Getting a Profit from a Hotspot

Members of the ISP-Wireless list discuss the tradeoff between security and ease of use that ISPs face when setting up a public hotspot for private profit.

On the ISP-Wireless list in August, AM queried,
A number of respondents explained that it's disturbingly easy: [NR noted] "It's trivial on UNIX, and it takes a few mouse clicks on Windows as long as you have the right 802.11b card. The whole hotspot control issue makes me itch. I suppose they'll come up with something decent eventually, but I've been asked to work on a 65-location hotspot marketing effort, and I spent the first two hours trying to discourage the investors from putting any money in it…" [JS agreed] "With 802.11, anyone with a wireless sniffer program can get MAC/IP pairs all day long, wait for one of them to drop off, assume the pair, and off they go. I can guarantee that no 802.11 network is safe."

Others contended that sharing of address information or passwords is the biggest problem: [NR advised] "If you want it done right, you need something like IPsec or PPTP to authenticate the user, not just the piece of hardware. MAC blocking schemes just disintegrate if the uninvited guest has any sort of legitimate access to the network such as a friend with a connection, etc." [AM agreed] "That's exactly what I'm facing using NoCatAuth from NoCatNet."

Still others suggested that there are ways to limit the problem of shared information: [DS contended] "It's not completely useless, because only one of them can be on the network at once with the same MAC address. Friend A would be an idiot to give his MAC address out, because if Friend B was on the same time as him, nothing would work." [EG added] "If you have short timed access for the hotspot, like 2 to 8 hours, then MAC spoofing isn't a real issue. You authenticate this MAC address to use your gateway for x hours: after x hours, it gets denied again, and the user has to pay for more time."

Others recommended some more intensive security measures: [JS observed] "The best (maybe only way at this time) to make 802.11 wireless networks safe from bandwidth thieves is a VPN. The VPN would require an encrypted key system and password to establish the VPN connection: without the VPN, they wouldn't be able to go anywhere." [MB offered] "I have taken security a bit farther. On our system, we use Steel-Belted Radius from Funk Software. By doing so, we use the MAC address for the user name, and the static IP we give the customer as the password. So not only do they have to clone the MAC, they also have to clone the exact IP for that MAC address. Just makes it a bit harder." [JO added] "PPPoE with WinPoET and ServPoET from Fine Point Technologies works very well."

Still others suggested that there's always going to be a tradeoff between security and simplicity: [AM warned] "So here's the process:

Do you really think a user will do all that so he can surf for an hour or two? I think we need to eliminate items 2 through 4 if this is ever going to work." [EG agreed] "At a hotel I got stuck in on my way back from Sweden, they had high speed access. The front desk offered Ethernet patch cords if you didn't have one. When you started surfing, the only page you could get was their payment page: you couldn't ping or trace outside their network. On the payment page, you submitted your credit card information and name. You could then surf to your heart's content for the rest of your visit. It has got to be simple: the simpler the better."
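
The time-limited MAC authorization EG describes and the MAC-plus-IP pairing MB describes can be sketched as one gateway-side check. This is an added example, not code from the list or from any product named above; the class, method names and sample addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Lease:
    ip: str          # IP address bound to this MAC when access was paid for
    expires: float   # time (seconds) at which paid access ends


class HotspotGate:
    """Hypothetical gateway table: timed MAC authorization plus MAC/IP binding."""

    def __init__(self):
        self.leases = {}   # mac -> Lease
        self.alerts = []   # (time, mac, bound_ip, seen_ip) mismatches for review

    def authorize(self, mac, ip, hours, now):
        """Record a paid session: this MAC may use this IP for `hours`."""
        self.leases[mac.lower()] = Lease(ip, now + hours * 3600)

    def check(self, mac, ip, now):
        """Return 'allow', 'pay' (send to the payment page) or 'deny'."""
        mac = mac.lower()
        lease = self.leases.get(mac)
        if lease is None:
            return "pay"                  # never paid: payment page only
        if now >= lease.expires:
            del self.leases[mac]          # x hours are up: denied again
            return "pay"
        if ip != lease.ip:
            # A paid MAC showing up with another IP is worth an operator's look.
            self.alerts.append((now, mac, lease.ip, ip))
            return "deny"
        # The pair matches. This identifies the hardware address and IP only,
        # not the person using them, which is the limit NR and MB point out.
        return "allow"


def demo():
    """Run constructed sample traffic through the gate."""
    gate = HotspotGate()
    gate.authorize("02:00:00:00:00:01", "192.0.2.10", hours=2, now=0)
    events = [  # constructed (time_s, mac, ip) observations
        (60, "02:00:00:00:00:01", "192.0.2.10"),    # paid client
        (120, "02:00:00:00:00:01", "192.0.2.77"),   # paid MAC, wrong IP
        (300, "02:00:00:00:00:02", "192.0.2.11"),   # unknown client
        (7200, "02:00:00:00:00:01", "192.0.2.10"),  # paid time has run out
    ]
    return [gate.check(m, i, t) for t, m, i in events], gate.alerts
```

The alert list is what the pairing adds over plain MAC filtering: a mismatch is recorded for review instead of passing unnoticed.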