The Mercury News
Government urges workers to avoid public networks
The Biden administration would like you to get a vaccine and wear a mask. Oh, and one more thing: It has just proclaimed that it’s time for government employees and contractors to get off public Wi-Fi, where they can pick up another kind of virus.
In a warning to all federal employees, leading defense contractors and the 3.4 million uniformed, civilian and reserve personnel serving in the military, the National Security Agency issued an unusually specific admonition late last week that logging on to public Wi-Fi “may be convenient to catch up on work or check email,” but it is also an invitation to attackers. In an eight-page document, the agency described how, in a year marked by ransomware attacks on pipelines, meatpackers and even the police force in Washington, D.C., clicking on to the local coffee shop’s network was asking for trouble.
Government officials say they are fully aware that getting people to heed the advice is about as likely as getting them to sit outside at a baseball game fully masked. But the message is a turning point: After a decade in which every restaurant, hotel and airline felt competitive pressure to improve their free Wi-Fi, the nation’s leading signals intelligence agency is trying to throw on the brakes.
“Avoid connecting to public Wi-Fi, when possible,” the warning says, stating that even Bluetooth connections can be compromised. “The risk is not merely theoretical; these malicious techniques are publicly known and in use.” The warning links readers to videos of how easy it is for hackers to use an open Wi-Fi network, one that requires no passwords, to harvest passwords and the contents of passing cellphones.
Cybersecurity experts have long warned about the dangers of public internet in coffee shops, airports, hotel rooms and similar venues. At conferences like Black Hat, where government officials are hunting this week for new recruits, exposing the vulnerabilities of mobile devices is something of a sporting event. Some participants take glee in revealing the contents of a visitor’s phone on a big display for all to see. It is meant as a vivid reminder that hooking on to public Wi-Fi, or enabling Bluetooth connections, or even the capability to make a purchase by tapping a reader with a phone, is an invitation to have nonencrypted data seen by anyone.
Without citing particular incidents, the NSA warning includes a caution that criminals or foreign intelligence agencies can set up open Wi-Fi systems that look as if they are from a hotel or a coffee shop, but are actually “an evil twin, to mimic the nearby expected public Wi-Fi.”
When State Department officials were negotiating the Iran nuclear accord in 2014 and 2015, many powers — from the Iranians to the Israelis — deployed such systems in hotels where the negotiations were underway, American officials warned at the time.
The NSA warning was not prompted by any recent uptick in criminals or nation-state adversaries using public internet to steal information or stage hacks, officials say. Instead, it appears to be part of a significantly accelerated U.S. government effort to raise awareness about a range of electronic vulnerabilities in recent months.