(6 min read)

Learn how to defend against Wi-Fi Pineapple attacks

A Wi-Fi Pineapple is a portable device that allows cybercriminals to steal data shared on public Wi-Fi networks. For the very low price of $99, anyone can buy a Wi-Fi Pineapple and use it to steal data.

The Wi-Fi Pineapple was developed by a company that creates tools for people who work as pentesters. Organizations hire pentesters to attack their network, in an effort to expose vulnerabilities so the IT team can fix these before they are discovered by cybercriminals.

The problem is that cybercriminals have learned that they can use this device to carry out cyber attacks. The Wi-Fi Pineapple was originally designed to help defend against cyber threats, but is now being used as a honeypot to commit cyber attacks such as man-in-the-middle attacks or spoofing attacks.

For organizations who have employees who work remotely, attend conferences, travel, or work from home, Wi-Fi Pineapple is a real threat. Most people do not think twice about using free public Wi-Fi offered by coffee shops, airports, hotels, or the open networks provided by cities in their public parks and other open spaces.

How do Cybercriminals use Wi-Fi Pineapple to Commit Cyber Attacks?

There are three primary ways that cybercriminals use Wi-Fi Pineapple to commit cyber attacks:

  1. Man-In-The-Middle Attack

The Wi-Fi Pineapple is used to eavesdrop on people using public Wi-Fi. The Pineapple is configured to act as the real Wi-Fi network that people believe they are connecting to. But instead, they’re connecting to a fake network that allows cybercriminals to easily access and capture all data that is shared on the network. There is no way to know if you’re connected to the legitimate public Wi-Fi network or a Pineapple network.

  1. Evil Portal

To take the man-in-the-middle attack to the next level, cybercriminals create websites that look legitimate and when people attempt to connect to the real site, they are redirected to the faked website. This makes it easy for criminals to capture login information, credit card data, and any other information you provide to the website. For example, a faked Amazon website can be used to steal credit card data, addresses, phone numbers, passwords, etc.

  1. Fake HTTPS

HTTPS is used to secure websites and encrypt data. This gives website users protection by providing a secure layer of communication. Websites that collect personal and confidential information such as ecommerce sites, government websites, or videoconferencing websites must use HTTPS. Cybercriminals use the Wi-Fi Pineapple to direct HTTP requests (most people do not use HTTPS when typing URLs) from the real HTTPS server to their Pineapple so they can remove the secure layer protecting and encrypting data. The only obvious difference for the website user is missing “lock” icon in the left corner of the URL bar.

How to Protect Your Organization from Wi-Fi Pineapple Cyber Attacks

To protect your organization from Wi-Fi Pineapple cyber attacks, remember these keys to network and corporate cyber security:

  • Establish strong password rules. Enforce all employees to follow password rules that require at least eight characters, a combination of both upper- and lower-case letters, and a mixture of letters, numbers, and special characters.
  • Make sure all applications, operating systems, network tools, and internal software are up-to-date and secure.
  • Install malware protection and anti-spam software.
  • Regularly scan for unauthorized Wi-Fi hot-spots within your work perimeter.
  • Always configure corporate networks that are WPA-encrypted with a password.
  • For internal Wi-Fi connections, avoid SSIDs that include the name of your organization.
  • Use a firewall to protect open ports from Wi-Fi Pineapple attacks, malware and ransomware attacks, and botnet attacks.
  • Ensure the corporate VPN is configured to use multi-factor authentication. Only allow employees to connect to the network with a secure connection.
  • Schedule regular backups of all data stored on the network and on employee computers and devices.

Most importantly, remember that your employees are your first line of defense against Wi-Fi Pineapple attacks.

Give your employees easy access to security awareness training that includes relevant and real-world topics including working remotely, working from home, and traveling securely best practices.

Subscribe to our Cybersafe & Sound newsletter for the latest updates in security awareness tips and best practices. And remember, to encourage your employees to subscribe as well.

 


This next section is intended directly for users

10 Keys to Staying Cyber Secure and Safe When You’re Away from the Office

Cybercriminals have lots of advanced and inconspicuous methods that make it easy for them to steal your personal and professional information. When you’re working in the office, we know that you’re protected by firewalls, the VPN, data backups, and other security measures.

The threats and risk come when you’re traveling, working remotely, attending conferences, or commuting. These 10 keys to staying cyber secure when you’re away from the office can help protect you and us from cyber attacks:

  1. Never connect to open unsecured public Wi-Fi. Even if this is the only Wi-Fi available, do not connect to it. Providing your email address and accepting the terms and conditions of the Wi-Fi owner does not mean you are connecting to a secure Wi-Fi.
  2. Only use HTTPS protected websites. In the URL address bar, check to make sure the URL uses HTTPS and that the green lock icon is present. Never provide personal confidential information such as passwords, credit card details, or bank information on a website that does not use HTTPS.
  3. Turn off auto-connect. Ensure your mobile devices are not configured to automatically connect to public Wi-Fi that is not password protected.
  4. Configure your mobile devices and laptop to “forget” public Wi-Fi network connections. This prevents you from telling cybercriminals that you have used this public network in the past, making it difficult for them to trick you into connecting to a fake network.
  5. Disable Bluetooth auto discovery. Cybercriminals listen for Bluetooth signals that they can hack to connect to mobile devices.
  6. Shred all documents. Do not discard personal and professional documents in garbage cans or recycling bins. If you don’t have access to a shredder, bring these documents with you to work and shred them in the office.
  7. Do not forward work emails to your personal email account. Many personal email accounts lack the security measures we use to keep our organization safe.
  8. Be aware of your surroundings. Do not leave your laptop open on a coffee shop table or leave your mobile device unattended at charging station. Do not ask someone to “watch” your laptop while you order a coffee or go to the bathroom. Be aware of people sitting too close who may be listening to your conversations or looking at your screens.
  9. Always install the latest updates, patches, and versions. Make sure your computer and mobile devices have the latest applications, operating systems, network tools, and internal software installed. Ask the IT/support team to verify that your devices are up to date.
  10. Always connect to our network with our secure VPN. If you don’t have the VPN details, talk to the IT team for this information. Consider using a personal VPN software for your own privacy. These options can provide some level of security if you have no other choice but to connect to an open Wi-Fi.

As an extra tip, we recommend you subscribe to Terranova Security’s Cybersafe & Sound newsletter. This monthly newsletter gives you timely information on cyber security risks, blog updates, and tips and tricks that can help you stay cyber secure.

 


SECURITY AWARENESS VIRTUAL SUMMIT

May 5, 2020 12pm – 3pm ET

Join Terranova Security and sponsor Microsoft as well as a keynote speaker from Gartner for an illuminating series of virtual sessions on security awareness and phishing simulation training.


 

Harold Walker
CISSP, Global Channel Manager & Cyber Security Evangelist

Connect on LinkedIn