Too good to be true

If you get within spitting distance of my blogs, then you know how I feel about open Wi-Fi.  I find it odd that in the USA Wi-Fi is by default open but wherever I’ve been in Europe it is by default password protected.  Go into any pub in the UK and somewhere by the door or near the posted menu you will find the Wi-Fi password advertised.  Go into an upscale restaurant and it may not be posted but ask and you will receive a discreet slip of paper with the password printed or hand written on it.

I don’t know how widespread the practice is because my European travel has been limited, but they seem to care more for privacy.  There is an underlying assumption that people will be able to handle entering the password and it’s no big deal.  Here at home, it’s a different story.  Password protecting our hot spots is a topic that lies mostly undisturbed in the public conversation but scratch the surface and some rather disheartening attitudes are revealed.  People, I am told, can’t handle password protected Wi-Fi.  We are too stupid and would swamp the barista or desk clerk with tech support questions.  Or we are too impatient and get annoyed when asked to make the effort.

Every once in a while though I find a hot spot in the US that is password protected.  Whenever I do, I make it a point to tell the business how much I appreciate it and why.  Today while checking in at the Admiral’s Club lounge at CLT I spotted a sign on the desk advertising the Wi-Fi password.  Since taking over the US Airways Lounge, American Airlines has made a few upgrades.  A new Wi-Fi policy would be a welcome policy change in my opinion.  I thanked the desk agent profusely.

It was too good to be true.

“We had to do it,” the desk agent said a bit too solemnly.

Had to do it?  I wondered if they’d had a breach I wasn’t aware of.

“Too many people outside the club were sucking up our bandwidth,” he explained.

“Oh,” I replied, a bit disappointed.  “I was hoping you were going to say the airline had finally gotten serious about security of passengers and guests. But whatever the reason, I’m glad for the change.”

His mood brightened.  “We don’t hear that very often,” he said with a wide smile.  Apparently, many people think it’s inconvenient.  Or have trouble signing on with a password.  Sigh.

I picked out an empty work carrel, set out my laptop, and proceeded to sign on.  I looked twice.  The Wi-Fi settings showed an open network.  I scanned the listings and found several open hot spots.  The only encrypted access points appeared to be a network device and “Mike’s Nexus 5.”  Well, at least Mike knows to encrypt his hot spot.

I signed onto the Admiral’s Club Wi-Fi and opened a browser.  The same AT&T landing page as always showed up with one minor change – it now asks for a password.  The Wi-Fi itself is still wide open.  Anyone can see anyone else’s traffic.  Spoofing the Wi-Fi or setting up a Man In The Middle would be trivial.  You get a really good 144MBPS connection, but the network remains unsafe at any speed, just as always.

It’s not the Wi-Fi that is password protected, it’s the Internet gateway server.  The passengers and lounge guests are just as vulnerable as ever on the network.

[facepalm]
[headdesk]
[headdesk]
[headdesk]
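The difference between a password on the gateway page and a password on the Wi-Fi itself shows up in what the access point advertises before you ever connect. The following is an added example, not part of the original post: it parses terse `nmcli -t -f SSID,SECURITY device wifi list` output and reports which networks have no link-layer encryption. The sample scan and its SSIDs are constructed, and treating an empty or `--` security field as "open" is an assumption about that output.

```python
# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
# Terse mode separates fields with ':' and escapes a literal ':' or '\' with '\'.
SAMPLE_SCAN = r"""
Lounge-Guest:
Mike's Nexus 5:WPA2
Gate\:B7 Cafe:--
Dealer-WiFi:WPA1 WPA2
:WPA2 802.1X
"""

def split_terse(line):
    """Split one terse line on unescaped ':' and undo the backslash escaping."""
    fields, current, escaped = [], [], False
    for ch in line:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    fields.append("".join(current))
    return fields

def classify(scan_text):
    """Return one record per network: is the radio link itself encrypted?"""
    results = []
    for line in scan_text.splitlines():
        fields = split_terse(line) if line.strip() else []
        if len(fields) != 2:
            continue  # blank or malformed line
        ssid, security = fields
        flags = security.split()
        # Assumption: an open network has an empty (or "--") SECURITY field.
        # A captive-portal password never appears here, because the gateway
        # checks it only after the device has already joined the open network.
        is_open = not flags or flags == ["--"]
        results.append({"ssid": ssid or "<hidden>",
                        "link_encrypted": not is_open,
                        "wpa2": "WPA2" in flags})
    return results

def open_networks(scan_text):
    """SSIDs whose traffic is unencrypted over the air, portal or no portal."""
    return [r["ssid"] for r in classify(scan_text) if not r["link_encrypted"]]

if __name__ == "__main__":
    print("Open at the link layer:", open_networks(SAMPLE_SCAN))
```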

As disappointing as that is, it gets worse if you think about it for a minute.  When the Wi-Fi itself is encrypted, the user must enter the password on their device’s Network Connections dialog.  That’s a bit arcane for some people, especially if their devices are set up to connect promiscuously to any open Wi-Fi.

But in this case, the user has to enter the password into the browser on the same page where up to now they have been accepting the terms of service.  There’s a big text field that says “Password” and a Submit button, and yet people have problems with this.  More to the point, people who travel enough to warrant the expense of a club membership – business leaders, consultants, voters – have trouble with this.  The implications boggle the mind.  I forced myself to stop thinking about it.  Or tried.  The existence of this post tells you how successful that was.

But it isn’t hopeless.  Some US businesses are experimenting with encrypted Wi-Fi hotspots.  A few days ago I visited Modern Nissan in Concord, NC.  Their Wi-Fi was password protected the right way using WPA2.  The receptionist happily provided the password on request, as did most staff I asked. (I took a survey.)  They assured me this wasn’t causing distress among their customers, and they had very few customer tech support issues because of it.

Not one to take chances, I stopped by the office of the manager, thanked him for the password protection and explained why it is important.

“Please,” I implored, “if ever someone wants to go back to open Wi-Fi don’t do it.  With all the breaches these days we are going to have to do this sooner or later so help lead us there and be proud of it. Set the example for others.”

He didn’t say anything for a moment.  Maybe he was trying to decide whether I’d left my tinfoil hat at home, I don’t know.  But then he thanked me for the feedback and said he’d pass it along.

So let this be a lesson to you.  Get involved and ask your vendors who offer Wi-Fi to encrypt it using WPA2.  Take a moment to thank the ones who do.  And if you are worried about your online security, remember that Modern Nissan has your back.

As for the Admiral’s Club, perhaps they will come around eventually.  After all, running WPA2 does just as good a job at keeping non-members from sucking up all the bandwidth and has the added benefit of keeping us safer online.  Doesn’t keeping us safer online sound like good customer service policy to you?  Eventually I believe it will become standard here in the USA.  If that’s true then the only question for American Airlines and the Admiral’s Club, for any vendor who cares about their customers really, is whether they want to be seen as taking a leadership position on customer-facing network security.  If so, then now’s the time.

About T.Rob

Computer security nerd. WebSphere MQ expert. Autist. Advocate. Author. Humanist. Text-based life form. Find me on Facebook, Twitter, G+, or LinkedIn.