In a conventional wireless network, the biggest worry is rogue clients gaining access to the access point (AP), or to the traffic travelling to it. With public wireless networks, however, the phenomenon of wireless insecurity is reversed: is the access point the client is connecting to the real one?

The best known example of this phenomenon is the “evil twin”, a fake hotspot used to extract information (credit card data) from a user tricked into thinking they are using a legitimate wireless service. Typically, the legitimate base station is jammed and users are invited to log-in to the fake man-in-the-middle site instead.

As public WiFi services usually charge users a fee before they enter, they are asked to enter credit card information at that point, which the scammers then use to rack up bills. It’s been described as the wireless equivalent of a phishing scam.

There is little evidence that this technique has ever been used on any scale, but it is obvious that entering data into a web page via a wireless link is fraught with risks.

The easy answer is to use encryption, but very few “connect-as-you-go” services force it on the public as they would end up with no customers – turning on wireless encryption is still the exception. And what sort of encryption might they turn on? WPA-PSK or full WPA is the bottom line for properly secure wireless communications, but it is not yet supported universally.

Thinking laterally, it is possible to bypass WiFi encryption completely and use either application-specific encryption (PGP encryption of email, for instance), or fire up a VPN client and use the Secure Sockets Layer (SSL), which creates its own encrypted tunnel between a client application and the web servers or applications being accessed. Since this requires a VPN device on the company premises, however, it is not something that a small business would necessarily be able to offer.

A small number of ISPs are starting to offer VPN clients for the SME or lone user, and the cost need not be high. One such company is Witopia, a US-based outfit that also offers wireless authentication subscriptions (more on this below). The cost is modest for what is on offer – about $40 a year for Mac/Windows PCs.

More authentic still
A different way of ensuring that both the client and the access point are genuine is to use authentication, which in wireless terms means using the EAP/802.1X admission control protocol. If a client isn’t genuine it can’t authenticate, and the same applies to a rogue access point. Just as encryption can be set on AP and client to shut out any PC not possessing the correct key or keys, so the same process can be set up to ensure that all stations on the wireless network are who they say they are. For any really secure wireless network, data encryption is only the first step; authentication is a necessary second step for complete security, just as it is, come to think of it, in the world of wired communications.

Authentication sounds a bit intimidating, and it remains overwhelmingly a corporate technology. However, a few companies, such as the aforementioned Witopia, are now offering remote authentication for the SME or lone user without their needing access to their own 802.1X-based RADIUS login. (An equivalent service is being offered by a company called Boxed Wireless.)

As long as the access point and client NIC support remote authentication (all recent ones do), the Witopia service can be set up in minutes. Once the log-in details have been configured on the AP and PCs accessing it, from then on any new PC accessing the WLAN access point will have to authenticate itself using the service before a connection can be made.

It works on similar principles to data encryption, requiring each client to possess an encrypted key (that changes on a cycle), and a valid account. Before network access is granted through the AP, and before the WPA encryption key exchange has been initiated for data movement, this key must be verified remotely from the AP on Witopia’s servers.
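The remote verification step just described, in which the AP hands the client's authentication to a hosted RADIUS server, depends on a secret shared between the AP and that server. The following is an added Python example, not code from Techworld or Witopia, showing how a RADIUS Access-Request (RFC 2865) carries a Message-Authenticator (RFC 3579) keyed with that secret, so the server can reject a request from an AP that does not hold the secret or a packet altered in transit; the secret, user name and NAS identifier are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 3579).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type (1 byte), Length (1 byte, incl. header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, username: str, nas_id: str, ident: int = 1) -> bytes:
    """AP side: build an Access-Request whose Message-Authenticator is
    HMAC-MD5(shared secret, whole packet with the authenticator field zeroed)."""
    request_authenticator = os.urandom(16)  # 16 random bytes per RFC 2865 section 3
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode())
    placeholder = _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + request_authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_access_request(secret: bytes, packet: bytes) -> bool:
    """Server side: walk the attributes, zero the received Message-Authenticator,
    recompute the HMAC with our copy of the secret and compare in constant time."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False  # declared length must match what arrived
    zeroed, received, pos = bytearray(packet), None, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False  # malformed attribute
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = bytes(packet[pos + 2:pos + 18])
            zeroed[pos + 2:pos + 18] = b"\x00" * 16
        pos += alen
    if received is None:
        return False  # no Message-Authenticator: reject rather than trust the request
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)
```

A genuine AP configured with the server's secret produces a packet that verifies; an AP without that secret, or a packet whose attributes were changed on the way, fails the check before any credential is even looked at.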

The entry-level version of Witopia’s WiFi authentication service can secure from one to three access points, and up to five user accounts, for an amazingly low $9.99 a year, excluding a one-off activation fee. The small business version can handle from one to 10 access points and up to 100 users for between $198 and $332, with an ongoing cost of $14.99 per access point per year.

Techworld will review Witopia’s authentication service in more detail in April.

Ordinary users should be jumping on such a service, but sadly they won’t for some time. It is still seen as something for the paranoid. However, the great saviour of authentication could turn out to be public WiFi. As already discussed, with public access points, you need to be very sure that what you are connecting to is genuine, and authentication services are sure to kick off when the public finally wises up to this.