Healthcare Risks Point to Rogue Access Points

Rogue Access Points

Healthcare facilities, specifically hospitals, perform critical, life-saving operations, and technology now assists in those operations. The introduction of the Internet of Medical Things (IoMT) has proven to be mission-critical. However, this reliance on Wi-Fi connectivity has left the healthcare industry extremely vulnerable to Evil Twin attacks. Even more worrying is that such attacks typically go undetected.

Evil Twin

In an Evil Twin attack, a malicious actor sets up a rogue access point (AP) that impersonates a legitimate AP by spoofing its SSID and BSSID (MAC address). To get users to connect, the rogue AP either transmits a stronger signal than the legitimate AP or knocks the legitimate AP offline and takes its place. Once a user is unknowingly connected to the rogue AP, their traffic is exposed to the adversary, which enables further malicious activity: interception, traffic manipulation and man-in-the-middle (MiTM) attacks that hijack the session and expose sensitive information. An Evil Twin attack might even give the perpetrator control over the entire network. Healthcare entities are an extremely appealing target because of the data they collect; healthcare information is highly sought after on the dark web and brings large financial rewards to the seller.

Attackers are therefore eager to carry out Evil Twin attacks on healthcare delivery organizations (HDOs). The industry's growing dependence on technology means malicious actors can get their hands on an extensive amount of sensitive data, and several industry-specific weaknesses increase the chances of a successful attack.

Rogue Access Points infographic

Complex Wi-Fi infrastructure

Research by Zingbox found that there is an average of 10-15 connected medical devices per hospital bed. This dependence on internet-connected devices has made wireless networks a fundamental component of healthcare delivery. According to Aruba Networks Product Marketing Manager Rick Reid, “In a healthcare setting, the network has to be extremely reliable because it’s literally life or death… Once a hospital moves to that critical communication method you have to make sure it works in the stairwell and it works in the hallways, and you can’t have any dead spots.” This heavy reliance calls for a very complex, interconnected Wi-Fi infrastructure so that access is available everywhere.

However, HDOs tend to be expansive facilities, so ensuring coverage over the entire area is a challenge. Gaps in coverage leave room for a rogue AP configured with the same SSID and BSSID as the legitimate one. Because it appears genuine and is the stronger signal, users and devices will connect to the rogue AP without hesitation.
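The spoofing described above copies the SSID and BSSID, but a rogue AP rarely matches every other attribute of the AP it imitates. The following is an added example (not Sepio's code or any product's logic) of a defender-side check that compares beacon observations against a known-AP inventory and flags the indicators an Evil Twin leaves behind: a trusted SSID from an unknown BSSID, a known BSSID whose security mode or channel has changed, a sudden jump in signal strength, and one BSSID beaconing on two channels at once. All MAC addresses, SSIDs and signal values are constructed.

```python
from collections import defaultdict

# Constructed inventory of legitimate APs (hypothetical MACs and SSIDs)
KNOWN_APS = {
    "00:11:22:33:44:01": {"ssid": "Hospital-Guest", "channel": 6,
                          "security": "WPA2", "rssi": -62},
    "00:11:22:33:44:02": {"ssid": "Hospital-Clinical", "channel": 36,
                          "security": "WPA2-Enterprise", "rssi": -70},
}

# Constructed beacon observations: (bssid, ssid, channel, security, rssi_dbm)
OBSERVATIONS = [
    ("00:11:22:33:44:01", "Hospital-Guest", 6, "WPA2", -62),
    ("00:11:22:33:44:02", "Hospital-Clinical", 36, "WPA2-Enterprise", -70),
    # same SSID and BSSID as the guest AP, but open, on another channel, louder
    ("00:11:22:33:44:01", "Hospital-Guest", 11, "OPEN", -38),
    # trusted SSID advertised from a BSSID that is not in the inventory
    ("aa:bb:cc:dd:ee:ff", "Hospital-Clinical", 1, "WPA2", -45),
]

RSSI_JUMP_DB = 15  # signal gain beyond the baseline treated as suspicious


def find_evil_twin_indicators(observations, known_aps=KNOWN_APS):
    """Return (bssid, reason) findings; an empty list means nothing suspicious."""
    findings = []
    trusted_ssids = {ap["ssid"] for ap in known_aps.values()}
    channels_seen = defaultdict(set)
    for bssid, ssid, channel, security, rssi in observations:
        channels_seen[bssid].add(channel)
        known = known_aps.get(bssid)
        if known is None:
            if ssid in trusted_ssids:
                findings.append((bssid, f"unknown BSSID advertising {ssid!r}"))
            continue
        # A spoofed BSSID copies the MAC but rarely every other attribute.
        if security != known["security"]:
            findings.append((bssid, f"security {known['security']} -> {security}"))
        if channel != known["channel"]:
            findings.append((bssid, f"channel {known['channel']} -> {channel}"))
        if rssi - known["rssi"] > RSSI_JUMP_DB:
            findings.append((bssid, f"signal {known['rssi']} -> {rssi} dBm"))
    # One BSSID beaconing on two channels at once means two radios share it.
    for bssid, chans in channels_seen.items():
        if len(chans) > 1:
            findings.append((bssid, f"seen on channels {sorted(chans)}"))
    return findings
```

In practice the observations would come from a wireless sensor or a periodic scan, and the inventory from the WLAN controller; the check is only as good as the inventory it is compared against.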


Public facilities

Initiating an Evil Twin attack requires the rogue AP to be relatively close to the target network so that client devices can see it. HDOs are open to all members of the public, so the perpetrator can easily get this close. Gaining control over the network is also simpler when the network is public, as is the case in many HDOs' infrastructure. Even where a password is required, the credentials are typically displayed openly to give patients and visitors easy access.

Lack of cybersecurity

As an industry that performs life-saving operations, HDOs make patient safety the priority. This not only makes cybersecurity an afterthought, but it is sometimes even considered a hindrance to operations. It is therefore no surprise that the healthcare industry lacks good cyber hygiene practices. Above all, staff connect to an AP without a second thought. Because a rogue AP perfectly spoofs the legitimate one, it is almost impossible for staff members to tell that it is illegitimate. Moreover, research by Forescout found that security measures such as encryption and network segmentation are insufficient in hospitals, with many IoT devices connected to the same network as critical IoMT devices. Without these security measures, an Evil Twin attack can cause substantial damage.

Sepio Systems’ Solution

With Sepio’s Hardware Access Control solution (HAC-1), HDOs can be sure that they will not fall victim to an Evil Twin attack. By constantly monitoring and analyzing all wireless communication in real-time through Machine Learning, HAC-1 identifies all devices operating within the enterprise’s environment, including MAC-spoofed devices which otherwise go undetected. HAC-1’s policy enforcement mechanism allows the solution to instantly detect suspicious connections and trigger a mitigation process through integrated Network Access Control products.

The Sepio platform uses a novel algorithm that couples a physical layer fingerprinting module with a Machine Learning module to provide the sought-after visibility and enforcement level. It is further augmented by a threat intelligence database, reducing the risk carried by the hardware infrastructure.


Sepio Hardware Access Control (HAC-1) provides 100% hardware device visibility.

HAC-1 enables Hardware Access Control by setting rules based on the devices' characteristics.

HAC-1 instantly detects any device that breaches the set rules and automatically blocks it to prevent malicious attacks.

The idea is to Verify and then Trust that those assets are what they say they are.

With greater visibility, the zero-trust architecture can make access decisions with complete information, enhancing the enterprise’s protection within, and outside of, its traditional perimeters.

The Hardware Access Control capabilities of HAC-1 block Rogue Devices as soon as they are detected.

Our HAC-1 solution stops an attack at the first instance, not even allowing such devices to make network access requests.

Sepio Hardware Access Control (HAC-1) provides 100% hardware device visibility. No device goes unmanaged. Rogue Devices are blocked as soon as they are detected. HAC-1 stops an attack at the first instance, not even allowing such devices to make network access requests.

Physical Layer Fingerprinting

Sepio is the only company in the world to undertake Physical Layer fingerprinting. HAC-1 detects and handles all peripherals; no device goes unmanaged.

With this total visibility, a stronger cyber security posture is achieved. There is no longer a need to rely on manual reporting or employee compliance. Sepio manages security and provides answers to questions such as:

  • Do we have an implant or spoofed device in our network?
  • How many IoT devices do we have?
  • Who are the top 5 vendors for devices found in our network?
  • Where are the most vulnerable switches in our network?

Having visibility across all hardware assets provides a more comprehensive cyber security defense, reducing the risk of a hardware attack succeeding and of private health data being stolen.

Founded in 2016 by cybersecurity industry veterans from the Israeli Intelligence community, Sepio offers HAC-1, the first hardware access control platform that provides visibility, control, and mitigation to zero trust, insider threat, BYOD, IT, OT and IoT security programs.

Sepio’s hardware fingerprinting technology discovers all managed, unmanaged and hidden devices that are otherwise invisible to all other security tools. Sepio is a strategic partner of Munich Re, the world’s largest re-insurance company, and Merlin Cyber, a leading cybersecurity federal solution provider.

Heavy spending on cybersecurity should bring a high return on investment, yet gaps in visibility limit this. Sepio Hardware Access Control (HAC-1) solution provides a panacea to gaps in device visibility to ensure you are getting the most out of your cybersecurity investments. HAC-1 integrates with existing solutions, such as NAC, EPS, SIEM and SOAR, to enhance the organization’s cybersecurity posture. HAC-1’s deep visibility capabilities mean no device goes unmanaged; the solution identifies, detects, and handles all IT/OT/IoT devices.

Moreover, HAC-1’s policy enforcement mechanism and Rogue Device Mitigation capabilities instantly block any unapproved or rogue hardware. In doing so, ultimately, HAC-1 enables a Zero Trust Hardware Access approach which stops attackers at the first line of defense.

Sepio supporting compliance

Sepio Hardware Access Control (HAC-1) solution provides entities with the Physical Layer coverage they need to obtain complete device visibility. And, in doing so, also provides protection against hardware-based attacks. As the leader in Rogue Device Mitigation (RDM), Sepio’s solution identifies, detects and handles all peripherals; no device goes unmanaged.

HAC-1 uses Physical Layer fingerprinting technology and Machine Learning to calculate a digital fingerprint from the electrical characteristics of all devices and compares them against known fingerprints.

In doing so, HAC-1 is able to provide organizations with ultimate device visibility and to detect vulnerable devices and switches within the infrastructure. In addition to the deep visibility layer, a comprehensive policy enforcement mechanism recommends best-practice policies and allows the administrator to define a strict, or more granular, set of rules for the system to enforce. When a device breaches the pre-set policy, HAC-1 automatically instigates a mitigation process that instantly blocks unapproved or Rogue hardware.

Furthermore, HAC-1’s RDM capabilities support compliance with Section 8 of the EO, which concerns the government’s investigative and remediation capabilities. Section 8 focuses on enhancing data collection efforts in order to improve the investigation and remediation processes following an incident. HAC-1 logs all hardware asset information and usage and maintains such data for a period defined by the system administrator.