• United States




Time to close the gate on open wireless networks

Dec 14, 20174 mins
Mobile SecurityNetwork SecurityTechnology Industry

Trusted networks are not always what they seem. Ask a hacker. They love your employees’ casual use of open wireless networks.

Future Wi-Fi
Credit: Thinkstock

Consider this typical scenario.  One of your company employees has a meeting across town.  They arrive a bit early and go into a local coffee shop to connect to their wireless network because there is an email they just have to send.  They may have heard somewhere that “open” wireless networks are bad and we should not connect to them, but this email is really important.  The employee composes the email and sends it and says, “nothing blew up, so it must not be as bad as I’ve heard.”  So, is that right?  Is it safe?  How can you know?

An open wireless network is one that does not have any wireless security protocol running on it.  When you see your device’s list of wireless access points, these will show up with saying “open” instead of “secure” or the padlock icon is missing.  Even if an open wireless network shows a webpage and asks an employee for a password upon connection, it is still an open network.  Good examples of open networks are at hotels, airports and coffee shops.  With holiday travel upon us, the frequency of using an open network may certainly increase as an employee sends off one last email before journeying home.

Open networks are a hacker’s dream

Looking for convenience, your employees probably aren’t spending much time thinking about the easy connection to an open network, they just made on their mobile device.  They need to know why open networks are dangerous.  It is because our devices remember the connection.  Not only do they remember these networks, they broadcast, looking for those trusted networks.  It’s almost like your device is saying, “Here is a list of all the networks I trust.”  Most of our devices have dozens or hundreds of these known ‘good’ networks that the device is constantly looking for – some are secured, but others are open. 

Hackers know about this behavior of our mobile devices and try to exploit it.  There are several hacker tools that scan an area, looking for devices that are trying to connect to known networks.  The hacker tool then pretends to be the network access point your device is looking for.  Your mobile device will actually connect to the hacker tool, thinking it has connected to the hotel or airport network that you indicated was trustworthy several months previously.  Where the open network issue comes in, is that if the hacker tool masquerades as a secured device, your phone/tablet will compare the previous certificate with the hacker tool’s certificate.  Your device will notice that the certificates don’t match and will not try to connect.  With an open network, there is no certificate, only the name. 

To open networks:  forget you!

The biggest danger of open networks doesn’t happen when an employee connects on purpose. It happens when their device continues to try to connect long after they have left the area.  Long after they approved to connect to an open network, the device is still hard at work trying to connect to that network. 

So how do we fix this problem?  It starts with educating employees and contractors that open wireless networks can be a great pathway for hackers, and attacks.   Employees need to be instructed to go into their device and tell it to forget all the open networks.  For Windows, Android devices and MacOS this is a matter of going to the network area, listing out the wireless networks and removing or “forgetting” the open networks.  On the iPhone and iPad, they will need to perform a more dramatic reset of the network settings in order to remove all the open networks. Once they’ve done this, you can breathe a bit easier about your company’s vulnerability to open network attacks.


Phil Richards has both breadth and depth of security experience. He currently is the Chief Information Security Officer (CISO) for Ivanti. He has held other senior security positions including the Director of Operational Security for Varian Medical Systems, Chief Security Officer for Fundtech Corporation and Business Security Director for Fidelity Investments.

In his security leadership roles, he has created and implemented Information Security Policies based on industry standards. He has led organizations to clean PCI DSS and SSAE SOC2 compliance certifications, implemented security awareness training, and established a comprehensive compliance security audit framework based on industry standards. He has led the organizations through GLBA risk assessments and remediation and improved the organizations risk profile. Finally, he has implemented global privacy policies, including addressing privacy issues in the European Union.

Transforming an organization requires focus on the objectives, clear communication, and constant coordination with executive leadership, which is exactly what Phil has focused on during his security career.

The opinions expressed in this blog are those of Phil Richards and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.