How secure are New York City’s new Wi-Fi hubs?

The first of New York City’s public Wi-Fi hubs went live yesterday, offering free gigabit-fed Wi-Fi to anyone within 150 feet of the stations on Third Avenue. These are the first of 7,500 such hubs, each equipped with USB charging ports and custom-built tablets for web browsing, spread throughout the five boroughs. As part of the LinkNYC project, these hubs will create the largest public municipal Wi-Fi system in the world once they’re completely installed.

A public Wi-Fi network this big also brings a new set of security risks. If anyone were able to plant malware on the network, it would be catastrophic, potentially spreading the infection to any device connected to it. The tablets could track everything users type through a keylogger or other malware. An attacker could even watch all the data being transmitted on the public network to steal logins and credit card credentials. These are worst-case scenarios, only possible if the hubs’ security fails dramatically, but the risks are real and they raise an important question: how secure will New York’s public Wi-Fi hubs be?

From afar, the stations seem like an easy target. An attacker could direct the tablets to a malware-laden website, and the nature of public Wi-Fi means the hubs are constantly exposed to untrusted devices. “The first thing that pops into my head when I see public Wi-Fi is if I can access it publicly as a regular user, then hackers can get into it,” Joseph Pizzo, an information security professional, told The Verge.

The good news is that CityBridge, the group that designed the hubs, has built in a number of protections to keep that from happening. Colin O’Donnell, CTO for CityBridge, says they will have a series of filters and proxies to block anyone who tries to download malware during a browsing session. The city also employs a team dedicated to monitoring traffic, and if that team sees a user receiving data from a command-and-control server, it will end the session immediately. Even if a bad piece of software made it onto a LinkNYC tablet, it wouldn’t be able to stay there long. The devices go through a hard reset after even 15 seconds of inactivity, which wipes everything that isn’t installed by the company.

One of the biggest concerns is common to all public Wi-Fi efforts — sniffing attacks. These attacks involve an attacker sitting on the network and watching data being transmitted. If a user is on a non-encrypted webpage and types in a username and password, an attacker could see that information in plain text. While banking, email, and social networking websites typically encrypt data in transit, the majority of the web is unencrypted, leaving information exposed.

Public Wi-Fi users browsing on SSL-protected pages are safe from these attacks, as are users connected through LinkNYC’s private network. The private network is currently available only for Apple devices running iOS 7 and above, but offers a more secure connection. It’s still free to the public, but to access it, users will need to accept the network’s key — a minimally more arduous task that’s well worth it. While the public network is available to all devices, its accessibility leaves it exposed to a number of attacks.


Credit: The Verge
