Chief Strategist Teresa Cottam looks at why WiFi security concerns are good for the CSP WiFi business.
Opportunity Makes The Thief, Paul-Charles Chocarne-Moreau, 1896
One frequently cited use case for WiFi monetisation is security, or rather security-as-a-service. Yet the problem with this use case is failure to translate the concept into cash. Many WiFi users, both consumers and business users, may have concerns about WiFi security, but most aren't translating their worries into bankable actions.
That might be set to change, as WiFi security slowly rises up the customer agenda. In Europe, Internet behemoth Google was one of the first to create public anxiety around private WiFi when it was found to have illegally sniffed unsecured hotspots while collecting data for its Street View Project. It confessed in 2010 - after German authorities questioned what it was doing - to collecting WiFi data such as passwords and emails from unsecured WiFi hotspots in about a dozen countries over a three-year period. In November 2010, it was ordered by the UK's Information Commissioner to destroy all the data it had collected. This story was widely covered in the UK press and raised general concerns around WiFi security, which were heightened further when it was discovered that Google had not complied with the Information Commissioner's demands and still retained illegally-collected data in February 2012.
But just how big is the problem? How many private routers are unsecured? Well, Wigle.net (Wireless Geographic Logging Engine) made a serious effort to log unsecured WiFi networks in 2010, and of 26.8 million Wi-Fi networks logged by its volunteers, around 49% were using encryption, nearly 28% were not using encryption and for the remaining 23% the security level was unknown. A more recent study in Central London (August 2013) found that 36% (322) of the WiFi hotspots identified were not secured. It wasn't clear how many of these were private and how many were public hotspots, but the worrying factor was that, according to Experian, who conducted the study, 50% of respondents “do not understand whether a WiFi network is secure or open”.
This brings us to another problem - the success of free public WiFi in itself is a risk that many customers aren't yet fully aware of. While those of us in the industry may know that using unsecured WiFi is a bit like using Twitter or any other public site, as it takes relatively few skills and a bit of freeware to eavesdrop on all those connected to an unsecure hotspot, most other customers are not fully aware of the risks involved.
This is backed up by the Experian study which found that 96% of UK mobile users are unsure or do not know how to select the most secure settings on their mobile devices for WiFi.
While drive-by WiFi hacking is a big enough risk, the risk profile is set to increase even more. In February 2014, researchers at Liverpool University (UK) demonstrated how a WiFi network could be infected by a native WiFi virus that spreads as efficiently as the common cold. The group used a virus called Chameleon to simulate an attack which showed how easily a virus could be spread between homes and businesses using WiFi access points. Chameleon was able to avoid detection and pinpoint the most vulnerable WiFi access points partly because anti-virus systems are trained for viruses that are present on the internet or computers, rather than those designed specifically for WiFi or mobiles.
Interestingly, the denser the number of access points, the faster the virus propagated. Alan Marshall, Professor of Network Security at the University of Liverpool, commented: “When Chameleon attacked an AP [access point] it didn’t affect how it worked, but it was able to collect and report the credentials of all other WiFi users who connected to it. The virus then sought out other WiFi APs that it could connect to and infect.”
While Chameleon is only an academic exercise rather than a global threat, it demonstrates some interesting points. Firstly, it shows our vulnerability to threats targeted at a network that has quickly become ubiquitous in many markets. Secondly, it shows that user behaviour is not trained to be sufficiently security-conscious around WiFi, and assumes that products designed to protect them over the Internet will be sufficient when they are out and about using public WiFi.
In fact, the level of risk is now so significant that the EU law enforcement agency Europol issued a warning to the public in March 2014, informing them that sending sensitive information over WiFi was not a smart idea. According to Troels Oerting, the head of the cybercrime center at Europol: “We have seen an increase in the misuse of Wi-Fi, in order to steal information, identity or passwords and money from the users who use public or insecure Wi-Fi connections.”
What this presents, though, is an enormous opportunity for CSPs to roll out premium WiFi products that have added security. And, as awareness of vulnerability rises, small and medium-sized enterprise (SME) users, in particular, are key targets for this type of secure WiFi service.
WiFi security will obviously need to be layered, as no single solution is likely to fix every problem. Security strategies will include better anti-virus protection that is extended to new classes of virus directed at mobiles and WiFi, more provision and wider understanding of hotspot security, as well as personal security strategies. Among the latter is the use of personal VPNs, provided by a range of companies including the UK's Millenoki, which, on top of its core data compression and reporting capabilities, includes an any-network (including WiFi) VPN connection for business customers using its paid-for service.
All of these options offer the opportunity for carriers to aggregate security services into a solution, provided for a small fee to their customers. Importantly, security solutions will need to be comprised of multiple components, and not just available over one network, but over any network or access point the user connects to - including public WiFi.
Carriers can't afford to ignore this issue, because not only is it potentially revenue-generating for them, but left to its natural conclusion lack of security could undermine the entire WiFi business. After all, it will only take a small number of serious security breaches for customers to be wary of using WiFi, and fall back onto mobile data - presenting a body blow to a nascent opportunity with much commercial potential.