According to a recent In-Stat survey, half of US business professionals now use Wi-Fi hot spots in hotels, airports, and other public venues -- one fourth at least once a week. Many hot spot users are concerned about security, and for good reason. Hot spots are an ideal venue for eavesdropping, sharing viruses, or simply taking advantage of those whose defenses are weak.
On the flip side, Wi-Fi hot spots can make business travel far more productive. It's never been easier for travelers to stay in touch with the office and home. Occasional travelers can pay as they go, using hourly or day passes, generally under $10. Frequent travelers can open all-you-can-eat hot spot accounts, starting at $20 per month (e.g., Boingo). Those who prefer free services can search directories like JiWire or Wi-Fi-FreeSpot, although some travel may be required to reach even the closest free hot spot.
Fortunately, you don't need to avoid hot spots to avoid wireless intruders. Start by taking just a few simple steps to harden your station's defenses.
- Disable Sharing: File and printer sharing may be common in business and home networks, but should be avoided in public networks where strangers can easily browse, read, and perhaps even write to exposed shares. To prevent this on Windows hosts, open your wireless connection's Properties panel and make sure that "Client for Microsoft Networks" and "File and Printer Sharing for Microsoft Networks" are both unchecked.
- Firewall Your Laptop: By default, Windows hosts listen to many TCP and UDP ports, and each open port represents a potential attack vector. If you're a Windows XP user, close those holes by enabling the firewall built into Service Pack 2, making sure that no exceptions are defined for your wireless connection. If you run another operating system, install a third-party personal firewall. Individuals can download free firewall programs from ZoneAlarm, Comodo, or Kerio. Larger companies should consider centrally-managed desktop firewalls like Symantec Sygate Enterprise Protection or InfoExpress CyberArmor Personal Firewall.
- Control Your Connection: Many wireless client programs -- including the XP Wireless Zero Config service -- automatically connect to any available wireless Access Point (AP) or Ad Hoc peer. This can be handy at the office, but it is simply bad practice in public networks. To regain control, configure your wireless client to associate ONLY at your request. For example, use the XP Wireless Networks panel Advanced button to uncheck "Automatically connect to non-preferred networks" and check "Access point (infrastructure) networks only." If using SP2, configure every "Preferred Network" to disable auto-connection. Finally, disable those connections when not in use!
In mid-January, the Nomad Mobile Research Centre warned that many XP devices are accidentally associating with Ad Hoc peers using common Service Set Identifiers (SSIDs). In one field test, of 56 clients lured into connecting this way, 11 were vulnerable to remote file access or compromise. The three steps outlined above are basic and simple, but would have been enough to completely avoid this attack.
These simple steps are a good start, but more is required to prevent eavesdropping on wireless data and man-in-the-middle attacks.
- Secure Your Login: Many commercial hot spots use SSL to encrypt the subscriber login process: entering a username/password, passcode, or credit card number on a web page. But when was the last time that you checked to see whether your login was really encrypted? At minimum, use your browser to verify that SSL is enabled before you log in. Never log into a hot spot portal that presents an invalid certificate, or asks for a login without encryption. Larger companies may want to consider securing authentication end-to-end using a roaming client like iPass or Fiberlink.
- Secure Your Data: Operators usually encrypt logins, but encrypting data is an entirely different matter. T-Mobile and iBAHN support WPA data encryption in US hot spots. Everywhere else, you're on your own to prevent eavesdropping. Corporate users running IPsec or SSL VPN clients should create "connection manager" rules that ensure the VPN is up whenever wireless is active. Those who use secure applications like web mail should be careful about leaking other data. If you don't have a VPN, consider using a SOHO encryption service like Witopia Personal VPN, JiWire SpotLock, or Citrix Online GoToMyPC.
- Avoid Evil Twins: Look-alike "Evil Twin" APs can trick hot spot users into connecting with them instead of legitimate APs. They can then launch man-in-the-middle attacks like presenting phony web pages or intercepting SSL or SSH sessions. Using a WPA-capable hot spot can help you avoid connecting to an Evil Twin by letting you verify the 802.1X Authentication Server's certificate. T-Mobile's Connection Manager checks that certificate automatically. When using another client, be sure to enable certificate verification.
- Monitor Your Connection: Wireless clients usually indicate connection status, but don't provide detailed connection logging, alert you to improper or suspicious wireless activity, or take preventative action when such events occur. To keep a closer eye on your wireless connection, run a host-resident wireless IDS agent like AirDefense Personal, AirTight SpectraGuard SAFE, or Network Chemistry RFprotect Endpoint. Individuals can use host WIDS to become more aware of unsafe conditions -- for example, bridging between wired and wireless connections. Larger companies can use host WIDS as part of a broader endpoint security initiative, enforcing policies that keep remote workers safe, no matter how they connect to the Internet.
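The "associate only at your request", Ad Hoc lure, Evil Twin and host WIDS points above all come down to the same triage a client should run over its scan results before joining anything. The following is an added example (not code from the article or from any of the products it names) of that logic: the preferred-network profiles, the list of common lure SSIDs and the scan result are constructed samples.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Network:
    ssid: str
    bssid: str
    mode: str      # "infrastructure" or "adhoc"
    security: str  # "open", "wep", "wpa", "wpa-enterprise"

# Preferred networks the user deliberately configured, with the security each
# is expected to offer (constructed sample, not a real profile store).
PREFERRED = {"tmobile": "wpa-enterprise", "corp-guest": "open"}
# SSIDs commonly used to lure clients into ad hoc peering (constructed list).
COMMON_SSIDS = {"linksys", "default", "free wifi", "hotspot"}

def triage(scan):
    """Return (allowed_bssids, alerts): only preferred infrastructure networks
    whose security matches the profile may be joined; the rest are ignored or flagged."""
    allowed, alerts, by_ssid = [], [], {}
    for n in scan:
        by_ssid.setdefault(n.ssid, []).append(n)
    for ssid, nets in by_ssid.items():
        # One SSID advertised with differing security is the classic Evil Twin
        # pattern: an open look-alike AP beside the real WPA network.
        secs = {n.security for n in nets if n.mode == "infrastructure"}
        if len(secs) > 1:
            alerts.append(f"possible Evil Twin: '{ssid}' seen as {sorted(secs)}")
        for n in nets:
            if n.mode == "adhoc":
                # Ad hoc peers on common or preferred SSIDs are the lure in the field test.
                if ssid.lower() in COMMON_SSIDS or ssid in PREFERRED:
                    alerts.append(f"ad hoc peer '{ssid}' ({n.bssid}); do not associate")
                continue
            expected = PREFERRED.get(ssid)
            if expected is None:
                continue  # non-preferred network: never auto-connect
            if n.security != expected:
                alerts.append(f"'{ssid}' ({n.bssid}) offers {n.security}, expected {expected}")
            else:
                allowed.append(n.bssid)
    return allowed, alerts

# Constructed scan result standing in for what the wireless client sees.
SAMPLE_SCAN = [
    Network("tmobile", "00:11:22:33:44:01", "infrastructure", "wpa-enterprise"),
    Network("tmobile", "00:11:22:33:44:02", "infrastructure", "open"),
    Network("linksys", "02:aa:bb:cc:dd:01", "adhoc", "open"),
    Network("corp-guest", "00:11:22:33:44:03", "infrastructure", "open"),
    Network("AirportFree", "00:11:22:33:44:04", "infrastructure", "open"),
]
```

On the sample scan only the two matching preferred APs are cleared to associate; the open "tmobile" look-alike, the ad hoc "linksys" peer and the security mismatch each raise an alert, while the non-preferred airport network is simply ignored.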
These four steps do require at least some ongoing security awareness and effort. But everyone concerned with hot spot security should give them a try. Whether you're an individual, a small business, or a large enterprise, security measures like these can help you to more safely reap the benefits of Wi-Fi hot spots.
About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.