A secure Wireless LAN hotspot for anonymous users

Summary: As ubiquitous and convenient as Wireless LAN Hotspots are, it is probably the single most dangerous technology to the mobile computer user.

This information is also available as a TechRepublic PDF download.

As ubiquitous and convenient as Wireless LAN Hotspots are, it is probably the single most dangerous technology to the mobile computer user. From a security standpoint it is an absolute nightmare because of multiple inadequacies. The two biggest issues with Hotspots are that you have no idea whether you're connecting to a legitimate Access Point or to a hacker's fake Access Point, and that everything you send and receive is transmitted in clear text with no encryption.

Anyone who doubts that this is a problem should ask themselves if they would post their email account passwords in my talkback section at the bottom of this blog or go into an airport and yell out their user account names and passwords as loud as they can. If the answer is no, then they should be concerned with Hotspot security. If we look at Defcon's Wall of Sheep every year, a sucker is literally born every minute, and this isn't because hard-core hackers were breaking into people's Wireless LAN connections. In fact, the only thing they were doing was passively listening as users sent out their usernames and passwords in clear text over the radio waves, and then posting the results on the Wall of Sheep. Of course we can always expect users to use some form of VPN solution and encrypt everything going over the air, but the vast majority of hotspot users don't do that, and even when they do use a VPN it doesn't necessarily encrypt all traffic.

Hotspots face the classic convenience and usability versus security tradeoff, and 999 out of 1000 times the Hotspot will choose convenience and usability. The last time I used a secure Wireless LAN hotspot was at RSA 2007, and they proved why security without convenience is utterly unusable. This year at least they tried to make it a little easier than RSA 2006 by giving out anonymous usernames and passwords (instead of personalized accounts), but they still ended up with a line 20 people deep and a three-man helpdesk helping people set up their secure Hotspot access at the RSA conference. It must have wasted a thousand man-hours between the helpdesk and the users who had to wait in line. For this reason, no one bothers setting up a secured Hotspot, and users won't use it even if they did because it would be too much trouble acquiring a username and password. But does it really have to be this way?

I have seen hotspots that use WPA-PSK (Wi-Fi Protected Access using a Pre-Shared Key) to offer some level of privacy, but that's only private against people who don't have access to the PSK. Microsoft, for example, hosts conferences using WPA-PSK by handing out USB keys with automatic client configuration and a complicated random string used for the PSK. Even ignoring the fact that you need to physically give something to each guest for them to be able to make the connection, this mode of security can be snooped by anyone with access to the PSK, because they can sniff and decode the per-session decryption key during the initial setup of a WPA-PSK connection.

But there is actually a better and easier way to set up a secure Wireless LAN hotspot for an anonymous user using a single generic and common username and password that anyone can remember. An interesting property of PKI is that it allows us to do a secure key exchange without any usernames or passwords so long as one side has a trusted digital certificate. This concept is used millions of times a day by ordinary users any time someone goes to an SSL-secured webpage: the secure authenticated channel is set up before the user enters a username and password. The same general concept could be applied to the Wireless LAN world with a slight twist in the implementation.

An interesting feature of Wireless LAN security using 802.1x and PEAP mode is that it is possible to log in with the same anonymous guest account with a publicly known password for any number of people and still provide each user with a secure point-to-point link-layer encryption. That means that someone with full knowledge of the anonymous guest user account and password will not be able to eavesdrop on any user that uses this hotspot system. So even if everyone in the world knows the username is "guest" and the password is "guest", they'll have connectivity to the network with more privacy than a typically unencrypted wire connection.

To implement this solution, we can use any typical Wireless LAN Access Point and a RADIUS server (how to set one up). So long as the connection between the Access Point and RADIUS server is secure or there is a sufficiently complex RADIUS secret, each wireless client has complete privacy. In this case, since it's such a simple implementation, the RADIUS server could be embedded into the Access Point itself, which means you don't even have to worry about the RADIUS secret strength. The RADIUS server does however need a publicly trusted Digital Certificate (how-to guide here), which you can purchase for $20 at places like GoDaddy.com, and there's literally zero difference between that and the $200 Certificates from other Certificate Authorities. Going with an in-house or self-signed Digital Certificate for this particular application isn't appropriate, because external users have no trust relationship with your in-house Certificate Authority or your self-signed Digital Certificate, and there is no easy way to automate that trust relationship like you can for internal users.

A RADIUS server is typically connected to a backend user directory such as Microsoft Active Directory, Novell, or LDAP, but this particular application doesn't require that since we only need a single user account. We can set up a local user in the RADIUS server named "guest" with the password also set to "guest", which is extremely generic and easy to remember. That means when the user connects to this secured Hotspot, they will have to do an initial 802.1x/PEAP setup where they enter the username and password. Since the credentials are so easy to remember, it's possible to do a quick-and-dirty setup guide for Windows and Mac with no complicated keys to remember or personalized user credentials. Fortunately, the guest credentials and the entire setup process can be saved for future use, and the fact that it's so generic means that it can be applied consistently on a very large scale. Anyone looking to implement an easy-to-use and secure Wireless LAN Hotspot should seriously consider this solution.
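The client side of the guest/guest PEAP setup, written as a wpa_supplicant configuration; this is an added example, not the article's own setup guide. The SSID, the RADIUS server's host name and the CA bundle path are assumptions, and MSCHAPv2 is assumed as the inner PEAP method. The first profile shows a client that skips certificate validation; the second is the form that actually delivers the privacy the article describes.

```ini
# wpa_supplicant.conf (added example, not from the article)
# Assumed values: SSID "ConferenceSecure", RADIUS server certificate issued to
# radius.example.com, system CA bundle at /etc/ssl/certs/ca-certificates.crt.

# WEAK: no ca_cert, so any server certificate is accepted. Since the guest
# password is public, nothing here distinguishes the real hotspot from an
# impostor running its own RADIUS server; the PEAP tunnel completes either way.
network={
    ssid="ConferenceSecure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="guest"
    password="guest"
    phase2="auth=MSCHAPV2"
    disabled=1
}

# CORRECTED: the whole scheme rests on the client verifying the hotspot's
# publicly trusted certificate, so pin both the trust anchor and the name.
network={
    ssid="ConferenceSecure"
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer identity is sent in the clear; the guest identity goes inside the tunnel.
    anonymous_identity="anonymous"
    identity="guest"
    password="guest"
    phase2="auth=MSCHAPV2"
    # The server's chain must end at a CA the client already trusts,
    # exactly as a browser checks an SSL web site.
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    # And the certificate must be issued for the hotspot's own host name;
    # a valid certificate for some unrelated domain is still rejected.
    domain_suffix_match="radius.example.com"
}
```

With the second profile, knowing the "guest" password only gets an eavesdropper onto the network; it does not let them decrypt another client's session or pass themselves off as the hotspot.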

Topics: Security, Networking, Wi-Fi


Talkback

58 comments
  • Great Article

    A very important topic--thanks George.

    Linux users may want to read about setting up a Layer 3 dynamic tunneling VPN with ssh (version 4.3 or greater) here: https://help.ubuntu.com/community/SSH_VPN

    The setup can include creation of an RSA key pair for automated login and automated ifup/ifdown from a start-up icon.

    That sets up a true VPN.

    For the occasional 'hotspot' wireless access, I use ssh to local port forward to my home subnet using ddns (enable ssh port forwarding in your router):

    ssh -D 8000 username@hostname_or_ip

    Then, open your Firefox preferences, and let the browser use proxy ip address 127.0.0.1 and port 8000 and enable SOCKS5, which supports forwarding DNS requests.

    That way your DNS requests and browser requests are both tunneled to your home pc and then onto the net.

    Again, great article George.
    Safe surfing Folks!!
    D T Schmitz
    • Thanks. For experts like you, I'm not worried.

      For experts like you, I'm not worried. The problem is the masses and the problem is people who have VPN split-tunneling enabled. This solution would make it easy to create a secure link layer for anonymous guests and protect everyone and not just the Linux gurus who can figure out how to do SSH tunnels.

      The problem with this approach is that the client configuration is still too complicated and the masses will be put off by it. Then again I may be underestimating people's desire for private web surfing. I wish there was a wall of sheep placed in more hotspots and airports so that we can educate people about the dangers of Wi-Fi Hotspots.
      georgeou
      • Unfortunately...

        ...security is necessarily complicated regardless of the method employed.

        Hats off to Prof. George Ou for 'educating' on the dangers of Wi-Fi Hotspots! :)
        D T Schmitz
        • Ah but it can be made easier

          Ah but it can be made easier as this blog illustrates. I'm really hoping RSA takes my advice for their conference next year. Maybe Microsoft will employ this instead of using WPA-PSK with a USB key.
          georgeou
          • What we really need to hope

            is that it's not only RSA and Microsoft that note your suggestions here. This is a huge issue, as you have made clear on a number of occasions, and a very large number of Wireless LANs are running no security, or WEP, not even WPA-PSK.
            Azriphale
          • Oh for sure, I'm just hoping RSA and Microsoft will start the trend

            Oh for sure, I'm just hoping RSA and Microsoft will start the trend. I would love it if every hotspot provided this service.
            georgeou
    • nice idea dood... niiiiiiice!!!!!!

      why didnt i think of that...

      thanks!!!!! i use ddns for servin up a web page or two and to throw up an ftp server to share files with friends...

      filezilla ftp server is free
      pcguy777
  • security concern

    Great article, but as windows per default tries to do the PEAP login with the user/password of the person logged in (and not guest/guest), do you think that it can be stolen?
    leomezza
    • You would give up the hashed credentials

      You would give up the hashed credentials if you made the mistake of typing in your corporate username/password. Then they could perform a dictionary attack. However, the same danger happens everyday when most users use the same username passwords for all their generic web accounts.
      georgeou
    • re:

      How is this a concern when trying to break someone else's encrypted transmission? You would need both public and private key for that.

      right?
      pcguy777
  • I Fail To See...

    ...how this prevents a hacker from setting up a bogus hotspot. After all, all they need is a digital certificate, right? Steal one and you suddenly have no security...
    wolf_z
    • but the cert has to be trusted

      or rather from a trusted source... and can only be purchased via bank card right... thats a requirement of purchasing a real trusted cert. The money trail.
      pcguy777
    • The publicly trusted certificate

      The publicly trusted certificate that's been signed by Verisign, Thawte, Entrust, Geotrust, or GoDaddy will make this work because they're the trusted third party. It's exactly how secure webpages work.
      georgeou
      • And if it's *stolen*?

        George, you miss my point.

        If I'm a bad guy and I steal someone *else's* genuine certificate, it's suddenly worth nothing, because my PC will trust it. Unless you're telling me a secure certificate encodes the IP address?

        Otherwise, nothing stops an insider attack.
        wolf_z
        • If you want to make that argument, then let's just give up

          If you want to make that argument, then let's just give up everything. Why bother because some inside administrator will always betray us.
          georgeou
          • It's not an argument - it's a flaw.

            There's nothing to stop a Rogue from attending the same event and setting up their own Rogue-Hotspot from their own wireless router, such as a WRT54 with their own custom firmware. It would be easy to impersonate the Genuine WiFi network by broadcasting an identical SSID, perhaps on a different channel - perhaps the same. By impersonating the "Trusted 3rd Party" who validates the DigitalSignature, the end-user of the Rogue-Hotspot has no way of proving this DigitalSignature to be true, if the only way to verify that chain-of-trust comes from the communication channel provided by the Hotspot provider.

            So. Two-Factor Authentication is the only workable model for this.
            braithwaiteinbritain
          • You simply don't understand how PKI works

            "By impersonating the "Trusted 3rd Party" who validates the DigitalSignature, the end-user of Rogue-Hotspot has no way of proving this DigitalSignature to be true, if the only way to verify that chain-of-trust comes from the communication channel provided by the Hotspot provider."

            You can't impersonate a GoDaddy or Verisign signature unless you already hacked the client machine and altered their Certificate Trust List which contains a list of Root Certificates.
            georgeou
  • Interesting... but

    Great info if I were the one who was setting up an access point. This puts the work on the access point provider.

    How does this help me the traveller when I want to hook up? A few of these may be around the country. How do I secure my laptop connection to any wireless access point?
    fspevak@...
    • Unfortunately

      for you to be able to connect securely to a wireless network, the access point needs to have some sort of security enabled. So, if the network has not implemented any security, you can't connect to it securely. In that case, you have to use secure protocols only, which, as George mentioned, are the exception, not the rule. You can do what _dietrich mentioned, and use SSH to create a secure tunnel to another location (such as your secure home network), but as George points out, this is not for everybody.
      Azriphale
    • Dynamic Forward/SOCKS

      My suggestion for the 'traveller' is to set up an ssh port forward tunnel to your home router to a pc on the home subnet to act as a proxy for dns/http requests.

      If you set up ssh with a login/password RSA key pair, everything is encrypted to your home, including the authentication process, which occurs automatically.

      See my thread here: http://talkback.zdnet.com/5208-10533-0.html?forumID=1&threadID=36363&messageID=668838&start=-9990

      (ssh -D local_port_number username@host_ip)

      Safe Surfing from a hotspot guaranteed!!
      D T Schmitz