Securing Public Hotspots--Protect Yourself And Your Users

Wi-Fi, not wired Ethernet, is now the network access method of choice for most users, having become so cheap and pervasive, it's even available on $50 text message gadgets aimed at grade-schoolers (which are easily hacked into a Linux-booting, BackTrack-worthy, penetration-testing appliance; see more below). Yet what Wi-Fi offers in convenience, it lacks (in spades) in security, at least in a public setting. In fact, the exposure on an open, unencrypted network is worse than you think--about like taking a swim in a smelly, tepid cesspool. Here's why.

Most IT pros are familiar with Firesheep, the Firefox extension that snoops unencrypted networks (usually open Wi-Fi, but it also Ethernet), filters packets looking for common sites (Facebook is a favorite target), and captures their session cookies, allowing instant impersonation of the victim. But far more nefarious man-in-the-middle Wi-Fi attacks are relatively easy to set up and can not only capture data but transparently redirect the victim to bogus sites, opening the door to all kinds of fun exploits, whether it's making use of old, unpatched browsers to install a keylogger or cloning a banking site and hoping the rube on the other end doesn't notice the missing padlock symbol in the address bar.

The more sophisticated of these types of attacks use a Wi-Fi honeypot, like the deceptively cute Pineapple (essentially a Fon access point running an OpenWrt package), which impersonates any SSID a client might be looking for, such as one the system has previously accessed and has configured to automatically reconnect to, essentially sucking in the Wi-Fi traffic from every client within range. In other words, when accessing unencrypted Wi-Fi APs, it's virtually impossible to know if you're being compromised.

Of course, WPA2 solves these vulnerabilities (although, even here, it's possible to exploit the WPA handshake and crack weak preshared keys), but because secure key management is a hassle, few public hotspots use it.

What's a poor road warrior to do? The best defense is to immediately establish a VPN tunnel, whether to your corporate network (make sure you're not split-tunneling and that all traffic is routed through the corporate WAN) or to a public provider, of which there are many (WiTopia is my favorite), upon making a Wi-Fi connection. Better yet would be for hotspot providers to start using encryption … if only there were an easier way. Thanks to Aerohive, there is.

Aerohive, one of those small, innovative, "we try harder" wireless LAN software and equipment vendors, developed what it calls Private PSKs (PDF) (preshared WPA2 key) two years ago, but the implementation was hampered by the need to individually set up and administer users--not a feasible situation for public networks. It has remedied this in the recent 4.0 release of the HiveOS/HiveManager software with an option for "secure guest self-registration" for PPSKs. While the software is still aimed at enterprises, Matthew Gast, Aerohive's director of product management, says it's also useful for public networks. Here's how it works.

Unlike traditional WPA-Personal (what most people use at home) keys, Private PSKs are unique, time-limited keys created for individual users on the same SSID. Since PPSK credentials are unique, a key from one user can't be used to derive keys for others. Furthermore, uniqueness allows network administrators to set each user's access policies, including virtual LAN, firewall policy, and quality of service.

The latest Aerohive software allows the keys to be delivered via a captive Web portal of the type many public hotspots already employ to get user acknowledgement of terms of service. This means that when people access an Aerohive-powered public hotspot and open their browsers, they are presented with their own, very random WPA2 keys. Getting onto the public Internet requires setting up a WPA2 connection using these private keys. While allowing a user to self-register is fine in many situations where a user's "right" to access a network isn't restricted, such as at coffee shops or airports, in some situations, such as at hotels or conference rooms, WLAN providers might want to verify a user's identity. Here, the Aerohive software allows preassigning a user ID (for example, the customer's last name concatenated with the room number), which that person must correctly enter in the Web portal before getting a private key.

Encrypting Wi-Fi is critical to keeping it a reliable, safe access method, and public hotspots remain the Wi-Fi architecture's Achilles' heel. A simple yet secure means of extending WPA2 security to situations where the user population is unknown and constantly changing is the next step in the evolution of public hotspots. While Aerohive has come up with an innovative and effective system, the industry really needs to develop a standard that can be deployed across WLAN platforms so that open, unencrypted Wi-Fi can become a thing of the past.