Top 7 Risks of Tethering and WIFI Hot Spotting



At the time of writing I am sitting in a lovely town in the middle of Saskatchewan, where I currently find myself without access to WIFI.  That's ok though, because I have my phone and I can tether.

As I do with most tech I work with, I ask myself "how do I break this?"

In this post I am not breaking something, but more raising awareness of the risks.

There are risks involved with all tech and with that you have to consider whether those risks are worth it.

Here are my top 7 risks of tethering and WIFI hot spotting:

1. Piggy Backing: 

If you are foolish enough to leave your hotspot available with no password, you are inviting trouble.  It's fine to share your network as long as you trust the other party.  When people have access to your network, you are introducing a lot of risks.  Putting your black hat on, what are some things you could do in a network?  Do you really want those kinds of activities on your network instance?

2. Reflection:  

This is a loaded one, and I have assigned it the label "reflection" because it represents activities carried out by a party against a target, but using your network.  To be clear, this is different from a DDoS reflection attack.

Reflection risks would be activities like this scenario:

A) I (attacker) have connected to your (victim) network.  

- From here I could launch a DoS on a different victim (still not a reflection attack)

- Plant exploits on connected machines

- Collect data on victims connected

- Launch anything and everything I want.  I was thinking of a list of bad things to put here, but the list is so long that I summed it up with "Fire all the missiles!"

If an unknown entity is using your private network they are masquerading as a trusted person on your network.  

3. Shadow IT:

Shadow IT in itself is a big topic.  It has a lot of aspects that are quite interesting to consider when you are developing your security plan for your client.  

I will provide a definition here in a nutshell.


Shadow IT = When assets are being utilized in a way that is not approved by IT policy/procedure, or when IT admins are simply unaware of personal assets tapping into corporate infrastructure.

I am desperately trying not to rant about Shadow IT here, but if you are accessing work assets (data or anything else), the device you are connecting with should be considered in the security planning.  Obviously IT cannot predict every device that will touch company assets, but what you can do is ensure that access is managed and appropriate.

4. Wide and Narrow Path:

For this one I am thinking as an IT Admin.  We may have the infrastructure to support employees working remotely, but what we cannot control is the shady things people do on their networks.  It is not even the intentional stuff people do that is "bad"; it is all the nefarious things people will accidentally invite onto their computers.

Now think generally about the things that people can do on their phones.  The entire spectrum of human capabilities can be realized via a phone.  Let's say your phone is infected with malware; it happens.  Now that phone is hosting the network that you are connecting your work asset to.  It's entirely possible that you are bringing along a slew of malware with you as you connect via your infected phone.  It is comparable to sneezing in your hand and then opening a public door to a store.

5. Financial




This may seem obvious, and honestly it is less of a risk for those with amazing plans.  If you are not vigilant about watching your data usage, you could sap your month's data allotment before your time is up.  Thankfully blogging takes up little to no data usage ;)




6. Big Brother

This one is not so much for the benefit of corporations; it is more a personal risk.  I thought of this one specifically because when I was answering tickets back in the day, I can't even tell you how many people came to me asking me to clear their browsing history from their phones.

I had to politely tell them that it doesn't matter if I wipe it or not.  Looking at naughty images on our company phone is not a good idea, and getting the IT guy to clear the history does nothing.  Truth is we already know what you are doing with your phone because it is a managed device.

Oh man I could tell you some stories. lol



Generally, if you don't want your employer knowing what you look at in your private time, save your work devices for work....only.

7. Data Loss

I will be honest here, I would like to do some more tests around this.  In theory I believe it would be possible to accidentally allow unknown actors access to your data via your tethered network.

Stay with me here, because I am stretching.

It is a known fact that some App developers intentionally add code that allows them to monitor what you do on your phone.  This is fact.

It is also proven that people, when given the option of allowing a random app access to their mic, even if the app really doesn't need it, will give access because it allows them to continue playing the free game they just got.

If an App has no business accessing your geolocation, your mic, your contacts etc. why give it permission to do so?

Anyways.

It is conceivable that, if a developer built into their app a way to spy on you using other apps, they might also add an ability to snoop on your tethered connections.

Conclusion:

So there you go, my top 7 risks of tethering and WIFI hot spotting.  Like anything else, you have to manage your risks appropriately.  Is what you are doing worth the risk?  Are you inviting unnecessary risk into your work environment?

At the very least, be aware that risks exist; being even moderately aware of those risks puts you in a better situation than someone who has no clue.

Good luck and Happy tethering!
