Do you use the wireless at a coffee shop? It’s almost as silly a question at this point as ‘Is the Pope Catholic?’ We all use the wireless at a coffee shop, a retail location, or other public space. Why not take advantage of the bandwidth being offered and reduce the strain on our mobile data plan? Or get our tablet computer online to check a price or check our email?
The environment of public wireless connectivity isn’t without security challenges, though. The biggest one stems from the way we connect to those public networks. In a traditional enterprise network, we use pre-shared keys (PSKs) and other authentication methods to ensure that our user connections are secure from the moment of connection. That way, we know there is no data being passed in the open without encryption. Public wireless networks don’t use PSKs because the challenges of getting the PSK to the transient user is too difficult. Worse yet, publishing the PSK in a conspicuous location doesn’t enhance security. Anyone with access to the key can join the network and see the packets being sent.
Enhancing Open Encryption
How can we configure our open public wireless networks to be safer and encrypted while keeping things easy to use? These challenges have faced wireless engineers for several years as we’ve struggled with the archaic protocol that is WPA2. It wasn’t until the successor to this venerable wireless security protocol was introduced in 2018 that movement was made to close this security hole.
Wi-Fi Enhanced Open is the brand name for the suite of protocols that include the Opportunistic Wireless Encryption protocol described in RFC 8110. One of the people with significant involvement in the development of Wi-Fi Enhanced Open and OWE is Stephen Orr of Cisco. He recorded an excellent video that goes into the topic at Mobility Field Day 5 earlier this year:
Stephen does a great job of going into the topic with lots of great packet capture examples and visibility into how the protocol protects users. One thing to remember is that OWE and Wi-Fi Enhanced Open do not protect from man-in-the-middle attacks. It’s designed to protect from eavesdropping. This is one of the things you need to be the most worried about in your public wireless network.
Attackers don’t want to authenticate to the network to sniff packets. That leaves traces behind that can be used to identify you in the event of a breach or other disclosure. Instead, they prefer to listen passively to the traffic to pick out interesting conversations to work on later. The attackers don’t even need to be present. Instead, they set up a packet capture system outside the building to collect as much data as possible in a set amount of time for later analysis. Given that this data is in clear text under WPA2, it’s a goldmine.
OWE and Wi-Fi Enhanced Open fix this by encrypting the data before it’s exchanged between the AP and the client. Even on an open network with no PSK, there is no clear text exchange. This means that attackers attempting to pull down as much data as possible are stuck because it’s all encrypted when the data collection is finished. Analyzing gibberish is going to lead to more gibberish.
Note from above that Wi-Fi Enhanced Open doesn’t protect from man-in-the-middle attacks. That’s because the exchange between the AP and the client is all that matters. There is no mutual authentication or other methods used to verify the identity of the infrastructure devices. You have to trust that the device that you are connecting to is a trusted AP. In an enterprise this isn’t an issue, as you control the devices you deploy. In a public retail space, you have to believe in the people running the service.
Elements in Transition
One other point in the video that Stephen Orr brings up that merits a quick mention in the idea of Enhanced Open Transition mode. Rasika Nayanajith has a great post about it here. The idea of transition modes for new protocols is needed because people don’t always run the most up-to-date hardware and software. Transition modes assure that you don’t run into situations like Orr describes where a legacy client doesn’t understand the lack of PSK on the network and pops up a dialog box that has no correct answers.
I think my favorite part of this talk was how Stephen talked about the fact that all ‘transition modes’ are essentially known security holes you put in your network. You are compromising the best possible security posture for a few clients that need it. A transition mode is a weak link in a chain that will be attacked if you let it. You can either upgrade the legacy hardware or find a different connectivity method to close the hole. The longer the transition mode is enabled, the more likely you are to be compromised through it. Don’t use it unless you need to, and use it only as long as is necessary. Given that there is nothing in IT more permanent than a temporary solution, make sure you stay on top of the security holes you create on purpose.
Bringing It All Together
We can’t make everyone 100% secure. We can’t lock everything down the way we’d like and expect ease-of-use like we want. Printing your PSK on your menu is a recipe for disaster. Hoping your open network isn’t going to be compromised at some point is wishful thinking. You need to be ready to implement technology like Wi-Fi Enhanced Open to bridge that gap. But make sure you listen to the people developing it, like Cisco’s Stephen Orr, when they tell you not to open yourself up to trouble later.
If you’d like to learn more about Cisco’s wireless solutions, including the software technology that Stephen Orr is helping develop, make sure you check out their website at http://Cisco.com.