June 19, 2012

The Curse of the Mobile Hotspot

For about three years now, road warriors have been creating mobile personal Wi-Fi hotspots that connect them to the Internet via 3G/4G networks. You can easily launch your own mobile hotspot using "soft" or "virtual" APs that, increasingly, are embedded into laptop and mobile operating systems. You can also use tiny, portable hardware APs that contain cellular routers or similar capabilities built directly into handsets and tablets.

These setups have proven handy and economical for travelers who have more than one mobile device that they'd like to connect to the Internet. But they also introduce a measure of risk that the bring-your-own-device (BYOD) phenom could escalate.

Sharing Connections - for Better or Worse

WirelessTN-June-11-ART.jpgToday's knowledge workers tend to carry multiple mobile devices. It reduces cell phone bills not to have to buy a separate data service plan for each smart phone, tablet and laptop; instead, workers backhaul the traffic generated to and from all devices through a software- or hardware-based mobile Wi-Fi AP onto a single shared broadband cellular connection.

But mobile personal hotspots can open the door for intrusions into the corporate network, as well as "extrusions" - whereby corporate data  bypasses a company's AP and is leaked across the cellular network instead. Such extrusions can happen anytime a user's device has a network connection that circumvents corporate firewall and security mechanisms - for example, when a user forwards business email that would otherwise be blocked by IT when using corporate Wi-Fi.

Most troublesome on the intrusion side is the soft AP that surfaced when the Microsoft Windows 7 OS shipped. Third-party soft AP applications (also known as Wi-Fi tethering) can also be downloaded today to jailbroken Apple devices and rooted Android devices; or, soft APs embedded in Android and Apple mobile operating systems can be activated by your mobile network operator, which  allows use of the capability for a monthly fee.

In the case of Windows 7, the soft AP embedded in the OS lets the Wi-Fi radio in a user's laptop function simultaneously as both a Wi-Fi client and as a virtual Wi-Fi AP. As a corporate-sanctioned client using one MAC address, the device can connect to the enterprise network using industry-standard Wi-Fi Protected Access-2 (WPA2) security mechanisms. Meanwhile, other authorized and unauthorized users alike can connect to the virtual AP using the same radio and physical network interface but with a different virtual MAC address. Because Windows 7 permits forwarding of traffic received by the virtual AP through the client's Wi-Fi connection, unauthorized devices connecting to the Windows 7 soft AP can access the enterprise network, too, explains Hemant Chaskar, VP of technology and innovation at Wi-Fi security company AirTight Networks.

Why might the BYOD trend accelerate the risk?

Chaskar asserts that, given that the two MACs residing on the same physical interface have been on Win 7 for more than 2 years, "I don't see why it won't happen on Android and iOS," says Chaskar. He points out that most OSs tend to catch up to one another, feature-wise, in time. He adds that "Google is not controlling Android development that tightly; any developer could do [a soft AP app]."

And though Apple's highly anticipated iPhone 5 was not launched at Apple's WorldWide Developer Conference last week, that new device is expected to arrive this fall. Reports have surfaced that MyWi, a mobile hotspot application that currently runs only on jailbroken iPhone devices, will become an Apple-approved app when the iPhone 5 ships.

It should be noted, however, these reports are unsubstantiated by Apple. Lisa Phifer, president of consultancy Core Competence and contributing writer to Webtorials TechNotes, says she'd be very surprised if Apple, known for tightly controlling iOS apps and denying third-party developer access to low-level network capabilities required by MyWi, would formally sanction a non-carrier mobile hotspot application. Even on Android, where nearly anything goes, carriers currently prevent soft APs from running on non-rooted devices.

"What would motivate Apple to buck this practice on the iPhone 5 and anger carrier partners?" she asks.

The MDM Gotcha

Mobile device management systems, which help IT address a broad array of issues surrounding the security, provisioning, management and expense control of mobile devices and applications, aren't a complete solution to control the use personal mobile hotspots and related intrusion and extrusion threats.

Chaskar acknowledges that many MDM systems work fine at detecting and potentially disabling any mobile hotspot connections activated on MDM-managed devices. However, MDMs can't stop unmanaged devices from running mobile hotspots, nor can they prevent managed devices from connecting to unmanaged mobile hotspots, resulting in extrusion.

One alternative is to use sensors that monitor the air for all devices, authorized or not. Wireless intrusion prevention systems (WIPS), such as those made by AirTight, Motorola AirDefense and Fluke Networks AirMagnet, detect the presence of unauthorized devices attempting to connect to your network, including those that relay the intruder's traffic through Windows 7 virtual APs or other soft APs. Going in the other direction, the WIPS system can also spot extrusions (authorized clients connecting to unauthorized mobile personal hotspots) and block them, explains Chaskar.


As always, with IT Security, it is a matter of balancing the risks and the rewards. The reward is that mobile workers can boost their productivity while out of the office, enjoy respectable network speeds at a modest cost. Any laptop that is setup to roam outside the corporate office, in theory, has adequate security software installed allowing a connection to the public Internet. Connecting a laptop to the Internet via a smartphone's virtual AP isn't significantly different from than connecting via hotel broadband. Even when a mobile worker is out of the office, corporate e-mail should be processed and content checked by the corporate e-mail servers.

The real difference in IT security risk occurs on the smartphone, not on the laptop. When the smartphone acts as a virtual AP, it opens up the possibility that an intruder can gain access to the smartphone's virtual AP. While I haven't done a comprehensive study, my experience with the virtual AP on my smartphone is that WPA2 with a preshared key of 15 characters is used. I would prefer to see it use AES instead of TKIP for encryption though.

In essence, the IT security question is whether or not a 15 character password lowers the risk of an intruder gaining access to the virtual AP to an acceptable level or not.

Password strength is scored with "password guessing entropy" and represents the number of password tries needed to guess the correct password (defined by NIST in publication 800-63). A 15 character numeric password has a password guessing entropy of 33.3 bits and would require 2 to the 33.3 power guesses before finding the correct password. At 1,000 guesses per second, it would take many days to guess a 15 character password and by that time, I've likely moved on with my smartphone, out of range of the potential intruder.

Considering this setup and calculation, I think the risk is acceptable.

If there are vulnerabilities with the virtual AP software and a 15 character password is not strong enough, an intruder might gain access to data (including corporate e-mail) on the smartphone, but this would require two components to fail - the virtual AP software and the preshared key.

Using the laptop as a WiFi client and virtual AP IS risky - particularly if the end users control the configuration of the virtual AP on the laptop. This is also true for Internet Connection Sharing and allowing an active WiFi and wired Ethernet connection as the same. But, unlike a BYOD smartphone, it is usually a corporate managed laptop and there are myriad of methods of disabling these features include Active Directory policies and MS SCCM.

Interesting development regarding carriers and their penchant for preventing installation of third-party mobile hotspot apps on smartphones:

On July 31st, the FCC announced that Verizon Wireless (VzW) had agreed to pay a $1.25 million fine for non-compliance with the FCC’s “C Block rules,” requiring licensees of C Block spectrum (which VzW uses to deliver 4G services) to let customers to freely use devices and applications of their choosing. According to the FCC's statement:

"The Bureau launched an investigation after reports suggested that VzW had successfully requested that a major application store operator block VzW’s customers from accessing tethering applications from its online market. (“Tethering” is using a wireless phone as a modem to obtain Internet access for another device, such as a laptop computer or tablet.)"

"The Commission also received an informal complaint alleging that VzW had violated the FCC’s C Block rules by making such a request. At that time, VzW’s terms of service required all customers who wanted to use their phones for tethering to subscribe to the company’s Mobile Broadband Connect service, at an additional charge. In response, VzW stated that the additional fee reflected the fact that customers who tether laptops or other devices have the capability to use more data capacity than others. At the time of that response, however, Verizon Wireless required not only unlimited data plan customers, but also customers who paid for data on a usage basis, to pay the additional fee. VzW asserted that third-party tethering applications could enable its customers to tether without paying an additional fee."

In addition to the fine, the settlement requires VzW to notify Google that it no longer objects to making tethering applications available for download from the Play Store. VzW also revised its service plans so that customers on usage-based pricing plans may tether, using any application, without additional fee. For example, VzW's new ShareEverything plans include Mobile Hotspot on all capable devices, letting subscribers share their plan's data allowance with multiple Wi-Fi-enabled devices.

This ruling will no doubt increase the number of mobile hotspots being already used in the workplace, as well as those carrying business traffic outside of the office. It will also make it harder for enterprises trying to stop mobile hotspot use - whether they're trying to prevent unauthorized device intrusion, corporate data extrusion, or simply interference with corporate WLANs. But it also means one less reason to root your Android - and that's good news to IT.

Search Webtorials

Get E-News and Notices via Email




I accept Webtorials' Terms and Conditions.

Trending Discussions

See more discussions...

Featured Sponsor Microsites



Please note: By downloading this information, you acknowledge that the sponsor(s) of this information may contact you, providing that they give you the option of opting out of further communications from them concerning this information.  Also, by your downloading this information, you agree that the information is for your personal use only and that this information may not be retransmitted to others or reposted on another web site.  Continuing past this point indicates your acceptance of our terms of use as specified at Terms of Use.

Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2018, Distributed Networking Associates, Inc.