Sharing internet between landlords and tenant businesses — or among companies in the same building — might seem thrifty, but cybersecurity experts warn it’s fraught with danger.
Many companies that share internet are on one subnet together, said Rodney Gullatte Jr., founder of Firma IT Solutions & Services. Because the network isn’t segmented, they’re unprotected from each other. Anyone connected to the network can potentially see everyone else’s unencrypted data — and an attack on one business can spell disaster for all.
“A lot of these businesses aren’t secure — if you’re secure you’re never going to set your office up like this in the first place,” Gullatte said. “So when one of them gets hit with a cyberattack, it’s going to affect all those other businesses that are connected to that same network, because there’s no walls between them. None.”
Attitudes to cybersecurity can differ dramatically between businesses. Different policies on information system security mean that more diligent businesses are vulnerable to attacks and outages via less-conscientious businesses on a shared network, said MainNerve Cyber Security Engineer Jon Ford.
“If one company uses a combination of antivirus, spam filters, regular education of its users, and periodic testing of its systems, and another company on the same network does not, then the less diligent company lowers the overall level of security of the more diligent company (this assumes a shared network and not just a shared uplink),” Ford said in an email.
Sharing a network also raises questions of liability.
“If a breach occurs,” Ford said, “who is ultimately responsible?”
Gullatte has seen it too many times.
“I don’t want to give away too much about these businesses, but there’s one business that leases space to the other businesses and in their lease agreement they give them internet. In that lease agreement they’re not giving them security — they’re just saying, ‘Yeah, you can use the internet with us,’” he said. “In some cases I’ve seen, the tenant business will go to OfficeMax or Best Buy and buy one of those consumer model routers that you buy for your house, and they’ll build their own little network off that because they think it will be better than sitting on the same network.”
The problem is, that router still shows up in the list of connected devices, Gullatte said, and he was not only able to connect to the Comcast cable modem from the tenant’s router, he also could log in to that cable modem using the default username and password. And that default username and password can be found with a quick Google search.
“That’s a problem,” he said. “When I’m in there I can see all the computers, I can see the other person’s router, I see all the network — and so can everybody else outside of that network.”
In that case, when Gullatte and the tenant pointed out the “huge vulnerability” to the business owner sharing the internet, he was unconcerned.
“He’s like, ‘I’m not interested in doing anything about that — we’ll just take the risk,’” Gullatte recalled. “They are exposing their tenants to a risk, and they’re OK with it.”
Gullatte is a certified ethical hacker, but these vulnerabilities are so glaring he doesn’t need to use hacking skills to locate them.
“I don’t even have to do a penetration test,” he said. “I don’t even have to go that far.”
Many business owners don’t understand the risks and don’t understand how networks function, Gullatte said, adding that the practice of sharing internet without correctly segmenting it is widespread in the Springs.
“I saw one where all three of the businesses handled sensitive information for people in our community,” he said. “There were three independent businesses, and they all shared the Comcast modem together — so I could see all the computers for each business when I went to look at the network. … And none of them were running any type of cybersecurity software. They all had free Avast or free Windows Defender, and one of them had all of their data just in Dropbox. No encryption — just in Dropbox.”
Another business had all their data in Google Drive, where sensitive information can be hacked and sold on the black market.
“It’s crazy,” Gullatte said. “This is people’s personal information you’ve just got willy-nilly in Google Drive, getting sold.
“They said, ‘Nobody’s messed with us in the last 10, 15 years, so we see no reason to invest in anything now.’ I said, ‘You know, the cyber threat has significantly increased in the last 10-15 years.’ I think they don’t understand how bad a breach is for them.”
Ford shared tips on safely setting up shared internet:
• Use a core switch to receive the uplink and set each entity behind its own firewall with its own public-facing IP address connected to the core switch.
• In cases where a specific space, like a conference room, requires access by multiple entities, consider strictly wireless access or establish a DMZ/Guest network that has no access to internal networks.
“If created properly, a guest network will give a business the ability to provide clients, guests and partners access to the internet (safely and securely) without introducing a potentially infected system into the internal network,” Ford said.
“This gives visitors a safe uplink to check their emails or browse the web with less potential for eavesdropping attacks like those often occurring at public wifi spots.”
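Ford's tips reduce to a property that can be checked on paper before any hardware is bought: every entity and the guest network sit in their own subnet, and no forwarding rule lets one segment reach another. The sketch below is an added example, not from Ford or the businesses described; the addresses, segment names and the (action, source, destination) rule format are constructed assumptions, with rules evaluated first match wins and default deny.

```python
import ipaddress
from itertools import combinations, permutations

# Constructed plan: two tenants and a guest segment, each its own subnet.
SEGMENTS = {"tenant_a": "10.10.1.0/24", "tenant_b": "10.10.2.0/24",
            "guest": "10.10.99.0/24"}

# Weak: "allow to the internet" written as 0.0.0.0/0 also matches neighbours.
WEAK_RULES = [("allow", cidr, "0.0.0.0/0") for cidr in SEGMENTS.values()]
# Corrected: block segment-to-segment traffic before the internet allows.
FIXED_RULES = [("deny", "10.10.0.0/16", "10.10.0.0/16")] + WEAK_RULES


def audit(segments, rules):
    """Return a list of isolation findings; an empty list means isolated."""
    nets = {name: ipaddress.ip_network(c) for name, c in segments.items()}
    findings = []
    # 1. Overlapping ranges mean two entities share one network.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            findings.append(f"overlap: {a} and {b} share address space")
    # 2. Walk the rules for every ordered pair of segments. This is
    #    conservative: an allow that touches the pair is reported unless
    #    an earlier deny covers both segments completely.
    for (src, ns), (dst, nd) in permutations(nets.items(), 2):
        for action, rsrc, rdst in rules:
            rs, rd = ipaddress.ip_network(rsrc), ipaddress.ip_network(rdst)
            if not (rs.overlaps(ns) and rd.overlaps(nd)):
                continue  # rule cannot match traffic between this pair
            if action == "allow":
                findings.append(
                    f"reachable: {src} -> {dst} via allow {rsrc} -> {rdst}")
                break
            if ns.subnet_of(rs) and nd.subnet_of(rd):
                break  # deny covers the whole pair; later rules never apply
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(name, audit(SEGMENTS, rules) or "isolated")
```

The weak rule set is the common mistake: each segment is only "allowed out to the internet", yet the catch-all destination also covers the neighbouring subnets, so the guest network can reach both tenants.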