The Coffee Shop Problem

Summary

IT security teams think about the so-called "coffee shop problem". That is, with employees and contractors working from coffee shops (or any public places with some sort of public wifi), some new security considerations start to crop up. Even working from home can present some similar problems.

This page describes the problem and some of the ways it can be mitigated by workers and security teams.

The Problem

When you're in a coffee shop, you connect your phone or computer to the wifi. To do this, you need a network name (SSID) and (hopefully) a password, which are supplied by the coffee shop owner. This is all fine, except your computer can't differentiate between the actual wifi operated by the coffee shop and a "fake" wifi service operated by the guy sat in the corner which has the same name and password. Unless you really investigate, you probably won't be able to tell the difference - both give you access to the Internet. Also, just to say, it needn't really be a guy sat in the corner, it could be an "evil" coffee shop owner, or a van parked outside packed with hackers, or it could be a completely remote hack which exploits problems in the coffee shop's security.

If your computer does connect to the "fake" network instead of the real one, then the hackers get to see all the places your computer connects to. These days with HTTPS and other encryption they can't probably see what you're saying, but still know where you're going. It gets complicated, but it is also possible for the hacker to modify or disrupt the traffic between your computer and whatever its talking to. Either way, you're giving away information that has no business going to the people looking at it.

There's another problem too: other network users can have access to your computer. Some networks take steps to prevent this (via "station isolation"), but an attacker's network won't do this. This allows the attacker an opportunity to attack the computer itself. In most cases, the computer's firewall will prevent problems, but there is an ever present risk of a misconfiguration or a bug somewhere that the attacker can exploit to gain access to the computer in some way.

Solutions

In an ideal world, you'd never connect your computer to any networks that you (or your employer) don't control. This of course isn't very practical. Instead, the worker can connect to (more or less) any wifi network and immediately start a VPN (either to the employer, or to a trusted provider).

The VPN will "cover" all the traffic from the computer in an extra layer of encryption, so now the hackers can only see that you're using a VPN - not what you're doing with it. This is by no means impenetrable security, but it's a significantly better situation with minimal effort from the user.

The intention here is that the computer will now only communicate via the VPN. This captures all outgoing traffic, but adds a layer of protection to the firewall too - even if an attacker tries to contact the computer directly, any responses will be "captured" by the VPN and won't be delivered to the attacker.

Implementation

Some IT teams may be able to implement an entirely automatic solution, where the user has to log on to a VPN as soon as a wifi connection is established. For less sophisticated or smaller IT teams, the same sort of solution can be achieved by training and security policies.

Pre-Emptive can help with security policies, VPNs or indeed a range of other IT related problems. Contact us to see how we can help you.

More reading

• https://www.independent.co.uk/life-style/gadgets-and-tech/news/wifi-hotpots-coffee-shop-dangerous-security-risk-report-a7750091.html
• https://www.arrowcommunications.co.uk/coffee-shop-wi-fi-presents-severe-security-risks/
• https://wrtecup.wordpress.com/2020/02/28/the-facts-about-coffee-shop-wifi/