Baking Security Into Open WiFi Networks

What if you could make the coffee shop wireless LAN both open and secure? That's just what a group of researchers hopes to do with their new open-source code available to organizations or establishments hosting their own WiFi networks.

The newly released Secure Open Wireless Access (SOWA) proof-of-concept implementation is aimed at making openly available WiFi networks safer by giving users encrypted connections to wireless networks without their risking connecting to a rogue wireless access point or their traffic getting sniffed or hijacked. Researchers from IBM's X-Force research team, as well as an independent researcher, recently joined forces to push the technology, which they first demonstrated earlier this month at Black Hat USA in Las Vegas.

At the heart of SOWA are digital certificates associated with the WLAN's SSID, which ensure that the user is actually connecting to, say, Panera Bread's or Starbucks' trusted WiFi network. This would shield users from sidejacking or other attacks that hijack their HTML session cookies or sniff their traffic. That threat of malicious WiFi activity was intensified last fall with the release of the notorious Firefox extension called Firesheep, which made sidejacking merely a matter of point-and-click and easy enough for an everyday user -- not just a hacker.

"Insecure wireless is a constant reality. When you are using open wireless networks, your traffic is unencrypted and subject to be monitored," says Tom Cross, threat intelligence manager at IBM X-Force and lead researcher for SOWA. "Firesheep was a pretty dramatic demonstration of when you're using an unencrypted network that you're subject to having your credentials stolen.

"I think there's more of this kind of sniffing going on than we realize," he says. "When someone is attacking an insecure wireless network, there is no real way to detect that it's happening ... This has significant impact on security and personal privacy ... We want to build open wireless networks that are encrypted and that anyone can access."

The reality today is that the only secure WLANs are closed ones that require credentials and other access controls, which isn't conducive to coffee shops or other public spaces. So the researchers decided to take an approach similar to HTTP-S, but using SSIDs to identify the WLAN provider rather than domain names.

Cross and fellow researchers Takehiro Takahashi and Christopher Byrd initially focused on a Linux version of the secure WiFi solution, but they are looking at how to do the same with Windows and Mac OS X.

Sidejacking expert Robert Graham, CEO of Errata Security, says the SOWA approach would block the passive interception of traffic, and could also eliminate rogue access points. "If done correctly, it would also stop active interception," such as rogue APs, he says.

Graham says implementing it would basically only entail "a minor tweak to existing code."

"Companies can support it without breaking their existing products," Graham says. "Microsoft or Apple can also drop a competing solution into their own products that works much the same way."

IBM's Cross says it would help if the technology were built into the operating system. The SOWA PoC basically includes a slightly tweaked FreeRadius authentication server function and a client "supplicant," or lightweight code, that's based on WPA. Cross says FreeRadius would have to be configured to use the digital certificate for EAP/TLS, and the domain name in the cert would look something like "sown.ibm.com."

The SOW client tool negotiates the encryption. As long as the WiFi network's certificate checks out, the client gets connected to the network, Cross says. "From the client standpoint, it's easy to use," he says.

Interestingly, the IBM researchers and Byrd, manager of security and privacy for Brown Smith Wallace, independently and coincidentally came up with their secure open wireless research. "I had been working for years on finding a solution for [securing] hotspot wireless," Byrd says. He found he could use existing 802.11 wireless standards and basically make a tiny tweak to the source code of the open-source wireless authentication server Hostapd -- and voila, he had the beginnings of a secure open WiFi network.

The researchers decided to pool their research to help further their work and encourage its implementation.

"The bottom line is that I'm frustrated with insecure wireless networks. I think this is the right solution. We're trying to figure out the best way to make this available to the largest number of people the fastest," IBM's Cross says.

But the realizing promise of open, secure WiFi won't happen overnight. The initial PoC covers only Linux-based systems, and widespread adoption would require support for Windows as well as Mac OS X. "It has the same hurdle you have with any kind of widely deployed software. For mass effect, it means getting many computers updated [with the code]," Byrd says.

The PoC is available for download here, and a copy of the researchers' recent presentation is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.