Pages

Pages

Saturday, November 06, 2010

What impact will security worries have on WiFi offload?

I'm not normally too paranoid about WiFi security - although to be honest, I probably should be, given the amount of time I spend in weird countries using public hotspots, as well as an hour or two a day working cafes in London. I take what I feel are sensible precautions, but I'm still aware that I could probably be more careful.

But what has scared me recently has been the fuss around FireSheep. To the uninitated, I suggest a quick read-up on it. Basically it allows the easy hacking of someone's web access, especially when using popular websites like Facebook, when using ordinary HTTP rather than the encrypted HTTPS option. Specifically, FireSheep enables people to snoop on their neighbours' access to various web services when using shared, open WiFi networks.

This post is not about the controversy, or the various software countermeasures to force more traffic to secure access paths, or squash the capability of the hacking tool to operate effectively.

I'm more thinking about what this does to mobile operators' 3G data offload strategies - specifically using public WiFi hotspots. There are various implications:
  • Legal folks at telcos probably want to have a good think about liability issues if their software forces (or automates) WiFi access, without at least warning users about the risks.
  • There is an opportunity for operators to differentiate and add value by putting VPN or other capabilities in their connection manager clients, or custom browser variants.
  • Some end-users are going to switch off WiFi or be hesitant about using it, and just stay on 3G
  • Public / hotspot femtos are going to start looking more attractive
  • UMA-style WiFi, or I-WLAN, which hooks back to the operator's core network via an IPsec tunnel, is going to look more attractive again
  • More WiFi APs in public hotspots will probably shift to WEP/WPA encryption, making logon and authentication more of a pain (expect more support calls from confused customers)
Overall, I think these issues have not yet filtered through to the telecoms community as quickly as might be expected. A quick Google search doesn't show much for firesheep+offload.

This is too important to overlook, I think.

5 comments:

  1. Dean -- no worries, really. Mobile operators have heard the Wi-Fi security concerns loud and clear. The dominant design in 3G off-load via Wi-Fi moving forward, as operators are implementing it with us today, relies on the EAP-SIM variant of 802.1x authentication which uses (a) the subscriber credentials already on the smartphone (the SIM card) to make authentication as secure and automatic as what happens on 3G networks, and (b) the secret keys exchanged in that process as the basis for AES encryption over the air. Stay tuned for announcements of large Wi-Fi networks deployed that are every bit as easy to use and secure as the 3G networks -- but with tons more bandwidth where you want it most.

    regards,

    Steven Glapa
    Ruckus Wireless, Inc.

    ReplyDelete
  2. Hi Steven

    Sorry, I don't buy the EAP-SIM argument at all - I've heard it since about 2004 and it doesn't stack up for a lot of use cases.

    In particular, it doesn't work in scenarios for PC-based offload where the user has a 3G dongle attached, but uses the native WiFi and connection manager on the computer.

    In fact, the most likely scenario is where the user doesn't even attach the dongle (& SIM) to the PC when they know they are in a cafe where WiFi is available & they have credentials, even if they use the operator's connection manager client.

    I'm also not sure if the SIM is accessible on a phone switched to "flight mode", or how it would work in roaming scenarios.

    There are many other flaws with using SIM-based authentication I can think of as well.

    Dean

    ReplyDelete
  3. Mark Grayson9:12 am

    Hi Dean

    whatever the case, it is clear that previous attempts at defining architectures which mandate a homogeneous client environment have failed (else we would all be talking on UMA-phones enabled with RCS-clients). Service Providers and WLAN Access Providers need to be able to support heterogeneous client environments which support service to basic clients with all the security caveats, but which motivate the deployment of new client functionality with improved WiFi experience.

    Cheers,

    Mark Grayson
    Cisco

    ReplyDelete
  4. Davide1:39 pm

    EAP-SIM variant would work for WiFi offload in a smartphone, right? In this respect, Steven is right.

    ReplyDelete
  5. PC-based offload is surely going to be a relative rarity going forwards (and its historical signficant position is probably a major reason why EAP-SIM had no real impetus). Any laptop user with an interest in data access is going to make the leap required to get SIM-auth working if their reward is Wifi levels of access, surely.
    No reason from the looks of google-results for SIM access to be affected by flight mode - AFAIK any user with contacts stored on the SIM can still access them(?) when in that mode.
    The sticky bit with EAP-SIM as your baseline is the non-SIM-based wifi customer. And for them, I wonder whether it's going to come with 802.1x PEAP/TTLS over WPA2 (enterprise) which will be the "acceptable" form of encrypted access dual SSID's and all..
    Hugh

    ReplyDelete