Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

8/22/2011
06:28 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Baking Security Into Open WiFi Networks

New approach lets WiFi networks remain open and secure

What if you could make the coffee shop wireless LAN both open and secure? That's just what a group of researchers hopes to do with their new open-source code available to organizations or establishments hosting their own WiFi networks.

The newly released Secure Open Wireless Access (SOWA) proof-of-concept implementation is aimed at making openly available WiFi networks safer by giving users encrypted connections to wireless networks without their risking connecting to a rogue wireless access point or their traffic getting sniffed or hijacked. Researchers from IBM's X-Force research team, as well as an independent researcher, recently joined forces to push the technology, which they first demonstrated earlier this month at Black Hat USA in Las Vegas.

At the heart of SOWA are digital certificates associated with the WLAN's SSID, which ensure that the user is actually connecting to, say, Panera Bread's or Starbucks' trusted WiFi network. This would shield users from sidejacking or other attacks that hijack their HTML session cookies or sniff their traffic. That threat of malicious WiFi activity was intensified last fall with the release of the notorious Firefox extension called Firesheep, which made sidejacking merely a matter of point-and-click and easy enough for an everyday user -- not just a hacker.

"Insecure wireless is a constant reality. When you are using open wireless networks, your traffic is unencrypted and subject to be monitored," says Tom Cross, threat intelligence manager at IBM X-Force and lead researcher for SOWA. "Firesheep was a pretty dramatic demonstration of when you're using an unencrypted network that you're subject to having your credentials stolen.

"I think there's more of this kind of sniffing going on than we realize," he says. "When someone is attacking an insecure wireless network, there is no real way to detect that it's happening ... This has significant impact on security and personal privacy ... We want to build open wireless networks that are encrypted and that anyone can access."

The reality today is that the only secure WLANs are closed ones that require credentials and other access controls, which isn't conducive to coffee shops or other public spaces. So the researchers decided to take an approach similar to HTTP-S, but using SSIDs to identify the WLAN provider rather than domain names.

Cross and fellow researchers Takehiro Takahashi and Christopher Byrd initially focused on a Linux version of the secure WiFi solution, but they are looking at how to do the same with Windows and Mac OS X.

Sidejacking expert Robert Graham, CEO of Errata Security, says the SOWA approach would block the passive interception of traffic, and could also eliminate rogue access points. "If done correctly, it would also stop active interception," such as rogue APs, he says.

Graham says implementing it would basically only entail "a minor tweak to existing code."

"Companies can support it without breaking their existing products," Graham says. "Microsoft or Apple can also drop a competing solution into their own products that works much the same way."

IBM's Cross says it would help if the technology were built into the operating system. The SOWA PoC basically includes a slightly tweaked FreeRadius authentication server function and a client "supplicant," or lightweight code, that's based on WPA. Cross says FreeRadius would have to be configured to use the digital certificate for EAP/TLS, and the domain name in the cert would look something like "sown.ibm.com."

The SOW client tool negotiates the encryption. As long as the WiFi network's certificate checks out, the client gets connected to the network, Cross says. "From the client standpoint, it's easy to use," he says.

Interestingly, the IBM researchers and Byrd, manager of security and privacy for Brown Smith Wallace, independently and coincidentally came up with their secure open wireless research. "I had been working for years on finding a solution for [securing] hotspot wireless," Byrd says. He found he could use existing 802.11 wireless standards and basically make a tiny tweak to the source code of the open-source wireless authentication server Hostapd -- and voila, he had the beginnings of a secure open WiFi network.

The researchers decided to pool their research to help further their work and encourage its implementation.

"The bottom line is that I'm frustrated with insecure wireless networks. I think this is the right solution. We're trying to figure out the best way to make this available to the largest number of people the fastest," IBM's Cross says.

But the realizing promise of open, secure WiFi won't happen overnight. The initial PoC covers only Linux-based systems, and widespread adoption would require support for Windows as well as Mac OS X. "It has the same hurdle you have with any kind of widely deployed software. For mass effect, it means getting many computers updated [with the code]," Byrd says.

The PoC is available for download here, and a copy of the researchers' recent presentation is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
TPM-Fail: What It Means & What to Do About It
Ari Singer, CTO at TrustPhi,  11/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5541
PUBLISHED: 2019-11-20
VMware Workstation (15.x before 15.5.1) and Fusion (11.x before 11.5.1) contain an out-of-bounds write vulnerability in the e1000e virtual network adapter. Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service...
CVE-2019-5542
PUBLISHED: 2019-11-20
VMware Workstation (15.x before 15.5.1) and Fusion (11.x before 11.5.1) contain a denial-of-service vulnerability in the RPC handler. Successful exploitation of this issue may allow attackers with normal user privileges to create a denial-of-service condition on their own VM.
CVE-2010-4660
PUBLISHED: 2019-11-20
Unspecified vulnerability in statusnet through 2010 due to the way addslashes are used in SQL string escapes..
CVE-2011-0529
PUBLISHED: 2019-11-20
Weborf before 0.12.5 is affected by a Denial of Service (DOS) due to malformed fields in HTTP.
CVE-2019-10765
PUBLISHED: 2019-11-20
iobroker.admin before 3.6.12 allows attacker to include file contents from outside the `/log/file1/` directory.