Low-cost man-in-the-middle attacks are becoming all too common in the wireless world as nefarious types increasingly take advantage of the inherently trusting nature of wireless technologies. Startup CoroNet promises an intriguing new weapon in the war against those who hijack either WiFi or cellular connections to eavesdrop and steal data.
For highly skilled hackers, it's easy to pull off man-in-the-middle attacks, which deceive unsuspecting network users into using bad-guy gear as a pass-through to the original network destination. Worse yet, a lack of hacking acumen is no longer a barrier to less-capable snoopers. With inexpensive hardware sets such as the Hak5 WiFi Pineapple or software (think OpenBTS as used in fake cell tower intercepts), even amateurs can get in the man-in-the-middle game for between $50 and $1,500, depending on the goals of the attack. CoroNet calls these attacks that work at the physical communications layer "commjacking" and cites a number of far-ranging and costly cases.
Among these is the Dark Hotel attack that targeted traveling executives in 5,000 luxury hotels over seven years, and a cellular commjacking vulnerability that forced BMW to recall over two million susceptible vehicles. Perhaps the most high-profile example happened at the last Emmy Awards, when more than 150 devices belonging to celebrities were commjacked, resulting in data loss and distribution of pictures harvested from victims' devices.
CoroNet’s target market is the enterprise (including government) where a lot is on the line during these kinds of attacks. The solution as CoroNet sees it is unique, and has nothing to do with encryption or added hardware on a given network. The company's technology secures the radio level by not allowing a client device to connect to malicious signals regardless of how carefully crafted the signals may be.
In short, the CoroNet agent, which installs on virtually any common OS, acts as a sensor that constantly learns the RF environment it's located in and uses sophisticated algorithms to detect threats and route around them. If the only signal in a given area is deemed malicious, the mode that CoroNet is running in (either regular or executive) determines whether the user can acknowledge the threat and proceed anyway.
When a threat can be operationally bypassed, the connection feels normal to device users, who have no idea they were kept off a worrisome network. Should the threat be such that routing around it isn't possible, CoroNet doesn't allow connectivity until a safe alternate wireless path is found, and it shows the user an on-screen message that explains the status. Security administrators can also whitelist signals as they choose.
Architecturally, CoroNet consists of device agents, a cloud dashboard, and a partnership with the company's NOC. An organization's security officer can monitor and report on device threats detected and avoided via the dashboard, though no details are available on the end-user device. As device agents detect threats, they feed that information back to the NOC for push-out to other subscribers in the area as the global threat database grows and adjusts.
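To make the "route around, whitelist, or block and explain" behaviour described above concrete, here is an added example of the kind of client-side decision logic such an agent could apply to a Wi-Fi scan. It is illustrative code written for this article, not CoroNet's agent or algorithms, and everything in it is constructed: the `Signal` record, the admin whitelist of approved SSID/BSSID pairs, the scan results, and the `regular`/`executive` mode handling. The key point it shows is that a whitelisted radio is preferred even when an unapproved radio broadcasting the same SSID is louder.

```python
"""Hypothetical evil-twin avoidance logic for a Wi-Fi client agent.

Illustrative example only; this is not CoroNet's code. The whitelist,
scan data and mode behaviour below are all constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    ssid: str    # network name as broadcast
    bssid: str   # access point radio MAC address
    rssi: int    # signal strength in dBm (higher is stronger)


# Constructed admin whitelist: SSID -> set of approved BSSIDs.
WHITELIST = {
    "corp-wifi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "hotel-guest": {"de:ad:be:ef:00:10"},
}

# Constructed scan: the loudest "corp-wifi" radio is not an approved BSSID.
SCAN = [
    Signal("corp-wifi", "aa:bb:cc:00:00:01", -60),
    Signal("corp-wifi", "ff:ff:ff:12:34:56", -40),   # same SSID, unknown radio
    Signal("hotel-guest", "de:ad:be:ef:00:10", -65),
    Signal("free-airport", "11:22:33:44:55:66", -50),
]


def classify(sig, whitelist):
    """Label a scanned radio as trusted, suspect (whitelisted SSID but
    unapproved BSSID, the evil-twin pattern) or unknown (SSID not in the list)."""
    if sig.ssid in whitelist:
        return "trusted" if sig.bssid in whitelist[sig.ssid] else "suspect"
    return "unknown"


def choose_path(scan, whitelist, mode="regular"):
    """Pick a connection target the way the article describes the agent:
    join the strongest trusted radio and silently avoid suspect ones; with no
    trusted radio, block and explain, prompting only in regular mode."""
    by_label = {"trusted": [], "suspect": [], "unknown": []}
    for sig in scan:
        by_label[classify(sig, whitelist)].append(sig)

    blocked = [s.bssid for s in by_label["suspect"]]
    if by_label["trusted"]:
        best = max(by_label["trusted"], key=lambda s: s.rssi)
        return {
            "connect": best.bssid,
            "blocked": blocked,
            "prompt": False,
            "message": f"connected to {best.ssid} via approved radio {best.bssid}",
        }

    # No safe path: hold connectivity. Executive mode never lets the user
    # override; regular mode shows the threat and lets the user acknowledge it.
    if mode == "executive":
        message = "no trusted wireless path available; connectivity held"
    else:
        message = "no trusted wireless path; acknowledge the threat to proceed"
    return {
        "connect": None,
        "blocked": blocked,
        "prompt": mode != "executive",
        "message": message,
    }


if __name__ == "__main__":
    print(choose_path(SCAN, WHITELIST))
    print(choose_path(SCAN[1:2], WHITELIST, mode="executive"))
```

Running the script joins the approved `corp-wifi` radio at -60 dBm, lists the -40 dBm look-alike as blocked, and reports no prompt; with only the look-alike in range, executive mode returns no connection and no prompt, while regular mode returns no connection but sets `prompt` so the user can acknowledge the threat.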
CoroNet executives told me that the presence of the agent has no perceptible performance penalty on client devices, and the agent has been optimized for minimal battery consumption.
Based in Israel, CoroNet is working with European carriers in wide-scale testing (in Europe, carriers often provide endpoint security directly to business customers). Expansion to the US is expected in the near future, likely via an MSP business model. Given that consumers can't directly purchase the CoroNet service, pricing varies, since each company will negotiate its own discounts. But there will be two tiers of service: one that protects just WiFi and cellular data, and an all-encompassing agent for voice, data, and SMS.
Whether CoroNet can make a go of it as a business remains to be seen, but there is elegance in a technology that forces clients to avoid trouble to begin with, as opposed to typical expensive IPS systems that just report on nearby threats in complicated dashboards.