There’s been a lot of news in recent weeks surrounding the Sony PlayStation Network breaches. One of the questions that I have received multiple times since this started is whether or not this was a wireless breach or if wireless was in any way part of the Sony vulnerability.
From what we understand, no. It sounds like web servers were compromised. But could these types of attacks happen over Wi-Fi? You bet.
“Hacktivists” essentially volunteer to participate in these coordinated attacks. The tools used are often easy to use and freely available. They just need people willing to join the cause to create the distributed denial of service. Firewalls are supposed to keep the “bad guys” out, but there is nothing stopping anyone from putting these same tools on a smartphone and carrying out these same attacks from INSIDE an organization, not just remotely from the Internet.
These same techniques used against Sony, MasterCard, and Visa as well as the type of attack that breached TJX can now be launched from personal smart devices (Iphones, Ipads, Androids, etc.) inside your network. In fact, Gopinath K.N., Director of Engineering at AirTight Networks has demonstrated just this type of scenario at various security conferences and on-line presentations. See his demo here.
Additionally, smartphone malware can be distributed in the form of an application easily downloaded from the Internet (think of all the gaming and social media apps available for iPhones and Androids). Its really no different than how PCs become infected with worms, viruses and malware by visiting untrusted sites and downloading insecure applications.
Once the malware is installed, if that compromised smart device attaches to the corporate network, the malware can be used to launch a stealthy attack from inside the corporate network – with or without the knowledge or consent of the smart device owner . Sensitive data could even be sent off-site via the device’s own Wi-Fi or 3G radio.
Considering that smart devices and tablets now outnumber PCs in new sales, this may not be so far fetched. A major difference between PC security and smart devices is that the tools to detect and defend PCs from these vulnerabilities is significantly more mature and widely deployed then smartphone security in practice today. Organizations need to determine whether or not unauthorized smartphones are allowed to attach to their Wi-Fi networks (guest and corporate), and how they will enforce wireless security policies to keep themselves secure.