Evil Twin, the phishing scheme that threatens users of Wi-Fi hot spots, has been well known in the industry for as long as two years, according to the chairman of the Wi-Fi Alliance's public access committee.
Evil Twin's target is the Universal Access Method, or UAM, the basic browser-based login page you see at most commercial hot spots: the client joins an open network and types its credentials into a web form, so it has no way to verify that the access point, or the login page it is shown, is the genuine one.
The good news for users is that by the time Evil Twin hit the headlines last month, the industry had already come up with schemes for addressing that category of attacks, known as man-in-the-middle attacks, in which a rogue access point advertising the hot spot's network name interposes itself between the user and the legitimate network.
The bad news is that those strategies, built on the WPA (Wi-Fi Protected Access) and WPA2 security standards, are not in place everywhere. Unlike an open UAM portal, WPA and WPA2 authenticate the network to the client as well as the client to the network, but the problems result from legacy equipment that has not been upgraded to WPA and from the fact that the staff at most hot spots, such as coffee shops, airport lounges and hotels, are not permitted to distribute secure login keys or to support users if there's a question.
"Once devices have the WPA client embedded in them," said Greg Hayes, chairman of the Alliance's public access committee and director of mobility marketing at Infonet, "it drastically reduces the local support burden on the venues because the procedure for getting authentication and getting services becomes a baseline industry standard."
In October the Alliance published a technical whitepaper that detailed how WPA could be implemented in hot spots and offered a migration path to WPA for organizations using legacy equipment. "So it's not a forklift upgrade," Hayes said. Ultimately, he added, the goal is "that end users will enjoy the same levels of secure mobile access when they travel" as they have when they work wirelessly within their offices.
Many corporate and campus environments that provide guest access to visitors have already taken these steps, Hayes noted. But problems still exist at hot spots provided as a courtesy by restaurants, coffee shops, and other public venues where there is no good way of distributing credentials or providing support to Wi-Fi users.
Hayes cited Connexion by Boeing's new in-flight Wi-Fi service as an example. "Imagine an airline flight attendant being asked to troubleshoot the network connection with an end user. Obviously, that's not going to happen," he said. "The burden is really on us [as service providers] to provide seamless roaming and, more and more, to automate the process and make it transparent to the user."
Traditionally, the authentication, encryption and accounting schemes that offer security and consolidated billing across networks came to enterprise users in the form of aggregated service offerings through such providers as Boingo Wireless Inc., Infonet Services Corp., iPass Inc. and Fiberlink Communications Corp. Boingo also provides service to end users, and iPass, which is largely focused on the enterprise, resells its service to users through its various partners.
These services use client-side software, installed on the mobile devices, to provide authentication, encryption and consolidated billing. Users have the same login experience whether they're at an airport lounge, hotel or coffee shop, and they receive a single bill for services as long as the provider servicing the location is a member of the aggregated network.
With their enterprise focus, Infonet, iPass and Fiberlink each provide added security services that allow IT managers to push their security policy to remote users logging in over any type of connection, whether it's Wi-Fi, wired broadband or dial-up.