The Hot Spot Security Fable

Hot spots, which provide travelers and nomads with a quick and easy way to access the Internet, have grown in popularity — there are now more than 100,000 scattered across the globe. Consumers and businesspeople can walk into coffee shops, fast food restaurants, hotels, office buildings and even municipal parks, where they can turn on computers and check e-mail, surf the Web or access corporate data.

However, as they take advantage of these services, many open themselves up to potential security breaches like Trojan horses, computer viruses, exposure to inappropriate content, and identity theft.

“Most individuals who access a hot spot do not understand the risks that they are taking,” said Pete Lindstrom, a senior analyst with market research firm Burton Group.

Just about all computer users utilize hot spots to some degree. Teens view them as a good place to hang out and chat with friends, and businesspeople see them as an easy way to stay in touch with the office. Still, the simplicity of hot spots masks their potential problems. Because hot spot providers want to make it easy for anyone to take advantage of their services, they offer bare-bones network functionality — basically a simple, low-security connection to the outside world.

“Most hot spots have no add-on security functions,” said J. Gerry Purdy, principal analyst with Frost & Sullivan.

No Security Standards

In fact, security is often an afterthought for hot spot providers. At the moment, hot spots have no standards outlining acceptable practices, and the sites are largely unmonitored. Consequently, users are more vulnerable there than at home or work, where companies or internet service providers often add security functions to their connections.

As a result, users are exposed to various threats. Hot spot users risk downloading viruses, Trojan horses and worms that can usurp their computers’ processing cycles or even render the devices inoperable. Because these programs usually masquerade as legitimate software, most users do not spot them.

The clients may also access inappropriate content, such as pornography or graphic depictions of violence. ISPs usually offer features allowing users to wall off content and prevent children from accessing adult-oriented material or chat rooms. Such filters are typically not found with hot spots.

Send Money, Guns and Lawyers

This possibility creates problems both for customers, who may not want to view such items, and proprietors, who could be subjected to lawsuits from angry users.

“Hot spot usage is so new that issues such as what checks need to be in place to monitor content have not been on most individuals’ radar screens,” said Craig Mathias, principal at market research firm Farpoint Group.

There are instances in which hackers can grab a user’s personal data. Evil Twin, for example, is a phishing scheme designed to attack WiFi hot spots. With Evil Twin, a fake hot spot poses as a legitimate one. Once a user logs onto the bogus site, sensitive data, such as credit card numbers or bank account information, is intercepted.

There are steps users can take to safeguard against such problems. A simple one is to limit the sites they access while at a hot spot, visiting only sites that begin “https” (“s” stands for “secure”) as opposed to “http.” The former will not store their input long enough to create problems. In the case of Internet cafes, libraries or businesses that provide computers to the public for Web access, users should make sure to clear the machine’s cache, cookies and history before leaving the premises.

Companies Tackle Hot Spot Security

Companies are also becoming more proactive. Often when users are on the road, they are only granted access to applications via a virtual private network (VPN), which adds security and encryption functions to the hot spot link. Corporations are also issuing disposable passwords. Employees can be given one account when traveling and another when they are in the main office.

Hot spot suppliers understand the problems, and some are taking steps to add new user-authentication schemes. Companies such as Boingo Wireless, Fiberlink Communications, Infonet Services and iPass require that client software be installed on mobile devices to provide authentication and encryption features. When a user logs in, the system determines whether the access point is a member of its network. If it is not, the user gets a failed authentication notice.

In other instances, the hot spot provider automatically launches a personal firewall and encrypts log-on credentials as well as any other data. Hackers looking for credit card information will not be able to see any.

One challenge with such approaches is that they are based on proprietary software, so they are not available to all wireless users. “The hot spot providers need to perform a delicate balance: They want to add more security functions but do not want them to prevent some users from working with their service,” Farpoint Group’s Mathias told TechNewsWorld.

Opting for a Standard Approach

To avoid proprietary options, carriers such as T-Mobile added support for the IEEE 802.1x standard to their hot spot networks. The specification prevents information from being intercepted as it is transferred between a WiFi network and a client device. To work, this function has to be incorporated into end users’ wireless network cards. The technology is being built into new systems, but older ones will require upgrades.

The carriers could also develop tiered services, charging customers for secure connections and offering free access for unsecured lines. “Users may balk at paying for a service that they had been getting for free,” Burton Group’s Lindstrom told TechNewsWorld.

Hot spots send a mixed message to users. Usage continues to grow because of the convenience they offer, but there are no clear-cut resolutions to the security shortcomings they present.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels