Wi-Fi is a favorite attack vector for hackers, who have used it for nefarious purposes such as gathering sensitive personal and corporate information from business executives staying at hotels.
But executives are not the only ones who could fall prey to attacks enabled by security weaknesses in Wi-Fi connectivity. As an IEEE 802-based network interface, a Wi-Fi connection has a Layer 2 (L-2), or MAC, address that can be seen by anyone who knows how to intercept the signals it transmits, explained Juan Carlos Zuniga, an engineer for InterDigital Communications and chairman of an IEEE (Institute of Electrical and Electronics Engineers) 802 Executive Committee study group addressing privacy concerns applicable to Internet protocols such as Wi-Fi.
Both the IEEE and the IETF (Internet Engineering Task Force) are addressing security and privacy concerns that have resulted from the "piecemeal" development of the Internet over the years, Zuniga said. Zuniga's study group is focusing on issues associated with the use of mobile devices and Wi-Fi because such issues affect so many and are relatively easy for hackers to exploit.
Wi-Fi's Lack of Privacy
Mobile device manufacturers assign globally unique identifiers to devices, which make it fairly simple to track devices and the people associated with them, Zuniga said. People routinely connect their devices to public or semi-public Wi-Fi "hotspots" at locations like airports, hotels and restaurants. What's more, he said, most devices continuously broadcast their unique identifiers to make it simpler for users to connect to networks they use frequently.
"If you wanted to, you could associate a device with times and locations, and find out where someone has breakfast, where they work, when they go home," he said.
Zuniga's study group identified several possible ways of addressing the problem, including the use of temporary addresses. The approach it believes would work best involves automatic generation of random L-2 addresses. The addresses would be used in place of the address assigned to the device, both when connecting to Wi-Fi access points and also during the scanning performed by devices when they are not connected to a network.
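The following sketch illustrates the random L-2 address approach described above. It is an added example, not the study group's method or code from the article. It assumes the IEEE 802 convention that a non-manufacturer address sets the locally administered bit of the first octet; the frame labels and sample addresses are constructed.

```python
import secrets
import string

def random_l2_address() -> str:
    """Random 48-bit address: locally administered (U/L=1), unicast (I/G=0)."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE  # set U/L bit, clear I/G bit
    return ":".join(f"{b:02x}" for b in octets)

def parse_mac(text: str) -> bytes:
    """Parse aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, rejecting anything else."""
    parts = text.strip().replace("-", ":").split(":")
    if len(parts) != 6 or any(
        len(p) != 2 or set(p) - set(string.hexdigits) for p in parts
    ):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex("".join(parts))

def classify(text: str) -> str:
    """'universal' = manufacturer-assigned and globally unique (trackable);
    'local' = locally administered, which a randomized address must be
    (a manually configured address also lands here); 'group' = multicast."""
    first = parse_mac(text)[0]
    if first & 0x01:
        return "group"
    return "local" if first & 0x02 else "universal"

# Constructed sample: (frame kind, source address) pairs as a privacy audit
# of one's own devices might record them while scanning and connecting.
SAMPLE_FRAMES = [
    ("probe-request", "00:11:22:33:44:55"),
    ("probe-request", "da:a1:19:7c:02:9e"),
    ("association", "00:11:22:33:44:55"),
    ("association", "5e:3b:80:14:c6:0d"),
]

def exposed_addresses(frames):
    """Map each globally unique source address to the frame kinds that exposed it."""
    exposed = {}
    for kind, src in frames:
        if classify(src) == "universal":
            exposed.setdefault(src, set()).add(kind)
    return exposed

if __name__ == "__main__":
    print("fresh random address:", random_l2_address())
    print("still exposing assigned address:", exposed_addresses(SAMPLE_FRAMES))
```

A device that appears in the audit output is still transmitting its assigned identifier during scanning, association, or both, which are the two cases the study group wants covered.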
Zuniga and other IEEE 802 and IETF members are experimenting with different methods of doing so, to make it as seamless as possible, Zuniga said. "We want devices to come with these features right off the shelf so no hacking into the devices will be required."
The committee hopes the method used to generate random L-2 addresses will be included in a forthcoming amendment to the IEEE 802.11 standard.
"Once this becomes standard, hopefully all devices will be compliant," he said. "It could be several years, though, before that happens. We are hoping that in the meantime companies will see it as a competitive advantage to offer an enhanced privacy feature. It can usually be done quite easily with a change in the firmware. We are putting out as much documentation as possible so manufacturers can see the impact and see how easy it can be to implement."
The committee is publishing its findings, Zuniga added, "so people can suggest changes, if they like."
The committee also hopes that communications over Wi-Fi can ultimately use some kind of a symbol similar to the padlock icon or green color often used in Web browsers to indicate that Web traffic is being securely encrypted.
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.