Security Risks for Mobile Computing on Public WLANs: Hotspot Registration
by Simon Ford - International Director at NCP Engineering - Monday, 25 August 2008.
In all three cases there exists the risk that the user may surf outside of the secure VPN tunnel on the Internet and encounter destructive software such as viruses, worms or Trojans. Temporarily opening the firewall creates the danger of deliberate misuse by the user on the basis of multiple actuations of the time window. If the personal firewall fundamentally permits no communication outside of the configuration, then the user has to activate the corresponding firewall rules for the duration of registration on the hotspot. This requirements-based opening of the personal firewall involves the greatest risk of mis-configurations. The user must have a firm grasp of the exact changes being made and the exact environment in which they are made. Employee security awareness and technical know-how determine the security level quality.

A large security risk also exists when user data (user ID/password) is spied out externally on the hotspot during the registration process. With the aid of his notebook a hacker can simulate both the hotspot and the WLAN SSIDs. If a user then registers on a hotspot, he does not land at the access point of the provider, but rather on the notebook of the hacker. By means of the previously mirrored access point web pages, the user still assumes that he is authenticated on the hotspot, when in reality he is on the notebook of the hacker and his personal registration data is now exposed.

Providers always attempt to protect the hotspot registration pages through SSL processing (https), but that does not always succeed. For example, a user who arrives at a manipulated hotspot obtains the following report from the browser: A problem exists with the security certificate on the web site. In the background of this report, the attacker has only recreated the hotspot registration page and does not use the original certificate. For the lay person, this may not be recognizable at first glance, and it is incumbent to him to decide whether or not he should trust the certificate. In order not to place a user in the position of making this decision, the hotspot registration should flow transparently before construction of the VPN. A solution that has proven itself in practice is the so-called registration script that takes over the transmission of registration and the inspection of the certificate at the hotspot.

The requirements for the functionality of a personal firewall with mobile computing on WLANs are multilayered. They also apply to the critical phases during the registration and sign-off process on the hotspot. Requirements must be known at the earliest possible time and should be in place from system start. They also must remain when no VPN connection exists or has been deactivated. Furthermore, the user should be safeguarded against arbitrarily reconfiguring or completely shutting off the personal firewall.

VPN client with integrated personal firewall

The dilemma of system requirements may be resolved by a VPN solution with a client-integrated personal firewall. The advantage of the integrated variant is that a personal firewall and VPN client are functionally linked to one another. In a quasi-teamwork fashion, the existing firewall rule statements are dynamically activated in dependence on the network environment. Fundamentally, three situations may be differentiated:

1. Known networks
2. Unknown networks
3. VPN networks

Automatic recognition of the network takes place by validating different network factors. In friendly networks, permissive firewall rules apply as they do in public environments like the hotspot. The personal firewall must work with intelligent mechanisms that guarantee a secure activation of network access via the browser, as well as a secure registration on the hotspot. The user chooses the menu point “hotspot registration” in the welcome area of a public WLAN. Subsequently, the VPN client automatically searches the hotspot and opens the web site for registration in a standard browser. For example, after successful entry of access data and activation by the operator, the VPN connection can connect to the company headquarters and communicate as securely as it would in an office.

In this manner, the PC is accessible in the WLAN in no time, and there are ports dynamically assigned for http/https for registration and logging off the hotspot. During this time, only data traffic is possible with the operator’s hotspot server. Unnecessary data packets are refused. In this way, it is guaranteed that a public WLAN can use the VPN connection at the central data network and no direct internet access can take place.


VPN protocol flaw allows attackers to discover users' true IP address

The team running the Perfect Privacy VPN service has discovered a serious vulnerability that affects all VPN providers that offer port forwarding, and which can be exploited to reveal the real IP address of users.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Dec 1st