Dec. 17, 2010 at 9:00 AM ET
Admit it, you've done it. Despite all the vague warnings you've heard about public Wi-Fi hotspots, you've paid an online bill while surfing at a coffee shop. Or you've purchased something and entered your credit card number into a Web page. When you do that, you know you are sending private information through the air via radio waves, and that someone else in the coffee shop with some clever tools could suck down those waves, decode them and steal your personal information.
Perhaps you've made a perfectly reasonable risk assessment that you trust the people sitting in your local coffee shop. And you know too well how limited the range of your Wi-Fi is. But what if you fired up your laptop, clicked to send your personal information into the air and had to trust everyone within a few miles?
That's the choice a fast-growing segment of consumers is making every day, as usage of mobile broadband services like MiFi explodes. Shrinking prices, the attraction of connecting a laptop to the Web from virtually anywhere and the introduction of new wireless gadgets like Apple's iPad mean the market for mobile broadband will continue to expand from around 6 million U.S. users in 2009 to about 30 million by 2014, according to International Data Corp.
All those users will have to trust that no one nearby will intercept their transmissions. And that has some security experts saying, "Not so fast."
An axiom in computer security holds that hackers go where the people are. As mobile broadband services become more mainstream, attacks will come fast and furious. While the encryption protecting long-range wireless connectivity has so far proven robust, there have been enough cracks around the edges that consumers should act with care when flinging their personal and corporate lives through the air.
Long ago, hackers with programs like Kismet and AirSnort discovered they could sniff and read data sent over coffee-shop style networks, even if wireless encryption like WEP (Wired Equivalent Privacy) was used. The risks, however, are mitigated by the short-range nature of the radio signals. But mobile broadband rides over cellular networks, meaning their transmissions can span up to 10 kilometers, or more than 6 miles. That dramatically increases the opportunity for attacks.
Divided over the risk
Experts on wireless security are divided over the seriousness of the hacker threat.
Patrick Donegan, a wireless equipment analyst for security firm Heavy Reading, said the encryption used in the 3G and 4G networks that provide the new generation high-speed mobile broadband transmission has yet to show a single crack.
"Mobile broadband is secure. Nobody has suggested that the 3G algorithms are vulnerable," Donegan said.
Still, a new report from Heavy Reading, called "Mobile Networks Face a Growing Security Crisis," warned that cellular firms must be ready for a coming wave of attacks from hackers.
"Mobile broadband is a train that has barely left the station. It will get bigger very quickly," Donegon said. "And hackers go where the market is. They look for scale."
Amit Klein, chief technology officer of security firm Trusteer, is considerably more worried about the current risk than Donegan. He said hackers have already demonstrated a Wi-Fi-like attack on the GSM mobile standard, which is used by many current mobile broadband providers.
"GSM is stronger than Wi-Fi, but conceptually it is now proven vulnerable," he said. "It's feasible to decrypt in real time GSM packets, thereby gaining wire-like wiretapping capabilities. ... It has been shown to be practical. Dedicated attackers can intercept and modify data, even an individual with a few thousand dollars to spare."
But Piero DePaoli, director of Symantec's Core Security Group, said he isn't worried at all about GSM eavesdropping. Plenty of contextual factors make successful attacks extremely unlikely, he said. Among them: Cell phone transmissions often move from tower to tower, which make things very difficult for a would-be attacker. In general, encryption attacks require a hacker to initially suck in a massive amount of data, then look for patterns in that data. Cell tower hopping is one of many reasons that attack wouldn't fare well in the real world, DePaoli said.
"It seems very far-fetched," he said. "I'm personally not worried about it."
That doesn't mean MiFi and related hotspot technologies are completely safe, however. As usual, hackers have already found faults by avoiding a direct attack on the encryption and looking for other weaknesses.
Earlier this year, hackers found a flaw in MiFi gadgets made by Novatel that allowed an attacker to connect with the device, turn on its GPS feature and trick it into disclosing its location. The vulnerability was quickly patched and the attack did not put transmitted data at risk, but it did show that software flaws at the endpoints of mobile broadband networks offer enticing targets to hackers.
DePaoli said he also is concerned about user error with mobile broadband gadgets. MiFi devices combine Wi-Fi and mobile broadband technologies, and where they connect, vulnerabilities can exist. Incorrectly configured MiFi devices -- some consumers might be tempted to turn off the included wireless encryption used between the laptop and the gadget – can allow easy access for hackers.
Also, the password for hopping onto most gadgets is printed on an attached sticker. Someone who obtained that password and then logged in would then be on the same physical network.
"They you have the same risk as using a coffee shop network," he said. So turning off MiFi encryption would be "a huge mistake."
On the more complex end of the spectrum, analysts have always worried about attacks that have dogged all wireless networks: "man-in-the-middle attacks" involving so-called "rogue access points." Criminals could set up a fake network access device and trick a mobile broadband user into connecting to it, rather than the legitimate network. The attacker could thensteal data, then pass along requests to the appropriate network, thereby evading detection.
Man in the middle attacks have been well-documented in the Wi-Fi world, because equipment required is inexpensive and the data easy to decode. While it's also possible in mobile broadband, DePaoli isn't very worried, because impersonating a cell phone tower is difficult and expensive -- and, as previously mentioned, intercepted data would be useless to attackers without encryption keys.
Donegan is more concerned about the massive transition that is going on with mobile infrastructure equipment, and the vulnerabilities that could be created. Telecom equipment is rapidly being changed from proprietary software to more off-the-shelf, Internet Protocol-based software, making Internet telephony traffic more common. That only makes life easier for hackers: few knew their way around old telecom networks, but IP-based networks are their playground. A simple flaw in a server, switch, or access point could mean big headaches for consumers and providers.
"There is evidence of nasty things happening out there," said Donegon. "As mobile firms are become true ISPs (Internet Service Providers), I'm telling operators that up until now security has been something of a tick box issue for their vendors, not high up on their priority list. You will see it creep up in their agendas now."
While use of mobile broadband hotspots to connect laptops, tablets and other gadgets is a new and emerging technology -- suggesting it's a new arena for hacker attack -- DePaoli points out that the very same technology has been used for years without incident by mobile telephones accessing the Internet. So far, the only practical risks for consumers with those gadgets have been theft of the actual device.
"The main risk there is that people don't do very much to secure those devices," he said.
RED TAPE WRESTLING TIPS
For now, there's not much consumers can do about threats to mobile broadband, other than a bit of heightened awareness. As with cell phones, the greatest practical risk at the moment comes from theft of service through theft of the device -- either a MiFi gadget or a dongle that connects to the laptop. Because data overages can be very costly, lost or stolen gadgets should be reported immediately.
Klein said consumers should be aware that they are sending their data through the air, and act accordingly. While cellular networks are inherently much safer than coffee shop networks -- I always switch from one to the other when I'm doing my online banking -- nothing is 100 percent safe. Even mobile broadband might not be suitable for transmission of very critical personal or corporate information.
Employees working remotely should tunnel in through a virtual private network to provide an added layer of security, Klein said. Trusteer, his company, also sells a browser security product named Rapport, which creates a temporary "tunnel" between Web users and critical Web sites like online banks, preventing eavesdropping and warning off other attacks. Traditional SSL encryption used by consumers when connecting to banks through web browsers will also add a layer of protection against sniffing, Klein said. That can be easily recognized through the presence of the letter "s" at the beginning of Web addresses, like this: https://bank.com