Geolocation devices are great for keeping tabs on your teenagers or finding the quickest route to the campsite. However, geolocation technology is increasingly a weapon wielded by cybercriminals, and protecting against its use is problematic. Why are geolocation devices a threat? And what should managed service providers (MSPs) do to protect their clients against this latest threat?
An exploding trend becomes a risky business
As IoT, portable and wearable medical devices, and hybrid work environments have exploded, geolocation technology has become embedded in virtually all segments.
“We don’t yet understand all the risks, but having locations of not just devices but people also so highly available is risky,” states James Connor, an emerging threat cybersecurity specialist in Chicago.
The geolocation threat surfaced in the form of newly emerged malware discovered by researchers. The program is called Whiffy Recon. It was only detected this month, and its actual purpose is unclear.
“Do I think the middle manager at the local department store has much to fear from Whiffy Recon? Probably not,” Connor replies. “For some verticals, however, Whiffy Recon is a disturbing menace to watch.”
Connor explains that Whiffy Recon is troubling because we don’t understand its exact motivations. “By tracking a target’s movements, they can establish patterns and attack the target in a more vulnerable location. For example, if they decide to tap into a public Wi-Fi network, the hacker could ominously know where a person is and use that information to compromise them,” says Connor.
BleepingComputer describes Whiffy Recon’s infection process in Windows systems as follows:
For Windows systems where that service is present, Whiffy Recon enters a Wi-Fi scanning loop that runs every minute, abusing the Windows WLAN API to collect the required data and sending HTTPS POST requests containing Wi-Fi access point information in JSON format to Google’s geolocation API.
Using the coordinates in Google’s response, the malware formulates a more complete report about the access points including their geographic position, encryption method, and SSID. It sends it to the threat actor’s C2 as a JSON POST request.
MSPs and geolocation protection
Protecting against geolocation threats is challenging because geolocation applications have various non-nefarious, crucial uses. These range from keeping track of supply chain movements to managing delivery drivers to implementing conference calls. “Unless you are willing to disable all geolocation capability in all devices completely, protecting clients from geolocation threats is almost impossible,” Connor revealed, adding that there are some basic steps that MSPs can take to mitigate threats.
Steps for MSPs
VPN usage: “Regarding cybersecurity, you always play an odds game,” says Connor. “It’s tough to stamp out threats completely, but you can make things tougher for the cybercriminals, and VPNs will do that.” He also noted that using VPNs will encrypt data and hide IP addresses.
MSP monitoring: Implement continuous monitoring solutions to detect unusual or unauthorized geolocation data access. “One of my clients experienced a breach where an outside party accessed a trove of geolocation data, and that is all they accessed; they entered the system, helped themselves, and left. This could have been detected easily if they had had a system and protocol in place for monitoring,” Connor explains.
Vendor monitoring: MSPs should monitor third-party vendors’ security to ensure their geolocation data is handled according to best practices. “Cybersecurity is only as good as the weakest link, and if a third-party vendor isn’t performing as they should, then the whole system can come down,” says Connor.
User training: Always the cheapest and most effective. “Sometimes just educating users as to how geolocation data can be used if it falls into the wrong hands can do a lot to make users more aware,” Connor expressed. Making people more aware and advising them to turn off their Wi-Fi location settings can go a long way.
Patching: Many patch updates have geolocation protections. MSPs should continue to keep the patching regimen current. “Geolocation technology isn’t going anywhere. It’ll become increasingly ingrained, but that means the bad guys will find more and more ways to use it. MSPs should incorporate geolocation safety measures into part of their regular protocol,” voiced Connor.
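The monitoring step can be made concrete against the Whiffy Recon behavior described above (a Wi-Fi scan every minute, each followed by an HTTPS POST to Google’s geolocation API). The Python below is an added example, not code from the article, BleepingComputer, or any vendor: it flags clients that hit that API on a steady one-minute cadence. The log format, client names, endpoint path, and thresholds are assumptions, the sample lines are constructed, and seeing the URL path assumes a TLS-inspecting proxy.

```python
from collections import defaultdict
from datetime import datetime

# Assumed indicator: Google's Geolocation API endpoint (path needs TLS inspection).
GEO_HOST, GEO_PATH = "www.googleapis.com", "/geolocation/v1/geolocate"
PERIOD, TOLERANCE, MIN_RUN = 60.0, 5.0, 4  # assumed tuning: seconds, seconds, gaps

# Constructed sample proxy log: timestamp, client, method, host, path.
SAMPLE_LOG = """\
2024-01-15T09:00:02 ws-014 POST www.googleapis.com /geolocation/v1/geolocate
2024-01-15T09:00:40 laptop-22 POST www.googleapis.com /geolocation/v1/geolocate
2024-01-15T09:01:03 ws-014 POST www.googleapis.com /geolocation/v1/geolocate
2024-01-15T09:01:30 ws-014 GET intranet.example /index.html
2024-01-15T09:02:01 ws-014 POST www.googleapis.com /geolocation/v1/geolocate
2024-01-15T09:03:04 ws-014 POST www.googleapis.com /geolocation/v1/geolocate
truncated line
2024-01-15T09:04:02 ws-014 POST www.googleapis.com /geolocation/v1/geolocate
2024-01-15T09:17:12 laptop-22 POST www.googleapis.com /geolocation/v1/geolocate
"""

def parse(lines):
    """Yield (client, time) for POSTs to the geolocation endpoint; skip bad lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, method, host, path = parts
        if method == "POST" and host == GEO_HOST and path.startswith(GEO_PATH):
            try:
                yield client, datetime.fromisoformat(ts)
            except ValueError:
                continue

def periodic_geolocators(lines):
    """Return {client: longest run of ~PERIOD-second gaps} where run >= MIN_RUN."""
    seen = defaultdict(list)
    for client, ts in parse(lines):
        seen[client].append(ts)
    flagged = {}
    for client, stamps in seen.items():
        stamps.sort()
        best = run = 0
        for prev, cur in zip(stamps, stamps[1:]):
            gap = (cur - prev).total_seconds()
            run = run + 1 if abs(gap - PERIOD) <= TOLERANCE else 0
            best = max(best, run)
        if best >= MIN_RUN:
            flagged[client] = best
    return flagged
```

A flagged client is a lead rather than a verdict: the next step is to identify which process on that machine is making the requests, since browsers and mapping tools call the same API but rarely on a fixed interval.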