Wi-Fi security boost just over the horizon

Wi-Fi, especially public Wi-Fi, is still fraught with security problems. A solution has been in the works for some time but is still not ready for most.
Written by Larry Seltzer, Contributor

Considering how important Wi-Fi is and how widespread it has become, security for Wi-Fi has been a fairly static field for years. There are many problems with the protocols and with specific implementations, but the solutions tend to be to use other technologies to work around Wi-Fi's weaknesses.

There are solutions beginning to emerge, particularly 802.11u, a.k.a. PassPoint, Wi-Fi 2.0 and Hotspot 2.0. The goal of PassPoint is to make Wi-Fi easier, but a side-effect is to make security more robust.

In the meantime, users need to use third-party software and the sort of caution that very few have to avoid being vulnerable to compromise on Wi-Fi networks.

My inspiration for writing this story was a recent announcement that the Port Authority of New York and New Jersey, which operates the three major airports in the New York area, will be providing free Wi-Fi to all passengers in all terminals. The provider will be Boingo, which operates Wi-Fi networks in many large venues such as airports, stadiums and retail facilities.

Industry marketing and TV shows would have you believe that cellular data is a reasonable alternative to more traditional forms of Internet access. It's not. Cellular bandwidth is much more expensive to build and maintain than Wi-Fi and physical lines, which is why Wi-Fi is used for mobile data offloading; intelligent network operators shift users over to Wi-Fi from cellular when Wi-Fi is available. The more Wi-Fi available, the less contention for cellular networks.

Unfortunately, cellular networks are much more inherently secure than Wi-Fi. A Wi-Fi network can be set up and operated securely. It requires using WPA2, a standard for encryption of data over the network that is now almost ten years old, but still very robust. To use it properly, you also need to use WPA-Enterprise, a series of extensions which use 802.1X authentication to an external server.

More typical than WPA-Enterprise, especially in smaller organizations, is WPA-Personal, which uses a shared secret (password). This can be adequate, with some caveats. First, obviously, anyone who knows the password can connect to the network; these might be people next door, not just your employees. Also, if a malicious actor is sniffing the network at the time a new client connects using WPA2, and the actor knows the password, he can obtain the keys necessary to allow him to eavesdrop on the new user's traffic.

But even a shared secret password is too much to ask of most public Wi-Fi facilities. Instead, they typically leave the network completely plain-text open. When you connect you typically have to open a browser which brings you to a screen where you agree to terms of service which you haven't read and then you're in. But that screen didn't change the fact that the network is completely open. Other users on the local network can still sniff your traffic, potentially even hijacking your sessions. But for this issue, I'm aware of no real weaknesses in WPA2.

I should point out that Boingo tells me that their systems isolate different user sessions even for open, unencrypted Wi-Fi. I'm not clear on what other providers do this, but it's not something you should assume. Presumably you could determine whether your session is isolated by firing up a network sniffer like Wireshark and looking for other users' sessions.

A Boingo white paper describes the problems discussed here and more, such as the "Evil Twin" attack in which a malicious Wi-Fi network masquerades as the legitimate one you really want.

Several years ago, this state of affairs became well-known with the release of Firesheep, a tool which made it easy to hijack others' sessions on Facebook, Twitter, and other popular sites. Did everyone cry out for encryption of Wi-Fi? No, curiously the emphasis went to the fact that so many popular services used plain-text HTTP sessions rather than encrypted HTTPS. It was a reasonable point and lit a fire under many companies, but it let Wi-Fi off the hook.

Google was a leader in this HTTPS surge, having already moved almost all their most popular services to HTTPS, especially Gmail. And now it's fair to say that any major service that doesn't use HTTPS for all its connections, or at least for any over which potentially personal information travels, is being deficient. Out of this same atmosphere of outrage came the HSTS (HTTP Strict Transport Security) standard, through which a site declares that it is to be used only through HTTPS, and add-ins such as the EFF's HTTPS Everywhere (which forces the browser to use HTTPS if possible) and Disconnect (an Android app that does the same and much more to force encrypted transport).

If a proper WPA2 connection is unavailable, the best bet is a VPN. Any business device should be set up to use a VPN when not on local company networks. There are also consumer VPNs; I'm a long-time user of HideMyAss Pro. Such products are not inaccessible, I suspect, to the average ZDNet reader, but they are not mass-market.

VPNs on open Wi-Fi have another problem: In order to connect to them, you need to be on the Internet already, so there is a period of time where you are unprotected. This can be minimized, but many programs on your system may communicate in the interim. Some VPNs also don't proxy your DNS requests, potentially allowing others to sniff your queries.

There are other efforts to make Wi-Fi more secure. Many consumer security products, such as Kaspersky Internet Security 2015, watch over your Wi-Fi usage, warning of potential problems. They have the virtue of being proactive and able to tell the user what to do, but they are limited in what they can do. The EFF has also begun a project for an Open Wireless Router, attacking the problem of router security vulnerabilities based both in sloppiness and malice.

SSL and VPNs are workarounds to Wi-Fi security holes, not solutions for them. As I've said, properly configured, WPA2 is a robust and secure protocol, impressively so after all these years. The problem is getting users to use it and to connect to it securely. This is one of the things that PassPoint does.

PassPoint attempts to automate and simplify the process of connecting to a secure Wi-Fi network. To do this it uses WPA-Enterprise authentication to an account you have already established. This might be your home Internet Service Provider, your cellular provider or your employer. Boingo has already deployed PassPoint at numerous locations, including 21 airports in the US.

Providers of public Wi-Fi like Boingo establish roaming agreements with the ISPs and other services, potentially even Facebook or Google, with which you already have a relationship and an account. When you walk into the venue, your PassPoint-enabled device negotiates with the Wi-Fi access point for providers and capabilities and connects automatically.

The Wi-Fi provider (and potentially their partners) get some demographic information about the user, but they might take the opportunity to show you an ad or ask you to watch a video. How much of this they get away with depends on how users react to it.

Alas, PassPoint may be available from Boingo, but is it on your device? Probably not. There is support built into iOS 7 and OS X 10.9 (Mavericks). Some Android devices have support for PassPoint, but using it requires manual tinkering with configuration parameters. There is no official seamless Windows support for it, but Microsoft says that since it supports the basic mechanisms used in PassPoint (mostly WPA-Enterprise) you should be able to hack a connection. The trickier part for more open platforms like Android and Windows is that not all Wi-Fi chip sets support 802.11u.

How could PassPoint be taking this long? I look at it and immediately the great value for many parties comes through. It's good for users, for venues, for carriers, for Wi-Fi providers, and I'm probably forgetting others. And yet it seems to be on the industry's back burner. It looks now like it could be Microsoft and Google most in the way. For me PassPoint can't come soon enough.
