[OpenWireless Tech] Securing Open Wireless

Christopher Byrd chris at riosec.com
Thu Jul 28 09:03:57 PDT 2011


I recently wrote an article that covers the issue with open wireless
networks and summarizes a solution that was featured on the cover of
the March ISSA Journal titled "Unsafe at any SSID: Wireless Hotspot
(In)Security": http://riosec.com/files/byrd-wireless-hotspot-insecurity.pdf

This article introduces a method which I called "Open Secure Wireless"
to use EAP-TLS without client authentication to achieve anonymous
secure wireless connectivity using existing protocols. I had
previously written a paper on this method here:
http://riosec.com/open-secure-wireless

In parallel and independently, Tom Cross and Takehiro Takahashi from
IBM X-Force developed what is essentially the same method, which they
called "Secure Open Wireless Networking". That was introduced in a
blog posting here: http://blogs.iss.net/archive/WirelessSolution.html.

To summarize this solution:
- The EAP-TLS protocol does not require client certificates (despite
common misconceptions and vendor implementations).

- EAP-TLS without client authentication provides a secure wireless
connection without client authentication similar to how HTTPS works
for web sites.

- Server certificate validation is possible. These changes would
benefit both this solution and existing closed (enterprise) EAP-TLS
and EAP-PEAP networks.

- We have working demos for both authentication servers (FreeRADIUS
and hostapd) and wireless supplicants (wpa_supplicant).

- Existing commercial wireless supplicants (Microsoft Windows, Mac
OSX...) work as-is, but would require some simple modifications for
widespread adoption and server certificate validation.

Please post to the list any questions or feedback on this approach.

Also, I will be presenting the solution jointly with Tom and
Takehiro at Black Hat Las Vegas in the Arsenal Demo/Tool area. If you
are going to be at Black Hat, please stop by and check it out!

Thanks,

Christopher
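The core of the summarized approach, as an added illustration that is not code from the post, the paper, or the FreeRADIUS/hostapd/wpa_supplicant demos it mentions: a TLS handshake in which the server requests no client certificate and the supplicant side authenticates only the server, the way an HTTPS client does. It assumes Go's standard library, a loopback TCP socket standing in for the EAP-TLS transport, and, purely as an assumption for the example, a hotspot certificate that carries the SSID as its DNS SAN so the supplicant can bind the certificate to the network it expects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// NewHotspotCert: constructed self-signed cert for a hotspot's EAP server. Carrying the
// SSID as the DNS SAN is this example's assumption, not the paper's validation scheme.
func NewHotspotCert(ssid string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{ssid}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return tls.Certificate{}, nil, err }
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // the supplicant's trust store: only this hotspot's cert
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// Handshake runs the TLS exchange inside EAP-TLS over loopback TCP: the server asks for
// no client certificate (tls.NoClientCert) and the supplicant authenticates the server
// only, against its trust store and the SSID it expects. nil means accepted.
func Handshake(server tls.Certificate, trusted *x509.CertPool, expectSSID string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return err }
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			s := tls.Server(c, &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.NoClientCert})
			s.Handshake() // a rejection by the supplicant surfaces here as an alert; ignored on purpose
			s.Close()
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: trusted, ServerName: expectSSID})
	if err != nil { return err }
	return c.Close()
}
```

A supplicant that skips the trust-store and name checks (RootCAs nil with InsecureSkipVerify, or an empty ServerName) would accept any server, which is exactly the validation gap the post says existing supplicants need fixed.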


