Keeping the WiFi public hotspot industry safe

Originally published: 12 March 2009  – Latest update 20 April 2010

There are an increasing number of WiFi wireless hotspots being set up, mainly as a customer-service extra by cafe and bar operators. But there have been a few security issues that are likely to put users, especially business users off benefiting from these hotspots.

This is becoming more real due to netbooks, mobile Internet devices, WiFi-capable smartphones and other easily-portable computing devices becoming more common. The hotspots will become increasingly important as people take these devices with them everywhere they go and manage their personal or business data on them.

The primary risk to hotspot security

The main risk is the “fake hotspot” or “evil twin:. These are computers or smart routers that are set up in a cafe or bar frequented by travellers, business people or others who expect Internet access. They can be set up in competition to an existing hotspot that offers paid-for or limited-access service or on the fringes of an existing hotspot or hotzone. They offer the promise of free Internet access but exist for catching users’ private information and/or sending users to malware-laden fake Websites hosted on the computers.

Standard customer-education practices

The common rhetoric that is given for wireless-hotspot security is for the customer to put most of their effort into protecting their own data without the business owner realising that their hotspot service could be turning in to a liability. This can then lead to the hotspot service gathering dust due to disuse by the customers it was intended to serve.

The typical advice given to users is to check whether the premises is running a wireless hotspot or if there is a hotzone operating in the neighbourhood before switching on the wireless network ability in your laptop computer. Then make sure that you log on to a network identified by a legitimate ESSID when you switch on the wireless network ability.

Other suggestions include use of VPNs for all Web activity, which can become difficult for most personal Web users such as those with limited computer experience. Some people even advise against using public Internet facilities like Internet cafes and wireless hotspots for any computing activity that is confidential on a personal or business level.

But everyone involved in providing the free or paid-for hotspot service will need to put effort into assuring a secure yet accessible hotspot which provides a high service quality for all users. This encompasses the equipment vendors, wireless Internet service providers and the premises owners.

Signage and operating practices

When Intel promoted the Centrino chipset for laptop computers, they promoted wireless hotspot areas that were trusted by having a sticker with the Centrino butterfly logo at eye level on the door and the premises being scattered with table tent cards with that same logo. Similarly hotspot service providers and wireless Internet service providers used similar signage to promote their hotspots.

But most business operators, especially small independently-run cafes and bars, commonly deploy “hotspot-in-a-box” solutions where they connect a special wireless router that they have bought to their Internet service and do their own promotion of the service. This may simply be in the form of a home-printed sign on the door or window or a home-printed display sign near the cash register advising of WiFi hotspot service.

An improvement on this could be in the form of the ESSID matching the business’s name and listed on the signage, which should have the business’s official logo. Similarly, the network could be set up with WPA-PSK security at least with the passphrase given to the customers by the business’s staff members when they order hotspot service. Most “hotspot in a box” setups that list the customer’s username and password on a paper docket also list the ESSID and WPA-PSK passphrase on these dockets. As well, I would modify the login page to convey the business’s look with the business’s logo and colours. A complimentary-use hotspot could be secured with a WPA-PSK passphrase and the customer having to ask the staff member about the passphrase. This could allow the facility to know who is using the hotspot and the organisation who runs that hotspot can have better control over it.

It may be worth the industry investigating the feasibility of using WPA-Enterprise security which is associated with different usernames and passwords for access to the wireless network. Most portable computers and handheld devices in current use can support WPA-Enterprise networks. This can be implemented with the typical “paper-docket” model used by most “hotspot-in-a-box” setups if the authentication system used in these units works as a RADIUS server and the built-in wireless access point supports WPA-Enterprise with the unit’s built-in RADIUS server. The same setup could work well with a membership-based hotspot service like a public library with the RADIUS server linked to the membership database. But it may not work easily with hotspot setups that work on a “self-service” model such as paid-service hotspots that require the user to key in their credit-card number through a Webpage or free-service hotspots that use a “click-wrap” arrangement for honouring their usage terms and conditions.

The organisation who runs the hotspot should also be aware of other public-access wireless networks operating in their vicinity, such as an outdoor hotzone or municipal wireless network that covers their neighbourhood; and regularly monitor the quality of service provided by their hotspot. Also, they need to pay attention to any customer issues regarding the hotspot’s operation such as “dead zones” or unexpected disconnections.

People who own private-access wireless networks should also keep these networks secure through setting up WPA-secured wireless networks. They should also check the quality of their network’s service and keep an eye on sudden changes in their network’s behaviour.

When wireless-network operators keep regular tabs on the network’s quality of service, they can be in a better position to identify rogue “evil-twin” hotspots

Improved standards for authenticating wireless networks

There needs to be some technical improvement on various WiFi standards to permit authentication of WiFi networks in a manner similar to how SSL-secured Web sites are authenticated. This could be based around a “digital certificate” which has information about the hotspot, especially:

  • the ESSID of the network ,
  • the BSSID (wireless network MAC) of each of the access points,
  • the LAN IP address and MAC number of the Internet gateway
  • the venue name and address and
  • the business’s official name and address.

The certificate, which would be signed by public-key / private-key method could be part of the “beacon” which announces the network. It would work with the software which manages the wireless network client so it can identify a wireless network as being secure or trusted if the signature is intact and the network client is attached to the network from the listed BSSIDs and is linking to the gateway LAN IP.

The user experience would be very similar to most Internet-based banking or shopping Websites where there is a “padlock” symbol to denote that the user is using an SSL-secured Website with an intact certificate. It will also be like Internet Explorer 7 and 8 where the address bar turns green for a “High-Assurance” certificate which requires higher standards. In this case, the user interface could use colour-coding and / or a distinctive icon for indicating a verified public network.

The provision of cost-effective wireless-network management software

There are some programs that can turn a laptop computer in to a wireless-network survey tool, but most of them don’t show much useful information, are hard to operate for anyone other than a network technician; or are too costly. They miss the needs of people who run home or small-business wireless networks or wireless hotspots.

What needs to exist is low-cost wireless-network management software that can work with the common Microsoft or Apple platforms on computers that have common wireless . The software should be able to use commonly-available wireless network adaptors such as the Intel Centrino platform to perform site surveys on the WiFi bands and display the activity on these bands in an easy-to-view but comprehensive manner. The software should be easy to use for most people so they can spot interference to their wireless network easily and can “tune” their wireless network for best performance.

An application that is matching this need is MetaGeek’s inSSIDer, a free wireless-network site survey tool for the Windows platform which I have reviewed in this blog. It has the ability to list all the networks receivable by signal strength, MAC address, SSID or channel; or plot a graph of the networks by signal strength over time; or plot a graph of all the access points by signal strength over channel. This may help with managing your hotspot by identifying rogue access points and “evil-twin” hotspots.

Similarly the popular smartphone and PDA platforms like Applie iPhone, Android, Symbian S60 / UIQ, Blackberry and Microsoft Windows Mobile could have low-cost wireless-network management software written for them so they can make a handheld PDA or mobile phone work as a site-survey tool for assessing quality of service.

Once this kind of software is available for small business and home users, it empowers them to assure proper coverage of their network and check for any “evil twin” or other rogue hotspots being set up to catch customers.

Summary

There needs to be more effort put in to setting up secure public-access wireless networks so that people can benefit from portable computing anywhere without forfeiting the confidentiality of their personal or corporate data.

It also will encourage people to gain the maximum value out of their WiFi-enabled portable information devices whether for their business life or their personal life.

Leave a Reply