The Problems with Public Wi-Fi and Your Internet-Connected Devices

Mario Oliver, DNSFilter’s vice president of customer success, talks with John Lynn, eero security team member, at the dnsUNFILTERED virtual user conference on May 2, 2024 (left to right).

The risks of using public Wi-Fi, internet-connected devices and email for employees who work remotely and AI in cybersecurity and other sectors were discussed at the first quarterly dnsUNFILTERED virtual user conference on May 2, 2024.

Hosted by DNSFilter, the event featured John Lynn, eero’s security team member, DNSFilter customer and Industrial Refrigeration Pros CIO Tom Sweet and Raffaele Mautone, ceo and founder of Judy Security.

During a segment with DNSFilter’s Vice President of Customer Success Mario Oliver, John Lynn, eero security team member, talked about the vulnerabilities with public Wi-Fi networks and IoT devices and how users can ensure their data is secure.

“Yeah, we encounter public Wi-Fi everywhere. It’s a modern necessity, right? And I think the big themes are kind of what we consider everywhere on the internet. It’s privacy. Is what I'm doing being tracked? Are people using my behaviors or my data to mine information about me? And, just security. Am I leaking information? Are people trying to steal important credentials or my identity? Or, my laptop or my phone that's accessing the network — is it vulnerable? Could I be infected with malware or other viruses that could compromise the security of my devices? So, especially in a public Wi-Fi setting where there’s less trust than say, at home or at work that's an important thing to keep in mind,” said Lynn, who leads eero’s cloud infrastructure, data and security teams.

He added that if people are using public Wi-Fi they might be connected to an open network because that network doesn't have a password and their traffic is not encrypted. If it's not encrypted, anyone on that network can see information that they are transmitting.

He shared that bad actors are not going to see bank information (which is encrypted), but “a lot of stuff” like a mobile phone or computer laptop that uses software to conduct remote desktop sessions or connect to an email system or a remote database might not be encrypted and vulnerable to “listening” and exploitation.

“…A very convenient thing that our devices do is when we get home or we go to the office, they automatically connect to the Wi-Fi. Your device sees the network name knows the password, and automatically connects. People can take advantage of that by setting up a duplicate Wi-Fi network that tricks your device into connecting to it. And suddenly what you thought was a trustworthy network is actually not — it’s called the evil twin problem, right? Then, there's just the people who can set up public Wi-Fi networks who are well-intentioned, but they might not actually secure their endpoints very well. Router vulnerabilities are numerous. So, even a remote threat actor could take advantage of a Wi-Fi hotspot in a business or other location and compromise it and use that to kind of snoop on the traffic there. There's lots of ways that people could potentially gain access to either your traffic or your behavior. And in a lot of cases, it, it doesn't really take that much effort.”

Your IoT Devices are Not Secure

During his 10 years with eero, Lynn witnessed the explosion of IoT devices and trends with these devices.

“Every year we see the average number of connected devices in people's homes keeps going up, right? And these devices, they carry a lot of sensitive information — cameras, microphones, television, our tablets, phones, laptops, you name it. And they're in our homes, which are the heart of our security. Home is a safe place. The sad truth is like a lot of these devices don't prioritize security. So there's numerous vulnerabilities in these devices — either vulnerabilities or just kind of, sometimes negligence around security practices — that make them vulnerable. I think the important trends are what are the ways that you can secure your IoT devices — your cameras, your smart speakers and all this stuff in your home — either through really effective firewalls or good networking rules.”

He cited the Product Security and Telecoms Infrastructure Act in the U.K. as one example in which entities are trying to secure IoT devices. Enacted on April 29, 2024, the legislation prohibits default passwords in IoT devices that are sold in the U.K.

“Companies and governments are trying to keep pace to help encourage manufacturers of devices, routers, and otherwise to prioritize security in the designs of their applications,” Lynn said.

How You Can Protect Your IoT Devices

Lynn stated that people should assume that someone is “listening” to their IoT devices and are vulnerable if they are using public Wi-Fi.

“And the good news is though, there at least today in the public Wi-Fi case, there are a lot of solutions out there that help you combat that. I think in the home networking space, there are a lot of upcoming technologies that I’m excited to see evolve more,” he said.

Oliver and Lynn recommended that people update their devices through security patches, implement a multi-layered security approach, use VPNs that encrypt information, visit sites that use HTTPS protocols and use modern browsers with features that protect users from suspicious activity.

Users with doorbell cameras should ensure that they know where their information is going, and whether the camera manufacturer streams video to a device on the owner’s network or to the manufacturer’s servers.

“Never should that traffic travel anywhere else on the internet. And it's possible to configure a routing network environment that enforces those rules. It's probably the case that your doorbell camera should not be talking to your TV. It’s possible to set up a network that enforces those rules. But right now it's really complicated. But there are a lot of different ideas and proposals around how we can apply certain networking security profiles to devices — things that a manufacturer could say, this device only communicates with these servers, this device only has traffic on these ports,” Lynn said.

“If we can build a kind of community set or a public set of security profiles for devices and there are companies that keep track of this and it’s in their best interest to help consumers stay up to date, I think we'll get a long ways towards defeating a lot of these issues that we see where people might be exfiltrating data or turning your devices into botnets. All these bad headlines that you see in the news these days could probably be defeated with just some sensible network security profiles,” he continued.

A Phishing Tale

Industrial Refrigeration Pros CIO Tom Sweet and DNSFilter’s Senior Product Marketing Manager Greg Delaney spoke about Sweet's experience with a phishing attack that contained malware, why phishing is so common and the solutions the CIO implemented at his company to address this problem.

“So as phishing as a service, so you can actually hire people and or companies to do phishing for you. So there are people who are very sophisticated. And we went to a different email security solution, and part of that research, they had different videos and they were showing that some phishing emails are created in text backwards, and then the browser will reverse that text at runtime, right? Or they will create different words in the email and then have different size font. And so if you were to say, I wanna block all emails with the word “salary,” which I've done before. I created a rule that said block any external email except from our HRIS that had the word “salary.” But what they'll do is they'll put different letters between salary with different size font, and so it'll render as the word “salary,” but it won't be detected by a programmatic tool that's as unsophisticated as what I wrote because it's not the word “salary.” It's a bunch of other words mixed in. And then there’s different hominem attacks where there’s Cyrillic letters or other letters that look like an A or an E or a C, but they're not exactly that letter. So there's a lot of sophistication behind it, and unfortunately, people aren't using their brains for good,” Sweet explained.

The CIO discovered that an employee clicked on a malicious link, even though DNSFilter blocked that link and Sweet blocked domains and links from countries his company does not do business with, including Guatemala. Because the employee was expecting an invoice from a customer in this country, the “guard was let down just a bit” and the malicious link embedded in a phishing email went to an employee who clicked on it. Sweet locked the user’s email account, removed their security tokens, isolated the computer and prevented the malicious software from spreading through the company’s computer network. 

“The customer was probably compromised, right?” Sweet explained. “That’s not an uncommon situation for people. For the attackers to sit inside of someone's email and read the emails coming in and redirect them to a folder. And then so the customer doesn't know the emails are coming in because they're being redirected to some folder in Outlook. And then the attacker responds. So that’s what I think happened. It's not that the customer sent it maliciously so much as someone acting negligently inside the customer's account was sending the attack, the threat actor was sending the attack on that customer's account.” 

Delaney and Sweet agreed having multiple layers of security (including DNS filtering), ongoing employee phishing training, multi-factor authentication, filtering and removing administrative rights and different attack surface reduction rules are effective ways to protect computer networks.

AI in Cybersecurity and Other Industries

Mikey Pruitt, DNSFilter’s MSP evangelist, and Raffaele Mautone, ceo and founder of Judy Security, a platform that includes AI in its cybersecurity “pillars” to protect small to medium businesses, closed out the interview part of the gathering with a conversation about how AI can automate and manage certain tasks and increase productivity in the cybersecurity, healthcare, music, law enforcement, government, automotive, software, restaurant, retail and editorial industries.  

They also talked about possible AI regulation in the U.S., the hype about AI, mistakes that AI can create, how musicians and artists are utilizing AI and protecting their intellectual property from it, generative AI and the future of AI.

“We're seeing a lot of actors and musicians getting concerned because their images are being used without their permission. So I think we'll see a lot of regulations that way, where it's considered their property and whether or not AI can or can't leverage it to create something,” Mautone shared.

He said that people should not be afraid to use AI in cybersecurity because malicious actors will.

“I think there's nothing to be scared about in the sense of cybersecurity companies leveraging AI. I think we're going to have to because the bad actors are gonna be using AI to do different forms of breach, even at a faster rate. So AI's still in its infancy. I mean, if you think about it, it's only been five years, and we started with machine learning first. And now it’s only in the last year that it's kind of exploded. And we're seeing it as a revolution across all verticals, all products, all areas, and ways of helping or potentially being a little scary,” Mautone said.

His concerns about AI?

“I think as it relates to children, we need to be a little careful at first, right? And make sure that the AI that's getting in front of them is safe. We've talked about be careful and not necessarily trust everything unfortunately that's on social media now. I've even clicked on something and I thought it was just a news article and it was AI and it was information that was incorrect. My jaw hit the floor. I couldn't believe it. And it was on an article in the state I live in. So you kind of just go, okay, I didn't see that. So I think misinformation will be something we need to worry about, making sure whatever AI is interacting with our children is safe. Then you can only have so many of one thing talking at a human before it turns into white noise, right?” Mautone said.

He also thinks people need to be cautious, understand and know how to read a paper map, memorize a phone number, write a check and do other manual activities if digital devices like mobile phones and other technology — AI included — are not available.

“So, I just think that we should all be careful and not just let AI take over every single thing. I think there’s certain things that we as humans need to control and understand and retain

is the only thing that scares me about all technology, not just AI. That everything is automated, right? Sometimes, something being manual or a learning experience is a good thing, as well.”