Researchers on IBM’s ISS X-Force team are touting a new way of securing open wireless networks without the need for user interaction.
IBM claims the new Secure Open Wireless method, demonstrated earlier this month at the Black Hat 2011 security conference, can protect wireless network users from traffic sniffing, sidejacking and man-in-the-middle attacks.
It uses digital certificates to establish a secure connection using EAP-TLS, an existing Internet standard for securing wireless networks. EAP-TLS is used in some enterprise wireless networks. Implementation would involve the use of certificates on laptops and other devices to authenticate with a wireless access point over TLS.
Under the IBM system, clients are not required to have a certificate or other credential. It closely mirrors the way HTTPS is used by websites, in which the digital certificate that secures a website connection is tied to the website’s domain name. Secure Open Wireless does the same thing with open wireless networks by tying the wireless access point SSID to the digital certificate, so when a user establishes a connection, the digital certificate shows that the traffic is encrypted and that the connection is with a legitimate access point.
“We’re not requiring the client to have any client certificate or any other credential and we’re not asking for one,” said Tom Cross, threat intelligence manager at IBM X-Force and lead researcher behind Secure Open Wireless. “We’re simply checking to make sure that the SSID of the wireless access point is legitimate and when a client connects they establish an encrypted connection.”
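The SSID-to-certificate check described above, sketched as an added example (this is not IBM's released code). It assumes the SSID is a DNS-style name that the access point's certificate carries as a dNSName or common name, and that the TLS stack has already validated the chain; `cert_names`, `evaluate_ap` and the sample names are hypothetical.

```python
# Added illustration, not IBM's released code.
# Assumptions: the SSID is a DNS-style name, the access point's certificate
# carries it as a dNSName (or common name), and the TLS stack has already
# validated the chain to a trusted CA (passed in as chain_trusted).

def cert_names(cert):
    """Names a certificate vouches for; cert is shaped like ssl.getpeercert()."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # as with HTTPS, SAN entries take precedence over the CN
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def evaluate_ap(ssid, cert, chain_trusted):
    """Return (accept, reason) for an access point advertising ssid."""
    if not chain_trusted:
        return False, "certificate chain not trusted"
    names = cert_names(cert)
    if not names:
        return False, "certificate carries no name"
    # Exact, case-insensitive match only: a wildcard would let one
    # certificate vouch for SSIDs its holder never registered.
    if any(ssid.lower() == n.lower() for n in names):
        return True, "SSID bound to certificate"
    return False, "SSID not named in certificate"

# Constructed sample data (hypothetical names).
SSID = "wifi.cafe.example"
LEGIT = {"subject": ((("commonName", "wifi.cafe.example"),),),
         "subjectAltName": (("DNS", "wifi.cafe.example"),)}
# Evil twin A: a genuine CA-issued certificate, but for the attacker's own name.
TWIN_OTHER_NAME = {"subject": ((("commonName", "attacker.example"),),),
                   "subjectAltName": (("DNS", "attacker.example"),)}
# Evil twin B: the right name, but self-signed, so the chain check fails.
TWIN_SELF_SIGNED = dict(LEGIT)

def demo():
    return [
        evaluate_ap(SSID, LEGIT, chain_trusted=True),
        evaluate_ap(SSID, TWIN_OTHER_NAME, chain_trusted=True),
        evaluate_ap(SSID, TWIN_SELF_SIGNED, chain_trusted=False),
    ]

if __name__ == "__main__":
    for accept, reason in demo():
        print("ACCEPT" if accept else "REJECT", "-", reason)
```

Both constructed evil twins broadcast the same SSID as the legitimate access point; each is rejected because either the name or the chain check fails, and no client credential is involved.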
Although there have been few reported instances of wireless attacks, hackers have demonstrated how easy it is to steal account credentials and other data by simply sniffing network traffic on insecure wireless networks. Every year at the DEFCON hacking conference, a “Wall of Sheep” is displayed, showing dozens of usernames and passwords that attendees obtained from those using insecure wireless networks. A new Mozilla Firefox browser plug-in called Firesheep makes an attack even easier. The tool lets users view a person’s email and other insecure browsing sessions and easily log into the victim’s account.
“As a security professional, I know that packets across an insecure network are subject to surveillance,” Cross said. “I think Firesheep really made the problem tangible for people who are not security experts.”
Users of public Wi-Fi can protect themselves by connecting via a VPN service, but Cross said latency is introduced and some VPN services are expensive. He said the use of 3G and 4G cellular data connections also encrypts information and prevents most attacks.
IBM released code under the GNU General Public License (GPL) at this year’s Black Hat event to enable early adopters to test the system. Secure Open Wireless is currently only supported by Linux client machines, but the researchers are working toward support among Windows PCs.
To use Secure Open Wireless, the wireless network provider has to purchase a digital certificate, which costs $20-$30 a year. It requires a RADIUS server, such as FreeRADIUS, which provides centralized authentication management for the wireless network. Cross said a number of people expressed interest in implementing and testing the method. The researchers plan to collect feedback from early adopters to improve the system.
“What’s important is that we don’t have to make any changes to the wireless access points themselves,” Cross said. “Once people learn that they can create a secure open wireless network, I think that it’s going to become an expectation. When users go to connect to a wireless network, they’re going to want that wireless network to be secure.”