On October 3, the Enforcement Bureau of the Federal Communications Commission (FCC) issued an order forbidding Marriott Hotel Services (MHS) from blocking the use of personal hot spots at its properties and slapping the company with a $600,000 fine. This is the latest round in the battle between technology and companies' insatiable appetite for gouging their customers (particularly their business customers) in any way they possibly can. While this Consent Decree was directed at MHS specifically, this ruling also has implications for any organization operating an enterprise wireless LAN.
The complaint was originally made by a guest at the Gaylord Opryland in Nashville last March. According to the Consent Decree, MHS routinely charged between $250 and $1,000 per day per wireless access point being used in its meeting rooms or convention center. Having worked with countless trade shows over the years, this came as no surprise to me. However, this type of price gouging becomes particularly vexing when many of us have cellular data plans with gigabytes of capacity that cost far less than $250 per month!
MHS made use of a feature available in virtually every wireless LAN switch: the capability to block "rogue" access points.
The rogue access point is a problem that has plagued security professionals since Wi-Fi's inception. Users would routinely buy residential Wi-Fi routers, bring them into the office, connect them to an Ethernet jack, and begin offering wireless access within the department. These networks were easy to find because they were typically called "Linksys" or "Netgear" and none of the encryption or security features were activated. From a security standpoint, this was the equivalent of putting an Ethernet jack to the company's network in the parking lot and hanging a sign over it.
In a centrally managed Wi-Fi network like you can buy from Cisco, Aruba, Motorola Solutions, Aerohive and others, they have a feature called rogue detection/rogue mitigation. With this feature, you can set the access points (APs) to periodically scan all of the available Wi-Fi channels looking for APs that are not part of the centrally managed WLAN. Alternately, you can dedicate a number of access points to scan for rogues continuously. When an unauthorized AP is located, you can either flag it to the network management console or actively disable it.
It turns out that disabling an access point can be done very quickly using a quirk in the Wi-Fi protocols. While we have great mechanisms for encrypting data frames, Wi-Fi Management Frames are typically sent in the clear. The trick Marriott used for disabling personal hot spots is called a Disassociation Attack. Basically, the managed APs listen for stations associating (the Wi-Fi term for "connecting") with the rogue AP, and then immediately send a "Disassociation Frame", essentially disconnecting them.
The problem for Marriott is Section 333 of the Communications Act of 1934 which reads, "No person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this act or operated by the United States Government." The Consent Decree further references an FCC Enforcement Advisory that reads, "We remind consumers that it is a violation of federal law to use devices that intentionally block, jam, or interfere with authorized radio communications such as cell phones, police radar, GPS, and Wi-Fi." That's pretty clear.
Those of us who work on Wi-Fi networks recognized the potential challenges when the rogue detection capability started showing up in all of the managed Wi-Fi systems. When you turn on the capability, the SSIDs of all APs the system can hear will be displayed, both "rogues" and the legitimate access points on your next-door neighbors' Wi-Fi networks. The vendors were very careful to inform their customers that those legitimate APs would have to be marked as "benign", because if our system disabled them, we would be running afoul of that Section 333 requirement. As a result, many organizations simply disabled the rogue detection capability--safe, but not necessarily "smart."
All of this had been pretty straightforward when APs were stationary devices typically attached to wired Ethernet connections. However, now a personal hot spot providing access to your 4G service can be the size of a pack of cards or simply a capability built into your smartphone. This is presenting a challenge to organizations trying to secure their internal Wi-Fi network, because how do you distinguish between a "rogue" and a legitimate personal hot spot providing access to a 4G service? The key is that you have to be able to determine if the questionable AP is connected to your WIRED network--a legitimate personal hot spot won't be.
The FCC is well within its authority and on the right track in aggressively protecting the unfettered use of the airwaves; while messing with someone's Wi-Fi Internet access, as Marriott did, is an annoyance, other actions could be more serious--for example, if someone were blocking access to emergency services, this clearly creates a major public safety issue.
Where Wi-Fi jammers had been readily available on the Internet up to a few years ago, they have now largely gone underground. Similarly, cellular jammers have mostly disappeared from the market. So while you may be annoyed by that moron's cell phone going off during the best part of the movie, you would be ill-advised to attempt any "corrective action."
Follow Michael Finneran on Twitter and Google+!
@dBrnWireless
Michael Finneran on Google+
