There’s a cottage industry in devices that attackers can use to target people’s laptops and phones in public spaces. These devices are purchased and used by legitimate security professionals to test networks, but also by criminal attackers. Open wireless network connections can be intercepted and manipulated, and physical access to computers and phones can be used to install malicious software that allows for remote control and theft of data. These attacks can happen quickly and leave little physical evidence. In target-rich environments like airports and hotels, a single criminal can compromise many potential victims at once. Targeted attacks against specific individuals and organizations can be even easier.
Here are a few pieces of advice for remaining secure and protecting yourself and your organization:
1. Protecting yourself begins with situational awareness and physical control over your devices. It pays to have your head “on a swivel.” Be aware that people behind you, or cameras above you, may be able to watch you type in your passwords or see the contents of your screen. Dual-factor authentication that makes use of a physical token or a fingerprint scanner in addition to your password can reduce the usefulness of observing your password alone. Be aware of the information you’re viewing on your screen in public spaces, and consider investing in a privacy screen for your laptop that reduces possible viewing angles. Even with a privacy screen, understand that those directly behind you will still be able to read over your shoulder.
2. Never allow your system to leave your line of sight in a public space. In a matter of moments, an attacker can insert a device into a USB port on your computer that will infect your system and begin extracting sensitive data. This can occur even if you have “locked” your laptop to require a password to log back in. Mobile devices can be easily stolen, so have your IT staff implement full-disk encryption on any systems that travel. While it is more convenient to simply close the lid on your laptop, the most secure state for an encrypted system is to be completely “shut down”.
3. When on the road, avoid Wi-Fi networks that are not managed by your IT staff. Wireless networks in public spaces are targets for data collection, and that collection can often be done completely passively. Active attacks may also involve access points that pose as secure networks you may be conditioned to connect to out of habit. Make use of cellular networks when possible (using cellular hotspot devices for your laptop), and make a connection back to your office network via Virtual Private Networking (VPN) for an additional layer of security.
Ultimately, much like you should be performing offense-oriented testing of your company’s networks, you should also have a third party take a look at your traveling workers’ operational security. A team that is qualified to conduct penetration tests and red teaming engagements can be tasked with examining common remote work scenarios that you and your employees will engage in. It may surprise you what clever tricks they will use to compromise your mobile devices, and their findings will help you harden your technology and practices to allow you to confidently work from anywhere.
» Dr. Wesley McGrew is the Director of Cyber Operations at HORNE Cyber. Understanding that businesses are under constant cyberattack, and simultaneously held ultimately responsible for their own victimization, Wes stepped away from academic research in order to develop talent and services that help organizations improve their resilience. He has made a career out of studying attacker techniques and applying them in offense-oriented services like penetration testing that identify vulnerabilities before they are successfully exploited by real criminals.