9

I'm having some difficulty determining how, or if, MiFi devices on property should be regulated. Personally, I see them as having little difference from any other rogue AP in the environment - the only real distinction being that they're generally not directly connected to the corporate network. However, it is that segregation from the company network that makes labeling them as (and convincing management that they are) an actual threat somewhat difficult.

What are the prime security concerns that a company should be aware of, in regards to allowing these devices to operate on property and unregulated?

Rory Alsop
Iszi

2 Answers

7

A significant threat is around an attacker setting up a hot spot that purports to be a valid company wireless access point. If the SSID is right, and the organisation doesn't use mutual authentication, users may connect to the malicious hotspot, which means all traffic will travel through kit controlled by the attacker.

See this question and this one for some implications.

Rory Alsop
  • Thanks for the note, Rory. This question is more about non-spoofing MiFis, but you do bring up an important point. It should be noted though, that a MiFi's usefulness in this sort of attack is mostly limited to spoofing wireless APs which do not access the corporate internal network - since the MiFi only connects the WiFi clients to a cellular Internet. A true rogue AP however, can bridge the gap between WiFi and the corporate intranet. – Iszi Jan 27 '11 at 08:41
  • @Iszi - true...however most users are less aware than you might think so may still be tricked into giving credentials, at which point the attacker can turn off their hotspot and the user just thinks their connection failed and tries again. – Rory Alsop Jan 27 '11 at 08:57
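The "evil twin" concern raised in this answer (a hotspot advertising the company's SSID so that clients associate with attacker-controlled kit) is something a defender can look for in wireless scan data: any beacon carrying a corporate SSID, or a look-alike of it, from a BSSID that is not in the managed-AP inventory. The script below is an added illustration, not code from the original question or answers; the SSID `CorpWiFi`, the authorised BSSIDs and the beacon records are all constructed assumptions in the shape a WIDS export or a parsed `iw ... scan` listing might take.

```python
"""Flag beacons that advertise a corporate SSID (or a look-alike) from an
access point that is not on the authorised inventory.

Hypothetical defender-side helper; all names and sample records are
constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str        # AP MAC address as seen in the scan
    channel: int
    signal_dbm: int


# Assumption: the organisation's production SSID(s).
CORPORATE_SSIDS = {"CorpWiFi"}

# Assumption: BSSIDs of the managed, inventoried access points.
AUTHORISED_BSSIDS = {
    "00:11:22:33:44:01",
    "00:11:22:33:44:02",
}


def normalise_bssid(bssid: str) -> str:
    """Canonicalise a MAC so '00-11-22-33-44-01' and '00:11:22:33:44:01' compare equal."""
    hexdigits = "".join(ch for ch in bssid.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {bssid!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def _lookalike_key(ssid: str) -> str:
    """Reduce an SSID to a comparison key that ignores case and whitespace,
    so 'corpwifi' or 'Corp WiFi ' are treated as imitations of 'CorpWiFi'."""
    return "".join(ssid.split()).casefold()


def find_rogue_aps(beacons, corporate_ssids=CORPORATE_SSIDS, authorised=AUTHORISED_BSSIDS):
    """Return [(beacon, reason), ...] for beacons that use a corporate or
    look-alike SSID but originate from a BSSID outside the authorised set.
    Beacons with unrelated SSIDs (guest networks, personal hotspots) are not
    reported here; they are a separate policy question."""
    authorised_norm = {normalise_bssid(b) for b in authorised}
    lookalike_keys = {_lookalike_key(s) for s in corporate_ssids}
    findings = []
    for b in beacons:
        if normalise_bssid(b.bssid) in authorised_norm:
            continue  # a managed AP; nothing to flag
        if b.ssid in corporate_ssids:
            findings.append((b, "corporate SSID from unauthorised BSSID"))
        elif _lookalike_key(b.ssid) in lookalike_keys:
            findings.append((b, "look-alike SSID from unauthorised BSSID"))
    return findings


# Constructed sample scan: two managed APs, one exact-SSID rogue, one
# look-alike, one guest network on a managed AP and one personal hotspot.
SAMPLE_BEACONS = [
    Beacon("CorpWiFi", "00:11:22:33:44:01", 6, -45),
    Beacon("CorpWiFi", "00-11-22-33-44-02", 11, -60),
    Beacon("CorpWiFi", "a4:bb:6d:00:00:99", 6, -38),
    Beacon("corpwifi", "a4:bb:6d:00:00:98", 1, -70),
    Beacon("Guest-5G", "00:11:22:33:44:01", 36, -50),
    Beacon("MiFi_1234", "8c:3a:e3:12:34:56", 6, -40),
]

if __name__ == "__main__":
    for beacon, reason in find_rogue_aps(SAMPLE_BEACONS):
        print(f"{beacon.bssid} ch{beacon.channel} {beacon.signal_dbm} dBm "
              f"ssid={beacon.ssid!r}: {reason}")
```

Signal strength is worth keeping in the report: a rogue that is louder than the nearest managed AP is the one clients will actually prefer. Note that this only spots SSID imitation; it does nothing about the second point in the comments, users retyping credentials after a failed connection, which is a mutual-authentication and user-awareness problem rather than a detection one.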
5

The main concern would be using one of these devices to bridge networks; for example, connecting a company-owned device to the wired network and to the MiFi-created AP (which is basically unfiltered Internet) at the same time.

There's also the same set of concerns that you'd have with connecting company equipment to public networks (e.g. a coffee shop or home WiFi).

Beyond that, though, there's no appreciable difference between a MiFi and someone having a data phone or AirCard on premises. So long as they don't connect company equipment to it, there shouldn't be an issue.

Proteus
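The bridging scenario in this answer (a company machine on the wired network while also associated to a MiFi) shows up on the endpoint as a host that is dual-homed: one interface in corporate address space and another, non-corporate interface holding a default route. The script below is an added example, not code from the original answer; the corporate prefixes, host names and interface snapshots are constructed assumptions standing in for whatever an endpoint agent or inventory tool reports.

```python
"""Classify endpoint interface snapshots as 'ok', 'dual-homed' (corporate
plus foreign default route) or 'bridging' (dual-homed with IP forwarding on).

Hypothetical defender-side check; every value below is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_interface, ip_network
from typing import Dict, List, Optional

# Assumption: address ranges that belong to the corporate network.
CORPORATE_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]


@dataclass
class Iface:
    name: str
    address: str               # CIDR form, e.g. "10.20.30.40/24"
    gateway: Optional[str]     # default gateway reachable via this interface, if any
    is_up: bool


@dataclass
class HostSnapshot:
    hostname: str
    ip_forwarding: bool        # kernel forwarding / ICS enabled on the host
    ifaces: List[Iface] = field(default_factory=list)


def is_corporate(address: str, prefixes=CORPORATE_PREFIXES) -> bool:
    """True if the interface address falls inside a corporate prefix."""
    ip = ip_interface(address).ip
    return any(ip in net for net in prefixes)


def assess(host: HostSnapshot, prefixes=CORPORATE_PREFIXES) -> str:
    """Return 'ok', 'dual-homed' or 'bridging' for one host snapshot.

    Only interfaces that are up count; a wireless adapter that is present
    but not associated is not a path off the corporate network."""
    up = [i for i in host.ifaces if i.is_up]
    on_corporate = [i for i in up if is_corporate(i.address, prefixes)]
    foreign_default = [
        i for i in up
        if not is_corporate(i.address, prefixes) and i.gateway is not None
    ]
    if not (on_corporate and foreign_default):
        return "ok"
    # Forwarding turns "this host could leak" into "this host is a router
    # between the two networks", so report it separately.
    return "bridging" if host.ip_forwarding else "dual-homed"


def assess_fleet(hosts: List[HostSnapshot]) -> Dict[str, str]:
    """Map hostname -> status for a collection of snapshots."""
    return {h.hostname: assess(h) for h in hosts}


# Constructed sample fleet: one dual-homed workstation, one that is also
# forwarding, one whose wireless adapter is down, and one on the wire only.
SAMPLE_HOSTS = [
    HostSnapshot("ws-0421", False, [
        Iface("eth0", "10.20.30.40/24", "10.20.30.1", True),
        Iface("wlan0", "192.168.1.57/24", "192.168.1.1", True),
    ]),
    HostSnapshot("ws-0422", True, [
        Iface("eth0", "10.20.30.41/24", "10.20.30.1", True),
        Iface("wlan0", "192.168.1.58/24", "192.168.1.1", True),
    ]),
    HostSnapshot("ws-0423", False, [
        Iface("eth0", "10.20.30.42/24", "10.20.30.1", True),
        Iface("wlan0", "192.168.1.59/24", "192.168.1.1", False),
    ]),
    HostSnapshot("ws-0424", False, [
        Iface("eth0", "10.20.30.43/24", "10.20.30.1", True),
    ]),
]

if __name__ == "__main__":
    for name, status in assess_fleet(SAMPLE_HOSTS).items():
        print(f"{name}: {status}")
```

The same check covers the answer's second point, company equipment joining coffee-shop or home networks, since a laptop on a VPN into corporate address space while also holding a foreign default route lands in the same "dual-homed" bucket. What to do about it is policy: most organisations either disable wireless when a wired link is active or require a full-tunnel VPN, and this kind of snapshot is how you confirm the control is actually in effect.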