Securing Public Hotspots--Protect Yourself And Your Users - InformationWeek


03:27 PM
Kurt Marko

Securing Public Hotspots--Protect Yourself And Your Users

Encrypting Wi-Fi is critical to keeping it a reliable and safe method of access.

Wi-Fi, not wired Ethernet, is now the network access method of choice for most users, having become so cheap and pervasive that it's even available on $50 text message gadgets aimed at grade-schoolers (which are easily hacked into a Linux-booting, BackTrack-worthy, penetration-testing appliance; see more below). Yet what Wi-Fi offers in convenience, it lacks (in spades) in security, at least in a public setting. In fact, the exposure on an open, unencrypted network is worse than you think--about like taking a swim in a smelly, tepid cesspool. Here's why.

Most IT pros are familiar with Firesheep, the Firefox extension that snoops unencrypted networks (usually open Wi-Fi, but also wired Ethernet), filters packets looking for common sites (Facebook is a favorite target), and captures their session cookies, allowing instant impersonation of the victim. But far more nefarious man-in-the-middle Wi-Fi attacks are relatively easy to set up and can not only capture data but transparently redirect the victim to bogus sites, opening the door to all kinds of fun exploits, whether it's making use of old, unpatched browsers to install a keylogger or cloning a banking site and hoping the rube on the other end doesn't notice the missing padlock symbol in the address bar.
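Firesheep works because a site sets its session cookie without the `Secure` attribute, so the browser sends it on any plain-HTTP request and an open-Wi-Fi sniffer can replay it. The following Python script is an added example (not from the article) that a site owner or pentester can run against captured response headers to find exactly those cookies. The sample headers, the cookie names and the name-matching heuristic are constructed for illustration.

```python
"""Audit Set-Cookie headers for the attributes that blunt session hijacking."""
import re
from dataclasses import dataclass, field

# Heuristic for names that look like session identifiers (an assumption, not a standard).
SESSION_NAME_RE = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    issues: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True  # flag attributes such as Secure, HttpOnly
    return name, attrs


def audit_cookies(set_cookie_headers):
    """Return one CookieFinding per header; session-like cookies get issues recorded."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        finding = CookieFinding(name, "secure" in attrs, "httponly" in attrs)
        if SESSION_NAME_RE.search(name):
            if not finding.secure:
                finding.issues.append(
                    "sent on plain-HTTP requests, so an open-Wi-Fi sniffer can replay it")
            if not finding.httponly:
                finding.issues.append("readable by page scripts")
        findings.append(finding)
    return findings


# Constructed sample: headers as a server might return them after login.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "auth_token=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]


def hijackable_cookies(set_cookie_headers=SAMPLE_HEADERS):
    """Names of session-like cookies that lack the Secure attribute."""
    return [f.name for f in audit_cookies(set_cookie_headers)
            if not f.secure and SESSION_NAME_RE.search(f.name)]


if __name__ == "__main__":
    for f in audit_cookies(SAMPLE_HEADERS):
        print(f"{f.name}: {'; '.join(f.issues) or 'ok'}")
```

On the sample, only `sessionid` is flagged: it has `HttpOnly` but not `Secure`, which is the Firesheep case. Marking the cookie `Secure` and serving the site with HSTS closes that path; `HttpOnly` and `SameSite` are listed because they cut off the other common ways a session cookie leaks.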

The more sophisticated of these types of attacks use a Wi-Fi honeypot, like the deceptively cute Pineapple (essentially a Fon access point running an OpenWrt package), which impersonates any SSID a client might be looking for, such as one the system has previously accessed and has configured to automatically reconnect to, essentially sucking in the Wi-Fi traffic from every client within range. In other words, when accessing unencrypted Wi-Fi APs, it's virtually impossible to know if you're being compromised.

Of course, WPA2 solves these vulnerabilities (although, even here, it's possible to exploit the WPA handshake and crack weak preshared keys), but because secure key management is a hassle, few public hotspots use it.

What's a poor road warrior to do? The best defense is to immediately establish a VPN tunnel, whether to your corporate network (make sure you're not split-tunneling and that all traffic is routed through the corporate WAN) or to a public provider, of which there are many (WiTopia is my favorite), upon making a Wi-Fi connection. Better yet would be for hotspot providers to start using encryption … if only there were an easier way. Thanks to Aerohive, there is.
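The "make sure you're not split-tunneling" check above is a routing-table question: does every destination leave through the VPN interface, or only the corporate subnets? The script below is an added example (not from the article) that classifies a Linux `ip route` table as full tunnel, split tunnel or no VPN. The three sample tables, the `tun0`/`wlan0` interface names and the addresses are constructed; the `0.0.0.0/1` + `128.0.0.0/1` pair is the real idiom OpenVPN's `redirect-gateway def1` uses to override the default route without deleting it.

```python
"""Classify a Linux routing table as full VPN tunnel, split tunnel, or no VPN."""
import ipaddress

# Constructed `ip route` output for three laptop states. tun0 is the VPN interface
# (an assumption; OpenVPN's usual name), wlan0 the hotspot Wi-Fi.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""
NO_VPN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""


def parse_routes(ip_route_output):
    """Parse `ip route` lines into (network, device, metric) tuples."""
    routes = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        if "/" not in dest:
            dest += "/32"  # host route printed without a prefix length
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((ipaddress.ip_network(dest, strict=False), dev, metric))
    return routes


def tunnel_mode(ip_route_output, vpn_iface="tun0"):
    """Return 'full-tunnel', 'split-tunnel' or 'no-vpn' for the given IPv4 table."""
    routes = parse_routes(ip_route_output)
    vpn_nets = {str(net) for net, dev, _ in routes if dev == vpn_iface}
    if not vpn_nets:
        return "no-vpn"
    # Case 1: the lowest-metric default route itself points at the VPN.
    defaults = [(metric, dev) for net, dev, metric in routes if net.prefixlen == 0]
    if defaults and min(defaults, key=lambda t: t[0])[1] == vpn_iface:
        return "full-tunnel"
    # Case 2: the "redirect-gateway def1" idiom: two /1 routes, each more specific
    # than the default, that together cover all of IPv4. The single host route to
    # the VPN server via wlan0 (203.0.113.5 above) is expected and not a leak.
    if {"0.0.0.0/1", "128.0.0.0/1"} <= vpn_nets:
        return "full-tunnel"
    return "split-tunnel"


if __name__ == "__main__":
    for label, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("none", NO_VPN)):
        print(f"{label}: {tunnel_mode(table)}")
```

To use it on a live machine, pipe `ip route` into `tunnel_mode`. The check is IPv4 only; on a dual-stack hotspot also run it over `ip -6 route` (or disable IPv6 while roaming), because a VPN that only redirects IPv4 leaves IPv6 traffic on the open network.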

Aerohive, one of those small, innovative, "we try harder" wireless LAN software and equipment vendors, developed what it calls Private PSKs (preshared WPA2 keys) two years ago, but the implementation was hampered by the need to individually set up and administer users--not a feasible situation for public networks. It has remedied this in the recent 4.0 release of the HiveOS/HiveManager software with an option for "secure guest self-registration" for PPSKs. While the software is still aimed at enterprises, Matthew Gast, Aerohive's director of product management, says it's also useful for public networks. Here's how it works.

Unlike traditional WPA-Personal (what most people use at home) keys, Private PSKs are unique, time-limited keys created for individual users on the same SSID. Since PPSK credentials are unique, a key from one user can't be used to derive keys for others. Furthermore, uniqueness allows network administrators to set each user's access policies, including virtual LAN, firewall policy, and quality of service.

The latest Aerohive software allows the keys to be delivered via a captive Web portal of the type many public hotspots already employ to get user acknowledgement of terms of service. This means that when people access an Aerohive-powered public hotspot and open their browsers, they are presented with their own randomly generated WPA2 keys. Getting onto the public Internet requires setting up a WPA2 connection using these private keys. While allowing a user to self-register is fine in many situations where a user's "right" to access a network isn't restricted, such as at coffee shops or airports, in some situations, such as at hotels or conference rooms, WLAN providers might want to verify a user's identity. Here, the Aerohive software allows preassigning a user ID (for example, the customer's last name concatenated with the room number), which that person must correctly enter in the Web portal before getting a private key.
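The two paragraphs above describe the PPSK model in words: one SSID, a distinct random time-limited key per user, optional preassigned user IDs, and no way to derive one user's key from another's. The Python model below is an added example written for this page; it is not Aerohive's code and does not describe their implementation. The portal class, the SSID, the key lifetime and the user IDs are constructed. What is standard is `wpa2_pmk`: WPA2-Personal maps a passphrase to the 256-bit PMK with PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds, which is why two users' PMKs on the same SSID are unrelated and why a long random passphrase (unlike a hotel's shared word) is not worth a dictionary attack on the handshake.

```python
"""Model of per-user, time-limited WPA2 keys (Private PSK) issued from a captive portal."""
import hashlib
import secrets
import time
from dataclasses import dataclass

SSID = "ExampleHotspot"            # constructed
KEY_LIFETIME_SECONDS = 24 * 3600   # assumption: one-day guest keys


@dataclass
class PrivateKey:
    user_id: str
    passphrase: str
    issued_at: float
    expires_at: float


def wpa2_pmk(passphrase, ssid):
    """IEEE 802.11i passphrase-to-PMK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32)


class PpskPortal:
    """Hypothetical portal/AP pair: issues keys and later resolves a key to its user."""

    def __init__(self, ssid, preassigned_ids=None, lifetime=KEY_LIFETIME_SECONDS):
        self.ssid = ssid
        # Empty set means open self-registration (coffee shop); a non-empty set
        # means the hotel/conference case where the ID must already be known.
        self.preassigned = set(preassigned_ids or [])
        self.lifetime = lifetime
        self.keys = {}  # passphrase -> PrivateKey

    def register(self, user_id, now=None):
        """Issue a fresh random key to a user; reject unknown IDs when IDs are preassigned."""
        if self.preassigned and user_id not in self.preassigned:
            raise PermissionError(f"unknown user id {user_id!r}")
        now = time.time() if now is None else now
        # 32 URL-safe ASCII chars (~192 bits): within WPA2's 8-63 char limit, not guessable.
        passphrase = secrets.token_urlsafe(24)
        key = PrivateKey(user_id, passphrase, now, now + self.lifetime)
        self.keys[passphrase] = key
        return key

    def authenticate(self, passphrase, now=None):
        """AP side: which user does this key belong to, if it exists and has not expired?"""
        now = time.time() if now is None else now
        key = self.keys.get(passphrase)
        if key is None or now >= key.expires_at:
            return None
        return key.user_id


def demo():
    """Hotel-style flow: two preassigned guests, then valid, expired and bogus key checks."""
    portal = PpskPortal(SSID, preassigned_ids={"smith101", "jones204"})
    k1 = portal.register("smith101", now=0)
    k2 = portal.register("jones204", now=0)
    # Distinct passphrases give unrelated PMKs even though the SSID (the salt) is shared.
    assert wpa2_pmk(k1.passphrase, SSID) != wpa2_pmk(k2.passphrase, SSID)
    return {
        "valid": portal.authenticate(k1.passphrase, now=3600),
        "expired": portal.authenticate(k1.passphrase, now=KEY_LIFETIME_SECONDS + 1),
        "wrong": portal.authenticate("not-a-key", now=3600),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keying the store by passphrase is that the AP identifies the client by which key completed the handshake, which is what lets a real PPSK deployment attach a per-user VLAN, firewall or QoS policy to that identity; the model only returns the user ID. Expiry is enforced at lookup time, so a key printed on a receipt is useless after the stay.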

Encrypting Wi-Fi is critical to keeping it a reliable, safe access method, and public hotspots remain the Wi-Fi architecture's Achilles' heel. A simple yet secure means of extending WPA2 security to situations where the user population is unknown and constantly changing is the next step in the evolution of public hotspots. While Aerohive has come up with an innovative and effective system, the industry really needs to develop a standard that can be deployed across WLAN platforms so that open, unencrypted Wi-Fi can become a thing of the past.
