind" when it comes to securing NFC communications.
"Radio connected devices represent a huge risk blind spot for organisations," Norton said. "These are very much the 'soft underbelly' of information security controls. The majority of energy, focus, and money from a cyber resilience perspective is spent on preventing attacks coming through the internet connected attack surface. Very little is being done to assess the risk from near field radio connections."
He added that on just about every job his team finds a "rogue antenna device and shadow IT activity from antenna-enabled IoT devices."
In its security bulletin, the NSA suggests:
- Disable the NFC feature when not needed (if possible).
- Do not bring devices near other unknown electronic devices. (This can trigger automatic communication.)
- Do not use NFC to communicate passwords or sensitive data.
"Users should consider additional security measures, including limiting/disabling device location features, using strong device passwords, and only using trusted device accessories, such as original charging cords," stated the NSA.
Biggest Cyber-Security Challenge
The NSA's wireless warnings, while basic, still go unheeded by many. Sadly, this practical and basic advice still needs to be promoted, experts observed.
“My fear is that the don’ts are ingrained, existing behaviours that are not easy to change and at times unavoidable,” Setu Kulkarni with NTT Application Security explained. “For example, while it is easy to say, ‘Do not bring devices near other unknown electronic devices,’ is that practical?”
One Key Employee Rule
Kulkarni added that, in an ideal world, the one key employee cyber-security rule companies should have in place is keeping personal material off business devices. Enforcing compliance with it, however, gets much trickier.
“These tips are as relevant in 2021 as they were in 2015, but with the shift to more remote work, there are more people using public Wi-Fi,” stated Tim Erlin with Tripwire.
“While these tips are useful, it can be hard for the average user to understand how to implement them. There’s really a substantial amount of work here for the average user to comply with the recommended settings.”