(1) Field of the Invention
The invention pertains generally to wireless hotspots. More specifically, the invention relates to authorizing a wireless client device for secured wireless access at a hotspot having both an open wireless network and a secure wireless network.
(2) Description of the Related Art
Hospitality establishments such as hotels, resorts, coffee shops, shopping malls, airports, airlines, etc. often wish to wirelessly offer Internet access to customers. To make customer access as simple as possible, often the hospitality establishment sets up a wireless access point (AP) that provides an open and unencrypted hotspot. Security options such as wired equivalent privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access II (WPA2) are disabled on the AP so that customers do not need to know any password or other access credential in advance to associate (i.e., connect) their wireless device with the AP.
If the hotspot is to be limited to only certain users such as paying customers, a captive portal system is generally employed to redirect all newly associated users to a web-based login portal where payment information or user authentication information can be received before allowing access to the Internet. To ensure security of the user's payment and/or authentication information, the login portal is generally provided at a hypertext transfer protocol secure (HTTPS) uniform resource locator (URL). Once a user completes the login process, the media access control (MAC) address or the Internet Protocol (IP) address of the user's device is cleared for Internet access at the hotspot.
Although convenient, such unencrypted public hotspots are extremely insecure. Even though the login portal is usually accessed through an HTTPS URL, once a user has logged in to the hotspot and begins browsing the Internet, all subsequent traffic to plain-HTTP URLs is sent over the air with no link-layer encryption. This means that any malicious user within signal range of the public hotspot can passively listen to the over-the-air signals to and from other users. An attacker can easily capture sensitive information including usernames, passwords, session IDs, cookies, and any other data sent to or from these web sites.
For example, the Firefox® add-on entitled “Firesheep” demonstrates how a malicious user can hijack the session of any user of an unencrypted hotspot who is currently logged in to any of 26 popular online services including Amazon®, Facebook®, Foursquare®, Google®, The New York Times®, Twitter®, Windows Live®, Wordpress® and Yahoo®. It works by passively monitoring the Web traffic between wireless client devices and the access point (AP) of the unencrypted hotspot, detecting the session cookie that the online service and the legitimate user's browser pass back and forth to keep the user in a logged in state, and then replaying that cookie in the attacker's own requests to the service. In this way, the hacker can access the user's account on the online service even though the hacker does not know the user's password on that service. Because unencrypted hotspots do not encrypt over-the-air traffic, the session IDs of current users who are logged in to HTTP-based websites at the hotspot are easily captured.
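The following is an added example, not code from the original text and not Firesheep's own code. It models the mechanism just described: the server's session table accepts whoever presents the session cookie, so a cookie copied out of a plaintext HTTP request observed over the air is sufficient to act as that user. The host name, cookie name and request contents are constructed for illustration.

```python
"""Added example (not Firesheep's code, not from the original text): a model of
why a session cookie observed in plaintext over an open hotspot is enough to
take over the account. Host name, cookie name and session values are constructed."""
import secrets
from typing import Dict, Optional


def parse_request(raw: bytes) -> Dict[str, str]:
    """Parse the head of an HTTP/1.1 request into a lowercase-keyed header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def cookie_value(raw: bytes, name: str) -> Optional[str]:
    """Return one cookie's value from the request's Cookie header, or None if absent."""
    for part in parse_request(raw).get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


class SessionStore:
    """Minimal server-side session table: the cookie is the only proof of identity."""

    def __init__(self) -> None:
        self._by_id: Dict[str, str] = {}

    def login(self, username: str) -> str:
        """Issue a fresh random session ID after a (not modelled) password check."""
        sid = secrets.token_hex(16)
        self._by_id[sid] = username
        return sid

    def whoami(self, request: bytes) -> Optional[str]:
        """Resolve a request to a user purely from its sessionid cookie."""
        sid = cookie_value(request, "sessionid")
        return self._by_id.get(sid) if sid is not None else None


def build_request(host: str, path: str, sid: str) -> bytes:
    """Construct a plain-HTTP request as it would be sent in the clear at the hotspot."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: sessionid={sid}; theme=dark\r\n\r\n").encode()


def hijack_demo():
    """Victim logs in and browses over the open hotspot; an eavesdropper within
    radio range copies the cookie out of the captured bytes and replays it.
    Returns (who the server thinks sent the victim's request, who it thinks sent
    the attacker's request)."""
    server = SessionStore()
    victim_sid = server.login("alice")
    over_the_air = build_request("social.example", "/home", victim_sid)   # unencrypted HTTP
    stolen = cookie_value(over_the_air, "sessionid")                      # what the eavesdropper sees
    attacker_request = build_request("social.example", "/settings", stolen)
    return server.whoami(over_the_air), server.whoami(attacker_request)
```

The server has nothing with which to distinguish the two requests, which is why no password is needed; the only defences are to keep the cookie from being observable at all, either by end-to-end HTTPS for the whole session or, as this application is concerned with, by encrypting the hotspot's over-the-air traffic.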
A typical recommendation for users to better secure Internet browsing at an unencrypted hotspot is to always utilize a trusted virtual private network (VPN) service. When a wireless client device is properly configured to utilize a VPN service, the device establishes an encrypted connection with the VPN service and then sends and receives all Web traffic via this encrypted connection. In this way, even when a user's desired destination website is accessed using an unencrypted HTTP-only URL, the over-the-air web traffic between the user's wireless device and the website is encrypted due to being passed through the intermediate and encrypted VPN connection.
Although VPNs certainly increase security, most users do not use them. VPNs require some technical savvy by the user, both to recognize the need for the VPN in the first place, and to preconfigure their personal device to utilize a trusted VPN service in advance of arrival at the hotspot. Most VPN services also charge for usage and add some appreciable delay to web browsing.
Another downside to the VPN solution is that it is focused on securing the user's web traffic rather than the wireless hotspot as a whole. For example, regardless of whether the user is accessing the hotspot's secure login portal, the VPN service, banking websites, and/or any other websites accessed via an HTTPS-based URL, only the payload of the packets transmitted over the air at the unencrypted hotspot is encrypted. The packet headers remain in the clear and include sensitive information such as the MAC and IP addresses of the user's wireless device. Because the captive portal clears users for Internet access by MAC or IP address, a hacker can use this unencrypted information to steal Internet access from the hotspot by spoofing the MAC/IP address of a subscribed user. Hackers may also cause other problems at the hotspot by impersonating valid users according to the information contained in the unencrypted packet headers.
In order to prevent the packet headers from being broadcast in the clear, the hotspot provider must activate one of the over-the-air encryption methods such as WEP, WPA, or WPA2. However, as previously mentioned, these encryption methods require the client device to first authenticate itself using a shared secret or other access credential before allowing the client device to associate with the encrypted hotspot.
To get around this problem, hospitality establishments providing public hotspots such as hotels or coffee shops often pre-configure their wireless networks to accept a single wireless password. Customers of the hospitality establishment are given the password for use while at the establishment. For example, front desk staff at a hotel provide guests of the hotel with the hotel's wireless password upon check-in, or cashier staff at a coffee shop provide customers of the coffee shop with the shop's wireless password upon drink purchase. The goal is to only allow valid users to associate with the encrypted hotspot and to ensure all traffic broadcast over the air (including the packet headers) is encrypted to prevent eavesdropping by hackers.
However, when employing a single wireless password given to all valid users, it is difficult to limit access to only the valid users of the hotspot. For example, previous guests of the hotel or previous customers of the coffee shop and anyone else who happens to know or find out the wireless password are able to wirelessly associate their devices with the encrypted hotspot and possibly steal Internet access. Manually changing the password on a periodic basis is a nuisance to staff and does not really solve the problem since anyone can use the new password until it is changed again. Furthermore, a common shared password used by all users weakens the over-the-air encryption itself: with WPA or WPA2 in pre-shared key mode, anyone who knows the passphrase and captures another user's four-way handshake can derive that user's session key and decrypt that user's traffic, and a single password handed to many people is more easily leaked and gives a hacker a single target for offline cracking.
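The following is an added example, not code from the original text, showing concretely why a single shared passphrase does not protect users from each other. It goes slightly beyond the paragraph above by carrying the WPA2-PSK key derivation through: the pairwise master key (PMK) is PBKDF2-HMAC-SHA1 over the passphrase and SSID, the pairwise transient key (PTK) is PRF-384 over the PMK, the two MAC addresses and the two handshake nonces, and the EAPOL-Key MIC lets the derivation be confirmed. All of those inputs are transmitted in the clear during the four-way handshake, so a second guest who holds the same passphrase can recompute the first guest's temporal key (TK). The SSID, passphrase, MAC addresses, nonces and EAPOL body below are constructed; the one real reference value is the IEEE 802.11i PSK test vector for passphrase "password" and SSID "IEEE".

```python
"""Added example (not from the original text): with a single shared WPA2-PSK
passphrase, anyone who knows it can derive another station's pairwise keys from a
captured four-way handshake. The derivations follow IEEE 802.11i (PBKDF2 for the
PMK, PRF-384 for a CCMP PTK, HMAC-SHA1 for the WPA2 EAPOL-Key MIC); the SSID,
passphrase, MAC addresses, nonces and EAPOL body are constructed."""
import hashlib
import hmac
from typing import Optional, Tuple


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, 2 (3 * 160 bits >= 384 bits) and truncate to 48 bytes."""
    blocks = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3)
    )
    return blocks[:48]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """CCMP PTK = PRF-384(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_384(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes) -> Tuple[bytes, bytes, bytes]:
    """KCK (EAPOL MIC key), KEK, TK (the CCMP data key): consecutive 16-byte slices."""
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, frame_with_mic_zeroed: bytes) -> bytes:
    """WPA2 (AKM 00-0F-AC:2) key MIC = HMAC-SHA1(KCK, EAPOL-Key frame with MIC field zeroed)[:16]."""
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


# Constructed hotspot parameters: one passphrase handed to every guest at check-in.
SSID = "Hotel-Guest-Secure"
SHARED_PASSPHRASE = "welcome2024"
AP_MAC = bytes.fromhex("001122334455")       # AA: the access point (constructed)
GUEST_MAC = bytes.fromhex("66778899aabb")    # SPA: the legitimate guest (constructed)
ANONCE = bytes(range(32))                    # constructed; random per handshake in practice
SNONCE = bytes(range(32, 64))
# Constructed stand-in for EAPOL-Key message 2 with its 16-byte MIC field zeroed.
MSG2_MIC_ZEROED = b"\x02\x03\x00\x5f\x02\x01\x0a\x00" + b"\x00" * 8 + SNONCE + b"\x00" * 48


def guest_handshake() -> Tuple[bytes, bytes]:
    """The legitimate guest's side of the handshake: derive the PTK and compute the
    message 2 MIC. Returns (TK used for the guest's data frames, MIC sent in the clear)."""
    pmk = derive_pmk(SHARED_PASSPHRASE, SSID)
    kck, _kek, tk = split_ptk(derive_ptk(pmk, AP_MAC, GUEST_MAC, ANONCE, SNONCE))
    return tk, eapol_mic(kck, MSG2_MIC_ZEROED)


def eavesdropper_recover_tk(passphrase: str, observed_mic: bytes) -> Optional[bytes]:
    """Another guest who knows the same passphrase and has captured the MACs, nonces
    and message 2 over the air recomputes the guest's PTK and uses the MIC to confirm
    it. Returns the guest's TK, or None if the MIC does not match (wrong passphrase)."""
    pmk = derive_pmk(passphrase, SSID)
    kck, _kek, tk = split_ptk(derive_ptk(pmk, AP_MAC, GUEST_MAC, ANONCE, SNONCE))
    if not hmac.compare_digest(eapol_mic(kck, MSG2_MIC_ZEROED), observed_mic):
        return None
    return tk


def shared_psk_demo() -> Tuple[bytes, Optional[bytes], Optional[bytes]]:
    """Returns (guest's TK, TK recovered with the shared passphrase, result with a wrong one)."""
    guest_tk, mic = guest_handshake()
    return guest_tk, eavesdropper_recover_tk(SHARED_PASSPHRASE, mic), eavesdropper_recover_tk("wrong", mic)
```

The recovered TK is the key that protects the guest's data frames, so the shared passphrase turns every other passphrase holder within radio range into the same kind of eavesdropper as at an open hotspot, with the MIC check telling the eavesdropper immediately whether the passphrase (or a cracking guess) was right. Nothing in the derivation is secret except the passphrase, which is exactly what a per-user credential, rather than one shared password, is meant to provide.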
IBM® has recently proposed a new system where the service set identifier (SSID) of a wireless network is its domain name and the AP sends a digital certificate to the wireless client upon connection; the client validates the certificate and automatically establishes an encrypted connection with the AP when the name in the certificate matches the SSID domain name. Over-the-air communication is thereby encrypted without requiring the user to know a password in advance. However, IBM's proposal requires changes to both APs and client devices and therefore does not function with current state-of-the-art equipment. Operating systems such as Windows®, Mac OS X®, and Linux® also need to support the new protocol in order for a typical user to actually benefit. Hardware and/or software updates may not be possible or may be difficult with current state-of-the-art equipment (e.g., already-deployed APs and client devices). Furthermore, when any user can associate with the encrypted hotspot without using any password, it is difficult for the hotspot provider to prevent invalid users such as hackers from associating as well.
Another known solution to the shared secret requirement is to activate WPA2 “Enterprise mode” security with a modified Remote Authentication Dial In User Service (RADIUS) server that allows any username and any password. In this way, wireless users can be associated with an encrypted wireless local area network (WLAN) regardless of what username/password combination they enter for authentication purposes. However, most users would not realize that any username/password will work and will therefore not even attempt to associate with a secured SSID if they are not aware of a specific password for that SSID. Additionally, when any username/password combination results in successful association with the secured network, it is difficult for the hotspot provider to prevent invalid users such as hackers from associating as well.