Security breach by sharing wifi through smartphone hotspot

  • Question
  • Updated 3 months ago
Dear All, 

We use RADIUS authentication for all our Wifi SSIDs (machine auth/user auth). But I've realized that if somebody enables mobile hotspot tethering on their smartphone while keeping its wifi connected, they will start sharing the corporate wifi, and all the people who connect to the hotspot SSID (e.g. AndroidAPxxx) only have to submit that simple mobile hotspot password; through this they can bypass all the authentication settings. How can we avoid this?

Thanks, 

Joy, 

joy


Posted 3 months ago


Fabien Gaille

Hi Joy,

Can your users connect to the corporate WiFi with their own mobile phone? That's not good at all, in my opinion. We have the same situation, but at worst they will share the BYOD network... so Internet only.

May I ask how you configured your double authentication (machine/user), please?

Cheers,
Fabien

joy

Hi Fabien, 

We use machine auth for laptops only, and user auth for smartphones. Some users can get more access through the RADIUS attributes returned to Aerohive, and there's MAC authentication as well. But if somebody connects with a privileged user account and turns on a hotspot to share wifi, everybody connecting through that hotspot can bypass the user + MAC auth. That's the issue.

Thanks,

Ibrahim   

Nick Lowe, Official Rep

Hi Joy,

Where this is a concern, you would need to lock down and pick appropriate clients so that they are fully managed and cannot easily be tampered with. This involves aspects such as restricted end-user permissions, full disk encryption, and use of a TPM.

This is not something that an AP can conceptually enforce and control.

You need to be able to control the integrity of your clients.

Cheers,

Nick

Crowdie, Champ

When you are looking at who and what is accessing your domain, you are interested in the risk to your network. A staff member (low risk) on a domain laptop (low risk) represents a low risk to your network. A staff member (low risk) on a smartphone (high risk) represents a higher risk and so should not have the same access. Generally I create a BYOD VLAN/subnet to handle BYOD devices so I can apply stricter security settings.

I suspect your issue is that you are using PEAP-MSCHAPv2 authentication, so you can't use 802.1X to handle the different risk levels. With EAP-TLS you can, but that requires implementing a PKI infrastructure (certificate management), and this is an issue for smaller companies. PEAP-MSCHAPv2 is commonly a major security risk with smartphones and tablets, as you can't use Group Policy to apply security settings to the smartphones and tablets. This makes the MSCHAP hash of the user's Active Directory credentials vulnerable to man-in-the-middle attacks. Many people argue that WPA2 passphrase authentication (Private PSK is even better) is a better option than PEAP-MSCHAPv2 for smartphones and tablets, as if it is compromised the user's Active Directory credentials are not compromised.

Put the two issues together and you may consider having a Private PSK authenticated SSID with a BYOD VLAN/subnet which allows Internet-only access. Which domain resources are the staff accessing with their smartphones anyway? If the SSID is compromised you just give away some free Internet that people can get from McDonald's anyway.

joy

Hi All, 

Thanks very much for your suggestions/ideas. Especially separating the network with an Internet-only BYOD VLAN is indispensable. 99% of our users can only get access to the Internet VLAN, and only privileged users, mostly IT staff, have full access. The main reason that we use user authentication is to have less work managing PPSK credentials. There's much more work to do and you have to keep an eye on it: when a user is disabled in AD, he won't get access anymore, while with PPSK you have to remove it manually.

My conclusion is that in this case the authentication type doesn't really matter. If the end-user device is able to share wifi (by enabling a hosted network), whether a smartphone or a laptop, this will allow users to share the corporate wifi. This is not only the case for smartphones, but also corporate laptops. You can use whatever authentication type; if they are able to enable a hosted network on their laptop, they will be able to share their connection. So the solution could indeed be a GP to deny this on laptops, and to allow only Internet access to smartphones.

Thanks,

Greetz
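The "GP to deny this on laptops" conclusion above, turned into a script a practitioner can run on managed Windows clients. This is an added example, not code from the thread or from Aerohive; it assumes Windows 10/11 with netsh available and an elevated session for the -Remediate path, and it reads the registry value that the Group Policy "Prohibit use of Internet Connection Sharing on your DNS domain network" sets.

```powershell
# Added example: audit (and optionally block) connection sharing on a domain-joined
# Windows laptop. Assumes netsh is present and that -Remediate runs elevated.
[CmdletBinding()]
param([switch]$Remediate)

# Registry value delivered by the GPO "Prohibit use of Internet Connection Sharing on
# your DNS domain network" (Computer Config > Admin Templates > Network > Network Connections).
$IcsPolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
$IcsPolicyName = 'NC_ShowSharedAccessUI'

function Get-HostedNetworkState {
    # Parse "netsh wlan show hostednetwork": the Mode line reads "Allowed" or
    # "Not allowed", and the Status line reads "Started" only while a soft AP is up.
    $out = netsh wlan show hostednetwork 2>&1 | Out-String
    [pscustomobject]@{
        Allowed = ($out -match 'Mode\s*:\s*Allowed')
        Started = ($out -match 'Status\s*:\s*Started')
    }
}

function Get-IcsPolicyState {
    # Returns $true when sharing is prohibited by policy (value present and 0).
    $v = Get-ItemProperty -Path $IcsPolicyKey -Name $IcsPolicyName -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.$IcsPolicyName -eq 0)
}

$hn  = Get-HostedNetworkState
$ics = Get-IcsPolicyState
Write-Host ("Hosted network allowed: {0}  started: {1}  ICS prohibited by policy: {2}" -f `
    $hn.Allowed, $hn.Started, $ics)

if ($Remediate) {
    # Tear down any running soft AP, then disallow hosted networks at the driver level.
    if ($hn.Started) { netsh wlan stop hostednetwork | Out-Null }
    netsh wlan set hostednetwork mode=disallow | Out-Null
    # Apply the ICS prohibition locally; in production a GPO would deliver this value.
    if (-not (Test-Path $IcsPolicyKey)) { New-Item -Path $IcsPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $IcsPolicyKey -Name $IcsPolicyName -Value 0 -Type DWord
    Write-Host 'Hosted network disallowed and ICS prohibited; re-run without -Remediate to verify.'
}
```

The audit output (hosted network started, policy not enforced) is what an endpoint-compliance check would flag; the Settings-app "Mobile hotspot" feature relies on ICS as well, so the same policy value covers it.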