Evil Twin, the phishing scheme that threatens users of Wi-Fi hot spots, has been well-known in the industry for as long as two years, according to the chairman of the Wi-Fi Alliances public access committee.
Evil Twins target is the Universal Authentication Method, or UAM, the basic browser-based authentication presentation screen you see at most commercial hot spots.
The good news for users is that by the time Evil Twin hit the headlines last month, the industry had come up with schemes for addressing that category of attacks, known as man-in-the-middle.
The bad news is that those strategies, pegged to the WPA (Wi-Fi Protected Access) and WPA2 security standards, are not in place everywhere. The problems result from legacy equipment that has not been upgraded to WPA and from the fact that the staff at most hot spots, such as coffee shops, airport lounges and hotels, are not permitted to distribute secure login keys and support users if theres a question.
“Once devices have the WPA client embedded in them,” said Greg Hayes, chairman of the Alliances public access committee and director of mobility marketing at InfoNet, “it drastically reduces the local support burden on the venues because the procedure for getting authentication and getting services becomes a baseline industry standard.
In October the Alliance published a technical whitepaper that detailed how WPA could be implemented in hot spots and offered a migration path to WPA for organizations using legacy equipment. “So its not a forklift upgrade,” Hayes said. Ultimately, he added, the goal is “that end users will enjoy the same levels of secure mobile access when they travel” as they have when they work wirelessly within their offices.
Many corporate and campus environments that provide guest access to visitors have already taken these steps, Hayes noted. But problems still exist at hot spots provided as a courtesy by restaurants, coffee shops, and other public venues where there is no good way of distributing credentials or providing support to Wi-Fi users.
Hayes cited Connexion by Boeings new in-flight Wi-Fi service as an example. “Imagine an airline flight attendant being asked to troubleshoot the network connection with an end user. Obviously, thats not going to happen,” he said. “The burden is really on us [as service providers] to provide seamless roaming and, more and more, to automate the process and make it transparent to the user.”
Traditionally, the authentication, encryption and accounting schemes that offer security and consolidated billing across networks came to enterprise users in the form of aggregated service offerings through such providers as Boingo Wireless Inc., Infonet Services Corp., iPass Inc. and Fiberlink Communications Corp. Boingo also provides service to end users, and iPass, which is largely focused on the enterprise, resells its service to users through its various partners.
These services use client-side software, installed on the mobile devices, to provide authentication, encryption and consolidated billing services. Users have the same login experience whether theyre at an airport lounge, hotel or coffee shop, and they receive a single bill for services as long as the provider servicing the location is a member of the aggregated network.
With their enterprise focus, Infonet, iPass and Fiberlink each provided added security services that allow IT managers to push their security to remote users logging in over any type of connection, whether its Wi-Fi, wired broadband, or dial-up.
: How the aggregators work”>
Infonet and FiberLink have added features to Boingos client that both companies license.
“There are a number of ways where the UAM can be replicated or scammed. Evil Twin is the newest iteration of it,” said Christian Gunning, director of product management at Boingo. When a user logs in, Boingo validates that the access point is a member of its network. If its not, the user gets a failed authentication notice.
“The first thing we do is validate the certificate of that access point to certify that who we think were talking to is actually who were talking to,” said Howard Pressman, manager of wireless solutions at Fiberlink.
iPass Secure Connect automatically launches a personal firewall. Its iSEEL encrypts logon credentials through authentication when VPN encryption is launched. Chris Churilo, director of product marketing at iPass, said if phishers are looking for credit card information, “theyll be a little bit disappointed the only thing they could actually do is get onto the Internet.”
Last year, the Wi-Fi Alliance endorsed the Wireless ISP Roaming specification to define a roaming model that aims to pull service providers more directly into the mix and bring WPA authentication security technologies into public hot spots as they, and their customer users, upgrade equipment.
“If we make the assumption going forward that more and more users will have WPA-enabled clients on their devices, the easier the roaming challenge becomes because you have a standardized protocol for securing and transmitting the information among parties,” Hayes said.
Already, he said, were seeing “a kind of a horse race among providers over the number of hot spots in their networks.” And thats good news to users who find Wi-Fi connectivity increasingly available to them no matter what provider they subscribe to.