Glynn Taylor of Washington, D.C.-based WiFiConsulting first conceived the idea for HotspotVPN, his firm’s pioneering public virtual private network (VPN) service, at a conference in 2002. Taylor came across a couple of cowboys using sniffer software on a laptop to intercept traffic passing over the conference WLAN. In one private IM session the two were capturing, a man and woman were ending their relationship, messily.
“It was hilarious the names [the couple] were calling each other,” Taylor recalls. “These guys laughed their heads off about it.”
Taylor himself was using a corporate VPN link back to his company’s servers, so he didn’t have to worry about data being intercepted. It occurred to him, though, that a lot of people – Wi-Fi hotspot users in particular – don’t have VPNs, and could be sending usernames, passwords or sensitive company information in the clear. Or embarrassing private conversations.
HotspotVPN, which WiFi Consulting beta tested in 2002 and launched in 2003, was his solution. Client software on the user’s computer establishes a VPN connection over the public network with remote HotspotVPN servers, and then encrypts all data passing over the link. The HotspotVPN servers decrypt the data streams and pass them on to their final destination.
The fact that the data continues to its destination unencrypted is not important because the risk of interception on Internet backbone networks is slim, Taylor says. Corporate VPNs encrypt data end to end, but their main purpose is to protect office systems during remote access rather than securing data as it travels over the public Internet.
The latest generation of the HotspotVPN service uses up to 256-bit AES (Advanced Encryption Standard) encryption and costs $8.88 to $13.88 a month. Taylor claims his firm’s service was the first and until recently the only one of its kind on the market. “Last year, we were wondering, ‘Why isn’t anybody else doing this?’ Then poof – three that I know of popped up,” he says.
One of the newcomers is PublicVPN.com. Its VPN service costs $5.95 a month or $59.95 a year. Others include personalVPN from WiTopia.net and SpotLock by JiWire.
All are aimed primarily at frequent users of hotspots who do not already have a VPN connection to their corporate LAN. PublicVPN CEO Manny Veloso says his prime target is small business owners and contractors who travel, those that especially need to guard against price lists and contract proposals ending up in the hands of competitors.
The first clients for the HotspotVPN service were “tech-savvy early adopters,” Taylor says, but then professionals such as doctors and nurses, concerned about privacy of patient information, started using it. Now the market has widened to include just about anyone who uses public networks, he says.
The market appears to be waking up to the need for such services. While Taylor won’t reveal how many subscribers HotspotVPN has, he does say that the number has grown on average by 30 percent per month for the last 10 months. PublicVPN, without any active marketing, has attracted between 50 and 100 subscribers in less than two months, says Veloso. “We’ve been surprised at how many people have found us,” he says.
Part of the growth in demand is the result of growing use of Wi-Fi hotspots, Veloso suggests. “When we were first doing research on hotspots, it was unclear whether anybody was using them,” he says. “But looking around now, Wi-Fi hotspot usage is huge. If you go around to coffee shops [with hotspots] you may see only six people using them, but if you multiply that by all the hotspots out there, it’s actually a big market.”
According to an October 2004 report from In-Stat, the hotspot user base should continue to grow steadily. The report also predicts that worldwide hotspots will grow from 43,850 locations in 2003 to over 200,000 in 2008. It is somewhat more difficult to determine just how serious the security risk is from using hotspots unprotected. Certainly, tools for intercepting and capturing data passing over WLANs are easily downloaded from the Web. In at least one case of identity theft currently being prosecuted in the U.S., the alleged perpetrators apparently captured some of the personal information they used at hotspots, Taylor says.
Gartner analysts this week included the statement “wireless hotspots are unsafe” among their top five most over-hyped security threats — but they went on to say it is only over-hyped because the solutions like 802.1X authentication, client-based software for validation, and of course corporate VPNs are readily available.
However, Veloso and Taylor both concede that it’s difficult to quantify the risks. Nobody, so far as they know, has randomly visited hotspots and done tests to detect the presence of users actively sniffing packets. Their assumption, though, is that given the availability of the sniffing tools and the vulnerability of data sent at hotspots, the risk can only increase.
“It’s still a little like I’ve written a virus protection program before the first virus is let out into the wild,” Taylor admits. “There aren’t any quantitative answers [about the level of risk].”
On the other hand, given the relatively low cost of the public VPN services, Veloso and Taylor argue that it’s not worth taking a chance. Not having a lock on your door doesn’t necessarily mean that somebody will burgle your home, Veloso points out, but everybody puts locks on their doors. The same principle applies here, he suggests.
“I’d really rather not have someone know my e-mail address and password,” Veloso says. “I used to be in sales and traveled a lot. If I was sitting in an American [Airlines] lounge, using a T-Mobile hotspot, my competitors could also be sitting there next to me. And it really wouldn’t be that hard for them to [intercept company information].”
Taylor says if he was going to a trade conference today, knowing how poorly protected most Wi-Fi computers are, he would likely take along an extra computer and dedicate it to sniffing LAN traffic in the off-chance of picking up “competitive intelligence.”
Wi-Fi hotspots pose the biggest risk. For users of wireline public access services, “the business case isn’t quite as compelling,” Veloso says. Taylor, however, says the tools are available to sniff packets on public wireline networks and, especially at big conferences, the risks are still significant.
Public VPN services can solve a couple of other problems, even for wireline users. In some countries – China and United Arab Emirates, for example – Internet users may find some sites blocked, including Google. Using a public VPN service can hide a user’s true destination from interfering ISPs – until the ISP figures out that such services exist and shuts down access to their server sites.
HotspotVPN has one client, a VoIP provider, that routes all its voice traffic over the VPN. Taylor explains that some broadband ISPs that offer their own VoIP services may interrupt the flow of packets destined for another provider’s servers as a way of degrading the competitor’s service. This is illegal under current FCC regulations, he notes, but his client knows it was being done.
There are alternatives to public VPN services – at least for the majority of users who are just looking for data security. One is application-level encryption. While it’s possible to encrypt outgoing e-mail from Outlook, for example, it’s not easy to set up, and not many people use encryption features in such programs. As Taylor notes, “If it takes more than 45 seconds or two pages of reading to figure out how to do something, most users aren’t going to do it.”
Another alternative is to use a hotspot aggregator service such as iPass, which provides encryption. However, those services are expensive, Veloso points out. There are also Wi-Fi router products, such as Buffalo Technology’s model WZR-RS-G54, that let small and even home-based business users set up VPN links back to their office systems – but they’re more expensive than most routers and tricky to set up.
If all you ever do at public hotspots is surf the Web, you probably don’t need the protection, but if you use any application such as e-mail or IM, or online banking or shopping, that requires sending passwords and you’re doing it in public, it would be foolish not to be protected.