Open Wifi Security (Friday evening rant)

1) Yes, at our @nordic_choice hotels we have open wifi as standard. No Client<->AP encryption (WPA/23), and no captive portal to logon to.

Let me first explain some obvious reasons for doing so. (Often disregarded by infosec pros.)

@Nordic_Choice 2) It is INCREDIBLY easy for anyone to connect and start using the Internet at our hotels. And we have absolutely all kinds of people staying with us. That includes people that are not tech-savvy at all.

@Nordic_Choice 3) Being a company who very actively seek to reduce our footprint on earth & measure our performance in "People, Planet & Profit" (not just profit), open wifi with no captive portal saves time, energy & money. It helps your mood as well. 😇

@Nordic_Choice 4) We are using enterprise solutions for our wifi. Hey, we have APs with WPA3 support available! Flick the switch, and you got it. Oh, and we do client isolation. You doing a conference or a meeting? Ask us, and we can give you your own SSID. With encryption & a serious password.

@Nordic_Choice 5) At most of our hotels we don't do captive portals. We don't need it to provide you with Internet access. Guest wifi is a shared resource, and we provide plenty for each client (30/20). At some hotels even much higher speeds at optimal times.

@Nordic_Choice 6) We use RFC1918 private addresses for clients connecting to our guest wifi, so Internet villains cannot directly portscan or connect to your honeypot telnet server, should you have one.

@Nordic_Choice 7) We have (obviously) monitoring tools to look for APs that are not working, areas with massive spikes in traffic & signs of errors that shouldn't be there. But hey, we don't block ports or protocols: your VPN, Tor or corporate VPN connection works fine.

@Nordic_Choice 8) "BUT YOUR WIFI IS OPEN, THERE IS NO ENCRYPTION, ANYONE CAN HACK ME!"

No.

Most services you use online today are encrypted (HTTPS you know). Quite a few of them has even configured HTTPS to a level where MitM is very, very hard to do for an adversary. Even on open wifi!

@Nordic_Choice 9) DNS IS PLAINTEXT.

We know. We are working hard to only use #DNSSEC resolving DNS servers, but of course you can use your own as well. Personally I want to provide our guests with DoT too, and you can use DoH as well with whatever provider you prefer.

@Nordic_Choice 10) About DNS:
We @Nordic_Choice use #DNSSEC. We do #DNSSEC for our email with Google. Check our MX records: we use mailservers with the smtp.goog (Google) domain, which is #DNSSEC signed.

We ask our providers to use #DNSSEC. You should too.

@Nordic_Choice 11) We haven't had a single report coming in from anyone becoming a victim of "hacking", where lack of Client<->AP encryption in our guest wifi was the reason for the incident.

*Not a single report.*

@Nordic_Choice 12) Yes, we are well aware of clients remembering open wifi SSIDs, & automatically connecting to those SSIDs, even if it is someone playing with Kali or their brand new Hak5 Pineapple.

We can't help with your wifi history, and imho most devices have been on open wifi once.

@Nordic_Choice 13) Side note: two largest telcos in Norway ran massive campaigns warning against use of (open) wifi last year, promoting 4G instead. One of those telcos is also a BIG provider of open wifi in several countries. Paradox?

@Nordic_Choice 14) We have also experienced the confusion related to encryption & captive portals. Some even believe that captive portals are there to protect their security & privacy, and that a captive portal means there is encryption in place.

@Nordic_Choice 15) At one point I was told that without "double encryption" + login using a captive portal, we would violate #GDPR, and our wifi could not be used by employees of organisation X.

Tough job trying to fix that one.

@Nordic_Choice 16) Now a little probability threat analysis: Where is the most obvious location of a villain wanting to hack you?

@Nordic_Choice 17) Another survey: What do you reckon as the most common way of getting hacked:

@Nordic_Choice 18) Third survey question:
Have you ever been the victim of open Wifi hacking (MitM or other ways) - Infosec cons & Hak5 Pineapple demos excluded?

@Nordic_Choice 19) Obviously there are MANY ways to hack, bypass or make any wifi Client<->AP encryption irrelevant. Not to make that an argument against using encryption though, I personally prefer the encrypted version.

But risk analysis is cool.

@Nordic_Choice 20) There are threats out there, we will always have vulnerabilities, and we have values to protect.

As a provider of free & open wifi access for our guests, we try to evaluate all of those, looking at probability & impact, while also remembering UX.

@Nordic_Choice 21) I could have said lots more, and I probably forgot something important as well.

A nudge to @boblord here is in place, as well as @schneierblog & many, many others I've learned from in terms of being sober when doing risk analysis. :)

@Nordic_Choice @boblord @schneierblog 22) So I'll stop my rant here, and say thank you for reading all these tweets.

I am now ready to answer your questions, comments and flames.