The National Security Agency (NSA) is addressing the general population with an information sheet containing guidance on securing wireless devices while out and about. The guidance also addresses government workers, critical infrastructure workers, and everyone else.
NSA’s guidance on Securing Wireless Devices in Public Settings covers “malicious techniques used by cyber actors to target wireless devices and ways to protect against it.”
“To ensure data, devices, and login credentials remain secure and uncompromised, cybersecurity is a crucial priority for users and businesses. This includes identifying higher-risk public networks and implementing security best practices while in public settings, whether connecting laptops, tablets, mobile phones, wearable accessories, or other devices with the ability to connect to the internet,” according to the document.
Using public WiFi, for instance, may open data and devices to compromise, as cybercriminals employ malicious access points, redirect to malicious websites, inject malicious proxies, and eavesdrop on network traffic, the agency notes.
“If users choose to connect to public Wi-Fi, they must take precautions,” the document reads. “Data sent over public Wi-Fi—especially open public Wi-Fi that does not require a password to access— is vulnerable to theft or manipulation. Even if a public Wi-Fi network requires a password, it might not encrypt traffic going over it. If the Wi-Fi network does encrypt the data, malicious actors can decrypt it if they know the pre-shared key.”
Malicious actors may coerce the network into using insecure protocols or obsolete encryption algorithms, or they can set up a fake access point, also known as an evil twin, to mimic the nearby expected public WiFi, giving the actor access to all data sent over the network.
Unencrypted network traffic or traffic that is easily decrypted can also be captured using open-source tools, exposing sensitive data, the NSA warns.
“If connecting to a public Wi-Fi network, NSA strongly advises using a personal or corporate-provided virtual private network (VPN) to encrypt the traffic,” the guidance reads. “In addition, users should incorporate secure browsing methods, such as only accessing websites that use Hypertext Transfer Protocol Secure (HTTPS).”
The document also covers the secure use of Bluetooth and NFC protocols, and offers a comprehensive list of Do’s and Don’ts as “complete security is never guaranteed,” according to the agency.
These tips include patching devices and their underlying software with the latest fixes, enabling multi-factor authentication, and using security solutions. Users are also told to consider additional security measures, including limiting/disabling device location features, creating strong device passwords, and only using trusted device accessories, such as original charging cables.