The use of mobile hotspots has skyrocketed over the last couple years, and with the release of 4G, it’s pretty obvious why. Not only for the added mobility, either. I can personally always rely on my smartphone’s 4G service being fasterand more reliable, on top of possibly being more secure than the shared hotel or coffee shop wireless. I say possibly, because just enabling your mobile hotspot feature on your phone doesn’t necessarily make it a more secure option. In fact, if you’re using the default settings for your mobile hotspot, it’s very likely this isn’t the case. This brings about the usual risks with an attacker having unauthorized access, with the addition to risk to data usage. Unless you’ve got an unlimited data plan (do those even exist?), an attacker can potentially cause data usage by going over your allotted monthly limit.
With that, I would like to provide some tips and best practices to ensure that you are secure when using your mobile hotspot. Some of these tips aren’t new in securing access points in general, so they likewise apply, however I have tailored these recommendations to be more specific to hotspots. So, here they are, without any particular order of importance:
1. Use Obscure SSIDs
Before I dive into this, let me explain a little on what I mean by an SSID. SSID is an acronym which stands for “Service Set Identification,” which, as most technical acronyms, doesn’t do a great job explaining what it actually is. Simply put, the SSID is just the name you are going to give your hotspot so that your other devices can identify it. For example, when you go to pick a wireless network, all the wireless network names you see out there are their SSIDs. With that said, most hotsposts will come with defaults, usually on the realm of “Verizon Mobile Hotspot”, for example. It’s best to avoid using the default names such as “Verizon Mobile Hotspot” or even custom ones such as “Tammy’s iPhone” for your SSID, as these names give an attacker some idea of the service and/or model device being used, which in turn allows them to target based on the default settings for these devices. Take this opportunity to use something creative, such as “NSA Surveillance”. Attackers will have a more difficult time profiling your hotspot, plus you’ll probably give some people a good chuckle. Another port to note regarding your SSID is that hiding your SSID isn’t necessary, as an attacker would be able to discover your “hidden” SSID with little effort, anyway.
2. WPA2 Security – Always
Most hotspots will give you the option to change the security encryption being used. This typically ranges from options such as Open, which is no encryption or passcode needed, all the way to WPA2 PSK, which is the latest standard and uses a very high level of encryption. Always be sure to use WPA2 security when setting up a hotspot. All smartphones that provide hotspot functionality should have this as an option, and if they don’t, it’s probably time to upgrade it to one that does. WPA is the only exception to this in that even though it’s not as secure as WPA2, it’s still very secure when combined with a complex enough passcode (which is covered next). WEP encryption should be completely avoided since anyone with $30 and access to Google can gain step-by-step instructions on how to crack the passcode within about 5 minutes. If your hotspot supports the option to use WPS, it’s recommended that this is disabled as well, as there is a known vulnerability that can allow an attacker to obtain the WPA passcode by bruteforcing the WPS PIN.
3. Use Complex Passwords
Even though this is probably fairly obvious, having a complex password is just about the most important component to securing your mobile hotspot. A common myth is that since your hotspot is only on when you need access, its not likely that an attacker will guess your passcode in the allotted time frame. However, with the way WPA works an attacker only needs enough time to capture the handshake, then they can attempt to crack the password offline. There are many different good (and bad) methods to coming up with complex passwords. However given that the nature of a mobile hotspot is to turn it on only when needed, my recommendation is to strive for a passcode that’s complex enough, as well as change the passcode every time you use your hotspot. The goal is that your passcodes are complex enough that an attacker cannot reasonably crack it in the allotted time, and even if they wanted to crack it offline, the cracked passcode would be useless because it will change the next time you use it. The challenge then becomes in coming up with a complex enough password every time you go to use your hotspot. In cases like this, I am a big fan of the strategy put together over at XKCD.com, which is to take four random common words and put them together to form the password. For example, orange + finger + core + sleepy. This makes passwords easy to come up with, as well as remember, while providing enough entropy that it an attacker couldn’t reasonably crack it.
4. Turn It Off When Done
This one may seem a bit obvious as well, but since I’m even guilty for this one, I thought it was worthy enough for its own section. Turning it off when you aren’t using it is not only easier on your data usage (and monthly charges), but lowers the chance a potential attacker might have to attempt hijacking access to your hotspot as well. Now if you’re as absent minded as I am, many hotspots come with an inactivity timeout option, which will automatically shut it off after X minutes of inactivity.
5. Avoid The Defaults
This is more of a blanket statement that touches the other two areas as well, but most of the default settings for setting up your mobile hotspot should be avoided, with WPA2 Security being just about the only exception, it’s good to avoid any of the default settings in general. The default passcode being changed is the most important to note, even if the passcode meets the complexity requirements in step 3, as it’s possible this passcode is re-used and can be a part of an attacker’s dictionary attempts.
That’s it! Follow these tips as a best practice and enjoy the freedom for high-speed Internet anywhere you go (or at least anywhere you have 4G). If you have any questions or comments, feel free to connect with me through Twitter @tehcolbysean.