Tag: wireless hotspots

Feature Article – Basic information about provisioning public Wi-Fi hotspot service

Introduction

You might be considering setting up that complimentary hotspot for your guests to use but there are certain risks to be aware of concerning the security of your business and your guests’ data and identity.

Risks that have been highlighted include confidential-data and identity theft performed against customers as they work with this data on their portable devices, as well as clandestine computer activity like the downloading or serving of illegal content or the distribution of spam email, performed using computers connected to public Internet networks like wireless hotspots.

As well, there may be other imperatives required of people who provide Internet access to the public. These imperatives, asked for by various local, state / regional or national governments, may include requirements like keeping a log of whom you provide Internet access to, or session tracking. I am not in a position to explain how to satisfy these needs, so it is best to seek local advice on this topic.

Therefore, your business should know who is using the hotspot service and be able to make sure that the people who benefit are the business’s customers or guests. This means that the customers or guests are actually going to be operating the network device that they use when connecting to the service and also operate it on your premises. As well, your customers know that they are going to actually benefit from your hotspot service when they log in to this service.

The cafe or bar as a “second office”

This is more important for the cafe as an increasing number of businesspeople use these places as “second offices” where they can work without unnecessary office-borne distraction or as places where they meet their colleagues or business partners. Here, these people will be working on workplace-confidential data and most of these workplaces place high value on the security of this data as it travels between the laptop and the workplace’s main computer systems.

In fact, the reason I have decided to publish this article was because a cafe that I regularly visit in Camberwell (Melbourne, Australia) had just started to offer free public Wi-Fi access but I had wanted them to provide a free Wi-Fi service that is safe for their customers. Here, they had an ordinary wireless router as the Internet service but they needed help in getting this service working properly and safely. They also wanted to make sure that this resource was available just to their customers as part of their customer service.

Your equipment

When you start out with your complimentary-use hotspot service, you may use a wireless router hooked up to a separate Internet service, or use one with a “guest-access” or hotspot function that is connected to your common Internet service.

This should be set up to cover your public area such as the bar areas in your bar or the dining room in your cafe. In some situations, you may need to use an additional access point to cover larger areas or get your signal past thick walls. This is something I have covered in this site as a separate article.

As well, if your equipment works on 802.11n technology, it should be set to work in compatibility mode where it can work with 802.11g and 802.11n devices. This is to cater for the fact that most devices that are in circulation, especially smartphones, are likely to work with 802.11g technology and people may operate battery-operated 802.11n-capable devices in 802.11g mode in order to conserve battery runtime.

Dual-band setups

It may be an asset to consider a dual-band setup for your wireless hotspot. This will use a radio presence on the 2.4GHz band as well as the newer 5GHz band and is supported by an increasing number of newer laptops, tablets and smartphones. The new waveband comes into its own for multimedia applications like video conferencing or photo and video uploads to social media, as well as taking some pressure off the 2.4GHz band for legacy equipment to use.

This can be achieved with a router / gateway or access point that implements simultaneous dual-band operation or you can add a 5GHz access point or a dual-band access point set up for 5GHz operation to your existing network.

Here, you need to make sure you still have your network set up for 802.11b/g/n operation for the 2.4GHz band and 802.11n operation for the 5GHz band. If your equipment supports 802.11ac Wi-Fi, you may have to make sure that the 5GHz aspect works in a compatibility mode for both 802.11n and 802.11ac equipment. As for the SSID (Network Name) which is talked about below, you can use the same SSID for both bands and the clients’ computer equipment switches between the bands automatically.

Your SSID or Network Name

The SSID or network name is very important to your hotspot’s identity. Here, it should reflect your business’s name and have a reference to public or guest Wi-Fi service. An example that I used for a basic complimentary-use Wi-Fi hotspot that I set up at a coffee lounge just recently was MORAVIA-PUBLIC-WIFI. Here this reflected the coffee lounge’s name (MORAVIA) as well as stating that the service was a public Wi-Fi hotspot service hosted by this business. Therefore, you can then identify any “evil-twin” or “fake-hotspot” devices left on or near the premises that exist to capture customers’ sensitive data.

This SSID must be used in all signage advertising your hotspot and the signage must reflect your company’s identity. This means that it either has your company logo and name or is in your company’s styling. In this case, the signage about the hotspot should at least exist beside the cash-register and the door, preferably at eye-level or near the main handle or pull.

Hotspot security

Basic security

Your hotspot network should be secured with a WPA-PSK passcode which your staff should give out to customers who want to use hotspot service. As well, the network should have wireless-client isolation enabled, so that customers who are using the hotspot cannot browse on to each others’ computers.

Previously, there wasn’t any wisdom in implementing link security on a public-use wireless network, but now that most computers and handheld devices support WPA-based link security for wireless networks, adding WPA-level link security is still worth it for achieving some control and security in a public-use wireless network.

It is still important to change the WPA-PSK passphrase regularly, such as at least twice a month. Some environments may require the passphrase to be changed every week. This is so that it becomes hard to set up a “fake hotspot” using your service’s credentials or keep a computer logged in to the hotspot service without you knowing.

People who use “open-frame” computing devices based on recent versions of Android or Windows may find that this job may be simplified. One method, which works with both operating systems, is to use WPS push-button setup on consumer routers that are suitably equipped and are serving as dedicated hotspot devices. But another method is to make a QR code representing the SSID and WPA passcode in a machine-readable form and print this out on to a card that you hand to your customer. Then they scan this code with their Android or Windows 10 device with the appropriate reader software.
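As an added illustration, not code from the original article, here is what the QR code on such a card carries and how a reader app unpacks it, written in Go. It uses the WIFI: text scheme (originated by ZXing) that common reader apps recognise; the SSID and passphrase are constructed samples, and the length checks in Encode are my own addition.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// WifiCredential is what the printed card has to convey.
// AuthType is "WPA" (covers WPA/WPA2-PSK), "WEP" or "nopass".
type WifiCredential struct {
	SSID, Passphrase, AuthType string
	Hidden                     bool
}

// escape protects the characters the WIFI: format reserves: \ ; , : "
func escape(s string) string {
	return strings.NewReplacer(`\`, `\\`, `;`, `\;`, `,`, `\,`, `:`, `\:`, `"`, `\"`).Replace(s)
}

// Encode builds the string to put in the QR code, for example
// WIFI:T:WPA;S:MORAVIA-PUBLIC-WIFI;P:latte\;art\:2016;;
func Encode(c WifiCredential) (string, error) {
	if n := len(c.SSID); n < 1 || n > 32 {
		return "", errors.New("SSID must be 1 to 32 bytes")
	}
	if c.AuthType == "WPA" && (len(c.Passphrase) < 8 || len(c.Passphrase) > 63) {
		return "", errors.New("WPA passphrase must be 8 to 63 characters")
	}
	var b strings.Builder
	fmt.Fprintf(&b, "WIFI:T:%s;S:%s;", c.AuthType, escape(c.SSID))
	if c.AuthType != "nopass" {
		fmt.Fprintf(&b, "P:%s;", escape(c.Passphrase))
	}
	if c.Hidden {
		b.WriteString("H:true;")
	}
	b.WriteString(";") // a second ';' terminates the payload
	return b.String(), nil
}

// Decode does what the reader app on the phone does: it splits the payload on
// unescaped ';' and ':' and restores the escaped characters.
func Decode(payload string) (WifiCredential, error) {
	var c WifiCredential
	if !strings.HasPrefix(payload, "WIFI:") {
		return c, errors.New("not a WIFI: payload")
	}
	rest := payload[len("WIFI:"):]
	for len(rest) > 0 && rest[0] != ';' { // the terminating ';' ends the loop
		i := strings.IndexByte(rest, ':')
		if i < 0 {
			return c, errors.New("field without ':'")
		}
		key, j := rest[:i], i+1
		var val strings.Builder
		for ; j < len(rest) && rest[j] != ';'; j++ {
			if rest[j] == '\\' && j+1 < len(rest) {
				j++ // take the escaped byte literally
			}
			val.WriteByte(rest[j])
		}
		if j >= len(rest) {
			return c, errors.New("unterminated field " + key)
		}
		switch key {
		case "T":
			c.AuthType = val.String()
		case "S":
			c.SSID = val.String()
		case "P":
			c.Passphrase = val.String()
		case "H":
			c.Hidden = val.String() == "true"
		}
		rest = rest[j+1:]
	}
	return c, nil
}

func main() {
	// Constructed sample credentials; the passphrase would be rotated as the article advises.
	payload, err := Encode(WifiCredential{SSID: "MORAVIA-PUBLIC-WIFI", Passphrase: "latte;art:2016", AuthType: "WPA"})
	fmt.Println(payload, err)
	fmt.Println(Decode(payload))
}
```

Anyone holding the card holds the passphrase, which is why the regular passphrase change above matters just as much when the credentials are handed out this way.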

As well, your hotspot should properly support VPN pass-through for all protocols so that business users can log in to their workplace VPNs without any headache.

Special hotspot-gateway devices

If you want greater control over your public Internet service, it may be worth implementing a “docket-printer-based” wireless hotspot gateway like the Netcomm HS-1100, Solwise WAS-105R or Zyxel N4100.

Here, these devices direct users to a login page where they have to key in a session login and password that they transcribe from a paper docket that is printed from a docket printer attached to the hotspot gateway. If you intend to offer a paid service, these devices put you in a position to use the payment methods and paths that you use to accept payment for your goods and services.

This is unlike some other hotspot gateway setups that require the potential user to pay another company directly, using their credit card or an account maintained by that other company, through a payment form hosted by that hotspot. Typically, a lot of these setups are managed in a manner where you don’t have much control over how the service is provided, and the service may be provided in a manner not dissimilar to how most vending and amusement machines are provided: you don’t own the equipment, representatives visit the premises to maintain the equipment and you get a small “cut” from the takings.

As well, the session login parameters that your users type in from these dockets exist only for a particular time limit. This is also important for people who run a paid service, but can be useful for managing complimentary service so you can be sure that the people who are using your service are your customers or guests who are in your public areas.

If you do run one of these dedicated hotspot gateway devices, such as a “docket-printer-based” device, the wireless network that these devices operate should still have WPA-PSK security with the passphrase changed regularly. The “docket-based” devices will list the WPA-PSK passphrase on that same docket so your customers can still log in to your hotspot from their device.

Hotspot 2.0 / Wi-Fi Passpoint functionality

Hotspot-gateway devices that support Hotspot 2.0 or Wi-Fi Passpoint operation, including firmware updates that bring this functionality to existing equipment, are also worth their salt. This provides for improved login experiences, including the ability to have your venue described in the list of available Wi-Fi networks when your customers use compatible devices, along with a simplified signup or login procedure. It also supports link-level security between the user’s computer or phone and the access point.

When you enable Hotspot 2.0 or Passpoint functionality on your hotspot gateway device, make sure that your establishment’s details are properly entered when you fill out the setup form for this function. Here, if your users have equipment that supports this technology to the letter, they can identify your establishment in a more qualified manner so they are sure that the Wi-Fi service they are connecting to is the one you are providing at your business.

Of course, those of us who use devices that don’t support this functionality can still benefit from Wi-Fi hotspot service on these hotspots as long as “universal” authentication is enabled on the gateway device.

Branding options

If you do implement these devices, make sure that you know how to brand the customer-facing user interfaces.

Most of these devices can allow you to upload a graphic and integrate it into the login interface, or they can allow you to upload customised login screens or point to a Web server for the login interface graphics. The latter option may appeal to you if you have a good hand with creating basic HTML Web pages.

Here, make sure that you have your business name and logo and, if you can do it, set the colour scheme to your business’s colour scheme. As well, make sure that your business name appears on the access dockets that your hotspot gateway prints out.

Power outlets

With a hotspot, always expect that some of your customers will use the power outlets on your premises to power their laptops or smartphones from AC power to avoid compromising battery runtime. This is more so when customers are operating older equipment that has batteries that are “on their last legs” or are working VPN sessions in order to “pick up” files from work and want to be sure this is done properly.

Here, a few double outlets near the tables can work wonders, and if an outlet is used for powering a device like a lamp, the device could be connected to the outlet via a multi-socket power-board with extra outlet space for a few appliances.

Conclusion

Once you know how to choose and set up your public-use wireless network properly, you can make sure that this is a service that your customers and guests will benefit from fully. This may even put your business “on the map” as far as customer-service extras are concerned.

UPDATES

I have done some revisions to this article which was originally published in August 2011 to reflect the arrival of newer technologies like 802.11ac dual-band Wi-Fi wireless technology, Wi-Fi network credentials via QR codes, and Wi-Fi Passpoint technology.

A major update for inSSIDer

News article

MetaGeek releases updated inSSIDer | SmallNetBuilder

From the horse’s mouth

inSSIDer 2 Preview – Blog article on MetaGeek site

Download inSSIDer from here!

My Comments

InSSIDer is a free but highly-capable Wi-Fi site-survey tool for use with Windows-based computers that works with any Wi-Fi network adaptor including the integrated Wi-Fi network subsystems in most laptops. I have reviewed this program on this site and cited it as a preferred tool for small-business owners and householders to manage Wi-Fi networks and tune wireless routers. I have also mentioned it as a piece of software you can have in your arsenal for keeping your wireless hotspot secure and free from fake “evil twin” hotspots set up to catch your customers’ data.

This program has just been taken to the 2.00 version level and has had some key improvements added to it.

User-defined filters

An improvement that I am pleased with is the ability for the user to define filters that show up wireless networks that match or don’t match certain criteria. A good use of this would be to determine if any access points are using your SSID and not matching other criteria like security specification, BSSID (wireless MAC address) or RSSI (signal-strength index).

Other factors you can filter on include the access point’s vendor, whether it operates with 802.11n, and whether it uses the 40MHz “double-bandwidth” channels, amongst other things.
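To make the filter idea concrete, here is an added example in Go, not part of the original post and not inSSIDer’s own code, that applies the same logic to a site-survey table: any row carrying the MORAVIA-PUBLIC-WIFI SSID from the hotspot article above must also match the venue’s own BSSIDs, security type and channels, and lookalike SSIDs that borrow the business name are reported as well. The scan rows, MAC addresses and hotspot profile are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// ScanRecord is one row of a site survey, as a tool like inSSIDer would list it.
// The rows used below are constructed for this example, not a real capture.
type ScanRecord struct {
	SSID     string
	BSSID    string // the access point's wireless MAC
	Security string // e.g. "WPA2-PSK" or "Open"
	Channel  int
	RSSI     int // dBm
}

// HotspotProfile is what the venue knows about its own hotspot.
type HotspotProfile struct {
	SSID, BusinessName, Security string
	BSSIDs                       map[string]bool // the access points the venue owns
	Channels                     map[int]bool    // the channels they are set to
}

// Finding is one scan row that deserves a closer look, and why.
type Finding struct {
	Record ScanRecord
	Reason string
}

// normalise strips case and punctuation so "Moravia Free WiFi" and
// "MORAVIA-PUBLIC-WIFI" can be compared on the business name alone.
func normalise(s string) string {
	var b strings.Builder
	for _, r := range strings.ToUpper(s) {
		if (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// FlagRogues applies the filter described above: any network carrying our
// SSID must also match our BSSIDs, security type and channels, and any other
// network that merely borrows our business name is reported as a lookalike.
func FlagRogues(p HotspotProfile, scan []ScanRecord) []Finding {
	var out []Finding
	name := normalise(p.BusinessName)
	for _, r := range scan {
		bssid := strings.ToUpper(r.BSSID)
		switch {
		case r.SSID == p.SSID && !p.BSSIDs[bssid]:
			out = append(out, Finding{r, "our SSID broadcast from an unknown BSSID"})
		case r.SSID == p.SSID && r.Security != p.Security:
			out = append(out, Finding{r, "known BSSID but wrong security type (cloned MAC?)"})
		case r.SSID == p.SSID && !p.Channels[r.Channel]:
			out = append(out, Finding{r, "known BSSID on an unexpected channel"})
		case r.SSID != p.SSID && name != "" && strings.Contains(normalise(r.SSID), name):
			out = append(out, Finding{r, "lookalike SSID using our business name"})
		}
	}
	return out
}

// sampleProfile and sampleScan are constructed inputs for the demonstration.
func sampleProfile() HotspotProfile {
	return HotspotProfile{
		SSID: "MORAVIA-PUBLIC-WIFI", BusinessName: "Moravia", Security: "WPA2-PSK",
		BSSIDs:   map[string]bool{"AA:BB:CC:00:00:01": true, "AA:BB:CC:00:00:02": true},
		Channels: map[int]bool{6: true, 36: true},
	}
}

func sampleScan() []ScanRecord {
	return []ScanRecord{
		{"MORAVIA-PUBLIC-WIFI", "AA:BB:CC:00:00:01", "WPA2-PSK", 6, -45},  // our 2.4GHz AP
		{"MORAVIA-PUBLIC-WIFI", "AA:BB:CC:00:00:02", "WPA2-PSK", 36, -52}, // our 5GHz AP
		{"MORAVIA-PUBLIC-WIFI", "DE:AD:BE:EF:00:01", "Open", 6, -61},      // twin with its own MAC
		{"MORAVIA-PUBLIC-WIFI", "aa:bb:cc:00:00:01", "Open", 11, -63},     // twin cloning our MAC
		{"Moravia Free WiFi", "DE:AD:BE:EF:00:02", "Open", 1, -70},        // lookalike name
		{"NEIGHBOUR-CAFE", "11:22:33:44:55:66", "WPA2-PSK", 1, -80},       // unrelated, ignored
	}
}

func main() {
	for _, f := range FlagRogues(sampleProfile(), sampleScan()) {
		fmt.Printf("%-22s %s ch%-3d %-8s %s\n", f.Record.SSID, f.Record.BSSID, f.Record.Channel, f.Record.Security, f.Reason)
	}
}
```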

Better views

There is the option to turn on a multi-colour legend view which will show up which SSIDs match particular coloured lines on the graphs. This is important in urban areas where there are many wireless networks in operation.

As well, there is the option to see a historical preview of various access points as a “sparkline” or mini-graph view when you select access points. This is useful when you determine filters based on relative signal strength or activity of particular APs.

Other functions

The same software can work with GPS devices like Bluetooth “pucks” or integrated GPS modules for mapping wireless networks. This can be useful for plotting out wireless coverage for an outdoor access point or hotzone or may be just useful for “wardrivers”.

Features I would like to see

One feature I would like to see is options to make it easier to identify and filter on a multi-access-point “extended service set”, so you can identify the coverage of that wireless network or “smoke out” foreign access points. This could be catered for with security credentials that are held on the host computer, whether as part of Windows Zero Configuration for accessing the network or as a separate local database, and / or the visibility of a network’s Internet gateway as determined by IP address and MAC address from the access points.

This function could be augmented with the use of multiple Wi-Fi adaptors on one computer thus improving the monitoring of an “extended service set” or a multi-band Wireless-N network.

As well, it could be a good idea to port the program to Android and other smartphone platforms so that these phones can be used as a tool for managing the wireless networks. This could include support for data capture applications where the data can be uploaded to a PC for later analysis.

Conclusion

This program is an example of a free and easy-to-use network-management program that is being made more of a tool than a toy.

Temporary “client-isolation” override for trusted network client groups on public networks – how about it?

Most Wi-Fi hotspots that are properly set up are configured to isolate client devices on the network that is available for use by the general public. This function, commonly known as AP-isolation or client-isolation, is seen as a security measure to stop network users trespassing on to the computers owned by fellow network users.

But there are times when it is desirable for network users to interlink devices using the hotspot’s network infrastructure. For example, a person may want to transfer data between a laptop and another device such as a smartphone or digital camera. Another example would be two trusted users who want to transfer data between each other or simply to play a network game over that local network. This kind of client-isolation would make it harder to set up these kinds of mutually-trusted network interactions in public networks.

You may think that the only solution would be to use Wi-Fi Direct or similar Wi-Fi-based “personal-area-network” technology. The main limitation with this technology is that it requires the device or trusted computer to be close to the laptop that is the “hub” of the “personal-area-network” rather than be anywhere in the scope of the hotspot network. This can limit activities like photographers and videographers downloading each shot or take to a laptop computer as they complete their shots or takes; or simply the fun of peer-to-peer network gaming.

One way of going about this could be to establish a so-called “trusted-group” protocol for devices in the same logical network and this protocol could be managed at the public-network’s gateway device. The devices could be registered by MAC address or use of a session-driven “trusted-group” key and, once set up this way, inter-client data transfer can proceed through the hotspot network. This could be set up through a management protocol that permits the creation of a trusted group and the addition of client devices to that group.

The creation of the “trusted group” could be integrated at the provisioning stage of one’s hotspot session such as when the disclaimer contract is agreed on or the username and password is validated in a docket-based system. The user would then be pointed to a session-management page where they can log out, buy extra time or add computers and devices to the trusted group.

The main limitation with this is that there isn’t a way to provide for hotspot provisioning to devices like smartphones, PMPs or handheld games consoles. These devices typically have a small screen and use either “pick-n-choose”, SMS-style or an awkward-to-operate “virtual QWERTY” on-screen keyboard as their text-entry means. This may be of concern if one of these devices is being used to instantiate a hotspot session at a pay-to-use or membership-driven hotspot. This limitation would also make it more difficult to use one of these devices to set up or add devices to a trusted group, and it would make it increasingly difficult to establish a local-network gaming session between a group of friends that are using handheld gaming consoles at a fast-food joint, for example.

The IT industry could look towards answering this problem through use of UPnP or similar technologies for managing the provisioning of hotspot sessions to end-users and establishment and management of trusted device groups that override hotspot client-isolation setups amongst only the members of those groups.

Keeping the WiFi public hotspot industry safe

Originally published: 12 March 2009 – Latest update 20 April 2010

There are an increasing number of WiFi wireless hotspots being set up, mainly as a customer-service extra by cafe and bar operators. But there have been a few security issues that are likely to put users, especially business users off benefiting from these hotspots.

This is becoming more real due to netbooks, mobile Internet devices, WiFi-capable smartphones and other easily-portable computing devices becoming more common. The hotspots will become increasingly important as people take these devices with them everywhere they go and manage their personal or business data on them.

The primary risk to hotspot security

The main risk is the “fake hotspot” or “evil twin”. These are computers or smart routers that are set up in a cafe or bar frequented by travellers, business people or others who expect Internet access. They can be set up in competition to an existing hotspot that offers paid-for or limited-access service, or on the fringes of an existing hotspot or hotzone. They offer the promise of free Internet access but exist for catching users’ private information and/or sending users to malware-laden fake Websites hosted on the computers.

Standard customer-education practices

The common rhetoric that is given for wireless-hotspot security is for the customer to put most of their effort into protecting their own data, without the business owner realising that their hotspot service could be turning into a liability. This can then lead to the hotspot service gathering dust due to disuse by the customers it was intended to serve.

The typical advice given to users is to check whether the premises is running a wireless hotspot or if there is a hotzone operating in the neighbourhood before switching on the wireless network ability in your laptop computer. Then make sure that you log on to a network identified by a legitimate ESSID when you switch on the wireless network ability.

Other suggestions include use of VPNs for all Web activity, which can become difficult for most personal Web users such as those with limited computer experience. Some people even advise against using public Internet facilities like Internet cafes and wireless hotspots for any computing activity that is confidential on a personal or business level.

But everyone involved in providing the free or paid-for hotspot service will need to put effort into assuring a secure yet accessible hotspot which provides a high service quality for all users. This encompasses the equipment vendors, wireless Internet service providers and the premises owners.

Signage and operating practices

When Intel promoted the Centrino chipset for laptop computers, they promoted wireless hotspot areas that were trusted by having a sticker with the Centrino butterfly logo at eye level on the door and the premises being scattered with table tent cards with that same logo. Similarly hotspot service providers and wireless Internet service providers used similar signage to promote their hotspots.

But most business operators, especially small independently-run cafes and bars, commonly deploy “hotspot-in-a-box” solutions where they connect a special wireless router that they have bought to their Internet service and do their own promotion of the service. This may simply be in the form of a home-printed sign on the door or window or a home-printed display sign near the cash register advising of WiFi hotspot service.

An improvement on this could be in the form of the ESSID matching the business’s name and listed on the signage, which should have the business’s official logo. Similarly, the network could be set up with WPA-PSK security at least with the passphrase given to the customers by the business’s staff members when they order hotspot service. Most “hotspot in a box” setups that list the customer’s username and password on a paper docket also list the ESSID and WPA-PSK passphrase on these dockets. As well, I would modify the login page to convey the business’s look with the business’s logo and colours. A complimentary-use hotspot could be secured with a WPA-PSK passphrase and the customer having to ask the staff member about the passphrase. This could allow the facility to know who is using the hotspot and the organisation who runs that hotspot can have better control over it.

It may be worth the industry investigating the feasibility of using WPA-Enterprise security which is associated with different usernames and passwords for access to the wireless network. Most portable computers and handheld devices in current use can support WPA-Enterprise networks. This can be implemented with the typical “paper-docket” model used by most “hotspot-in-a-box” setups if the authentication system used in these units works as a RADIUS server and the built-in wireless access point supports WPA-Enterprise with the unit’s built-in RADIUS server. The same setup could work well with a membership-based hotspot service like a public library with the RADIUS server linked to the membership database. But it may not work easily with hotspot setups that work on a “self-service” model such as paid-service hotspots that require the user to key in their credit-card number through a Webpage or free-service hotspots that use a “click-wrap” arrangement for honouring their usage terms and conditions.

The organisation who runs the hotspot should also be aware of other public-access wireless networks operating in their vicinity, such as an outdoor hotzone or municipal wireless network that covers their neighbourhood; and regularly monitor the quality of service provided by their hotspot. Also, they need to pay attention to any customer issues regarding the hotspot’s operation such as “dead zones” or unexpected disconnections.

People who own private-access wireless networks should also keep these networks secure through setting up WPA-secured wireless networks. They should also check the quality of their network’s service and keep an eye on sudden changes in their network’s behaviour.

When wireless-network operators keep regular tabs on the network’s quality of service, they can be in a better position to identify rogue “evil-twin” hotspots.

Improved standards for authenticating wireless networks

There needs to be some technical improvement on various WiFi standards to permit authentication of WiFi networks in a manner similar to how SSL-secured Web sites are authenticated. This could be based around a “digital certificate” which has information about the hotspot, especially:

  • the ESSID of the network,
  • the BSSID (wireless network MAC) of each of the access points,
  • the LAN IP address and MAC number of the Internet gateway,
  • the venue name and address, and
  • the business’s official name and address.

The certificate, which would be signed using a public-key / private-key method, could be part of the “beacon” which announces the network. It would work with the software which manages the wireless network client so that it can identify a wireless network as being secure or trusted if the signature is intact, the network client is attached to the network from one of the listed BSSIDs and it is linking to the listed gateway LAN IP.

The user experience would be very similar to most Internet-based banking or shopping Websites where there is a “padlock” symbol to denote that the user is using an SSL-secured Website with an intact certificate. It will also be like Internet Explorer 7 and 8 where the address bar turns green for a “High-Assurance” certificate which requires higher standards. In this case, the user interface could use colour-coding and / or a distinctive icon for indicating a verified public network.
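As an added sketch of how such a certificate could be checked on the client, not part of the original article and not part of any Wi-Fi standard: the descriptor holds the five items listed above, the venue signs it with an Ed25519 key, and the client only reports a verified network when the signature holds, the BSSID it attached to is listed and the gateway it was handed matches. The venue’s public key is assumed to be trusted by the client already, standing in for whatever certificate authority a real scheme would use; all addresses and names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// NetworkDescriptor carries the five items the proposed certificate would hold.
type NetworkDescriptor struct {
	ESSID      string   `json:"essid"`
	BSSIDs     []string `json:"bssids"`
	GatewayIP  string   `json:"gateway_ip"`
	GatewayMAC string   `json:"gateway_mac"`
	Venue      string   `json:"venue"`
	Business   string   `json:"business"`
}

// SignedDescriptor is what the beacon would announce: descriptor plus Ed25519 signature.
type SignedDescriptor struct {
	Descriptor NetworkDescriptor `json:"descriptor"`
	Signature  []byte            `json:"signature"`
}

// canonical yields the signed bytes; encoding/json keeps declaration order, so both sides agree.
func canonical(d NetworkDescriptor) []byte {
	b, _ := json.Marshal(d) // plain strings and a string slice cannot fail to encode
	return b
}

func Sign(priv ed25519.PrivateKey, d NetworkDescriptor) SignedDescriptor {
	return SignedDescriptor{Descriptor: d, Signature: ed25519.Sign(priv, canonical(d))}
}

// Observed is what the client sees once it has associated and obtained a lease.
type Observed struct{ ESSID, BSSID, GatewayIP, GatewayMAC string }
var (
	ErrBadSignature = errors.New("descriptor signature does not verify")
	ErrESSID        = errors.New("descriptor is for a different ESSID")
	ErrUnknownBSSID = errors.New("attached to a BSSID the descriptor does not list")
	ErrGateway      = errors.New("gateway IP or MAC differ from the descriptor")
)

// Verify is the client-side check: signature intact, the access point we attached to is
// listed, and the gateway we were handed is the one named; any error means no padlock.
func Verify(pub ed25519.PublicKey, sd SignedDescriptor, obs Observed) error {
	if !ed25519.Verify(pub, canonical(sd.Descriptor), sd.Signature) {
		return ErrBadSignature
	}
	if sd.Descriptor.ESSID != obs.ESSID {
		return ErrESSID
	}
	listed := false
	for _, b := range sd.Descriptor.BSSIDs {
		listed = listed || strings.EqualFold(b, obs.BSSID)
	}
	if !listed {
		return ErrUnknownBSSID
	}
	if sd.Descriptor.GatewayIP != obs.GatewayIP || !strings.EqualFold(sd.Descriptor.GatewayMAC, obs.GatewayMAC) {
		return ErrGateway
	}
	return nil
}

// Demo signs a constructed descriptor and checks the genuine network, an evil twin announcing
// the real ESSID from its own BSSID, and a twin that rewrote the descriptor (breaking the signature).
func Demo() (genuine, evilTwin, tampered error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // venue key; pub is assumed trusted by clients
	if err != nil {
		panic(err)
	}
	d := NetworkDescriptor{ESSID: "MORAVIA-PUBLIC-WIFI", BSSIDs: []string{"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"},
		GatewayIP: "192.168.1.1", GatewayMAC: "AA:BB:CC:00:00:FF", Venue: "Moravia, Camberwell (constructed)", Business: "Moravia (constructed)"}
	sd := Sign(priv, d)
	genuine = Verify(pub, sd, Observed{"MORAVIA-PUBLIC-WIFI", "aa:bb:cc:00:00:02", "192.168.1.1", "aa:bb:cc:00:00:ff"})
	evilTwin = Verify(pub, sd, Observed{"MORAVIA-PUBLIC-WIFI", "DE:AD:BE:EF:00:01", "192.168.1.1", "AA:BB:CC:00:00:FF"})
	forged := sd
	forged.Descriptor.BSSIDs = append([]string{"DE:AD:BE:EF:00:01"}, d.BSSIDs...)
	tampered = Verify(pub, forged, Observed{"MORAVIA-PUBLIC-WIFI", "DE:AD:BE:EF:00:01", "192.168.1.1", "AA:BB:CC:00:00:FF"})
	return genuine, evilTwin, tampered
}

func main() {
	g, e, t := Demo()
	fmt.Println("genuine:", g, "| evil twin:", e, "| tampered descriptor:", t)
}
```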

The provision of cost-effective wireless-network management software

There are some programs that can turn a laptop computer in to a wireless-network survey tool, but most of them don’t show much useful information, are hard to operate for anyone other than a network technician; or are too costly. They miss the needs of people who run home or small-business wireless networks or wireless hotspots.

What needs to exist is low-cost wireless-network management software that can work with the common Microsoft or Apple platforms on computers that have common wireless . The software should be able to use commonly-available wireless network adaptors such as the Intel Centrino platform to perform site surveys on the WiFi bands and display the activity on these bands in an easy-to-view but comprehensive manner. The software should be easy to use for most people so they can spot interference to their wireless network easily and can “tune” their wireless network for best performance.

An application that is matching this need is MetaGeek’s inSSIDer, a free wireless-network site survey tool for the Windows platform which I have reviewed in this blog. It has the ability to list all the networks receivable by signal strength, MAC address, SSID or channel; or plot a graph of the networks by signal strength over time; or plot a graph of all the access points by signal strength over channel. This may help with managing your hotspot by identifying rogue access points and “evil-twin” hotspots.

Similarly, the popular smartphone and PDA platforms like Apple iPhone, Android, Symbian S60 / UIQ, Blackberry and Microsoft Windows Mobile could have low-cost wireless-network management software written for them so they can make a handheld PDA or mobile phone work as a site-survey tool for assessing quality of service.

Once this kind of software is available for small business and home users, it empowers them to assure proper coverage of their network and check for any “evil twin” or other rogue hotspots being set up to catch customers.

Summary

There needs to be more effort put into setting up secure public-access wireless networks so that people can benefit from portable computing anywhere without forfeiting the confidentiality of their personal or corporate data.

It also will encourage people to gain the maximum value out of their WiFi-enabled portable information devices whether for their business life or their personal life.