While traveling through several Midwest airports recently I was presented with the usual onslaught of numerous “FREE” public wireless access services. From Airport terminals to coffee shops in the center of the city, everyone wants to give away free wireless access. And I say Bully! The problem I have with all this ubiquitous access is that as security professionals we typically cringe at the thought of connecting to an “unknown” or “untrusted” wireless source and then surfing the web, checking email, or any of another dozen things we do each day in order to do our jobs, stay in touch with friends and family, or just download really cool music. We are terrified of connecting without encryption and should be.
As all these “Hot Spots” begin showing up on my machine, it occurred to me. Why don’t business owners that give away free internet access setup good encryption and make the key public. As we are trained in the secret trade of security we are taught that keys must always be kept secret and never revealed publicly in order to insure privacy. Well, “public” Wi-Fi is just that; PUBLIC. It is meant to be used freely by anyone who can gain a signal strong enough to connect. The owners typically care not what you do or where you go (although some do apply restrictions with web filtering, etc.). And unfortunately users do just that. Poor Jack down the street logs into his bank account not knowing that the kid in the parking lot is sniffing his passwords while he sips his morning cappuccino. Sara logs into her email and the same thing happens.
What about systems that use “portals” for authentication? Most of them do just that; authenticate, not encrypt. They are used for “pay” services and use your username and password to ensure that you are, or have been billed properly. They rarely make any attempt at securing your transmissions. But couldn’t we use these pages for advertisements and reminders about security? Perhaps adds for the morning special on Blueberry muffins at the local coffee shop or who will be playing at open mike night on Thursday; all ways to drive more business.
And why don’t we use encryption in “FREE” public access wireless? Mostly due to ignorance. Most business operations either don’t realize or don’t care about the security problems associated with transmitting in the clear or are simply too lazy to do anything about it. But what would it hurt? Most new OSs prompt for a key when connecting to a new network and once you have exchanged keys everything from that point on is encrypted. All the other dangers of public Wi-Fi still exist but the single most dangerous could be eliminated with as single flip of the switch on the interface of the AP or system being used.
So next time you are at your favorite coffee shop ask the owners if they even know how to enable security on their Wi-Fi, and if so, to do it. At least you can surf the web with a little more sense of security than before.
That’s enough ranting for one week. Stay tuned for next week’s on the subject of Anonymous FTP. Until then…