T-Mobile, 802.1X, and connection hijacking

by Matthew Gast

Related link: http://wifinetnews.com/archives/004183.html

Earlier this month, T-Mobile announced that they have made 802.1X available nationwide. (I haven't used it yet because I haven't found instructions on how to configure my supplicant, and I don't want to load their connection manager software yet.) In the interview with Glenn Fleishman, Joe Sims of T-Mobile says that one of the limitations of 802.11 adoption has been security. By implication, T-Mobile has deployed 802.1X to enhance security for their subscribers.

There are additional benefits for T-Mobile. The first-generation wireless "security" devices were captive Web portals. Although the user's authentication credentials can be encrypted over the Web session, there is nothing that prevents hijacking an open connection. How can a Web-based authentication device, which operates on IP packets and TCP segments, tell whether a given frame is from a subscriber or a marginally sophisticated attacker who has started using the same IP address as a subscriber? (There are a variety of tricks that can be done to defeat this attack, but bear with me.)

Part of the purpose of 802.1X authentication is to derive shared cryptographic keys between the client and the network. One of the goals of 802.11i, and hence WPA, is to provide source authentication. Rather than accepting a source address on faith, it is "signed" by the sender, using a shared cryptographic key. Only the authorized station has possession of the key and can come up with the correct signature. In this environment, session hijacking is much more difficult. (Technically, the operation is a cryptographic checksum, not a cryptographic signature, but the principle holds. WPA2 uses a slightly different cryptographic operation that accomplishes the same result.)
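The difference between accepting a source address on faith and checking a keyed checksum can be seen in a short sketch. This is an added example, not code from the original post or from T-Mobile: HMAC-SHA-256 stands in for the actual WPA/WPA2 integrity algorithms, and the addresses, key handling and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

TAG_LEN = 8  # truncated checksum length, chosen for this sketch


def checksum(key: bytes, src: bytes, dst: bytes, payload: bytes) -> bytes:
    # Keyed checksum over both addresses and the payload (HMAC-SHA-256 stand-in).
    return hmac.new(key, src + dst + payload, hashlib.sha256).digest()[:TAG_LEN]


def protect(key: bytes, src: bytes, dst: bytes, payload: bytes) -> bytes:
    # Sender side: append the checksum so the receiver can verify the source.
    return payload + checksum(key, src, dst, payload)


def portal_accepts(authorized: set, src: bytes) -> bool:
    # Captive-portal style filter: the source address is accepted on faith.
    return src in authorized


def keyed_accepts(session_keys: dict, src: bytes, dst: bytes, body: bytes) -> bool:
    # Accept only if the checksum verifies under the key bound to this source.
    key = session_keys.get(src)
    if key is None or len(body) < TAG_LEN:
        return False
    payload, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    return hmac.compare_digest(tag, checksum(key, src, dst, payload))


def demo() -> dict:
    sub = bytes.fromhex("020000000001")  # constructed subscriber address
    gw = bytes.fromhex("020000000099")   # constructed gateway address
    sub_key = os.urandom(32)             # stands in for the 802.1X-derived key
    session_keys, authorized = {sub: sub_key}, {sub}
    genuine = protect(sub_key, sub, gw, b"subscriber data")
    # Same source address, but built without the subscriber's key.
    spoofed = protect(os.urandom(32), sub, gw, b"subscriber data")
    tampered = b"X" + genuine[1:]        # payload altered after protection
    return {
        "portal_spoofed": portal_accepts(authorized, sub),
        "keyed_genuine": keyed_accepts(session_keys, sub, gw, genuine),
        "keyed_spoofed": keyed_accepts(session_keys, sub, gw, spoofed),
        "keyed_tampered": keyed_accepts(session_keys, sub, gw, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The address-only filter passes any frame that carries the subscriber's address, while the keyed check passes only the frame built with the subscriber's key and rejects both the spoofed and the altered one.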

Limiting network access to subscribers helps protect T-Mobile's revenue, so they have a strong incentive to roll out security features that prevent connection hijacking. Happily, in this case, the new security system results in better security for the users as well.

T-Mobile bought into the hot spot game to offload some of the traffic from the expensive telecommunications network. By pushing voice traffic to the hot spot, they may not need to upgrade or expand the existing expensive cellular network. Most handsets won't have Web browsers to authenticate to the network, and in any case, keeping the same telephone user experience requires an alternative form of authentication. (EAP-SIM, anybody?)