FCC Prohibits Blocking of Personal Wi-Fi Hotspots
alphadogg writes: The FCC on Tuesday warned that it will no longer tolerate hotels, convention centers or others intentionally interfering with personal Wi-Fi hotspots. This issue grabbed headlines last fall when Marriott International was fined $600,000 for blocking customer Wi-Fi hotspots, presumably to encourage the guests to pay for pricey Internet access from the hotel.
I would have been first had my WiFi not been jammed!
So I guess this means the government will pursue the tech companies who enable this illegal practice as vigorously as torrent sites that enable copyright infringement?
Can they prevent wireless companies from blocking hotspots next?
Physics is nothing like religion. If it was, we'd have an easier time trying to raise money!
Private hotspots aren't on your network.
It little behooves the best of us to comment on the rest of us.
They outlawed Faraday cages?
“He’s not deformed, he’s just drunk!”
If they won't let me unplug my employees' private hotspots on my network, I will be mad.
You can unplug them. You just can't actively jam them.
The FCC has actually been showing some balls lately, I like it. Keep it up, Wheeler!
I'm sorry what? I could be falling for the biggest WHOOSH of all time here but I've re-read your post a few times.
Are you talking about your employees setting up a hotspot and bridging into your wired network? If that is the case you would be fully within your rights to unplug them from your wired network.
That said if that is even a possible vector into your network (I can only assume you don't control their hardware) then you need to treat that network as hostile anyway and the servers should not be directly accessible.
You have to have a free pool to get a 5 star rating. Too bad the ratings companies around the world haven't required decent and free Wi-Fi. Major hotel chains would change their offers in a hurry when they are down rated to a 4 star hotel.
This doesn't imply that the FCC has any problem whatsoever with you telling your employees not to use personal hotspots at work. You can fire them for breaking company policy if you've codified the ban on personal hotspots. You can triangulate their position based on their 2.4 GHz radio frequency emissions (doable by just walking around with a smartphone and a good bit of time; probably easier to just spot check workers and make sure they're connected to your network, not theirs), you can make them use company computers that either can't connect to other networks, or that report a time-stamped list of networks they've been connected to (you should inform employees of this practice ahead of time), you just can't actually jam the radio spectrum used for Wi-Fi.
Haha! Nice. And nice raincoat, but might I suggest a more attractive model to show it off :P
Just like modems on laptops or in the server room are not a security risk?
The problem is that people can, and do, connect the same device simultaneously to the hotspot or the modem and to the internal network. And then they port forward. I've certainly caught people doing this, especially among non-technical staff who try out "this cool thing they read about". I'm afraid it's often even worse among software architects who use passphrase-free SSL or SSH keys "to save time", who lock their passwords to never expire, and who are very careful never to explain what they're doing to anyone else.
I've encountered far too many cases of such setups used for business critical services, unknown to anyone else, that collapse during network cleanup efforts or when the employee finally moves on.
FCC will not stop a moron staying in one of the hotel rooms (or, say, apartments) sending disconnect packets to everyone around them. The only solution is to secure your network from trivial sabotage, and applicable standards are readily available. Why waste time policing the hotel itself when every one of its guests can do the same thing and worse?
If the employees are turning on their personal hotspots and using that, you don't have a security problem. If they are both connecting to the hotspot and to your network, you can stop this by booting them off your network. What you can't do, though, is put a hotspot jamming device in place to knock out all personal hotspots.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
The rules for access to the frequency spectrum used by WiFi require that the device has a mechanism to prevent it interfering with other users of the channel. That is why frequency hopping, spread spectrum and exponential backoff algorithms are all parts of devices permitted to be used in these bands. The devices are not licensed to access the band, they are certified to comply with the rules to access the band.
A device specifically intended to prevent someone else accessing the band is a clear violation of this law. There was no time since WiFi existed that this was remotely legal.
People should be in jail.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
I thought it was a joke. I mean I hope it is. Someone can't be that stupid, right?
I worked NetSec for a global casino/resort company. At nearly every site, a few times a month, I would send local IT to go find wifi routers plugged into our network. Employees would bring in cheap routers because we didn't allow wifi other than the guest network, which was strictly for corporate visitors (i.e. sales reps, etc.), and they wanted to use their personal devices for whatever. This happened even at corporate, where I sat.
Fifty watts per channel, baby cakes.
> If the employees are turning on their personal hotspots and using that, you don't have a security problem.
If they connect anything that lives inside your network, at any time, or that even has a VPN connection to your internal networks at any time, you have a security problem. It may be one you choose to accept as a matter of policy, but the risk is very real. Worse, most admins simply do not have the tools or buy-in to review and monitor systems for gateways, remote console access, or network tunnels that may expose your internal network through precisely such a hotspot or modem access.
I agree that by current regulation you may not run a hotspot jammer. The FCC regulations are quite clear about this, partly because they block other cellular communications and services such as telephones and GPS. But I'm afraid I disagree vehemently with you that their use does not constitute "a security problem".
What I find most baffling about the whole affair is how something that one would ordinarily think of as a fairly overtly malicious exploit, spoofing the appropriate management frames to break a network you don't have authenticated access to the configuration interface for, became a 'respectable' tool for 'management', even included out of the box in fancy commercial products from vendors with risk averse legal teams and so on.
This seems like the place where somebody who has been dealing with enterprise wireless gear long enough to have observed the change might be found. Did this 'feature' cross over from what was initially a proof of concept by a security researcher? Was it recognized as a possibility before the standards had even been hammered out and was available from day one? Do we know what vendor adopted it first? Were there any who specifically didn't offer it for legal, rather than technical, reasons?
At this point, it is certainly the case that at least some wireless management consoles adopt a very...possessive...tone, detecting 'rogue' APs, despite those APs being no more or less legitimate than any others, in terms of spectrum use, and offering 'containment' or various similarly clinical euphemisms for dealing with them. How, historically, did it come to be that this nasty DoS trick went all legitimate, even as generalized hacker hysteria can get you a stiff dose of CFAA charges for almost anything that involves a CLI and confuses the DA?
I'd love to have my hands on all the versions of various vendors' wireless management and administration packages, to see how this feature evolved over time. I can certainly see its appeal; but I find it hard to believe that nobody had serious doubts about its legality from time to time.
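A defender-side illustration of the management-frame trick discussed above, added here and not taken from any vendor product or from the thread: it parses constructed 802.11 deauthentication/disassociation frames and flags a claimed source that emits them faster than any access point legitimately would. The minimal header layout, the 5-frames-per-second threshold and all addresses are my assumptions.

```python
import struct
from collections import defaultdict

# 802.11 management subtypes that knock a station off the network.
DEAUTH, DISASSOC = 12, 10
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Alert when one claimed source emits THRESHOLD disconnects within WINDOW_S
# seconds (assumed values; tune for the environment being monitored).
THRESHOLD, WINDOW_S = 5, 1.0


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, dst, src, bssid, reason):
    """Constructed sample frame: frame control(2) duration(2) addr1(6)
    addr2(6) addr3(6) seq ctrl(2), then a 16-bit little-endian reason code."""
    fc0 = (subtype << 4) | (0 << 2)          # type 0 = management frame
    hdr = struct.pack("<BBH", fc0, 0, 0)
    for mac in (dst, src, bssid):
        hdr += bytes.fromhex(mac.replace(":", ""))
    return hdr + struct.pack("<H", 0) + struct.pack("<H", reason)


def parse_mgmt_frame(frame):
    """Return (subtype, dst, src, bssid, reason), or None if not management."""
    if len(frame) < 26 or (frame[0] >> 2) & 0x3 != 0:
        return None
    subtype = (frame[0] >> 4) & 0xF
    reason = struct.unpack("<H", frame[24:26])[0]
    return subtype, _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22]), reason


def summarize_disconnects(captured, threshold=THRESHOLD, window_s=WINDOW_S):
    """captured: list of (timestamp_seconds, frame_bytes) from a monitor.
    Groups deauth/disassoc frames by the address they claim to come from
    (a jammer spoofs the AP's address, so this is rate detection, not
    attribution) and flags any source exceeding `threshold` frames in a
    sliding `window_s`. Networks running 802.11w protected management frames
    make the spoofed frames unauthenticated and dropped, which is the
    standards-based fix; this monitor is for networks without it."""
    per_src = defaultdict(lambda: {"times": [], "count": 0,
                                   "broadcast": 0, "flagged": False})
    for ts, frame in captured:
        parsed = parse_mgmt_frame(frame)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        _, dst, src, _, _ = parsed
        rec = per_src[src]
        rec["count"] += 1
        if dst == BROADCAST:                 # one frame disconnects everyone
            rec["broadcast"] += 1
        rec["times"] = [t for t in rec["times"] if ts - t <= window_s] + [ts]
        if len(rec["times"]) >= threshold:
            rec["flagged"] = True
    return {s: {k: r[k] for k in ("count", "broadcast", "flagged")}
            for s, r in per_src.items()}


# Constructed capture: one benign deauth, one data frame, one station
# leaving, then six broadcast deauths in half a second claiming the AP's address.
AP, STA = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
SAMPLE_CAPTURE = (
    [(0.0, build_mgmt_frame(DEAUTH, STA, AP, AP, 3))]
    + [(2.0, b"\x08\x00" + b"\x00" * 24)]
    + [(5.0, build_mgmt_frame(DISASSOC, AP, STA, AP, 8))]
    + [(10.0 + i * 0.1, build_mgmt_frame(DEAUTH, BROADCAST, AP, AP, 7))
       for i in range(6)]
)

if __name__ == "__main__":
    for src, info in summarize_disconnects(SAMPLE_CAPTURE).items():
        print(src, info)
```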
I'm still not understanding how your setup allowed them to function. Assuming you are talking about them plugging a router into an active port in a room, how are their devices resolving anything other than your hotel's generic hotel login screen? That there should have immediately stopped them, as they would have had to authenticate through your portal and you would have had a log of it. Simple case of warning then dismissal.
If it's not a port for guests to access the internet from in their rooms, why the hell don't you have port locking turned on at the very least? Why would those ports be of any use whatsoever? They either should not have worked via port locking or there should have been no way they resolved an address or had a gateway to the internet. Staff will stop bringing in routers if it doesn't go anywhere.
If the hotspot is connected to your internal network then you absolutely have an issue. If it is just a hotspot, à la your mobile phone, then there is no security risk as there is no connection to your network.
If that vector exists though for the hotspot to be connected to your network you by default have to treat the network as compromised and hostile. So if you are in an office, or a hotel or any other large physical scale environment you have to treat the wider network as if it is compromised already because you are physically incapable of securing it. And it should be as separate from your server network as possible. It is why we have VLANs.
If you have someone with access to your server rooms they should be a trusted individual. If that individual is setting up an unsecured hotspot with access to your network without prior approval they should be immediately removed.
The government doesn't want anything to stand in the way of people taking the internet for granted or reducing their usage due to expense. Otherwise the surveillance network doesn't work as well. Also, jammers have a tendency to interfere with their IMSI catchers. Can't have that now, can we?
If I jammed the hotel's WiFi it'd be a criminal (more likely 'terrorist') attack. Should I be surprised there isn't a criminal investigation into hotels doing this to their own customers?
$600,000 is cheap considering they made millions blocking private Wi-Fi from one of their main hotels, which was a magnet for business. Oh, and the word "presumably" should not have been used. They blocked it to make money, plain and simple. They can't use any type of excuse: 1. They blocked it. 2. They got caught. Next and last... 3. They asked the FCC for permission to block. Maybe they thought the FCC would feel sorry for them, who knows. I don't feel sorry for them, and their fine would have been no less than 6 figures if I was the FCC. What's with all of these fines these days? A business can walk away barely being tapped on the wrist, and their wallet is never really screaming for mercy. Bunch of babies. That is what is wrong, and why Corps feel like they can get away with anything.
Comcast's Wifi hotspot interferes with my wireless access point. Can I get some help here?
For weight and space reasons I travel with only my wifi-only tablet. Generally that works well for me.
Every now and then I encounter a hotel with only wired access provided in rooms. (Often they have wifi in public areas.) Is there an answer to using the wifi-only device in such a circumstance. For sake of argument, let's assume I am an international traveller whose cellphone never works in the countries I visit. (True) That means the hotspot method mentioned will not work.
well, stop using my channels. I'm using channels 1-16 to stream 4k video from my computer to the TV next to it.
Sleep your way to a whiter smile...date a dentist!
1. Your stupid policy of no wifi created the behaviour.
2. Authenticate physical connections to your corporate LAN. This function has been built into most non-welfare switches for at least 15 years.
Would it not be wiser in the long run to implement 802.1X with MAC authentication?
> The problem is that people can, and do, connect the same device simultaneously to the hotspot or the modem and to the internal network.
You should be screaming at your network security team for allowing an untrusted device to connect to your internal network. My god, I bet you even allow devices with no antivirus running.
My Fortune 500 company only allows devices to connect to the internal network if they are running (commercial) software which detects when a network interface is enabled and immediately disables whichever other network interface had been in use. On *our* network, people CANNOT connect the same device simultaneously to our trusted network and an untrusted network. Without launching denial of service attacks on our customers or vendors who visit us.
Sounds like you need to set up a wifi network for your employees.
What the Hotels actually are losing are orders for movies. They set pricing on their wifi to replace the overpriced movie orders they no longer get from in-room orders. Once again, porn industry drives internet pricing.
Gently reply
So finally, the government does something for the consumer rather than the biggest corporate monopoly, and there's all this butthurt? You people are slaughtering that gift horse and serving up chevalineburgers to the hungry multitudes.
except 12-13 are not allowed in the USA; 14 is only allowed in Japan and 15-16 are not valid WiFi frequencies.
Obviously didn't write Tom Wheeler a big enough check.
Or, for even less complexity, limit the number of MAC addresses per port to 1. No need for central MAC database that way.
Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
I mean, if the WiFi was "good", free, and there were multiple APs with plenty of antennas and bandwidth... would you use it? Especially at a convention?
Even if it's encrypted, people are just going to sniff out your traffic, because they know the key too. The benefit cellular hotspots confer is that only YOU know the WPA2 key.
Wondering where the hell the FCC thinks it gets the authority to regulate what a hotel or restaurant does.
My only question is what if the hotel is giving free wi-fi to guests, and then those guests are re-offering that bandwidth freely for people who didn't pay? That doesn't seem fair either, sort of like a fast food restaurant offering free refills, and then some asshole continuously refilling his large beverage to pour into other people's cups so they don't buy drinks at all.
I don't know if there's a tech that could tell when packets are coming from X machine, or coming from sources 'beyond' that machine, but to me it would be legit if a hotel *could* prevent such usage. Otherwise you have a freeloader issue.
-Styopa
Does that product run on Linux and BSD?
Cheap storage VM.
Yeah, there are a dozen ways to securely implement this policy, even if it is stupid. I don't see home wifi being a problem for any well run network. There are probably dozen ways to detect and remove them, and just as many ways to mitigate them so they aren't a problem in the first place.
Any company that can't work around this limitation is just reaping what it sows when it hires bottom of the barrel admins and techs. This is simple to mitigate for almost no cost if you have a competent admin.
It's a money grab.
Oh, but the hotels argue: it costs money to build and operate a WiFi network!
I would point out that those hotels do not charge an extra fee for other things that have a substantial cost to build and substantial operating cost:
Why aren't the hotels charging fees for those other things that have a substantial cost to build and operate?
Wake up dinosaurs, it's the 21st century.
I'll see your senator, and I'll raise you two judges.
OMG! You're right! The sky would fall.
Also imagine what would happen if someone were also giving away their free electricity! Or water from the expensive to construct indoor plumbing!
And about that jerk who refills other people's cups with a beverage! Horrors! I'm sure that next to nothing cost colored sugar water is going to break the hotel -- because the hotel charges an artificially high price for it!
Does it really matter? Some people will always be pricks. But not most people.
MACs are layer 2; a wifi router will only show you the MAC of the WAN interface unless it is in bridging mode. And even if you define the MAC of the normal equipment connected there, many commercial wifi routers have an option to clone the MAC, so people configure right in the web interface the MAC of the current equipment, and you won't even know there is new equipment there. We have already found some wifi routers configured like that on our corporate network, and when I worked for an ISP customers did that routinely too.
The problem was the employees wanting to put their personal devices on the corporate network to surf the web. The corporate wireless network is there strictly for corporate issued machines (laptops and the occasional blackberry), not for Joe Blow's laptop, iPhone, or Galaxy. Employees were unwilling to accept that there's no good reason for their personal crap being attached to the network.
I didn't design the network, I was part of a team brought in specifically to secure it where prior to us there wasn't much of a security presence. The network was like the wild west. Before I left I did manage to deploy wireless security at one site with an eye on rolling it out everywhere with corporate being next.
I was going to suggest using a smartphone with an unlimited data plan as a hotspot, but smartphones may not be able to handle more than one or two wifi devices. I assume that the mobile wifi hotspots are able to handle more devices.
You're correct, but my point is that many people don't deploy 802.1x because it seems so complex and expensive.
port-security to 1 mac gives most of the benefits of 802.1x for no cost and very easy deployment.
> If they connect anything that lives inside your network, at any time, or that even has a VPN connection your internal networks at any time, you have a security problem.
If they can physically do that, then you have a problem. I hear even Windows comes with IPSEC, maybe you could do something about that.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If your employees are using "your" network to get on the internet via WiFi, for personal crap like facebook, slashdot, personal Email, facebook etc., they should be connecting to the WiFi host located in the DMZ; connecting to a WiFi inside the private firewall is just crazy!
Apocalypse Cancelled, Sorry, No Ticket Refunds
Well, we know which asshole would be standing there pouring drinks now, don't we?
Seriously, if a business gives you unlimited (something), you wouldn't feel the teensiest bit guilty then giving it away, costing them possible business?
Pretty clearly an incentive for business to never give people like you things like free refills. Congrats - you live in Europe.
As I said, very easy to circumvent. Just cloning the MAC in commercial appliances or in your netbook is TRIVIAL. I worked as a consultant in a major ISP many moons ago, and to back up my work to take to our HQ, back when external hard drives were not that common and were BIG, and I was younger and foolish, I just booted up the PC next to mine, noted the MAC, changed the MAC with a simple ifconfig command, changed the cable to my netbook issued by my consulting company and presto. Let me reiterate, MAC security is a FALSE sense of security. Most of our corporate users who are not that computer literate to sysadmin level know how to evade MAC security too, from what we have found until now.
This entire argument is stupid. If you don't want employees using personal hotspots on your property, make an employment policy to restrict the usage of such devices. Employees found violating this policy could be disciplined as appropriate, including termination for a security violation. You don't need to use technology to disable other technology to accomplish this for legitimate business purposes.
Wait, you mean that the FCC actually came down on the side of the consumers and against a very minor special interest? Wow, just WOW! In other news, the FTC and the FCC are likely going to finally allow the acquisition of Time Warner by Comcast in the next few months. For the customers this will be a really great thing since it will allow them to be fleeced more efficiently and have their service issues better ignored. It will also allow the Cable companies to better lobby the FCC and the Congress to pass laws to finally and forever end any hopes of net neutrality. This should finally guarantee continued control of commerce, ad dollars, and media revenues etc. by only the largest incumbent and most financially flush companies. Pop those pain pills people and call your proctologist, the ass rape they are about to release on us, the average internet user, is going to be nothing short of epic!
> I don't know if there's a tech that could tell when packets are coming from X machine, or coming from sources 'beyond' that machine, but to me it would be legit if a hotel *could* prevent such usage. Otherwise you have a freeloader issue.
What one ISP I used once did, to prevent people with routers and networks from getting out, was to filter by TTL. Windows has a default TTL of 64. Any TTL below that was "beyond" a router. Of course, then everybody with an ounce of Google either had an iptables rule in their router to increase the TTL by one in mangle/POSTROUTING or, if the router was an off the shelf one, just tell each machine on the LAN to have a TTL of 65. The people not versed in Google-fu didn't have routers either, so everybody was blissfully happy.
Question for religious people: where do unrepentant masochists go when they die?
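The TTL heuristic that poster's ISP used, as an added example that is not part of the thread: it maps each observed TTL to the nearest common initial value and reports sources whose packets have been decremented by one more router than a directly attached host would show. It generalises the single-default check in the post to the usual 64/128/255 defaults (my assumption) and the sample records are constructed; the last entry shows why the post's "set the TTL one higher" workaround makes the check blind.

```python
from collections import defaultdict

# Initial TTLs that common operating systems put on outgoing packets
# (assumed; the ISP in the post keyed on a single value).
KNOWN_DEFAULTS = (64, 128, 255)


def infer_hops(ttl):
    """Map an observed TTL to (assumed initial TTL, routers that decremented it)."""
    for default in KNOWN_DEFAULTS:
        if ttl <= default:
            return default, default - ttl
    raise ValueError("TTL out of range")


def classify_sources(records, expected_hops=0):
    """records: (src_ip, observed_ttl) pairs as seen at the access-network edge.
    Returns, per source, the TTLs seen, the inferred hop counts, and whether any
    packet crossed more routers than a directly attached host would show
    (`expected_hops`, 0 when the edge device is the host's first hop)."""
    seen = defaultdict(set)
    for src, ttl in records:
        seen[src].add(ttl)
    report = {}
    for src, ttls in seen.items():
        hops = sorted({infer_hops(t)[1] for t in ttls})
        report[src] = {
            "ttls": sorted(ttls),
            "hops": hops,
            "behind_router": any(h > expected_hops for h in hops),
        }
    return report


# Constructed sample, not real traffic.
SAMPLE_RECORDS = [
    ("10.0.0.5", 128),  # 128-default host, directly attached
    ("10.0.0.6", 127),  # same default, one router in between: NAT'd
    ("10.0.0.7", 64),   # 64-default host, directly attached
    ("10.0.0.8", 63),   # one router in between: NAT'd
    ("10.0.0.9", 64),   # NAT'd, but the host set its TTL to 65 as in the post:
                        # arrives at 64 and is indistinguishable from 10.0.0.7
    ("10.0.0.9", 128),  # second device behind the same router, also adjusted
]

if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_RECORDS).items():
        print(src, info)
```

The check therefore only catches the unmodified consumer router, and a host using an unusual initial TTL can also be misclassified, so treat it as a hint rather than proof.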
I would feel guilty about giving it away and taking advantage of their generous 'unlimited' offer. My point is that there are people who would abuse it. There always have been. Always will be. But that is not a reason to gouge WiFi prices or prevent customers providing their own WiFi devices.
True. As much as people like knocking PHB's and management in general, there are some problems where a technological solution isn't appropriate and a management solution is.
(shrug) it's a matter of definition.
Here in the US, free wifi is pretty much as common as free refills. If you're GIVING away wifi - even to non guests - it seems stupid to argue over it.
OTOH, in Europe, it seems that every bloody hotel and airport feels that you should pay $10 / day or somesuch for the ability to get on the internet. To me, that's gouging. Rather than cheat the hotel, I simply don't use them, and share as broadly as possible that X hotel charges for internet.
> As I said, very easy to circumvent
If your point is to stop employees from plugging in an access point they bought at Best Buy, this is quite effective.
If your point is actual security against a criminal, 802.1x with certificates is the only way to go.
Point is, at least stopping 1/2 of the problems is better than stopping none of them. Right or wrong, 802.1x security is seen as too complicated for most IT departments.
What I have been saying all along is that I work in a Uni, and I have students (not IT students) and teachers bringing their home-grade wifi routers and cloning the MAC of their equipment with a function of said web interface of the equipment. This is the last time I say it. It is not quite effective; MAC-based security has not worked very well since 1995, and nowadays even consumer-grade equipment has functionality built in to circumvent it.
If it doesn't then there is your entry point into the market.
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs".