- A TechNote on Wireless and Mobility
- Joanie M. Wexler
- Technology Analyst/Editor
- Editorial Director, TechNotes
For about three years now, road warriors have been creating mobile personal Wi-Fi hotspots that connect them to the Internet via 3G/4G networks. You can easily launch your own mobile hotspot using "soft" or "virtual" APs that, increasingly, are embedded into laptop and mobile operating systems. You can also use tiny, portable hardware APs that contain cellular routers or similar capabilities built directly into handsets and tablets.
These setups have proven handy and economical for travelers who have more than one mobile device that they'd like to connect to the Internet. But they also introduce a measure of risk that the bring-your-own-device (BYOD) phenom could escalate.
Sharing Connections - for Better or Worse
Today's knowledge workers tend to carry multiple mobile devices. It reduces cell phone bills not to have to buy a separate data service plan for each smart phone, tablet and laptop; instead, workers backhaul the traffic generated to and from all devices through a software- or hardware-based mobile Wi-Fi AP onto a single shared broadband cellular connection.
But mobile personal hotspots can open the door for intrusions into the corporate network, as well as "extrusions" - whereby corporate data bypasses a company's AP and is leaked across the cellular network instead. Such extrusions can happen anytime a user's device has a network connection that circumvents corporate firewall and security mechanisms - for example, when a user forwards business email that would otherwise be blocked by IT when using corporate Wi-Fi.
Most troublesome on the intrusion side is the soft AP that surfaced when the Microsoft Windows 7 OS shipped. Third-party soft AP applications (also known as Wi-Fi tethering) can also be downloaded today to jailbroken Apple devices and rooted Android devices; or, soft APs embedded in Android and Apple mobile operating systems can be activated by your mobile network operator, which allows use of the capability for a monthly fee.
In the case of Windows 7, the soft AP embedded in the OS lets the Wi-Fi radio in a user's laptop function simultaneously as both a Wi-Fi client and as a virtual Wi-Fi AP. As a corporate-sanctioned client using one MAC address, the device can connect to the enterprise network using industry-standard Wi-Fi Protected Access-2 (WPA2) security mechanisms. Meanwhile, other authorized and unauthorized users alike can connect to the virtual AP using the same radio and physical network interface but with a different virtual MAC address. Because Windows 7 permits forwarding of traffic received by the virtual AP through the client's Wi-Fi connection, unauthorized devices connecting to the Windows 7 soft AP can access the enterprise network, too, explains Hemant Chaskar, VP of technology and innovation at Wi-Fi security company AirTight Networks.
Why might the BYOD trend accelerate the risk?
Chaskar asserts that, given that the two MACs residing on the same physical interface have been on Win 7 for more than 2 years, "I don't see why it won't happen on Android and iOS," says Chaskar. He points out that most OSs tend to catch up to one another, feature-wise, in time. He adds that "Google is not controlling Android development that tightly; any developer could do [a soft AP app]."
And though Apple's highly anticipated iPhone 5 was not launched at Apple's WorldWide Developer Conference last week, that new device is expected to arrive this fall. Reports have surfaced that MyWi, a mobile hotspot application that currently runs only on jailbroken iPhone devices, will become an Apple-approved app when the iPhone 5 ships.
It should be noted, however, these reports are unsubstantiated by Apple. Lisa Phifer, president of consultancy Core Competence and contributing writer to Webtorials TechNotes, says she'd be very surprised if Apple, known for tightly controlling iOS apps and denying third-party developer access to low-level network capabilities required by MyWi, would formally sanction a non-carrier mobile hotspot application. Even on Android, where nearly anything goes, carriers currently prevent soft APs from running on non-rooted devices.
"What would motivate Apple to buck this practice on the iPhone 5 and anger carrier partners?" she asks.
The MDM Gotcha
Mobile device management systems, which help IT address a broad array of issues surrounding the security, provisioning, management and expense control of mobile devices and applications, aren't a complete solution to control the use personal mobile hotspots and related intrusion and extrusion threats.
Chaskar acknowledges that many MDM systems work fine at detecting and potentially disabling any mobile hotspot connections activated on MDM-managed devices. However, MDMs can't stop unmanaged devices from running mobile hotspots, nor can they prevent managed devices from connecting to unmanaged mobile hotspots, resulting in extrusion.
One alternative is to use sensors that monitor the air for all devices, authorized or not. Wireless intrusion prevention systems (WIPS), such as those made by AirTight, Motorola AirDefense and Fluke Networks AirMagnet, detect the presence of unauthorized devices attempting to connect to your network, including those that relay the intruder's traffic through Windows 7 virtual APs or other soft APs. Going in the other direction, the WIPS system can also spot extrusions (authorized clients connecting to unauthorized mobile personal hotspots) and block them, explains Chaskar.
These setups have proven handy and economical for travelers who have more than one mobile device that they'd like to connect to the Internet. But they also introduce a measure of risk that the bring-your-own-device (BYOD) phenom could escalate.
Sharing Connections - for Better or Worse
Today's knowledge workers tend to carry multiple mobile devices. It reduces cell phone bills not to have to buy a separate data service plan for each smart phone, tablet and laptop; instead, workers backhaul the traffic generated to and from all devices through a software- or hardware-based mobile Wi-Fi AP onto a single shared broadband cellular connection.But mobile personal hotspots can open the door for intrusions into the corporate network, as well as "extrusions" - whereby corporate data bypasses a company's AP and is leaked across the cellular network instead. Such extrusions can happen anytime a user's device has a network connection that circumvents corporate firewall and security mechanisms - for example, when a user forwards business email that would otherwise be blocked by IT when using corporate Wi-Fi.
Most troublesome on the intrusion side is the soft AP that surfaced when the Microsoft Windows 7 OS shipped. Third-party soft AP applications (also known as Wi-Fi tethering) can also be downloaded today to jailbroken Apple devices and rooted Android devices; or, soft APs embedded in Android and Apple mobile operating systems can be activated by your mobile network operator, which allows use of the capability for a monthly fee.
In the case of Windows 7, the soft AP embedded in the OS lets the Wi-Fi radio in a user's laptop function simultaneously as both a Wi-Fi client and as a virtual Wi-Fi AP. As a corporate-sanctioned client using one MAC address, the device can connect to the enterprise network using industry-standard Wi-Fi Protected Access-2 (WPA2) security mechanisms. Meanwhile, other authorized and unauthorized users alike can connect to the virtual AP using the same radio and physical network interface but with a different virtual MAC address. Because Windows 7 permits forwarding of traffic received by the virtual AP through the client's Wi-Fi connection, unauthorized devices connecting to the Windows 7 soft AP can access the enterprise network, too, explains Hemant Chaskar, VP of technology and innovation at Wi-Fi security company AirTight Networks.
Why might the BYOD trend accelerate the risk?
Chaskar asserts that, given that the two MACs residing on the same physical interface have been on Win 7 for more than 2 years, "I don't see why it won't happen on Android and iOS," says Chaskar. He points out that most OSs tend to catch up to one another, feature-wise, in time. He adds that "Google is not controlling Android development that tightly; any developer could do [a soft AP app]."
And though Apple's highly anticipated iPhone 5 was not launched at Apple's WorldWide Developer Conference last week, that new device is expected to arrive this fall. Reports have surfaced that MyWi, a mobile hotspot application that currently runs only on jailbroken iPhone devices, will become an Apple-approved app when the iPhone 5 ships.
It should be noted, however, these reports are unsubstantiated by Apple. Lisa Phifer, president of consultancy Core Competence and contributing writer to Webtorials TechNotes, says she'd be very surprised if Apple, known for tightly controlling iOS apps and denying third-party developer access to low-level network capabilities required by MyWi, would formally sanction a non-carrier mobile hotspot application. Even on Android, where nearly anything goes, carriers currently prevent soft APs from running on non-rooted devices.
"What would motivate Apple to buck this practice on the iPhone 5 and anger carrier partners?" she asks.
The MDM Gotcha
Mobile device management systems, which help IT address a broad array of issues surrounding the security, provisioning, management and expense control of mobile devices and applications, aren't a complete solution to control the use personal mobile hotspots and related intrusion and extrusion threats.
Chaskar acknowledges that many MDM systems work fine at detecting and potentially disabling any mobile hotspot connections activated on MDM-managed devices. However, MDMs can't stop unmanaged devices from running mobile hotspots, nor can they prevent managed devices from connecting to unmanaged mobile hotspots, resulting in extrusion.
One alternative is to use sensors that monitor the air for all devices, authorized or not. Wireless intrusion prevention systems (WIPS), such as those made by AirTight, Motorola AirDefense and Fluke Networks AirMagnet, detect the presence of unauthorized devices attempting to connect to your network, including those that relay the intruder's traffic through Windows 7 virtual APs or other soft APs. Going in the other direction, the WIPS system can also spot extrusions (authorized clients connecting to unauthorized mobile personal hotspots) and block them, explains Chaskar.
As always, with IT Security, it is a matter of balancing the risks and the rewards. The reward is that mobile workers can boost their productivity while out of the office, enjoy respectable network speeds at a modest cost. Any laptop that is setup to roam outside the corporate office, in theory, has adequate security software installed allowing a connection to the public Internet. Connecting a laptop to the Internet via a smartphone's virtual AP isn't significantly different from than connecting via hotel broadband. Even when a mobile worker is out of the office, corporate e-mail should be processed and content checked by the corporate e-mail servers.
The real difference in IT security risk occurs on the smartphone, not on the laptop. When the smartphone acts as a virtual AP, it opens up the possibility that an intruder can gain access to the smartphone's virtual AP. While I haven't done a comprehensive study, my experience with the virtual AP on my smartphone is that WPA2 with a preshared key of 15 characters is used. I would prefer to see it use AES instead of TKIP for encryption though.
In essence, the IT security question is whether or not a 15 character password lowers the risk of an intruder gaining access to the virtual AP to an acceptable level or not.
Password strength is scored with "password guessing entropy" and represents the number of password tries needed to guess the correct password (defined by NIST in publication 800-63). A 15 character numeric password has a password guessing entropy of 33.3 bits and would require 2 to the 33.3 power guesses before finding the correct password. At 1,000 guesses per second, it would take many days to guess a 15 character password and by that time, I've likely moved on with my smartphone, out of range of the potential intruder.
Considering this setup and calculation, I think the risk is acceptable.
If there are vulnerabilities with the virtual AP software and a 15 character password is not strong enough, an intruder might gain access to data (including corporate e-mail) on the smartphone, but this would require two components to fail - the virtual AP software and the preshared key.
Using the laptop as a WiFi client and virtual AP IS risky - particularly if the end users control the configuration of the virtual AP on the laptop. This is also true for Internet Connection Sharing and allowing an active WiFi and wired Ethernet connection as the same. But, unlike a BYOD smartphone, it is usually a corporate managed laptop and there are myriad of methods of disabling these features include Active Directory policies and MS SCCM.