Don't give open hotspots a security pass
Comcast offers iOS profiles and AT&T automatically connects your phone. Is that safe? A new hotspot standard will help.
Two long-time colleagues pinged me this week with unrelated but intertwined questions about connecting to publicly available Wi-Fi hotspot networks. Dwight Silverman of the Houston Chronicle pointed out that Comcast offers a downloadable iOS profile that lets devices automatically connect to the cable company’s own hotspots—including those that piggyback on residential connections—and the networks of partner cable firms.
Sean Captain, writing for Fast Company, was looking into a planned New York deployment of Wi-Fi kiosks that would use a not-new, but not-yet-widely-used secure method of connecting. I had heard about the standard a few years ago, and barely since; this new network might be large enough, well-placed enough, and useful to enough people to prompt more adoption.
Comcast’s insecure security
Comcast started building out a national Wi-Fi hotspot footprint available at no cost to its subscribers several years ago. This was an effort to make their service more valuable beyond one’s home use, and followed on a pioneering effort by Cablevision. Over time, multiple separate cable operators have built Wi-Fi networks of varying size, and most of them allow roaming among them as long as you’re a customer of one network.
(In 2014, Comcast decided to opt in residential customers so their home connections would also be hotspots, allegedly provisioned to not use any bandwidth that the subscriber was entitled to nor allow peering into the home LAN’s traffic. You can opt out..)
Using your own cable provider’s network can be straightforward: The first time you connect to any named hotspot (like Comcast’s
xfinitywifi), you’re prompted for your subscriber credentials. Once you’ve logged in, you should automatically connect without that login in the future. That login happens securely, but it doesn’t create an encrypted connection between your iOS or other device and the hotspot. Rather, it just ensures you’re a legitimate subscriber.
Dwight alerted me that Comcast offers a downloadable Wi-Fi profile, something typically used only at the enterprise level, which lets your iOS device or Mac automatically connect (“Autojoin” in Apple’s parlance) when parameters match. The trouble is that Comcast provides a set of three different network configurations bundled into a single profile:
xfinitywifi: an unencrypted network run by Comcast
CableWiFi: its partnership network, also unencrypted
XFINITY: a well-secured network
Intentionally shared public Wi-Fi networks (i.e., hotspots) are by definition untrustworthy. This doesn’t mean you shouldn’t use them; rather, you can’t trust that they either are what they say they are or that your traffic is protected. On the former point, operating systems have no way to tell whether an unencrypted network to which you’ve previously connected is identical to one that’s being presented in the future with the same name. (Technically, the same Service Set Identifier or SSID, also known as the network name in a lot of router interfaces.) There’s no mechanism.
XFINITY profiles and networks can be spoofed by anyone (this is often called an “evil twin” network), so that your devices join a malicious hotspot, which can use various network tricks as well as direct interception of data that passes through them to obtain some of your data. For instance, they can poison DNS (the global domain name lookup system) to point your browser, email client, or apps to an illegitimate site. If that other site uses web or similar encryption, your OS or software will warn you, but some people may be lulled into clicking to bypass the warning.
Most people—especially via iOS—only retrieve and send email via a secure connection independent of the network, so those are generally safe as long as you heed those warnings, but all your unsecured web browsing and any other unsecured services you use become open, both to evil-twin misdirection and to anyone else in the same space sniffing the legitimate open network.
To be clear, this isn’t a problem that only Comcast has waded into, with or without its profile. AT&T’s carrier profile causes automatic
attwifi connections, too, and any open network you’ve ever connected to will convince all of your devices to connect to an identically named network again in the future. (In OS X, you can remove these connections in the Network system preference pane, by selecting your Wi-Fi adapter, clicking Advanced, and then selecting and clicking the - (minus) button to delete entries from the Wi-Fi list. In iOS, you can tap Settings > Wi-Fi > i next to active network, then tap Forget This Network, but that’s only available while you’re connected to that network.)
A virtual private network (VPN) connection creates an encrypted tunnel between your device, whether iOS or OS X or another platform, and a server elsewhere on the Internet, so it defeats evil twins and local sniffers. (I’ve tested the VPN services Cloak and TunnelBear in the last year several times, and both have unified multi-platform free trial or free tier and subscription plans worth checking out.)
How do I know who you are?
You’ll note that one of the Comcast profiles is a secured one. In fact, it’s pretty awesome. It uses certificate-based authentication. Since you have to login to download the profile, it’s providing you a security document that proves your identity to the remote server as well as letting iOS or OS X confirm the authentication server is the one it expects to see. Unfortunately, there’s no option to restrict your connections only to these security methods, which combine a login and network-level encryption to prevent sniffing even by people on the same network.
This is how all hotspot networks should be set up, and I’m a veteran of having covered many attempts over the years to get some traction. All efforts until now have required a hassle: Installation or configuration, hoops that deter users. Comcast’s system works only if iOS, Mac, and Android users download a profile. Another method widely proposed would have brought WPA2 Enterprise to hotspots, in which users would login using a name and password. But at the time this was originally discussed, powerful smartphones were just entering the market and not all consumer-level OSes could support this enterprise configuration option.
What Sean Captain was querying me about—you can read his article here—was the use of a melding of hotspot portal logins and WPA2 Enterprise first proposed a few years ago that hadn’t scored any big wins, though it was backed by all the necessary stakeholders to make it happen. It’s known as Passpoint and also called Hotspot 2.0. It’s taken nearly four years since its announcement and then codification into a standard before we’re seeing interest in widespread use.
Passpoint lets hotspot operators set up portals that can either let in the old-style open or web-page logins occur, or with a newer OS, respond to the device that it can handle a secure connection. The OS handles the entire transaction seamlessly, and the network assigns a unique encryption key all behind the scenes. (A single initial entry of a user name and password may be initially required to obtained a profile, although, like with Comcast, that should always be possible in advance.)
The New York City access point project—the fifth distinct attempt by my count over a decade to bring a widespread Wi-Fi to the Big Apple—coincides with operating system updates that will allow a good percentage of mobile and large percentage of laptop users to take advantage of this more-secure connection.
Boingo Wireless, a long-time hotspot aggregator that runs some hotspots itself and resells access to hundreds of thousands more worldwide, has a test project set up for 20 airports it serves. It states the minimum system requirements as Android 6.0 or later, iOS 7 or later, Mac OS X 10.9 (Mavericks) or later, or Windows 10.
The only downside to this new technology? The setup and management means that small businesses, like coffeeshops and indie bookstore chains, are unlikely to shift from their $25 Wi-Fi access point to one full-featured enough to support Passpoint initially. But the features required are all software based, so we’ll gradually see inexpensive routers that can offer the advantage to owners without the complexity.
For now, I advise—as I have for well over a decade—looking into using a VPN service everywhere. But it’s good to see that the tide has finally turned toward default security that deters casual interception at hotspots.