The State of Guest Wi-Fi Security

encryption_lock

Most guest Wi-Fi networks today are open SSID’s with no encryption that have a captive portal that requires users to click through some terms and conditions. It would be nice to be able to secure these networks the same way we do with internal SSID’s–mutual authentication of the client and network, and strong layer 2 encryption, but that challenge has proven too difficult to accomplish without a high degree of friction. You could make users suffer through a lengthy and confusing onboarding process, but imagine doing that at every location where there is guest Wi-Fi? Not good. I agree with Keith Parsons’ take: Guest Wi-Fi should be fast, free, and easy. Security should be too.

How can we make this better? The Wi-Fi Alliance is certifying devices for a new security protocol called Opportunistic Wireless Encryption (OWE). Their certification is called Wi-Fi Enhanced Open, but I’ll refer to it as OWE for the purposes of this blog. OWE adds encryption to open WLAN’s with no client authentication, but it does not provide for server authentication, which leaves users vulnerable to man-in-the-middle (MitM) attacks. The authors of the RFC understood this, and wrote that “the presentation of the available SSID to users should not include special security symbols such as a ‘lock icon.'” Aruba Networks has already announced support for OWE, and I hope other vendors follow suit.

Unfortunately The Wi-Fi Alliance did not choose to make OWE support mandatory in WPA3. It’s a separate and optional certification. Perhaps they will right this wrong by requiring OWE support in Wi-Fi 6 certification, which could require WPA3 support just as 802.11n required WPA2 support. Why not tack on OWE to Wi-Fi 6 as well?

Secure Guest Wi-Fi with Hot Spot 2.0/Passpoint

I once believed that Hot Spot 2.0/Passpoint (HS2.0) was the future of secure guest Wi-Fi, because it allowed for anonymous authentication to a WPA2-Enterprise network. The problem is that users are still required to go through a high-friction onboarding process on every anonymous HS2.0 WLAN they wish to use. That means dealing with captive portals, terms and conditions, installing configuration profiles, etc.

HS2.0 does allow for automatic authentication with user creds from other identity providers. That would allow a user to login with pre-installed creds from their cellular carrier, Facebook, Amazon, Google, Apple, etc.

Telcos are the best choice here as their creds are already installed on mobile phones to authenticate with their cellular networks. However, telcos are unlikely to open their authentication service to WLAN operators for several reasons.

  • They want to be paid for providing this service, but SMB and many large enterprises don’t want to pay to increase the security of their guest networks.
  • It gives an implied endorsement of the security, quality, and reliability of the WLAN, which the telco knows nothing about.

That’s why you see telcos integrating with Boingo, for example, but not smaller players.

But what if there was a HS2.0 open roaming consortium that federated authentication from any identity provider that wanted to join? Something like eduroam for anyone.

The biggest problem is that WLAN authentication in such a scenario tells you nothing about the identity or security of… the WLAN. Users authenticate with their identity provider’s RADIUS servers, and the result is strong encryption in the air, but no guarantee of security on the wired network. They don’t get any information about the identity of the wired LAN that their bits are traversing, because the authentication is abstracted away from the network they are using. HS2.0 provides no identity verification of the network that users are actually using.

This is a smaller problem in eduroam, where most WLAN’s are run by higher education institutions and they agree to operate their networks a certain way. There is some homogeneity there, and users can expect similar security and terms of use between member networks.

An open roaming consortium would allow users to authenticate to a university’s WLAN and a dingy laundromat’s WLAN as if there was no difference. In fact, roaming between those networks would happen automatically without any user interaction. That’s an acceptable risk when all the networks in the consortium are similar (eduroam), but it isn’t when nothing can be assumed about the quality and security of member networks in an open roaming consortium.

Is it reasonable to assume an end-user wants to connect to any WLAN that supports their HS2.0 creds? My answer to that is a definite “no.” One benefit of the non-HS2.0 model is that a user must express an intent to connect to a new WLAN, which gives them the ability to decide if it is trustworthy or not. HS2.0 circumvents this process, and if it becomes more open and widespread, users may end up connecting to networks they don’t trust.

Secure Guest Wi-Fi with an On-Premises Solution

There are several on-premises BYOD or SGW onboarding solutions. They don’t solve the high-friction onboarding problem mentioned previously–they compound it, because the credentials they issue cannot be used between networks. Users must wrestle with a high-friction onboarding process with every SGW network they want to use.

The fundamental problem with Hot Spot 2.0 and On-Premises solutions is that they require client credentials. Authenticating users is not a requirement for SGW in my opinion, and I imagine that’s a common view. It creates unnecessary complexity for users and administrative overhead to WLAN operators. We need a solution for anonymous SGW.

An HTTPS-like Solution

For secure guest Wi-Fi, a security model similar to HTTPS would be great. Client identity is not important, but the WLAN identity should be verified, not just the RADIUS server. Strong encryption must be used, wireless network access must be resistant to MitM attacks, and users should only connect to a SGW network when they have expressed the intent to do so.

Additionally, all of the necessary configuration and complexity to accomplish this should be handled by the WLAN operator. For the end-user, it should “just work.”

Take the example of HTTPS: A web admin requests and is issued a DNS-validated TLS certificate signed by a public certificate authority. She then installs the cert on her web server, configures it for strong encryption, and adds an HTTP to HTTPS 301 redirect. Now visitors to the website are able to verify the website’s identity and connect to it with strong encryption, and they had to do nothing to get those security benefits except run a modern web browser. SGW should be just as easy for end users.

OWE gets us halfway there, but crucially, does not address the threat of MitM attacks. We need a WLAN-centric public key infrastructure (PKI) for that, and that’s the rub. Suddenly there’s a lot of administrative overhead to make this work. Perhaps it would look something like this:

An “Open RADIUS Certificate Authority,” or ORCA, would only issue certs to validated network operators, and those certs could only be used with specific SSID’s.

ORCA’s root cert would have to be be preinstalled and trusted by client devices for EAP authentication.

Wi-Fi clients would connect to an ORCA-enrolled SGW SSID and authenticate anonymously, then validate the ORCA-signed cert presented by the RADIUS server. The client verified that the cert has not been revoked and that it is connecting to an SSID that the cert has been permitted for use. The session is encrypted and the WLAN’s identity is verified. Clients only connect to ORCA-enrolled WLAN’s when they intend to, by clicking/tapping on the SSID in their Wi-Fi menu/settings.

All the end user has to do is tap/click on the SGW SSID to connect to it. Everything else is handled by the client device, the WLAN, and ORCA.

Ta da, we now have low-friction SGW, but for all this work, what have we really gained, today, in 2018?

If you run a packet capture on an open guest network today, you’ll see DNS queries and a whole lot of TLS sessions, not much else. Yes, SGW would add another layer of security on top of this, but at what cost? Making ORCA work is no small task, if it is even achievable in the first place.

Conclusions

OWE gives us layer 2 encryption, so that passive sniffing doesn’t reveal those DNS queries anymore. While OWE doesn’t address MitM rogue AP attacks, coupling it with 802.11w protected management frames, which is required for Wi-Fi Enhanced Open certification, adds resistance to malicious deauth attacks.

The work necessary to make my SGW scheme function doesn’t balance with the small gain in security. It’s better to take a perimeterless networking approach (e.g. BeyondCorp), only deploy hardened applications, and assume the networks your users use will not be trustworthy. If you do not use applications that expose their data to network-level interception or abuse, then have at it. How can an end-user ever truly know if a network is trustworthy anyway?

We can add a bit more security through OWE to help obscure the small amount of guest network traffic that remains unencrypted, and 802.11w protected management frames to prevent some rogue AP attacks. That’s going to have to be good enough.

Advertisements

Yes, Hotspot 2.0 is the Future of Secure Guest Wi-Fi

Since first blogging about Hotspot 2.0 and its application to typical enterprise WLAN guest networks I’ve learned quite a bit more thanks to several helpful tweets from Dave Wright of Ruckus Wireless. Although the large majority of the focus of Hotspot 2.0 still seems to be on integration with cellular carriers for AAA services and all the complexity and exclusivity that entails, there are provisions for simpler, anonymous, and secure Hotspot 2.0 guest networks that are much closer to what the typical enterprise WLAN operator will actually deploy. As I’ve said before, authentication is not a priority for most WLAN operators on their guest network, but encryption certainly is.

Is it the holy grail of guest Wi-Fi? Maybe, but more on that after we look at the Wi-Fi Alliance Passpoint (Release 2) Deployment Guidelines. In all 61 pages of the document, there are these few paragraphs devoted to what I predict to be the most common use of Hotspot 2.0.

12. Free Public Hotspot 2.0-Based Hotspots 

Hotspot Operators may provide Hotspot 2.0-based free, public, hotspot service. In this particular service, Hotspot Operators have the need to ensure hotspot users have accepted the terms and conditions governing their hotspot’s use, but are not interested in knowing (or do not wish to know/track) any particular user’s identity. This functionality is provided by Hotspot 2.0 Release 2 infrastructure. The Hotspot Operator configures their infrastructure as follows:

  1. The user in a Free Public Hotspot initiates the online sign-up registration process with the Free Public Hotspot’s OSU server.
  2. During the registration exchange, the OSU server presents the terms and conditions to the user.
  3. If the user accepts the terms and conditions, the OSU server issues a credential; if the user refuses, no credential is provisioned. Note that the same credential is issued to all users which have accepted the terms and conditions; therefore, the Hotspot Operator cannot track the identity of an individual user during the Hotspot 2.0 Access state (see section 6).
  4. When the user/mobile device returns to the same Free Public Hotspot, the previously provisioned credentials are used to provide secure, automatic access. The mobile device authenticates using EAP-TTLS, which provides for the generation of unique cryptographic keying material even though users share a common password.

If the terms and conditions change, then the user is taken through a subscription remediation
process during which the new terms and conditions are presented. If the user accepts the
changed terms and conditions, then a new credential is provisioned. 

There you have it. Hotspot 2.0 does provide for anonymous and secure guest networks. In short, 802.1X/EAP authentication is accomplished with EAP-TTLS through a common credential that is issued after the signup process. In fact, this has already been deployed by the cities of San Jose and San Francisco. To get an idea of how it works from a user’s perspective, check out the directions here.

Yes, you can do this all without Hotspot 2.0 in a less elegant way: Add a notice to your guest network captive portal that users can login to the secure network with a specific generic credential, and even a link to download a .mobileconfig profile for iOS and Mac OS users. However, the user experience won’t be standardized like it is with an OSU server, and non-Apple users will have to manually configure a connection to the 802.1X network, including adding a cert to their trusted roots. Not good UX. And definitely not fast, free, and easy.

The bad news: With Hotspot 2.0, the guest network captive portal is here to stay.

The good news: Users only have to wrestle with the captive portal once (unless the client credential is changed). And perhaps the technology behind the portal is more mobile client-friendly than today’s captive portals. Hopefully a HS2 client sees the OSU server being advertised by ANQP and immediately presents a notification to the user. If the user doesn’t play ball, the client should disconnect and the SSID should not be saved as a preferred SSID.

The great news: This is a lower-friction way to get secure Wi-Fi to guests.

Is this the holy grail? That depends on what you think that is. To me, the barrier to entry is low enough that I think this is a win for guest Wi-Fi.

Another wrinkle: The Hotspot 2.0 802.1X network can still be configured to automatically connect guests from known realms. That means that you could add eduroam and the coming anyroam realms to the SSID to onboard users from those participating organizations securely and automatically. And yes, no captive web portal either. So if the opportunities to integrate with AAA clearinghouses grow (exist at all?), the number of users subjected to the captive portal shrinks.

I’m sure there are concerns regarding the possibility of new SSID’s. Luckily, a legacy open guest network can serve Hotspot 2.0 incompatible clients while also delivering the Online Sign Up portal to compatible clients. That means no new SSID’s.

For the visual learners among us, your typical enterprise WLAN might look like this now:

A typical enterprise WLAN
A typical enterprise WLAN

To support secure Hotspot 2.0 guest clients, it might look like this in the future:

A Hotspot 2.0-enabled enterprise WLAN
A Hotspot 2.0-enabled enterprise WLAN

I’m looking forward to seeing gear get updated to support Hotspot 2.0 Rev 2 so we can see this in the wild. Ruckus is doing a great job banging the drum for Hotspot 2.0, but other vendors seem to be further behind. Client support is not great (come on, Android), but Apple has supported it since iOS 7, so here’s hoping that will drive others to follow suit.

Hotspot 2.0 Can Disrupt the Cellular Marketplace

When it comes to cellular in the U.S. there are two major carriers, AT&T and Verizon, and everybody else. While Sprint and T-Mobile both also compete in the national market, they have far fewer subscribers and a reputation for poor coverage. This has essentially been the state of affairs since Cingular bought AT&T Wireless in 2004 and continued business using the AT&T brand. There are some smaller regional competitors, but their market share is limited, and their customers roam onto one of these national networks when they leave their regional service area.

I think the combination of Hotspot 2.0 and Voice-over-Wi-Fi (VoWiFi), or “Wi-Fi Calling” as it’s known has the potential to disrupt the current cellular marketplace dynamics.

Sprint and T-Mobile have been dropping their prices to try to attract customers away from the Big Two (AT&T and Verizon) for years, even offering to pay early termination fees and give trade-in credit for phones, but it appears that this has largely been unsuccessful. When you can’t make a call from within your own home or office, who cares how cheap the service is?

Part of the problem for T-Mobile is that a lot of the spectrum they own is higher frequency than their competitors, so it doesn’t penetrate buildings as well due to the increase in attenuation that occurs as wavelength decreases. That’s a tough problem to solve.

carriers

VoWiFi and Hotspot 2.0 can change all of that.

VoWiFi extends the network’s voice coverage into the subscriber’s home and office, where subscribers can easily connect their phone to the W-Fi network, which takes care of that concern. Sprint and T-Mobile could also partner with SOHO Wi-Fi router manufacturers so that Hotspot 2.0 roaming integration was preconfigured for their networks on these products. Imagine if a subscriber could buy a NETGEAR “T-Mobile Edition” router and have VoWiFi calling work out of the box, without any configuration on their phones.

Imagine if Sprint and T-Mobile aggressively pursued Hotspot 2.0 integrations with major public Wi-Fi providers. Their subscribers would have seamless VoWiFi coverage in the areas where they currently have the biggest problem: indoors. As public Wi-Fi continues to expand, the voice coverage for these carriers could expand right along with it.

In fact, if we assume a properly designed WLAN, in very high density environments the indoor service for these carriers could be superior to the Big Two. Ever go to a ballgame and been unable to make a call or use data in a full stadium? That’s a common experience and Wi-Fi roaming integration solves that. Wi-Fi was designed to meet LAN access needs like this. Why not actually use it that way?

This could make Sprint and T-Mobile attractive again. Although I don’t imagine the costs would be very significant as it doesn’t involve building new towers and deploying more of their own hardware, they would probably need to compensate large public Wi-Fi operators for the use of their networks. That would allow them to keep their service priced below the Big Two.

Cellular data offload is commonly thought of as a driver for the adoption of Hotspot 2.0. Voice coverage expansion for smaller carriers may be more important.

eduroam – Secure, Automatic Roaming Between WLAN’s

eduroam (education roaming) is the secure worldwide federated network access service developed for the international research and education community.

I’ve been really intrigued by the WLAN phenomenon eduroam which has swept across much of Europe and is being deployed in many US universities this academic year. This is a secure WLAN roaming technology, but it doesn’t require Hotspot 2.0/Passpoint/802.11u/Rev 1/Rev 2 (whatever you want to call that).

Participating institutions put up an ‘eduroam’ SSID with 802.1X authentication, and on the back-end authentication is handled by the authenticating user’s home institution’s RADIUS server, rather than the local server of the WLAN. That allows users to establish secure connections to any participating institution’s WLAN.

To get a user on the WLAN, RADIUS requests are proxied by the local RADIUS server to the eduroam regional or top-level RADIUS routing servers. The eduroam server inspects the username in the request for the domain, e.g. user@example.edu, matches the realm ‘example.edu,’ and then proxies the request to the users home institution’s RADIUS for authentication. The home institution’s server then responds through the same proxying scheme.

eduroam RADIUS routing example
eduroam RADIUS routing example

For users, it ‘just works.’ They connect to the SSID once and add it to their preferred SSID list just like any other network, then their device automatically connects securely wherever they see the eduroam SSID. Could be another university, could be a coffee shop, or even an airport.

For participating institutions, they just need to configure a few RADIUS proxying rules for users outside of their institution, and then users from hundreds of institutions around the world can securely connect to the WLAN.

If my understanding of Hotspot 2.0 is correct, the future for eduroam may be very bright. In a HS2 WLAN, a separate eduroam SSID isn’t needed. eduroam could register to become a HS2 roaming hub, then WLAN operators advertise eduroam through ANQP as a supported roaming hub on their existing 802.1X SSID, and then eduroam users will automatically connect to it. Fewer SSID’s is always better.

While all the talk about HS2 is about offloading cellular data onto Wi-Fi networks, there is real potential here for more useful federated authentication for everyone-not just cellular subscribers. eduroam is the model for that.

Hotspot 2.0: The Future of Guest Wi-Fi?

Hotspot 2.0 is a technology that leverages 802.11u and service provider authentication systems to connect clients to WLAN’s securely and automatically. For example, an owner of a Verizon Samsung Galaxy S5 with Passpoint enabled who comes within range of a Hotspot 2.0-enabled SSID which can serve Verizon customers will automatically connect to the WLAN, secured by WPA2, with no user interaction.

At least, that’s how I understand the most common use case for Hotspot 2.0 and 802.11u. Personally, I have other ambitions for the program and currently it isn’t at all clear what else Hotspot 2.0 is capable of.

I’m encouraged to see that Hotspot 2.0 Release 2 provides a public key infrastructure and pre-installed trusted root certificates on clients for use when forming secure connections to WLAN infrastructure components.

What I’d really like to see if that PKI infrastructure used in a manner similar to HTTPS, so that clients securely connect to an “open” SSID, use EAP-TLS to evaluate the server certificate against its trusted roots, and establish a WPA2 protected connection without any client-side credentials or cumbersome captive portal registration process. 802.11u data can be presented to the client for use in evaluating the certificate. To me, that is the holy grail for WLAN guest networks.

Authenticating users through carrier AAA isn’t important because very few WLAN operators want/need to know the identity of users on their guest networks (with the exception of retail, I suppose).

I must say that I cringed when I read that Release 2 includes “portal based signup.” Hopefully this is substantially different from the extremely mobile-unfriendly process of current captive portal technology. Either way it will be an obstacle to onboarding users. Guest Wi-Fi should be frictionless.

I’m not interested in authenticating guest users on the WLAN, but I do want them to have a secure connection. It would be awesome if WLAN operators could opt-out of all that AAA integration complexity required by Hotspot 2.0 and just use the PKI infrastructure to run an open, encrypted WLAN for guests. This would allow more clients to connect securely as well, rather than only smartphones with with carrier agreements and users that suffer through a portal-based signup process. Will this be possible? I certainly hope so.