FCC Prohibits Blocking of Personal Wi-Fi Hotspots
alphadogg writes: The FCC on Tuesday warned that it will no longer tolerate hotels, convention centers or others intentionally interfering with personal Wi-Fi hotspots. This issue grabbed headlines last fall when Marriott International was fined $600,000 for blocking customer Wi-Fi hotspots, presumably to encourage the guests to pay for pricey Internet access from the hotel.
Just like modems on laptops or in the server room are not a security risk?
The problem is that people can, and do, connect the same device simultaneously to the hotspot or the modem and to the internal network. And then they port forward. I've certainly caught people doing this, especially among non-technical staff who try out "this cool thing they read about". I'm afraid it's often even worse among software architects who use passphrase-free SSL or SSH keys "to save time", who lock their passwords to never expire, and who are very careful never to explain what they're doing to anyone else.
I've encountered far too many cases of such setups used for business critical services, unknown to anyone else, that collapse during network cleanup efforts or when the employee finally moves on.
> If the employees are turning on their personal hotspots and using that, you don't have a security problem.
If they connect anything that lives inside your network, at any time, or that even has a VPN connection to your internal networks at any time, you have a security problem. It may be one you choose to accept as a matter of policy, but the risk is very real. Worse. Most admins simply do not have the tools or buy-in to review and monitor systems for gateways, remote console access, or network tunnels that may expose your internal network through precisely such a hotspot or modem access.
I agree that by current regulation you may not run a hotspot jammer. The FCC regulations are quite clear about this, partly because they block other cellular communications and services such as telephones and GPS. But I'm afraid I disagree vehemently with you that their use does not constitute "a security problem".
What I find most baffling about the whole affair is how something that one would ordinarily think of as a fairly overtly malicious exploit, spoofing the appropriate management frames to break a network you don't have authenticated access to the configuration interface for, became a 'respectable' tool for 'management', even included out of the box in fancy commercial products from vendors with risk averse legal teams and so on.
This seems like the place where somebody who has been dealing with enterprise wireless gear long enough to have observed the change might be found. Did this 'feature' cross over from what was initially a proof of concept by a security researcher? Was it recognized as a possibility before the standards had even been hammered out and was available from day one? Do we know what vendor adopted it first? Were there any who specifically didn't offer it for legal, rather than technical, reasons?
At this point, it is certainly the case that at least some wireless management consoles adopt a very...possessive...tone, detecting 'rogue' APs, despite those APs being no more or less legitimate than any others, in terms of spectrum use, and offering 'containment' or various similarly clinical euphemisms for dealing with them. How, historically, did it come to be that this nasty DoS trick went all legitimate, even as generalized hacker hysteria can get you a stiff dose of CFAA charges for almost anything that involves a CLI and confuses the DA?
I'd love to have my hands on all the versions of various vendors' wireless management and administration packages, to see how this feature evolved over time. I can certainly see its appeal; but I find it hard to believe that nobody had serious doubts about its legality from time to time.
If I jammed the hotel's WiFi it'd be a criminal (more likely 'terrorist') attack. Should I be surprised there isn't a criminal investigation into hotels doing this to their own customers?