From intellectual property to personally identifiable information (PII), credit card numbers, passwords and more, just about every business and government agency has data that, if compromised or stolen, could pose substantial risk and liability.
With more organizations and employees looking for tips on how to effectively work remotely, one topic that has become top of mind is the cybersecurity implications of remote work.
While many organizations have invested heavily in securing their own corporate networks, they have little to no control over the Wi-Fi networks their employees use when working remotely.
One common solution used to address this problem is a VPN, however contrary to popular belief, almost all VPNs do not protect against one of the biggest risks your employees will confront when working remotely – captive portals.
What is a captive portal?
When you go to places with free guest Wi-Fi access, you’ll typically get a popup web page as soon as you connect to the Wi-Fi network that asks you to agree to terms and conditions and/or put in information like your social media accounts, email address, access code, last name, room number (such as in a hotel) or other identifying information before granting you broader access to the network.
This web page is called a “captive portal” and is used by the establishment offering the Wi-Fi for a variety of reasons that may include verifying users, controlling the amount of bandwidth being used, reducing their liability in the event of illegal or otherwise inappropriate online behavior, and confirming that users have agreed to terms of service before accessing the network.
Captive portals can also be used as marketing tools by requiring users to fill out a survey as part of their experience, showing advertisements or highlighting promotions run by the host establishment.
According to research by Intel, 38% of users regularly choose to use unsecured public Wi-Fi (including networks with captive portals) rather than their own cellular data providers in order to save money on wireless access, making it highly likely that remote employees will at some point choose to use a captive portal to gain access to the internet.
What are the risks associated with captive portals?
Captive portals provide an easy point of entry for malicious actors looking to gain access to an individual user’s device and, through that, the larger corporate network.
The fact that users' devices must automatically load the captive portal web page, and the associated java script, directly on their device before accessing the internet means that they are essentially putting their security in the hands of the network administrators who manage that particular public Wi-Fi network.
If the network has already been hacked, or they are running firewalls or other network equipment that is vulnerable, you’re essentially giving hackers direct access to your device when you load that captive portal web page. This kind of access can be used to execute Man-in-the-Middle (MitM) and Man-in-the-Browser (MitB) attacks.
For example, there have been a number of campaigns (including DarkHotel, which was first uncovered by Kaspersky Labs, and a vulnerability in Inngate routers, discovered by Cylance, which was used to target guests at high end business hotels) whereby malicious actors have hacked into networks of hotel chains thereby gaining access to the wireless networks the hotels provide.
This makes it easy for them to access the devices of hotel guests. As soon as the guest connects to the network, the malicious actors are waiting. They still have to find a known exploit or zero day, but they don’t have to go through a VPN or firewall, because all of that isn’t even up yet.
In addition, it is relatively easy for hackers to create their own Wi-Fi hotspots that spoof legitimate captive portals. These phony pages, known as “evil twins”, trick users into connecting to them and then route traffic through their networks where the malicious actor can intercept credentials, and gain access to valuable data and corporate communications. Wired Magazine detailed a recent example of how Russian state-sponsored hackers did just this in a bid to gain access to a wide range of targets relating to the 2016 and 2018 Olympics.
In many cases, hackers aren’t as interested in the user’s laptop or personal information as they are in gaining access to the resources they are connected to, including data on the corporate network.
The lesson here? Assume that all public Wi-Fi networks are insecure and take measures accordingly.
Does a VPN protect you from a captive portal?
Most organizations that prioritize cybersecurity install software VPNs on users’ laptops, mobile devices, or whatever devices they are using for work.
VPNs – or virtual private networks – function as an encrypted tunnel to a server located somewhere on the internet. Because the traffic (data and communications) that passes through that tunnel is encrypted, it is safe from malicious actors.
While VPNs are highly effective in protecting users’ devices and data, they typically take about 60 seconds or more to establish a connection.
In addition, the user's device will be on the network for at least 120 seconds while they attempt to authenticate with the captive portal. The problem here is that this all before the VPN attempts to establish a connection.
It’s during that 180 second “captive vulnerability zone” that is where the risk comes in.
If you look at how much network traffic a Windows or Mac laptop generates in that 180 seconds, it is tremendous. The first step a hacker needs to accomplish to gain access to a victim’s device is reconnaissance, or learning the software and version that user is running. From there, the hacker simply needs to find a known exploit or potential zero day.
Unfortunately, the 180 seconds that it takes for a VPN to go live is plenty of time for a hacker to accomplish these things and compromise the user’s device. Worst case, they can gather the reconnaissance information, find the exploits, reset the user's Wi-Fi connection to bring down their VPN, and then exploit the user's device.
Any time a user logs on to the internet via a captive portal, they have to trust that the location or establishment where they are accessing the internet is protecting its infrastructure properly -- and in many cases, they are not.
That means that during the 180 second “captive vulnerability zone,” the user is completely vulnerable – and it’s during that time that, despite using an enterprise-grade software VPN, malicious Java Script could be loaded onto the user’s device without them even knowing.
Why hasn’t this challenge been solved already?
The main thing standing in the way of solving the captive portal challenge is the lack of standardization in the way that captive portals authenticate users.
Because every hotel, café, coffee shop, airport or train station may be using a different system for its public Wi-Fi network, it’s difficult (if not impossible) to create an automated solution for secure authentication.
The only solution that we at Attila are aware of that completely protects a user from captive portals (other than simply not using them) is captive portal isolation.
What is captive portal isolation?
Captive portal isolation involves the use of a combination firewall and hardware VPN with a built in, stateless sandboxed web browser. It works as follows:
- The user connects, via Wi-Fi or Ethernet, to the hardware VPN;
- They then use the hardware VPN to connect to the internet (in this case, via a captive portal);
- The stateless sandboxed web browser that is built into the hardware VPN is actually what loads to the captive portal, and it then presents a screen capture of the captive portal on the user’s device;
- In this manner, the captive portal web page never actually loads on the user’s device and the firewall prevents the malicious actor from gaining access to user data or communications.
Attila’s GoSilent Cube is an example of a combination VPN, firewall and Wi-Fi hotspot that is capable of isolating captive portals in the manner described here.
What’s the best way to protect your data when using captive portals?
Of course, the best way to protect your data when using captive portals is to not use them at all.
While that is the best solution, it is not the most practical, and in reality, users will likely continue to turn to public Wi-Fi when they are working remotely, and often this is one of the primary reasons government agencies don't allow remote work.
That being the case, there are a few things that you can do to ensure that your employees practice good cyber hygiene when in a remote work environment:
- Make sure that all software on user devices is updated and patched;
- If your employees will be using a software VPN to connect to the internet, make sure it is set to establish a VPN connection as soon as a network or internet access is found (most enterprise-grade software VPNs have a setting for this); and
- Many VPNs offer an option called “split tunneling,” whereby only work-related traffic goes through the VPN and the rest of the data goes through the public internet. Sending ALL traffic through the VPN provides the maximum level of isolation that you can get with a software VPN. If you’re not doing this, you’re effectively pushing your security risk down to whatever Wi-Fi network you’re using -- so your users will only be as secure as the network they’re on.
The bottom line is that it doesn’t take long for a hacker to gain access to a user’s device when they’re using a captive portal. And once they access that device, it can act as a back door to the real prize, which is your corporate network, and potentially the networks of your partners and/or supply chain.
If your employees work remotely, it’s critical that you take steps to ensure they can do so securely from wherever they choose to connect to the internet.