Wednesday, November 21, 2012

The Emperor has Nothing On: Why VPNs may do nothing and millions like you are fooled into believing you are protected in Wi-Fi hotspots!


VPN services offered by a lot of service providers are marketed as a solution to the insecurity of Wi-Fi hotspots. I have long been arguing that they might improve the situation but fail to offer privacy and data protection to wireless hotspot users.

When a user first connects to the Internet in a Wi-Fi hotspot, his VPN client remains in a disconnected state. The service has to be enabled manually. During this small time window when his VPN is not on, he is vulnerable to various wireless threats. For the sake of the point being made in this post, let's ignore the vulnerability that exists in this small time window.

The majority of Wi-Fi hotspots across the globe require you to pay for Wi-Fi internet access at some point. Some may ask you to make a transaction upfront, while others provide a few minutes of free Internet access, after which access needs to be purchased. When a user tries to purchase Wi-Fi internet bandwidth, he has access only to the payment gateway. Since the user cannot access any other service on the Internet, he cannot use a VPN service to protect the transaction he makes to purchase Wi-Fi internet bandwidth in a fee-based Wi-Fi hotspot. So all Wi-Fi hotspots that offer paid internet access and require users to pay through their web portal leave users vulnerable to Wi-Fi threats, irrespective of whether the users have a VPN subscription.

A Wi-Fi hotspot that offers a few minutes of free Internet access followed by fee-based access suddenly makes the user vulnerable to wireless threats when the free session expires, because it blocks all connections from his device to the Internet, including the VPN tunnel. If the user proceeds at this stage to purchase more wireless internet bandwidth, he will end up risking his credit card information or bank account details.

The situation of a VPN subscriber in any paid Wi-Fi hotspot environment is similar to that of the Emperor who thought he had new clothes but had nothing on.

Tuesday, September 18, 2012

Your Wi-Fi Hotspot Sucks!

If you are responsible for providing a wireless hotspot service and are still not ready to accept the change happening around you, then you had better be prepared to get customer feedback like this. Your visitors are no longer just citizens. They are now netizens, and smartphones have become their new passport to the Internet. Your outdated conventional Wi-Fi hotspot service might be becoming a big hurdle to their desperation to get online as quickly as possible. Why?

The majority of smartphone users use various apps installed on their device to access different web services, be it their corporate email or their social content. There is an app for almost every service that you may have heard of.

Accessing the Internet in a conventional Wi-Fi hotspot environment is a multi-step procedure. A wireless hotspot user has to identify the right wireless network to connect to, opt for (or buy) a network usage plan online, and complete the user authentication procedure. All these are browser-based steps that a hotspot user has to follow before getting access to the Internet. Unfortunately, a smartphone user rarely taps on the browser app to access online content. As a result, a guest staying in your five-star hotel might not be able to figure out why none of his apps are working even though his smartphone shows that it is connected, leading to a technical support call. In other cases, even if a user knows about it, he might not find user authentication very convenient on a smartphone. Some wireless hotspots also maintain a user session, which gets marked as unauthenticated once inactivity of the user's device is detected. It becomes extremely annoying for a smartphone user to repeat web-based user authentication every time his session expires.

Did you say that you were already experiencing similar problems? The good news is that you are not alone and there is a smart Wi-Fi hotspot solution available that also fixes some other very challenging wireless hotspot problems arising from handhelds. If you are interested in the solution, contact us at contact@airegis.com and we will help restore the peace of your technical support team and improve your service review feedback. :-)

Monday, September 17, 2012

Airegispot 1.0 or Hotspot 2.0: Choice is yours!


New Challenges for Next Generation Wi-Fi Hotspot Providers

1. Increase in Wi-Fi devices and amount of user data on the network
The number of wireless devices connecting to public wireless hotspot networks is multiplying day by day. The main reason behind this increase can be attributed to the growing base of mobile users carrying multiple wireless gadgets, such as a smartphone, iPad, and notebook, wherever they roam. In fact, today's internet users are going through a paradigm shift, as they always want to be connected to the internet. This has resulted in exponential growth in user data on wireless hotspot networks. A lot of free Wi-Fi internet service providers have to cope with the demand for the additional bandwidth required to handle the sudden growth of user data on their networks.

2. Demand for coverage throughout
Since the transmit and receive range of smartphones and other similar handhelds is less than that of laptops, new coverage holes are being created in already deployed conventional Wi-Fi hotspot networks. Service providers are under intense pressure to provide coverage throughout, for example in the hospitality industry, where guests need Internet access not just in rooms but also in passages, on the terrace, etc.

3. Digital certificate cost
In a conventional Wi-Fi hotspot, authorized access to the Internet is provisioned using a web-based login portal. Providing user authentication without application layer security is a serious security threat to a service provider. Awareness about the insecurity of open Wi-Fi configuration is growing fast, and hence application layer user authentication control can be easily bypassed. Therefore, service providers also have to bear the cost of the digital certificate required by an HTTPS-based user authentication procedure.

4. Unwanted connected device handling
Today's hotspot infrastructure is struggling, as it is unable to deliver the desired performance because of the large number of wireless clients connecting to the network, which causes the network to reach its maximum capacity quickly. Under such conditions, the wireless hotspot infrastructure has no inbuilt intelligence that can help differentiate between a paid and an unpaid user, and hence when the number of clients exceeds the connection limit, even paid users have to suffer. Problems like this affect the revenue from fee-based wireless hotspot services.


5. HS 2.0 integration overhead
In order to provide support for roaming customers, a new technology called Hotspot 2.0 (HS 2.0) is being adopted by the wireless broadband industry. To support HS 2.0, WISPs need to upgrade their wireless hotspot infrastructure. The technology also requires integration with cellular service providers in order to support SIM card based user authentication. This is probably OK for carriers who are creating their own wireless hotspot infrastructure to support data offload. Wireless service providers that already have hotspots running need to shell out additional cost to bring in support for the user authentication required by HS 2.0. On the other hand, the wireless user base is still not ready to use the technology, as it requires a software/firmware upgrade on the client device, which can be a big barrier to HS 2.0 based service monetization.

The cost of running a Wi-Fi hotspot service is growing while the revenue from the service is not showing similar signs of growth. The Airegis solution for Wi-Fi hotspots enables wireless service providers to run a truly secured wireless internet service that can be offered to hotspot users as a value-added premium service. Apart from providing privacy and over-the-air data protection, the most attractive advantage of an Airegis powered wireless service is that network connectivity, authentication, and network usage policy are clubbed together into one, which helps the next generation smartphone user get quick access to the Internet. The inbuilt intelligence of the Airegis powered Wi-Fi hotspot system allows only authorized devices to connect and use the service. This helps in keeping the wireless network resources available for those who have subscribed to the premium wireless service. The cost of the digital certificate needed for conventional captive portal authentication can also be saved because, with a layer-2 security based wireless system, secure web authentication becomes redundant.

In short, by embracing the Airegis powered Wi-Fi hotspot solution, wireless internet service providers can easily beat the new challenges of next generation wireless hotspots.

Monday, July 16, 2012

Hotels a Hotspot for Credit Card Fraud: Wyndham Hotel is the Latest Victim


According to a study published on creditcards.com around two years back, hotels were found to be the hotspot for credit card fraud. The same study indicated that hotel services were targeted the most, even more than financial service companies.

Last month, the FTC filed a complaint against Wyndham hotels and its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years. The FTC charges that these failures led to fraudulent bills on consumers' accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to an Internet domain address registered in Russia.

This may be a case of misrepresentation of the security-related privacy policy by the hotel, as alleged by the FTC, and the problem could have been avoided by having a well-secured system for storing the credit card data and personal information of guests. What would not be possible is repairing the damage from such an incident, which has already seriously eroded the hotel's brand.

Others may take it as a lesson and may give attention to a security assessment of their own systems, but there is another big open door which has remained invisible to many security experts and auditors. This is nothing but the insecure form of Wi-Fi service being offered in hotels.

In the past, guests had the option of using the wired internet connection available inside rooms for safe and secure browsing. Lately, however, there has been a high adoption rate of smart mobile devices, which can only go online over wireless networks (either Wi-Fi or cellular). This implies that guests are increasingly going to use the same insecure wireless hotspots installed in hotels for their personal and professional requirements, which at times might include credit card or bank account transactions apart from other private and confidential data. Any such data transmitted in insecure Wi-Fi hotspots is available in the air and can be captured with little or no effort.

Most hotels across the globe provide a similar form of Wi-Fi internet service, which means no data privacy for their guests. A wireless hacking incident in any star hotel can also lead to credit card theft, though it might not be as voluminous as in the case of Wyndham hotels. The hotel may also be able to avoid a fine or penalty for the loss of guests' credit card data, as it does warn its users about the insecurity of the wireless service. What it may never be able to do is save itself from brand erosion if such an incident happens.

Wi-Fi technology has undergone a lot of advancement in recent years and with Airegis proprietary technology it is possible to offer truly robust Wi-Fi service to guests. One of the key advantages of Airegis solution is that it does not require installation of any custom made software or apps on the client device. So, users with any Wi-Fi certified device can connect to Airegis powered Wi-Fi hotspots and browse internet without worrying about wireless threats and data privacy.

It is high time for the hospitality industry to give up the decade-old Wi-Fi hotspot system, upgrade its wireless infrastructure with the Wi-Fi hotspot technology available today, and let guests wear the same wireless security cover that they use when they are at home or in the office. Ultimately, Guest is King!

Wednesday, April 25, 2012

Free Webinar: In-Flight Wi-Fi Insecurity: Key Issues and Mitigation

In-Flight Wi-Fi service can be observed as the latest trend in the aviation sector. More and more airlines are announcing In-Flight Wi-Fi service in order to woo air travelers. In fact, on-board Wi-Fi service is undergoing a transition from being a key differentiator to a key requirement. The big question, however, is "Are service providers spreading the security risks of open Wi-Fi hotspots by bringing it on board?".

Please join us on September 17, 2012 at 09:30 PM EST (10:30 AM CDT / 05:30 PM CEST) for the Airegis Webinar Event "In-Flight Wi-Fi Insecurity: Key Issues and Mitigation" to learn more about the risks and challenges of today's In-Flight Wi-Fi service and how airlines and service providers can proactively preempt these risks.



You can also read our monthly article "Your In-Flight Wi-Fi is Turbulence Free. Is It Hackers Free Too?"

To learn about Airegis, please visit www.airegis.com

Tuesday, March 6, 2012

Beware of Wi-Fi Hackspots!

The popularity of public Wi-Fi hotspots is growing tremendously, and it is evident from the fact that Wi-Fi hotspots are being embraced aggressively for various reasons, such as acquiring customers for a business by offering free Wi-Fi service, promoting some service over a public Wi-Fi network, offloading cellular traffic, or providing netizens access to the Internet in public places. Google's partnership with Ozone to provide free internet access for Google+ users in India is one example of how businesses are using public Wi-Fi to promote their services. Similarly, Malaysia has introduced a law making it mandatory for eateries to provide Wi-Fi service to their patrons.

Unfortunately, what is being ignored in this popularity is that insecure Wi-Fi hotspots can pose serious security threats to their wireless users. The majority of today's public Wi-Fi hotspots installed at hotels, cafes, restaurants, airports and other public places do not provide robust security for the user's Wi-Fi connection, and hence hotspot users are vulnerable to various security risks. Due to these security vulnerabilities, public Wi-Fi hotspots have become a new haven for wireless hackers, and therefore the hotspots are increasingly being termed Hackspots. In this blog, we will see the types of Wi-Fi hotspot setups mushrooming in public places and why they are being termed next generation Hackspots.

Most Wi-Fi hotspot deployments can be categorized into two types:

1. Open Configured Wi-Fi Hotspots
In this type of Wi-Fi hotspot service, any user with a Wi-Fi enabled device can connect to the wireless network. Once connected, the user gets redirected to a web page, also called a login/captive portal, for carrying out user authentication with the service provider. At times, in a fee-based Wi-Fi service, wireless users have the option to buy data bandwidth from the same login portal.
In this type of Wi-Fi hotspot, the user's private data travels unencrypted and hence can be snooped on easily. Wireless users have to rely on third party software which can encrypt data before transmitting it in the air.

2. Password Protected Wi-Fi Hotspots
A lot of WISPs provide a security enabled Wi-Fi service. In this type of Wi-Fi network, the same common password or key is shared among its users. Wireless users have to use that key to connect to the Wi-Fi hotspot service. After connecting to the Wi-Fi hotspot, users may be redirected to a captive portal for additional user authentication, or for the purchase of Internet usage.
In this type of Wi-Fi hotspot, though the user's private data travels encrypted, it can be decoded easily, as the wireless key or password is shared among wireless users.

A lot of wireless users have the misconception that they can safely use SSL secured websites in public Wi-Fi hotspots, e.g. accessing the Google+ social network from any of the free public Wi-Fi hotspots that allow their users to access Google+ freely. They are unaware of the wide array of security problems that exist in public Wi-Fi hotspots and of how an SSL secured website can be tricked into exposing a user's private data. A more detailed explanation is available here.
Even use of VPN does not provide full protection. Unfortunately, in a Wi-Fi hotspot where users have free access to a limited set of websites, it is impossible to use VPN for data privacy. Wireless users unaware of the limitation of VPN service can find more details here.

Conclusion

In the absence of robust and simplified Wi-Fi security measures, today's Wi-Fi hotspots have turned into Hackspots, as a hotspot user's confidential data, such as bank account details, credit card numbers, private emails and instant messages, can be sniffed out from these Wi-Fi hotspots. Awareness about the security threats of wireless hotspots is also increasing, causing a lot of users to be hesitant about using the services of Wi-Fi hotspots. The lack of security requires immediate action from WISPs to provision robust and simplified security measures for their hotspots, so as to restore the faith of hotspot users by protecting them from hackers. Interestingly, the new standard for Wi-Fi hotspots, called Hotspot 2.0, has an option for secure Wi-Fi service. Unfortunately, Hotspot 2.0 is a newly introduced standard from the Wi-Fi Alliance, and hence its adoption will take a whole lot of time, as it requires millions of already deployed wireless hotspots as well as wireless client devices to be upgraded to Hotspot 2.0.

The unique and innovative Airegis solution helps WISPs position themselves uniquely in the market by offering a secure wireless service, thereby helping wireless users use public Wi-Fi networks for all private data communication without requiring any software upgrade on the wireless client device and without subscribing to any third party solution for security. Moreover, it is fully compliant with today's most robust security configurations for wireless networks. Hence any Wi-Fi client device certified by the Wi-Fi Alliance can avail itself of the benefits of secure public Wi-Fi networks powered by Airegis.


Monday, March 5, 2012

Security Risks of Using Insecure Public Wi-Fi Networks

Doing a Google search for “security risks of public Wi-Fi hotspots” can pop up hundreds of links to odd articles giving specifics of wireless threats and of the security measures that wireless hotspot users must take while using public Wi-Fi networks. But do wireless hotspot users understand all the possible security risks associated with public Wi-Fi networks? Without understanding the real risks, it is hard for wireless hotspot users to assess any free or fee-based end point security solution, and they may end up relying on a virtual solution that claims protection against all wireless attacks that can be launched on public Wi-Fi networks and their connected wireless users. Therefore, users must understand all the security threats and their implications while using the services of an insecure public Wi-Fi network. This blog aims to highlight five lethal wireless security threats and why the most often recommended mitigation strategies are not enough.

Types of Wireless Attacks in Public Wi-Fi Networks

1. Eavesdropping
Public Wi-Fi networks are mostly configured without any Wi-Fi security for the user's convenience, and are therefore easy prey for an eavesdropping attack. Anyone with malicious intent, using freely available software, can easily snoop on the conversation of a public Wi-Fi user when present in the radio range of the latter. The conversation can potentially include information such as credit card details, bank account details, passwords, emails, instant messages etc., leakage of which can be extremely damaging for a user.

2. Impersonation
a. Wireless Client Impersonation
Because the identity of a Wi-Fi capable device, called its MAC address, remains visible in the air while the device is searching for or connected to a Wi-Fi network, any Wi-Fi device connected and authenticated to an insecure public Wi-Fi network can be easily impersonated. By exploiting such an impersonation, a hacker can use an authenticated device's MAC address to bypass user authentication for accessing a particular public Wi-Fi network. This can potentially have serious implications for the user of the impersonated Wi-Fi device.
b. User's Identity Impersonation
The identity of a public Wi-Fi user can be impersonated by stealing cookies related to various sessions established over an insecure public Wi-Fi network. A lot of web services use cookies to identify an active session of a user, and send these cookies in plaintext, making them visible to hackers in range. Recently, a tool called “Firesheep” was released to expose the above weakness in various web services such as Facebook, Twitter etc., and to show how the weakness can be easily exploited to impersonate a user's identity over insecure public Wi-Fi networks.

3. Man-in-the-middle Attack (MITM)
An MITM attack can be easily simulated in an insecure Wi-Fi network environment using readily available Wi-Fi tool suites such as Aircrack-ng. After successfully launching an MITM attack, the attacker takes complete control over the wireless data flowing to and from Wi-Fi users. The attacker can even snoop into HTTPS-based web traffic using a tool called SSLStrip. There are two popular tricks for launching an MITM attack in an insecure public Wi-Fi network.
a. Honeypot
A honeypot is a Wi-Fi network planted by an attacker which appears to be a public Wi-Fi network by the name it advertises, for example “Free public Wi-Fi”, “Free Wi-Fi” etc. This is a very popular trick for launching a man-in-the-middle attack on public Wi-Fi users. As the flow of data traffic remains seamless and transparent, the wireless user on a honeypot remains ignorant of the underlying MITM attack he/she is subjected to.
b. Evil Twin
An evil twin is a variant of the honeypot attack which exploits the fact that a Wi-Fi client device is configured to connect to a wireless network identified by its name, called the service set identifier (SSID), and not by the identity of its access points (APs). In an “evil twin” attack, an attacker can create a twin of an insecure authentic public Wi-Fi network by advertising the same authentic SSID. After setting up an 'evil twin', the attacker can easily lure the wireless client device to its own fake network by launching a DoS attack that prevents it from connecting to the authentic wireless network. Sometimes the attacker can confuse and lure wireless clients to the fake evil twin AP by increasing the transmit power on the planted AP.

4. Peer-to-peer Attack
A peer-to-peer attack can be carried out by accessing another Wi-Fi user's machine over an ad hoc connection or via common access points advertising a similar Wi-Fi network. A lot of APs forward wireless traffic directly over the air if both sender and receiver are connected to the same AP. A Wi-Fi user connected to an insecure public Wi-Fi network is vulnerable to a peer-to-peer attack if client isolation, also known as public secure packet forwarding (PSPF), is not enabled in the network. Client isolation/PSPF is an enterprise grade feature and works effectively on a centrally controlled WLAN system. Unfortunately, due to the high cost of deploying a controller based WLAN system, a lot of public Wi-Fi networks use standalone SOHO grade wireless access points (APs). By launching a peer-to-peer attack over a public Wi-Fi service, a hacker can easily target a user of the service to his/her own advantage.

5. Unintended Client Connection
An unintended connection is one which happens without the user's knowledge. The anatomy of an unintended connection is as follows. When connecting to a Wi-Fi network, the Wi-Fi client device immediately saves the network details in its memory, in order to keep the connection intact by automatically connecting again in case the client device loses the connection with the network.
However, saving the network credentials can cause an unwanted connection to a Wi-Fi network, and the wireless user may remain completely uninformed. The tendency to establish unintended connections can be a big threat for wireless users carrying Wi-Fi enabled devices which remain on most of the time, such as Wi-Fi capable smartphones. Such a device can be easily exploited by a hacker advertising a fake Wi-Fi network with details similar to the saved one. If the unintended Wi-Fi connection succeeds on a hacker's fake Wi-Fi network, then the many cloud based applications that nowadays reside on most smart mobile devices will start uploading/downloading the user's private data to and from their respective cloud servers, causing the user's data to flow over the hacker-controlled network. Moreover, an unintended connection does not provide an opportunity to activate and run secure tunnelling software such as a Virtual Private Network (VPN).
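
A check a hotspot operator could run against the evil twin (3b) and fake saved-network (5) scenarios above, as an added example that is not part of the original post: it compares a site survey with the operator's AP inventory and flags beacons that advertise the hotspot's SSID from an unknown BSSID, from a known BSSID with the wrong channel or security, or much louder than every authorized AP. The record layout, the inventory, the 15 dB margin and all sample values are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One access point seen in a site survey (field layout is an assumption)."""
    ssid: str
    bssid: str
    channel: int
    security: str      # e.g. "open", "wpa2-psk", "wpa2-eap"
    rssi_dbm: int      # received signal strength; closer to 0 means louder


# Constructed inventory: the APs the operator actually deployed.
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "HotelGuest", "channel": 1, "security": "open"},
    "00:11:22:33:44:02": {"ssid": "HotelGuest", "channel": 6, "security": "open"},
}

# Constructed survey results from one walk-through of the venue.
SURVEY = [
    Beacon("HotelGuest", "00:11:22:33:44:01", 1, "open", -62),
    Beacon("HotelGuest", "00:11:22:33:44:02", 6, "open", -70),
    Beacon("HotelGuest", "02:AA:BB:CC:DD:EE", 6, "open", -38),   # not in inventory
    Beacon("HotelGuest", "00:11:22:33:44:01", 11, "open", -45),  # known BSSID, wrong channel
    Beacon("CoffeeShop", "00:DE:AD:BE:EF:01", 11, "wpa2-psk", -80),
]


def matches_inventory(beacon, authorized):
    """True only if BSSID, SSID, channel and security all match a deployed AP."""
    ap = authorized.get(beacon.bssid.lower())
    return ap is not None and (
        (ap["ssid"], ap["channel"], ap["security"])
        == (beacon.ssid, beacon.channel, beacon.security)
    )


def find_suspect_aps(survey, authorized, loud_margin_db=15):
    """Return [(bssid, [reasons])] for beacons that use a protected SSID
    but do not match the inventory."""
    protected_ssids = {ap["ssid"] for ap in authorized.values()}

    # Strongest signal per SSID among beacons that fully match the inventory.
    legit_rssi = {}
    for b in survey:
        if matches_inventory(b, authorized):
            legit_rssi[b.ssid] = max(legit_rssi.get(b.ssid, -200), b.rssi_dbm)

    findings = []
    for b in survey:
        if b.ssid not in protected_ssids or matches_inventory(b, authorized):
            continue
        ap = authorized.get(b.bssid.lower())
        reasons = []
        if ap is None:
            reasons.append("unknown-bssid")
        else:
            # A deployed BSSID seen with other parameters suggests a cloned MAC.
            if ap["ssid"] != b.ssid:
                reasons.append("ssid-mismatch")
            if ap["channel"] != b.channel:
                reasons.append("channel-mismatch")
            if ap["security"] != b.security:
                reasons.append("security-mismatch")
        # The post notes a planted AP may raise its transmit power to win clients.
        if b.ssid in legit_rssi and b.rssi_dbm - legit_rssi[b.ssid] >= loud_margin_db:
            reasons.append("louder-than-authorized")
        findings.append((b.bssid.lower(), reasons))
    return findings


if __name__ == "__main__":
    for bssid, reasons in find_suspect_aps(SURVEY, AUTHORIZED):
        print(bssid, ", ".join(reasons))
```
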

Solutions Recommended by Wireless Experts

1. Use of password protected Wi-Fi Network
You may often find advisories recommending the use of a password protected Wi-Fi network. A password protected Wi-Fi network can be either WEP enabled or WPA/WPA2 passphrase based. WEP provides no security to a wireless network, as it can be cracked in a few minutes using off-the-shelf hardware and software tools freely available on the Internet. A WPA/WPA2 passphrase is more robust than WEP, but in public Wi-Fi networks, sharing the password defeats the purpose. There are tools such as Wireshark (http://www.wireshark.org/), freely available on the Internet, which can be used to strip off the security cover from the encrypted wireless data of WEP or WPA/WPA2 passphrase enabled wireless networks.

[Figure: Snapshot of the Wireshark option for decryption of encrypted wireless data]

2. Captive Portal
A captive portal is implemented in public Wi-Fi networks to prevent unauthorized, unknown or unpaid access to the Internet. It is often based on a username/password, which wireless users mistakenly consider to be security. It is a first line of defence for service providers and does not offer security to wireless hotspot users.

3. Use of VPN
A VPN does provide security in an insecure public Wi-Fi network and helps protect private data exchange if it can be set up reliably after establishing a wireless connection. A motivated attacker can still prevent a wireless user from using a VPN in an insecure public Wi-Fi network by disrupting the communication and forcing the user to browse without the VPN. There are other weaknesses associated with the use of VPN discussed in this blog:

4. Only use SSL encrypted websites
There are only a bunch of web services that implement complete HTTPS sessions. Interestingly, as mentioned earlier, there are tools available, such as SSLStrip, that can strip off SSL security from a session. A tech savvy user can identify the difference, but a naïve user cannot, and he can still become the victim of a wireless attacker.
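
A check a web service operator could run for the two weaknesses this post names, session cookies sent in plaintext (item 2b, Firesheep) and SSL being stripped from a session (SSLStrip), as an added example that is not part of the original post: it flags cookies set without the Secure attribute and responses without a Strict-Transport-Security (HSTS) header, which tells browsers to refuse plain HTTP for the site. HSTS is not discussed in the post; the function names and both sample responses are constructed.

```python
# Constructed sample: response head of a site that leaves its session exposed.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session_id=abc123; Path=/; HttpOnly
Set-Cookie: lang=en; Path=/; Secure
"""

# Constructed sample: the same site after hardening.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly
"""


def parse_headers(raw):
    """Return (lower-cased name, value) pairs from a raw HTTP response head."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:        # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_attributes(set_cookie_value):
    """Split one Set-Cookie value into the cookie name and its attribute names."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def hsts_max_age(value):
    """Return the max-age of an HSTS header value, or 0 if absent or invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            val = val.strip('"')
            return int(val) if val.isdigit() else 0
    return 0


def audit_response(raw):
    """Audit a response head that is assumed to have been fetched over HTTPS."""
    findings = []
    headers = parse_headers(raw)

    # Without Secure, the browser also attaches the cookie to plain-HTTP
    # requests, where anyone in radio range can read it.
    for name, value in headers:
        if name == "set-cookie":
            cookie, attrs = cookie_attributes(value)
            if "secure" not in attrs:
                findings.append(("cookie-without-secure", cookie))

    # Without HSTS, a browser can still be steered to the http:// version
    # of the site, which is the condition SSL stripping relies on.
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append(("hsts-missing", ""))
    elif hsts_max_age(hsts[0]) <= 0:
        findings.append(("hsts-disabled", hsts[0]))
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw))
```
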

Conclusion
Users of insecure public Wi-Fi networks are vulnerable whenever they use these wireless networks, and they may remain vulnerable even after using the network. By turning on the firewall on the client device, one can only restrict a malicious user from actively scanning and penetrating a victim's wireless client device. Use of a VPN service provides limited security in certain scenarios. Since the footprint of Wi-Fi is getting wider and bigger, it is high time to build secure public wireless networks which have their own intelligence for managing security for users. In order to achieve this goal, the Wi-Fi Alliance is working on a new specification to bring security and roaming to public Wi-Fi hotspot users, but that may require a firmware upgrade on millions of Wi-Fi capable client devices already in the market.

The unique and innovative Airegis solution helps wireless service providers position themselves uniquely in the market by offering a secure wireless service, thereby helping wireless users use public Wi-Fi networks for all private data communication without requiring any software upgrade on the wireless client device and without subscribing to any third party solution for security. Moreover, it is fully compliant with today's most robust security configurations for wireless networks. Hence any Wi-Fi client device certified by the Wi-Fi Alliance can avail itself of the benefits of secure public Wi-Fi networks powered by Airegis.

Tuesday, January 17, 2012

Experience the next generation Wi-Fi Hotspot. It is simply secured.

Welcome visitors. This is our first official blog post and we would like to share with you a new world of secure Wi-Fi hotspots.

Wi-Fi hotspots are one of the fastest growing industries, bringing their presence almost everywhere, and the industry is going to grow more and more due to the tremendous surge in wireless capable handheld devices people are carrying these days, e.g. smartphones, iPads, notebooks etc. According to a recent Wireless Broadband Alliance (WBA) report, growing usage of tablets and smartphones will drive the deployment of Wi-Fi hotspots from 1.3 million today to 5.8 million by 2015, which is a whopping 350% increase. The growth in Wi-Fi hotspots is also expected to go through the roof with large scale initiatives similar to the one taken by Malaysia recently, where the government has mandated the provision of Wi-Fi internet service in every restaurant.


Though security, maintenance and ownership of the network have been the more important considerations for the service industry, players looking to provide free or paid Wi-Fi service to customers are left with no choice but to provide an extremely insecure wireless internet service. The insecurity of open wireless hotspot systems has been a topic of discussion for years, yet users of such networks are always advised to take alternate security measures when they are connected to open Wi-Fi hotspots, such as using a VPN or visiting HTTPS-enabled websites.

However, being user centric, most of the measures needed to minimize exposure to hotspot risks can easily be forgotten by a hotspot user on various occasions. Moreover, the hotspot user might be completely unaware of the security recommendations, or lack the technical know-how or resources to implement them. Also, with measures such as the use of VPN client software, a hotspot user may have to pay for the VPN service or face difficulty in seamless browsing.

Today, we are extremely excited to share with you the next generation Wi-Fi hotspot system. Airegis has come up with a unique product to enable robust security for hotspot users without losing the simplicity of today’s hotspot setups and without requiring a hotspot user to follow certain recommendations for averting the hotspot security risks. The product presents a unique opportunity to wireless hotspot service providers to win the trust of users and generate more revenue by offering it as a differentiated service until wireless security becomes a de-facto standard for hotspots.

Please feel free to contact us if you are interested in a discussion or a product demo. You can visit our website www.airegis.com.