Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

8/22/2011
06:28 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Baking Security Into Open WiFi Networks

New approach lets WiFi networks remain open and secure

What if you could make the coffee shop wireless LAN both open and secure? That's just what a group of researchers hopes to do with their new open-source code available to organizations or establishments hosting their own WiFi networks.

The newly released Secure Open Wireless Access (SOWA) proof-of-concept implementation is aimed at making openly available WiFi networks safer by giving users encrypted connections to wireless networks without their risking connecting to a rogue wireless access point or their traffic getting sniffed or hijacked. Researchers from IBM's X-Force research team, as well as an independent researcher, recently joined forces to push the technology, which they first demonstrated earlier this month at Black Hat USA in Las Vegas.

At the heart of SOWA are digital certificates associated with the WLAN's SSID, which ensure that the user is actually connecting to, say, Panera Bread's or Starbucks' trusted WiFi network. This would shield users from sidejacking or other attacks that hijack their HTML session cookies or sniff their traffic. That threat of malicious WiFi activity was intensified last fall with the release of the notorious Firefox extension called Firesheep, which made sidejacking merely a matter of point-and-click and easy enough for an everyday user -- not just a hacker.

"Insecure wireless is a constant reality. When you are using open wireless networks, your traffic is unencrypted and subject to be monitored," says Tom Cross, threat intelligence manager at IBM X-Force and lead researcher for SOWA. "Firesheep was a pretty dramatic demonstration of when you're using an unencrypted network that you're subject to having your credentials stolen.

"I think there's more of this kind of sniffing going on than we realize," he says. "When someone is attacking an insecure wireless network, there is no real way to detect that it's happening ... This has significant impact on security and personal privacy ... We want to build open wireless networks that are encrypted and that anyone can access."

The reality today is that the only secure WLANs are closed ones that require credentials and other access controls, which isn't conducive to coffee shops or other public spaces. So the researchers decided to take an approach similar to HTTP-S, but using SSIDs to identify the WLAN provider rather than domain names.

Cross and fellow researchers Takehiro Takahashi and Christopher Byrd initially focused on a Linux version of the secure WiFi solution, but they are looking at how to do the same with Windows and Mac OS X.

Sidejacking expert Robert Graham, CEO of Errata Security, says the SOWA approach would block the passive interception of traffic, and could also eliminate rogue access points. "If done correctly, it would also stop active interception," such as rogue APs, he says.

Graham says implementing it would basically only entail "a minor tweak to existing code."

"Companies can support it without breaking their existing products," Graham says. "Microsoft or Apple can also drop a competing solution into their own products that works much the same way."

IBM's Cross says it would help if the technology were built into the operating system. The SOWA PoC basically includes a slightly tweaked FreeRadius authentication server function and a client "supplicant," or lightweight code, that's based on WPA. Cross says FreeRadius would have to be configured to use the digital certificate for EAP/TLS, and the domain name in the cert would look something like "sown.ibm.com."

The SOW client tool negotiates the encryption. As long as the WiFi network's certificate checks out, the client gets connected to the network, Cross says. "From the client standpoint, it's easy to use," he says.

Interestingly, the IBM researchers and Byrd, manager of security and privacy for Brown Smith Wallace, independently and coincidentally came up with their secure open wireless research. "I had been working for years on finding a solution for [securing] hotspot wireless," Byrd says. He found he could use existing 802.11 wireless standards and basically make a tiny tweak to the source code of the open-source wireless authentication server Hostapd -- and voila, he had the beginnings of a secure open WiFi network.

The researchers decided to pool their research to help further their work and encourage its implementation.

"The bottom line is that I'm frustrated with insecure wireless networks. I think this is the right solution. We're trying to figure out the best way to make this available to the largest number of people the fastest," IBM's Cross says.

But the realizing promise of open, secure WiFi won't happen overnight. The initial PoC covers only Linux-based systems, and widespread adoption would require support for Windows as well as Mac OS X. "It has the same hurdle you have with any kind of widely deployed software. For mass effect, it means getting many computers updated [with the code]," Byrd says.

The PoC is available for download here, and a copy of the researchers' recent presentation is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
5 Common Errors That Allow Attackers to Go Undetected
Matt Middleton-Leal, General Manager and Chief Security Strategist, Netwrix,  2/12/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20477
PUBLISHED: 2020-02-19
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.
CVE-2019-20478
PUBLISHED: 2020-02-19
In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases.
CVE-2011-2054
PUBLISHED: 2020-02-19
A vulnerability in the Cisco ASA that could allow a remote attacker to successfully authenticate using the Cisco AnyConnect VPN client if the Secondary Authentication type is LDAP and the password is left blank, providing the primary credentials are correct. The vulnerabilities is due to improper in...
CVE-2015-0749
PUBLISHED: 2020-02-19
A vulnerability in Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on the affected software. The vulnerabilities is due to improper input validation of certain parameters passed to the affected software. An attacker ...
CVE-2015-9543
PUBLISHED: 2020-02-19
An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is rel...