Last week a
cyber security consultant called me to ask if Mojo Networks (the company I
co-founded) can provide WiFi jammers. He mentioned the need was to protect
Electronic Voting Machines or EVMs from WiFi based attacks. These EVMs from
recent legislative assembly elections in Maharashtra and Haryana were placed
inside a facility with physical security. Apparently, someone was concerned
about the possibility that WiFi may be used to hack these machines. As I
understand, these machines are not connected to any network; were kept lock
& key and are very difficult not easy to access. Anyway I reminded him that
civilians cannot deploy radio jammers. More important, there is no need to use
jammers to create protection against WiFi based attacks. It can be achieved by
deploying a state of the art wireless intrusion prevention system (WIPS).
However,
knowledge of WiFi security is feeble even among computer networking
professionals. In addition, there is lack of awareness on the regulatory
guidelines that exist in India such as Ministry of Communications &
Information Technology (MCIT) regulation, Ministry of Home Affairs (MHA)
guidelines, and RBI IT Governance guidelines, to name a few.
Fundamental to
wireless security is the sensor technology. WIPS sensors detect all WiFi in the
air; figure out which networks are authorized as well as those those that are
external. The system then prevents internal users from connecting to external
networks and quarantines devices that are un-authorized but are on users’ network.
While a single sensor can scan entire WiFi radio spectrum, sensors can be
dedicated to select channels to massively strengthen the security cover.
The notion of
“No WiFi” is an interesting use case. In a “no WiFi” environment there is no
WiFi access point on users’ network and none of the users are connected to WiFi
network of any kind. Such an environment is often required in data centers,
military locations and even organizations with high security posture such as
banks, IT/ITES companies. Besides creating a blanket “No WiFi” scenario inside
a data center or a military installation, interesting situations can emerge in
case of WiFi in Smart Cities where a No WiFi and public WiFi will need to coexist
at the same time.
Among above
regulations, MHA seems to be specific about the use of WIPS. A News item
appeared on MHA guidelines in Express Computers in 2009 (https://indianexpress.com/article/india/india-others-do-not-use/citing-safety-govt-bans-wifi-in-key-offices-missions/).
According to the News item, MHA mandates use of WIPS is
in sensitive Central Government ministries and missions. Another article appeared in the December 2009
issue of the Indian Police Journal on “WiFi Network - A Challenge to Security
Agencies”. (http://www.bprd.nic.in/WriteReadData/userfiles/file/5493026775-oct-dec.pdf).
It is
noteworthy that neither of these asks for radio jamming. On the contrary, some IT
administrators often ask if they can use jammers. That's like saying can I go
thru a RED Light. Its not allowed unless there is a regulator of traffic (like
a traffic cop) there and allows you to go. I must mention that security
consultant who called me was fully aware of WIPS and how to use it.
WiFi has
evolved a great deal since these articles appeared, has become ubiquitous and a
de-facto mode for end users to connect to their network and Internet. WiFi is
also making great strides in public arena. However, preparedness of business
and Government remains far from adequate. And, there have been attacks using
WiFi. While we are fixated on security threats emanating from backdoors in
3G/4G/5G network equipment, we are leaving front doors open by not deploying
WIPS at sensitive locations be it corporate, Government and even public.
Network and security administrators carry the primary responsibility for this.
It also necessitates a policy intervention on this front.
Coming to EVMs, they have done their job well. It is now for the political parties to
figure out Government formation, a non-trivial activity given the fractured
mandate and those with smaller share of seats aiming for bigger slice of the
Government pie.
No comments:
Post a Comment