Look Past Marriott To The Bigger Wi-Fi Issue

I fear that many of my professional WLAN colleagues and industry watchers are wearing blinders when it comes to the Marriott issue. Of course I’m talking about the FCC finding fault with the hotel chain for employing wireless containment measures against customers who would rather use their own Mi-Fi devices than pay for the hotel’s wireless network service, and Marriott’s subsequent request for the FCC’s blessing to continue the activity (which is being studied now). On the surface, it’s hard to be sympathetic to any hotel that charges for Wi-Fi, but this is far from a simple issue, and I’m here to tell you that the time is right for regulatory, technical, and behavioral change. Read on; I have little doubt that this will ruffle at least a few feathers.

The point of this article goes beyond the Marriott buzz, but let’s look at that just a little closer first.

“No hotel should be CHARGING for Wi-Fi anymore! It’s such a ubiquitous expectation, Wi-Fi should be as free as elevator service!” Oh really? According to whom? People that do wireless and travel a lot? Why is it OK for airlines to charge for Wi-Fi, but not hotels? When I stay at Mandalay Bay in Las Vegas, I am PISSED that they charge $4 for a cup of instant coffee and $7 for a package of a few busted up cookies the size of rabbit turds in my room. But they get away with it, and I’m welcome to stay elsewhere if it bothers me that much. The same can be said of the hotel situation: some give Wi-Fi away, and others charge. And yes, often the for-fee WLAN service really sucks. But no one says you MUST stay in these places. There are two sentiments I want you to take away here: first, every business has the right to charge whatever it wants for any service, and we can take our business elsewhere if we don’t like it. Secondly, I actually agree that it’s bad business for hotels to charge for Wi-Fi, and agree that people just “expect it” by now when it comes to Wi-Fi everywhere. That notion of “just expecting” a service becomes even more important here in a bit, so please keep it handy.

Why did Marriott do what they did? Why do other businesses do the same thing?

In the case of Marriott, it seems like they were working different angles: they blocked customer Wi-Fi to herd people over to their expensive in-house service. They did it for the clients’ own good, because it’s pretty easy for anyone to pop up a Pineapple and trick users into falling for bad Wi-Fi juju. But Marriott also blocked clients’ Mi-Fi devices because their WLAN vendor built the capability into the WLAN management tool, and the WLAN industry has created a state of mind where using these tools for exactly what Marriott did is acceptable. Except it turns out that it’s not acceptable. Go figure.

“Wi-Fi works in unlicensed spectrum. Everyone can interfere and use their own stuff anywhere they like and your Wi-Fi can just deal with that because the FCC regs say so and if you don’t like that then it’s just tough tittie for you.”

Uh, okay. Sure, Wi-Fi works in unlicensed spectrum. That’s what makes it so inexpensive to buy and deploy, which is great. It’s also what makes issues like Marriott so contentious. And here’s where I implore you to stop focusing on Marriott and look at the bigger WLAN picture. Hospitals are the easy one, because nothing makes a point like a loved one dying. Under current FCC regs and the “Marriott Mentality”, I can bring my Mi-Fi into the hospital and pop it to life regardless of the impact on wireless medical equipment. So can any other visitor with a Mi-Fi; they’re all covered by the same FCC regs. Forget “hospital policy”: Marriott got boned for enforcing their own policy, and we’re all covered by the same FCC regs.

More environments are ditching legacy phones and going to the likes of Microsoft Lync with heavy emphasis on WLAN use. In my own environment, I have Wi-Fi door locks, lab monitoring equipment, cameras, event and retail barcode scanners, and a number of other critical or quasi-critical utility devices running on a multi-million dollar WLAN. Those of us USING wireless every day for both huge client access numbers and an increasingly IoT-feeling complement of utilities have to look at Marriott and scratch our heads. Are we really that powerless to protect our WLAN investments? I get that others not in the same demographic can easily and smugly say “well, then you shouldn’t be using wireless for all this stuff.” To them I say… yeah, and you should pull your heads out of wherever they might be inserted and get with the times. The same FCC that is studying the Marriott thing has had a hand in the explosive growth in business WLAN, where many of us EXPECT (remember, I asked you to keep that thought handy) to be able to preserve the performance of our own carefully designed Wi-Fi environments within our own borders.

Why invest in training, surveys, good design, and the best components if at any given time, in any of our cells, anyone can locally DoS our networks with “legal” hardware?

If you haven’t noticed, we’re collectively at a stupid, unsustainable place.

I’ve gotten that call from the stadium in the middle of the game when several Mi-Fi devices were laying waste to the robust Wi-Fi we have for the press. I’ve seen my own network interfere with Mi-Fi devices used by the Red Cross during blood drives to the point where they needed to use another technology. It happens, especially in dense WLAN environments, and the Mi-Fi makers own a lot of the problem. These devices are heavily marketed by Verizon and AT&T, and they fire up out of the box on idiotic channels. People who use Mi-Fi fall in love with the devices, and Mi-Fi becomes their de facto way of connecting their laptops, tablets, smartphones, etc. For many, it matters not whether there is decent, free wireless designed to meet their needs in a given location; their Mi-Fi is easy, comfortable, and something they own. And there is no technical etiquette training provided with their purchase.
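To make the “idiotic channels” point concrete, here is an added example (not code from the original post) that works out why a Mi-Fi beaconing on channel 2, 4 or 9 hurts a network tuned to the 1/6/11 plan. The channel grid (2412 MHz for channel 1, 5 MHz spacing, channel 14 at 2484 MHz) and the nominal widths (22 MHz for 802.11b DSSS, 20 MHz for OFDM/HT20) are the standard 802.11 values; the sample scan at the bottom is constructed for illustration, and the SSIDs in it are made up.

```python
"""2.4 GHz channel-overlap check (added example, not from the original post)."""

# Channels that a tuned 2.4 GHz design normally uses; 25 MHz apart, so they
# do not overlap at either 20 MHz or 22 MHz channel width.
NON_OVERLAPPING = (1, 6, 11)


def center_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel in MHz (standard 802.11 grid)."""
    if channel == 14:
        return 2484  # Japan-only channel, off the 5 MHz grid
    if 1 <= channel <= 13:
        return 2407 + 5 * channel  # channel 1 -> 2412, channel 13 -> 2472
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlap_mhz(ch_a: int, ch_b: int, width_mhz: int = 20) -> int:
    """MHz of spectrum shared by two channels of equal width (0 if none).

    width_mhz=20 models OFDM/HT20 radios; width_mhz=22 models legacy 802.11b DSSS.
    """
    half = width_mhz / 2
    lo = max(center_mhz(ch_a) - half, center_mhz(ch_b) - half)
    hi = min(center_mhz(ch_a) + half, center_mhz(ch_b) + half)
    return int(max(0, hi - lo))


def collisions(channel: int, width_mhz: int = 20) -> dict:
    """Which of the 1/6/11 plan channels a given channel overlaps, and by how much."""
    hits = {}
    for plan_ch in NON_OVERLAPPING:
        shared = overlap_mhz(channel, plan_ch, width_mhz)
        if shared > 0:
            hits[plan_ch] = shared
    return hits


def off_plan_report(observed: list, width_mhz: int = 20) -> list:
    """One line per observed radio that is off the 1/6/11 plan, naming what it clobbers.

    `observed` is a list of (name, channel) tuples, e.g. from a site survey.
    """
    lines = []
    for name, ch in observed:
        if ch in NON_OVERLAPPING:
            continue  # on-plan radios share a channel cleanly; contention, not overlap
        hits = collisions(ch, width_mhz)
        clobbered = ", ".join(f"ch {c} ({mhz} MHz)" for c, mhz in hits.items())
        lines.append(f"{name}: channel {ch} overlaps {clobbered}")
    return lines


# Constructed sample scan (not real data): a tuned 1/6/11 plan plus two off-plan radios.
SAMPLE_SCAN = [
    ("venue-ap-1", 1),
    ("venue-ap-2", 6),
    ("venue-ap-3", 11),
    ("mifi-guest", 4),
    ("printer-direct", 9),
]

if __name__ == "__main__":
    for line in off_plan_report(SAMPLE_SCAN):
        print(line)
```

A single radio on channel 4 lands 5 MHz inside channel 1 and 10 MHz inside channel 6, so it degrades two of the three cells around it at once, whereas a second radio on channel 6 would at least share the medium politely through CSMA/CA. Passing `width_mhz=22` shows the legacy 802.11b case, where even channel 2 brushes against channel 6.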

I’ve heard the claims of “c’mon, Wi-Fi should be resilient enough to tolerate the occasional Mi-Fi device.” Perhaps, and it all depends on the environment and the number of these popular devices that show up.

So what’s next? How does this whole mess get reconciled?

Here’s part of the answer, from my friend Jake Snyder:

Jake

Right on, Jake. Here’s the whole fix, according to me:

  • Somehow, Mi-Fi needs to be rethought to be friendlier to business WLAN. Let’s start with Novatel explaining why everything has to be on channel 2 or 4 or 9
  • The FCC has to take a nuanced, business friendly approach to protecting prod WLAN environments, or to let environments protect themselves
  • If the FCC says that the tools Marriott used are not legal, then these tools need to be gutted out of WLAN management frameworks and not marketed as features
  • Yes, hotels and other venues need to provide good FREE Wi-Fi, and the WLAN industry needs to come up with a way to provide SECURE guest Wi-Fi (Hotspot 2.0 ain’t going anywhere, sorry)
  • It’s probably too late to put the genie back in the bottle, but Mi-Fi users should get some sort of education at time of purchase about the impact their devices potentially have on WLANs that they operate in the middle of

Marriott is just the tip of the iceberg. If we (all parties) don’t face the underlying factors that have brought us to the point where the FCC is reviewing the current status quo, nothing will get “fixed”.

Agree? Disagree? I’d love to hear from you- not just your opinion, but what your role in Wi-Fi is.

60 thoughts on “Look Past Marriott To The Bigger Wi-Fi Issue”

  1. Ben Kirton

    I agree with pretty much everything except the part about users. They are incapable of making good decisions on these types of issues and they shouldn’t have to, and so the MiFi devices etc. need their own standard/guidelines that allows them to provide a connection to their users without killing surrounding WiFi.

    Possibly force 1, 6, 11 (other channels disabled altogether) or a few 5GHz channels, maybe the DFS ones if their guidelines keep the power low. This stops them being everywhere on odd channels and in some environments (those that avoid the DFS channels by nature) the MiFis would cause no real issues.

    1. Frank

      I 100% agree about the channel issues. I’ve seen half a house get its wireless performance trashed because a printer was idly broadcasting on channel 4 (and this was with all visible wireless settings set to “off”).

      I would have loved to see 11ac come with a rider that any devices beaconing *must* default to 1/6/11 (or the equivalent set based on regulatory domain) unless *explicitly* configured otherwise by the owner/administrator. The check box should have a big red blinky warning saying “This is almost certainly really stupid and will make your neighbors hate your guts when you screw up Netflix. Proceed?”

      It wouldn’t be a perfect solution, but it might help some of the more chronic offenders who apparently are new to the wireless game, like Verizon and HP.

      1. wirednot Post author

        Well said, Frank. And just a great example of how loose all of this has become from an RF sensibility perspective. It’s ironic that Verizon and AT&T sell these things made by the likes of Novatel, while the carriers are pushing for Wi-Fi offload etc. They need reliable Wi-Fi to happen too, but work against it by not tightening up the Mi-Fi tech stuff.

  2. christian clasen

    Good post. I’m gaining more and more experience as an engineer with overcrowded spectrum and the politics involved.

    I recently made it through a painful period of “laying down the law” in a medium-size shared tenant office space where many tech start-ups reside. Even though there is a 300Mb fiber circuit and Ethernet everywhere, most of these folks choose to only use the wireless network (another discussion altogether). Serious connectivity issues started once we accumulated nearly thirty SSIDs in a two-story building. Predictably, as the network admin, my gear and design took the brunt of the blame. It took weeks of explaining to management and the tenants (I learned that many developers have very little knowledge of basic networking) before I got the go-ahead to rip out these “bring your own Linksys” devices. Once we removed them and the air cleared, performance was once again at an acceptable measure.

  3. microagent007

    I think of the process of boarding a plane and placing transmission devices in airplane only mode when the gate door is closed. It isn’t 100% perfect (some people forget, get distracted, intentionally ignore the requirement because they don’t believe the impact, etc). Of course, all the passengers have a vested interest in maintaining the operational safety of the plane. I also don’t remember a time, and I fly a lot, where RF scanners were used to identify and mitigate abuses.

    I can imagine the same process could be followed in areas such as hospitals, where critical life/health monitoring equipment may be adversely impacted by personal RF transmission device use. After all, who wants to be responsible for someone’s death, and how many wouldn’t put themselves in the shoes of the unfortunate patients?

    Two cases above and both demonstrate the serious ramifications for adverse use of unauthorized (based on some visible policy) wireless equipment.

    It is a continuum of impacts that would be brought to all parties’ attention.

    There is no straightforward technical solution here when unlicensed spectrum is utilized and the devices utilizing that spectrum meet the technical requirements for doing so. This is a people problem.

  4. Dave Wright (@wifidave)

    Lee,
    Thanks – IMO this is a much-needed post, as there are a lot of angles/nuances to this that are being glossed over in most of the mainstream coverage. I also agree with your conclusion that it’s ultimately a ‘people problem’. It therefore becomes a critical question of “Why do people fire up Mi-Fi’s in the presence of available, publicly accessible venue Wi-Fi?” You alluded to this motivation, “For many, it matters not whether there is decent, free wireless designed to meet their needs in a given location- their Mi-Fi is easy, comfortable, and something they own.”
    It’s only my opinion, but I’d say that the two primary reasons people use Mi-Fi in those situations are either 1) the venue Wi-Fi stinks or 2) these people think enabling Mi-Fi (either standalone or Smartphone Wi-Fi tethering) is easier than connecting to the venue network. From personal experience, enabling Mi-Fi on a Samsung phone takes 4 touches/swipes and all my devices, and my family’s devices, will autoconnect as they know the SSID and passphrase. Contrast that with the typical experience of connecting to a Public Wi-Fi network today. [Security concerns may also be a driver, but I believe those are less a factor than convenience for the majority of such folks.]
    To mitigate against the first reason, venues need to deploy and maintain networks that perform well. I doubt this will be controversial.
    I’d contend that one of the best ways to deal with the convenience factor would be the use of Hotspot 2.0, which I don’t believe is quite dead yet (yes, I’m a Holy Grail fan). If the venue has a well performing network, and the guests auto-connected to that network upon arrival, I suspect the use of Mi-Fis would decrease substantially.
    And, of course, it would address the Public Wi-Fi security issue as well.

    1. wirednot Post author

      Thanks for reading and commenting, Dave. I’m onboard with all of your points, but man I wish something would blow serious life into Hotspot 2.0. It may not be dead, but it’s not exactly showing many signs of life either.

  5. Colin Daniel

    Many thanks for fighting the good fight Lee.
    I’ve received the same “Press Box Down” call during a game and, as much as I like to employ low-tech solutions, controlled the urge to let peer pressure solve the problem. Many of the sports reporters are former players, as are almost all assistant coaches, and several thousand pounds of peer pressure would take care of the MI-FI device and its proud owner!
    Controlling the wireless environment in Higher Ed. is like herding cats.
    Many users don’t know or care about the consequences of their wireless actions on themselves or others, although it is their best interest to do both.
    To Jake’s (who is way beyond a typical user) point about options.
    My adaptation of “leading a horse” might go:
    You can sell a horse a MI-FI, but you can’t make it think.

  6. revolutionwifi

    Lee,
    Good post. I’m right there with you on most of your points. I agree that businesses are placing critical applications and workloads on Wi-Fi networks and need some method to mitigate the risk of outside transmitters wreaking havoc. The argument that it’s just unlicensed May and that’s life may have worked a decade ago, but the entire economy and utility of Wi-Fi has sped past that point and there is no going back. Regulations need to be updated to change with the times. We can’t expect regs from the mid-80’s to cover how our use of the technology has evolved over the last 30 years.

    I also believe that most WIPS products that allow blatant FCC regulations violations are irresponsible. These vendors should have some culpability for this as well. These products are haphazardly developed to fill marketing check boxes, can’t provide the security they claim to in most cases, and have features that frankly have no chance at distinguishing a real security threat from a false positive (cue my rant on RSSI based rogue rules).

    Regarding Hotspot 2.0, I’m with Dave and believe the technical framework is in place to make public Wi-Fi awesome from both a user experience and a security perspective. The problem lies in the political space here. The Wi-Fi industry has allowed carriers and telcos to come in and essentially dominate the roadmap, discussion, and priority of this industry. If you doubt that, just look at most of the major conferences taking place – they are all around carrier Wi-Fi, offload, and that dreaded user exploitation -err I mean “monetization.” There is great potential for HS2.0 in enterprises, especially with phase 2 inline signup. But we, as an industry need to stop letting these carriers dictate the priorities for technical development. The Wi-Fi Alliance needs to step up and straighten this out!

    Thanks,
    Andrew vonNagy

    1. wirednot Post author

      Andrew, thanks much for taking the time to read and comment. Your feedback is excellent, and helps put a sharper context on the issues in play. I wish Hotspot 2.0 no ill will, just not sure how a voice of reason might emerge to jump start its adoption. One thing is for sure- something has to give. And your points on WIPS are dead on, if the FCC says the functionality is illegal to use as Marriott did, it needs to be stripped from WLAN system code.

      Happy New Year to you,

      Lee

  7. Devin Akin

    Great blog Lee! This one has an early lead on being blog of the year.

    The whole time I was reading it, “you damn skippy!” was ringing in my brain. You said it brother…we should be looking at the big picture here.

    Imagine the repercussions if the FCC did outlaw WIPS features…geez.

    Wi-Fi is well on its way to becoming Wi-FU. The Wi-Fi industry is already heavily regulated, but much of it is hidden from the view of consumers. Just ask an infrastructure manufacturer how much time and money it takes to get DFS certification for a new AP or perhaps to have an antenna certified for an AP. It’s ridiculous.

    With IoT vendors pumping out gozillions of 802.11g devices still, a variety of train wrecks are on the way to airspace near you.

    Luckily, many of today’s MiFi devices are 11b/g/n, so we can escape to 5GHz in some cases.

    Who’s next on the FCC’s radar? (Pun intended) Whose WIPS is going to land them in the FCC’s web? It could be resolved with a simple review and basic config changes.

    If lawsuits by the FCC don’t scare you into proactive spectral responsibility, then IoT’s hammer will force the conversation soon enough anyway.

    To solve this problem, we need look no further than a phrase from Arthur Burt, “Nothing happens until the pain of staying the same outweighs the pain of change.” We can sit on our thumbs and wait for the pain or we can get proactive now.

    Keep preaching it brother. They’ll hear us at some point.

    Devinator

  8. Jeff Rensink

    I agree with a lot of what you say. I hate this ruling as it basically says that it is illegal ever to purposefully interfere with someone else’s network, even if it has no right being there in the first place! And evidently, you don’t even have the right to tell them that they cannot use MiFis (or any wireless device) on your property. I’m not talking about signals bleeding over into your property, I’m talking about the radio transmitter being on your property. As you mentioned, now we can legally DoS any network that we want and they can’t do anything about it as long as we are using FCC licensed technology.

    Also, if the FCC actually wants to stand by this ruling, then they are obligated to take action against Cisco, Aruba, or anyone who sells equipment with a contain feature for advertising and selling this hardware.

    http://www.fcc.gov/encyclopedia/jammer-enforcement

    “The use of “cell jammers” or similar devices designed to intentionally block, jam, or interfere with authorized radio communications (signal blockers, GPS jammers, or text stoppers, etc.) is a violation of federal law. Also, it is unlawful to advertise, sell, distribute, or otherwise market these devices to consumers in the United States.”

    Any bets on if they do that? I’m guessing that they won’t.

    In the public notice found at https://apps.fcc.gov/edocs_public/attachmatch/DA-12-1642A1.pdf, an example of jamming operation is something that can “prevent your Wi-Fi enabled device from connecting to the Internet;”

    That is insanely broad. Does every WiFi enabled device have an inherent right to Internet access at all times in all locations? If so, then my own AP jams me when it prevents me from getting on my network when I fail authentication. Yes this is a silly example. But prior to the ruling, it seemed silly to me that containing rogues in your own building was illegal. The point is that if the FCC has let companies sell this feature for this long, there must be legal uses for it. So evidently this needs to be clearly spelled out for us in the industry. Either ban it outright, or tell us when we can actually use it legally.

    Lastly, Marriott was not specifically targeting MiFis, they were targeting rogue APs. They have no legitimate way to identify a rogue as a MiFi or as something like a Linksys wireless router. You can make a guess based on location and maybe the OUI of the radio MAC. But there’s no way to tell if it’s a MiFi or if it’s a real rogue on wire without a physical inspection. Thanks FCC for making it ridiculously more expensive to secure a network from rogues on wire. The only real defense now is wired 802.1x.

    rant over.

    1. wirednot Post author

      Extremely well said, Jeff. I hope anybody at the FCC (and the personal hotspot makers, and the Wi-Fi Alliance) is getting wind of the angst all of this is causing well beyond the confines of the Marriott situation. Thanks for reading and for a great, eloquent opinion.

  9. Keith R. Parsons

    Lee,

    Thanks for taking the time to write up this post on some of the other issues surrounding the FCC, Wi-Fi, unlicensed spectrum, etc.

    I think companies, like Marriott, or others who specifically ask the FCC for permission to counteract the entire unlicensed nature of Wi-Fi are in for a rude awakening. This is NOT going to happen.

    There are lots of other frequencies available – that are licensed and controlled if a company wishes to use them.

    The issue stems from companies wanting it both ways. Wanting to have ubiquitous access to client devices: if you don’t have a client device with the proper radios and firmware, you won’t get any traction. (We’ve seen lots of failures here.) So companies WANT their customers to use Wi-Fi devices so they don’t have to produce special hardware/software to provide access.

    On the other hand, they now want to control that very same device from doing things the company deems are not wanted. (like turning on a Mi-Fi)

    You can’t have it both ways. Either pick a controlled, licensed frequency, and end up paying for custom hardware/software or use Wi-Fi devices and stop complaining that you don’t have control over your environment. You can’t have it both ways!

    Some have floated ideas of some hybrid approach, or changing the regulations to allow for selective control over unlicensed frequencies. I don’t believe either of these will work. I think we’ll all see how terrible this turns out if LTE-XX ever starts impinging on the unlicensed 5GHz frequencies.

    Your example of hospitals as a place where control should be used is a poor choice. There are already frequencies dedicated to medical equipment, but hospitals CHOOSE to use unlicensed spectrum to keep costs down, and make connections easy. They can’t then complain about not having control or somehow blame a non-controlled Wi-Fi for ‘making a loved one die’. The Mi-Fis don’t cause the problem… the problem was caused by the hospital choosing an unlicensed frequency for life-endangering medical equipment.

    I personally believe the answer will be for the FCC to open up MORE unlicensed spectrum. The issues most are concerned with so far are Mi-Fi devices in the 2.4GHz frequencies. What if there were additional frequencies in the 5GHz range opened for Wi-Fi, and Mi-Fi’s were moved there?

    There is also the crazy ironic situation where Cellular Carriers are being self-duplicitous. On one hand they are pushing hard towards 3G/4G offloading to Wi-Fi to lower their costs of delivering packets of data. (Wi-Fi packets cost a carrier 10X or more less than 3G/4G packets.) And on the other hand they are pushing the direct opposite, selling Mi-Fi gear that puts Wi-Fi packets back over on their over-crowded 3G/4G networks. Ludicrous!

    I don’t think it is a ‘tools’ problem – nor a ‘Mi-Fi’ problem. But an opportunity for people who provide Wi-Fi to make access Fast, Free, and Easy. Get rid of all the barriers that make public Wi-Fi difficult, and remove the reasons for using Mi-Fi devices.

    I don’t believe there is a way to allow “environments to protect themselves” – that, by definition is the exact reason for the FCC’s ruling against Marriott.

    Thanks for starting out the year with a great blog that has triggered lots of useful discussions and dialog.

    Keith

    1. wirednot Post author

      Keith, thanks for taking the time and the thoughtful response. It’s interesting to me, as I have a left brain/right brain thing going on. As the guy driving the big, expensive, carefully designed WLAN I want every tool available to keep my kingdom healthy and in compliance with my organizational policies. I buy good gear from market leaders, and assume that they have done the work of regulatory compliance on my behalf when it comes to features. Why would it be in there if it’s not legal?

      There’s that… then there are your valid points about poor technology choices based in thrift and convenience- that’s certainly one version of reality. But we (you, me, and all of the Wi-Fi cheerleaders of the world including the FCC, IEEE, Wi-Fi Alliance, CWNE, and the WLAN industry) have all created the expectation that if you do Wi-Fi right, it can be transformative. It can cut operational costs and push Ethernet to the margins. We tout that wireless can be AS ROBUST AND AS SECURE as wired networking. We train WLAN Pros to buy that and to preach that. Which means we’re all building houses of cards and living in a bit of a fantasy world if at the end of it all it boils down to “boo hoo on you- you shoulda used wired!” I think we’ve moved past that world, or are at least stuck in the unpleasant purgatory that spans that mindset and the other that hypes the begeezus out of all the great things you can do with enterprise WLAN.

      I don’t have the answers, but agree that it needs to be talked about. I do feel in my heart of hearts that an evolution to the regulatory framework of wireless is in order to give business WLAN a fighting chance in an increasingly complex (and arguably out of control) wireless device landscape. But I’m not sure how I’d even craft those changes if the Commissioner himself handed me the pen.

      Again, thanks for your comments (and friendship),

      Lee

      1. Keith R. Parsons

        Yep – no clear answers to this dilemma. That’s why it is good to be in this industry at this time. Lots and lots of work to do.

        What I see is the 2.4GHz frequencies are overly saturated already – adding more Mi-Fi to a tuned network makes it even worse. But if we had more spectrum – not just the measly TLPS channel 14 that GlobalStar wants to ‘lease’… but actual real larger chunks of spectrum, we might be able to have enough options to keep Wi-Fi moving forward for the next couple of decades.

        But the FCC is going to have to move faster than they have in the past. The rate of change in the RF world is moving much faster than the regulatory bodies are used to working with. There are lots of potential chunks of spectrum that could be allocated to Wi-Fi – if the spectrum was there, the hardware vendors would make chipsets to support it within a single year. Within 3-5 years we could have a full new set of client devices. (augmenting our current 2.4GHz and 5GHz)

        Lets see if the FCC can be forward looking enough to make some drastic changes and help alleviate many of these issues by getting more spectrum into the unlicensed side.

        You’ve sparked a great conversation here with this post. Thanks!

        Keith

    2. Jeff Rensink

      Hey Keith,

      I get your point about wanting to have it both ways. It is indeed unlicensed spectrum, so we have to deal with other devices in the spectrum. I don’t think that people have a legitimate expectation that wireless signals should never be able to bleed into their airspace. But I think where the main conflict arises is what control do we have over what happens on our property. Again, not what is bleeding into our property, but what is happening from a device perspective on our property.

      Essentially what the FCC is saying is that we have no right to say what devices are allowed to be used on our property when it comes to wireless transmitters in the unlicensed spectrum. Doesn’t it seem absurd? We can say “no phones allowed”, “no cameras allowed”, “no guns allowed”, “no shoes, no shirt, no service”, but not “no MiFis”? Could we ask the person to leave our property, but not ask them to take their MiFi with them as that would somehow violate constitutional rights for the MiFi to exist and be connected to the internet anywhere it wants to be? It just seems so against common sense that wireless transmitters are such a protected class of devices.

      1. Keith R. Parsons

        Jeff,

        You nailed it in one! – Exactly… the FCC is saying you do NOT have the right to say “No Mi-Fi”. Unlike the other things you mentioned, guns, phones, cameras – they are all physical items that don’t have any ‘rights’ by themselves. Mi-Fi devices have rights to use unlicensed spectrum. You can’t control the unlicensed spectrum.

        Now you CAN, if you wanted to police it, post signs and state “No Mi-Fi” devices. You can control the physical devices. What the FCC is stating is you can’t limit the Mi-Fi device from accessing the unlicensed spectrum using denial of service attacks. You can physically stop Mi-Fis from entering your property no different than you would with guns, or cameras. But you can’t stop the Mi-Fi that is on your property from using the spectrum.

        So if you do want that level of control, feel free to stop the actual devices from entering your property. The FCC isn’t saying anything at all about you asking someone to leave your property. The device isn’t in a ‘protected class’ – but the frequency it uses is. There is nothing at all in the FCC ruling that prevents Marriott Hotels from banning physical items from their property. They are only in trouble for using denial of service attacks against devices that DID have rights to use the unlicensed spectrum.

        Marriott could easily post signs, and implement a “No Mi-Fi” policy on all their properties. That would then mean no one could bring their smartphones with tethering capabilities on site. That just isn’t going to happen.

        I’d also like the DoJ to go after ISP’s who inject content into Internet streams for ‘monetization’ to be subject to the entire weight of criminal laws… no different than if hackers did a Man-in-the-Middle attack on their targets.

        Keith

      2. Keith R. Parsons

        Jeff,

        One more thought. You don’t have control over the air inside your property either. Properties come with all sorts of rights. Surface rights, mineral rights, water rights, etc. But the federal government has explicitly stated the RF spectrum is a common good for all citizens and has divvied up the spectrum according to their regulations. Those frequencies that have been allocated as unlicensed also have certain rights associated with them. It is the FCC’s mandate to support those rights no different than they do the frequencies that companies have leased and paid billions of dollars for.

        Keith

    3. Jeff Rensink

      Not sure how to reply to your reply of my reply. So I had to go up the chain….

      What would be really nice from the FCC would be specific direction on what they consider interference and what they don’t. The line separating legal/illegal actions when dealing with rogues is definitely not where most of us assumed that it was. So we need some specifics. If the vendors have been able to sell equipment that contains rogue clients for years, then there must be a legitimate use case. We need some help to understand this rather than guess and risk hundreds of thousands in fines.

      The unlicensed spectrum seems to be an interesting beast. It’s unlicensed, so any device can use it, but they obviously can’t use it in any way that they want. Containing your neighbor is definitely one of those no-nos. There is a directive to essentially play nice with each other. But there seem to be apparent exceptions to this if the other party is being malicious. The Marriott ruling seemed to infer that the MiFi use was legitimate because they were just using the Internet and there was no security risk. So if there is a security risk, can we take action? If so, what action(s)? What defines a security risk?

      I think the case sheds light on either how little we engineers truly understand the rules, how unclear the rules are, or that the FCC is redefining the rule (or some combination thereof). We have definitely been sold a bill of goods by the vendors that does not reflect reality. But what’s new there?

      Reply
      1. Andrew von Nagy

        Jeff,
        There is definitely a “play nice to each other” directive with regards to unlicensed spectrum. However, one must ask the question – is playing nice only a security consideration, or could it also be a performance degradation question? If you were to ask me, any Mi-Fi coming onto corporate private property and blasting out transmissions on channel 4 is decidedly NOT playing nice and causing substantial interference to the legitimate use of the spectrum by other users.

        Like Lee said, I don’t have the answers but something needs to change. I believe updated regulations are in order. At minimum clarification of the current regulations. I also believe that what Keith said about “go play in licensed spectrum” is a bit of a narrow interpretation. Unlicensed spectrum exists so that anyone has access. This has created enormous flexibility by entrepreneurs to try new ideas and innovate. It also creates incredible economic value by enabling services that frankly wouldn’t otherwise be developed or deployed due to cost. We can’t say “go innovate” then turn around and say “well hold on, don’t use that stuff because it’s too risky being built on a house of cards that could tumble at any moment and we won’t allow you to do anything to prevent that.” We are beyond that point. Innovations happen and technologies emerge that make both consumers and businesses thrive. I think there is a bigger risk in saying there is no compromise to allow a business to control the security, stability, and performance of its network… which would stifle new business ventures and slow economic growth. We have already experienced it. Just look at any number of businesses that have taken a very cautious approach to relying too heavily on Wi-Fi because there is no real control over the unlicensed spectrum. What business processes have been held back? What expense reductions have failed to be realized? What is the economic impact of that?

        Overall, I guess that I’m saying technology evolves and our regulations and approach to spectrum regulation need to evolve with it. The current approach to unlicensed spectrum has no doubt served us admirably. And we need to keep the most important aspects of it, such as the freedom to innovate without licensing burdens. But I think we also need to seriously consider changing the regulations to allow some semblance of stability and risk mitigation for production networks. Perhaps it’s as simple as segmenting consumer Wi-Fi spectrum from corporate Wi-Fi spectrum… who knows.

        As a side note to Glenn’s comments, the FCC does occasionally reach out to technical experts for advice. I happen to have opportunities with my current employer to engage with the FCC and am attempting to make the most of it on a number of issues (Globalstar TLPS nonsense, DFS issues, spectrum sharing initiatives, LTE-U / LAA hybrids, etc).

        Cheers,
        Andrew von Nagy

      2. Jeff Rensink

        Andrew,

        I would definitely agree that some change is desired. The playing nice directive could be taken in many different ways. There is a general requirement of having to put up with other devices in the spectrum. But there seem to be instances where actions can be taken if the other device isn’t playing nice. Unfortunately, it isn’t really spelled out anywhere under what conditions you are allowed to take action and what actions are allowable to take.

        From my reading, there seems to be a strong inference that one reason that would allow you to take some sort of action is due to security issues. Evidently if someone is threatening the security of your network, you can take action. But what security threats allow for action, what level of proof is needed, and what responses you can take are a big question mark.

        I don’t seem to find inferences to being able to take action based on performance impact. And this is probably what we care about the most, since that’s what we tend to run into most often. Rogues are rarely malicious, but in larger numbers they can be performance impacting. I don’t know what the answer to this is. It’ll probably come down to changing protocols that remove the big issues (channel overlap and really low data rates) and hope the old protocols die off.

        One trouble with separating consumer and corporate is that they so often mix. At least from a client perspective. BYOD is built on consumer devices on our corporate networks. We as corporate users use consumer devices for our jobs all of the time. So it would be a tough thing to separate.

        The issue is definitely a tough one. We want low cost and robust solutions that we have a high degree of control over. That seems to be a tough combination to get.

  10. gcatewifi

    Great blog, Lee and excellent responses! Some of my brief thoughts:
    1. The FCC NEEDS some Wi-Fi engineers (say, CWNEs!) to work with them to make wise decisions! Do they have any at all? Yes, the FCC needs to move ‘faster’, but without proper 802.11 knowledge, they will make silly decisions that will need to be reversed later!
    2. As a WLAN engineer, can I get in ‘trouble’ if I set up WIPS for a client? Someone at Marriott set theirs up. I know corporations, not individuals are sued. But still wondering…
    3. Educating end users is frustrating and not a solution.
    4. A variation on Devin’s comment comes from a consultant friend: “Pain is a great motivator for change”! However, I’m not sure how much pain is needed, nor who will experience it. Marriott has experienced ‘pain’ already. Now, can the FCC experience pain too and make a change? Unfortunately, the FCC is controlled by the federal government, an organization not characterized by wisdom and efficiency.

    -Glenn (gcatewifi)

    Reply
  11. Jeffrey Kuehn

    Great blog Lee. It has also sparked a great discussion. The one question that I still have is who does this FCC ruling truly apply to? Clearly any and all commercial and consumer unlicensed band users, but as a consultant who deals only with the Federal government, are they subject to the same FCC regulations? I happen to know of one very large, former customer of mine down on Capitol Hill that has a dedicated security engineer whose main responsibility was to identify rogue devices, contain them and then remove them from the campus. Has this ruling made his job more difficult since he is unable to contain the rogue devices or are federal agencies exempt? There is a three letter agency near Ft. Meade who would tell you yes, most federal agencies are exempt from the laws pertaining to jamming of RF devices on Federal land. However, I have had some civilian agency customers tell me different. Either way, the regulations are extremely unclear and something clearly needs to change.

    Reply
    1. wirednot Post author

      Jeffrey, thanks so much for that. Being ex-military and a licensed amateur radio operator, I am of the belief that many federal radio services are outside of the FCC’s scope, but NOT for things like WiFi used in those agencies’ offices. But I have no doubt this space is rife with abuse too, as many in government develop God complexes simply because of who their employers are.

      Reply
    2. Jeff Rensink

      In the public advisory at https://apps.fcc.gov/edocs_public/attachmatch/DA-12-1642A1.pdf, there seems to be an exception clause for certain federal government users. It doesn’t detail which federal users are authorized though.

      “Illegal to Operate Jammers in the U.S. Unless you are an authorized federal government user, you may not operate a jammer in the U.S., even on private property. This means that it is illegal to use a jammer on mass transit (e.g., train, bus) or in a residence, vehicle, school, theater, restaurant or in any other public or private place.”

      Reply
      1. Jeffrey Kuehn

        I’m sure they have some list that includes all of the intel agencies and most of the DoD, DHS, Justice and State Departments. Regardless, Jeff, I still think you bring up the best point to all of this in that this ruling cripples Security and Network administrators at the knees with respect to rogue AP mitigation. Before this ruling, the best mitigation toward rogue APs was to contain it until the device could be located and removed from the facility. Now that containment has essentially been relegated illegal by the FCC, administrators have one less tool at their disposal to mitigate these threats. It is made worse as more and more 11ac capable access points and devices are introduced to the market because now attackers can potentially gather more information in a shorter period of time. This ruling has also increased the amount of time attackers have at their disposal, since the attacker can stay on the network as long as it takes an administrator to identify, locate and remove their device. In some cases that might even be days or weeks before they can get someone to the site to search for it. Especially in the case of HREAP deployments. While there will always be cases where an organization will leverage this technology in a negative fashion (i.e. Marriott using it to force people to buy WiFi), in the end, I would much rather pay for WiFi if it means that my PII is less likely to become compromised due to some Target or Sony employee connecting to a rogue AP or worse, a rogue AP is used as the launching point for a more sophisticated attack that compromised troop movements or operative names that results in loss of life.

      2. Keith R. Parsons

        I don’t think the FCC ruling on Marriott said anything at all about Rogue containment. If a device is using your own wired network, you have rights to stop it from sharing your internal network.

        But that is NOT what Marriott was doing. They were using the containment function, but to stop someone who was NOT using their wired network, only sharing the unlicensed frequency. Entirely different things!

      3. wirednot Post author

        But a rogue is a rogue is a rogue, when it comes to DoSing business WiFi on the RF side. Matters not whether it’s “on the wire”, RF damage done.

  12. wirednot Post author

    Thanks for the link, Jeff. Typical to read one of these and come away with as many questions as answers. One big question- did the FCC just officially expand the definition of jamming to include what the Marriott did? If so, it needs to be spelled out for the good of all.

    Reply
  13. Keith R. Parsons

    Sorry to disagree with you Lee, but there is a HUGE difference between an access point that is on your wired network, sharing your internal network without your permission/control, and someone else who is merely sharing the same unlicensed frequency.

    The first may be called a rogue… the second, ala Mi-Fi device is not at all a rogue. But merely someone legally using the unlicensed frequency as the FCC intended.

    I don’t think the FCC ruling changed anything at all. It has never been right to jam/DoS a device that isn’t on your wired network. All previous rulings, like Logan Airport, supported this position.

    Nothing has changed in the area of containing real rogues that are sharing your wired network.

    Reply
    1. wirednot Post author

      Again, evolution is in order. These terms seem to be murky, and if you can point to authoritative sources I’d love to see them: “rogue wireless”, “the public” as it relates to people coming onto a business property, “Denial of Service” and “jamming”. What makes your definition of a rogue more accurate than others in this case? I’m not declaring that you are wrong, but security concerns take many forms. If I DoS your corporate web site, you’re going to call that a security issue. If your Mi-Fi DoSes my Head of Sales’ VoWLAN phone, I call that a security issue. In both cases service has been disrupted and financial damage might occur. Too many hairs are being split on what’s an OK DoS and who determines that.

      Again- I’m not saying “Keith, you are wrong.” But I am asking how reasonable people are supposed to cut their way through this fog in the absence of binding, clear TIMELY (as in written for today’s circumstances) lexicon? We both mean well, we both know what the terms are to us individually. What makes one any more right? I’m not even talking Marriott and de-auth here, I’m getting even lower level by asking what is DOS, what is rogue, what is public, etc.

      And thanks for keeping good dialogue going.

      -Lee

      Reply
    2. Jeff Rensink

      If you follow Cisco jargon, according to the WLC, a rogue AP is basically any AP not in your WLC’s RF group. More generically, it’s any AP not under your administrative control. You could rename it to “unauthorized AP”. Regardless of definition, the difficulty that we face is if we just identify rogues using our wireless gear (which is what we almost all do), there is no real way to determine if that other AP has a wired connection to anything or not. And if it does have a wired connection, is it on our wired network? Yes, there are some methods to try and discern if the rogue AP is on our wired network, but none of them really work effectively. None of them would determine if a regular Linksys wireless router was on our network assuming it was using WPA-PSK and not an open network.

      So to our wireless management systems, all we can honestly ever see are very basic pieces of info like MAC addresses, SSID, security, etc. Nothing that would definitively say that this is a MiFi, or a phone hotspot, or a home wifi router, etc. So with the ruling from the FCC, if we guess wrong, we get fined hundreds of thousands of dollars. So now we cannot guess. We have to physically locate the device (not always an easy task), determine if it is on our wired network, and then we can take action. At that point, you just unplug it. So containment becomes an essentially useless tool.

      Because of this, all that our wireless systems can do now is detect and locate rogues. There won’t be any wireless mitigation for fear of the FCC. Mitigations will have to be physical removal. Now our only real protection from rogues on wire becomes implementing security on the wired network (namely wired 802.1x). For those that have implemented that solution, we can tell you that it takes some significant resources and there are loopholes that can be exploited thanks to the necessity of MAB due to the large number of devices that do not support 802.1x. Ways to make MAB more secure translate into higher operational expense. So our rogue on wire security options just jumped from almost no cost to very high cost.

      Maybe this is the way it’s ultimately supposed to be, and maybe not. But without much better clarification from the FCC about what we can do and under what circumstances, we are being forced into a “play it extra safe” stance. Most of us probably would have simply considered what Marriott did was in bad taste and not illegal. We don’t know where the line is any more. And the penalty of crossing the line is huge fines and probably losing your job as a result.

      Reply
  14. Colin Daniel

    Having spent the early years of my career working with FCC licensed spectrum (VHF broadcast, C-Band satellite and analog microwave) I’ve burned a lot of midnight oil deciphering FCC-speak. As has been mentioned, they are governmentally slow to respond to change and it seems to me that the unlicensed spectrum challenge has snuck up and bit them on the backside.
    I predict 2015 will be an exciting year for the FCC with this issue and Net-Neutrality looming large.
    While I don’t envy them, I would gladly serve on the FCC, or better yet nominate Lee, Jake, Keith, Andrew, Glenn, Jeff or Jeffrey, etc. to serve. This would bring some boots on the ground (wings in the air?) experience and common sense to bear on these problems.
    I hope no one here suffers from motion sickness, it’s going to be a wild ride.

    Reply
  15. Keith R. Parsons

    Not sure if there is a precise FCC supported definition. We do NEED one of those. But in typical legal/government fashion I think it will end up being the ‘precedents’ category rather than an explicit definition.

    I see it as very clear cut. On the wired network, or not on the wired network. Simple. There are legal precedents and lots of anti-hacking laws on the books to support this.

    But that doesn’t address your ‘VoWLAN Phone’ issue.

    The only precedents from the FCC on this are things like the Logan Airport or Marriott rulings. Both of which are also explicit in stating you cannot stop someone from legally accessing the unlicensed RF spectrum.

    The only people looking for clarification seem to be those in your shoes, where they WANT to stop the effects of sharing unlicensed spectrum after choosing Wi-Fi devices because of their ubiquitous nature. (cheap, easily obtained, no licensing, etc.)

    The FCC, in their infinite wisdom, is acting more like a Supreme Court. Only giving enough information to the public to support their stated position, without answering all possible questions. And without giving a specific definition of what they are stating. It is terribly frustrating.

    In the short term, we can simply continue with what we’ve had in Rogue Containment for many years now. If they are on your wire, you can stop them. If they aren’t, you have no rights to stop them using an unlicensed spectrum.

    Like Andrew von Nagy and others have suggested, perhaps there is a need for regulations to change. But in the near term, we have our answers.

    Reply
    1. wirednot Post author

      Good response. What are your feelings about:

      – authoring and posting policy that prohibits personal hotspots on your premises
      – asking the Mi-Fi person to shut it off
      – asking them to leave if they won’t
      – Walking them out if you feel the interference is impacting business continuity

      And they are a non-paying visitor to a private business setting?

      Reply
    2. Jeffrey Kuehn

      Keith,

      While I agree that a rogue on wire or even a rogue that is re-broadcasting your corporate SSID are clearly identifiable threats, the problem is that I do not know if the SSID that says MiFiXXXX is truly someone’s MiFi or perhaps a malicious rogue that is simply rebroadcasting SSIDs that it learned from a client’s beacon frame in an attempt to get that client to associate and gather data or even compromise that client. If this is a BYOD client it might not do too much harm if the client associates, but if it is a corporate device, this could become a launch point to wreak more havoc on the network. Since the FCC ruling, gone are the days of contain first and apologize later, since that policy might cost my company or customer $600K or more in fines. The biggest issue I have with this is that on a firewall, you’re not going to do a ‘permit all’ and then black-list ports. You’re going to block first and then white-list them. Why should wireless security be any different?

      Reply
  16. wirednot Post author

    Sure- just looking for a conversational baseline. But back to topic- on your last point, isn’t your unlicensed frequency DoSing my unlicensed frequency which brought all of this to a head (after Marriott went full stupid, of course)? One DoS OK, the other not?

    (I know what comes next, but this is a healthy exercise)

    Reply
    1. Jeff Rensink

      Here’s an interesting thought exercise brought on by this…

      So say we have a policy that says MiFis (or any rogue AP) are not allowed to be used on premises. Someone decides to use it anyway.

      So evidently we can essentially force them to turn it off (breaking client connectivity to the Internet through the device), but we cannot contain the MiFi (breaking client connectivity to the Internet through the device).

      The FCC is very clear that legitimate signals should not be interfered with. I agree with that. But is the signal from a banned device on your premises legitimate?

      Reply
  17. Keith R. Parsons

    Lee and Jeff,

    There is a big difference between stopping a person from entering or using a Mi-Fi device on your property… just like stopping someone from carrying a concealed gun… and doing a jamming, blocking, or Denial of Service attack keeping the same Mi-Fi from legally accessing the unlicensed frequency.

    As a property owner you can do the former, but not the latter.

    I don’t understand people’s confusion on this point. One is dealing with the physical device. You have rights to control what people bring onto your property. Movie theaters don’t allow outside food, schools don’t allow concealed guns, etc.

    The other is breaking the FCC’s rules about blocking access to unlicensed frequencies.

    It is about as clear cut as you can get. Pretty darn simple distinction.

    You can stop rogue APs on your wired network. You can also stop or block your own client devices from accessing a Rogue AP’s connection. They are your devices, and you can control what APs they join.

    What you have no rights to stop are non-your clients from joining non-your access points.

    Here’s a quick re-cap table:

    OK to Stop – Non-Your APs on Your Wired Network
    OK to Stop – Your Clients on Non-Your APs
    NOT OK to Stop – Non-Your Clients on Non-Your APs
    NOT OK to Stop – Non-Your APs sharing same Frequencies as Your APs

    Any questions?

    Reply
    1. Frank

      I think you’re missing a very important third case – off-wired 3rd party APs that are spoofing your SSID. You have no way to easily mitigate them except over the air, as they can easily be in an adjacent building, never mind on your wired network, and if they are malicious they can do an exceptional amount of damage if your security isn’t set up exactly right.

      Reply
    2. Jeff Rensink

      That’s one interpretation of it. Reading the public notice about jammers from the FCC to me paints a slightly different picture.

      https://apps.fcc.gov/edocs_public/attachmatch/DA-12-1642A1.pdf

      “Illegal to Operate Jammers in the U.S. Unless you are an authorized federal government user, you may not operate a jammer in the U.S., even on private property. This means that it is illegal to use a jammer on mass transit (e.g., train, bus) or in a residence, vehicle, school, theater, restaurant or in any other public or private place.”

      Based on this description alone, either something is a jammer or it is not. Outside of being an authorized federal user, there is no allowance for using a jammer. There is no mention of using a jammer if it’s done for security reasons. I also haven’t seen this clause in any of the other related docs about this stuff (though I may be missing it). So if using an AP to contain rogues makes it a jammer, that is illegal always. It should also be illegal to sell hardware with this feature.

      “Illegal to Sell or Advertise Jammers Online or in Stores. You may not sell or advertise jammers to individuals or businesses on online auction or marketplace sites, in retail stores, or even at your local flea market. Selling even a single jammer is illegal. You also are prohibited from shipping a jammer in the U.S.”

      So the doc goes on later to describe jammers.

      “What are “jammers”? Generally, “jammers”—which include devices commonly called signal blockers, GPS jammers, cell phone jammers, text blockers, etc.—are illegal radio frequency transmitters that are designed to block, jam, or otherwise interfere with authorized radio communications.”

      There is a way to twist this to say containment falls under the category. Let’s look further.

      “How do jammers work? A jammer can block all radio communications on any device that operates on radio frequencies within its range (i.e., within a certain radius of the jammer) by emitting radio frequency waves that prevent the targeted device from establishing or maintaining a connection. Jamming technology generally does not discriminate between desirable and undesirable communications. For example, jammers can:

      -prevent your cell phone from making or receiving calls, text messages, and emails;
      -prevent your Wi-Fi enabled device from connecting to the Internet;
      -prevent your GPS unit from receiving correct positioning signals; and
      -prevent a first responder from locating you in an emergency.”

      Well, the description of “prevent your Wi-Fi enabled device from connecting to the Internet;” could definitely infer containment. But prior to the examples, it more seems to be referring to devices that tend to simply damage the RF signals while they are in the air. Hence, “Jamming technology generally does not discriminate between desirable and undesirable communications”.

      Containment absolutely discriminates between desirable and undesirable communications. They leave it open to having exceptions to this rule though.

      They go on to say why jamming is bad.

      “Why are jammers prohibited? Jammers do not just weed out noisy or annoying conversations and disable unwanted GPS tracking. Jammers can prevent 9-1-1 and other emergency phone calls from getting through or interfere with police and other law enforcement communications. For example, the recent use of a cell phone jammer in an office building disrupted communications of a nearby Fire Department. When Enforcement Bureau agents investigated the incident, we found that a CPA who apparently did not want to be disturbed during the busy tax season was using a small, inexpensive cell jammer inside his office. But, the jammer was disrupting critical public safety communications outside his building as well.”

      I don’t see how containing rogues in your environment violates the spirit of this. But I guess you could always run into interesting corner cases.

      You can also play fast and loose with the phrase “interfere with authorized radio communications.” What constitutes authorized? Is it any signal (which doesn’t violate FCC rules) in any place at any time? Is a device that we have specifically banned from our premises sending authorized radio communications? If the device is attacking our network is it authorized radio communications? The phrase is way too generic.

      If you aren’t actually damaging the radio signal, but rather persuading the device to not send radio signals, is that interference? If so, why are you ever allowed to unplug (power wise) a rogue AP on your premises, as that sort of does the same thing?

      Keith, I think your definition is probably closest to reality. But I don’t think that people would typically come to that definition solely on the public notices/laws. The notices get us part way, and then the massive FCC smackdowns reveal the rest. Not very helpful or fair in my opinion.

      Reply
      1. wirednot Post author

        To boot, the Commission Document regarding the Marriott case very much implies that “jamming” took place, resulting in Marriott’s spanking.

  18. wirednot Post author

    Just need to clarify why the WLAN makers seem to think selling the feature is OK. 🙂 Also, as much of the point is that many of us feel it’s time to evolve- within limits- exactly what you describe here.

    Reply
  19. Keith R. Parsons

    WLAN Vendors have a reason to sell the feature to block devices. It is valid and useful in the two cases listed above.

    Just don’t use the same feature to cause harm to non-your APs or non-your devices.

    Reply
    1. Andrew von Nagy

      I have to agree with Lee on this point. WIPS products cannot guarantee that they will only mitigate (deauth) rogues on-wire. These products just aren’t that reliable because they are attempting to secure the wired network (in essence). I have done extensive testing of almost every major WIPS vendor and found that their accuracy is hit or miss, with both false positives and false negatives. Furthermore, most of their methods that attempt to infer if a device is on the wire or not are horribly inaccurate.

      As was pointed out earlier, there are other valid security issues such as honeypots, evil twins, and your clients associating to unauthorized 3rd party APs that could warrant a WIPS mitigation (from a WLAN operator’s perspective). And I haven’t seen any language by the FCC that permits DoS / deauth for security reasons, although I haven’t seen them crack down on that either.

      As to Jeff’s point that wired 802.1X is the only thing left, I agree that it is horribly difficult to implement wired 802.1X in a production network due to legacy and new clients that simply don’t support it. MAB is a gaping hole, as are other forms of 802.1X subversion such as the Pwnie Express MiTM device which can get around it.

      Ultimately, in every network that I have operated, I’ve found the BEST security is never achieved through WIPS. Instead I rely on a combination of good security design into the infrastructure (WPA2 with 802.1X, network segmentation, principle of least privilege), AAA (proper EAP configuration), clients (validating AAA server, encrypted storage, etc.), MDM / EMM (validating client OS, security profile, enrollment status, etc.), wired IPS (which can look into application layer payloads and detect anomalous activity), and… very importantly proper network monitoring, correlation with other systems, alerting, and incident response procedures. This last point allows a properly monitored network to quickly identify threats and allow a human to take action such as shutting down a switch port (it’s all about filtering out useless data and making alerts actionable and relevant). However, implementing such security as a daily / ongoing process is more work than throwing money at the problem and buying a WIPS system which claims to be a magical cure for all your security concerns (it’s NOT).

      Frankly, I could care less if WIPS mitigation for security purposes is lawful or not. I advise all my customers NOT to use it. Use WIDS instead if you want over the air visibility, and tie it into your security correlation system (e.g. ArcSight).

      For me, the bigger issue that this whole Marriott debacle has raised is the ability to rely on the corporate WLAN for mission-critical business systems. That requires some semblance of risk mitigation to the disruption of network performance. Keith had mentioned making more spectrum available to alleviate this issue. That’s just kicking the can down the road and doesn’t solve the fundamental problem. Plus, we already have more than enough spectrum today – the problem is we don’t use much of it due to issues with DFS (risk of instability, not knowing whether radar is present in your environment easily, client scanning and roaming performance degradation due to passive scanning only, etc.).

      What we need is two-fold:
      1.) Simplify DFS regulations to allow us to take advantage of the spectrum already allocated (U-NII 2A and 2C), and the new spectrum that we are likely to get which will be opened for unlicensed use but be secondary priority to existing federal uses (such as U-NII 2B and U-NII 4). My thinking is that the risk of Wi-Fi disrupting radar is low for indoor installations below a specific power level (say 100-200mW). And there is precedent for the FCC allowing shared use of spectrum and forbearing Wi-Fi restrictions when certain conditions are met – they just did this with the U-NII 1 power level changes in 2014 (read: http://www.revolutionwifi.net/blog/2014/04/impact-of-fcc-5-ghz-u-nii-report-order.html).

      2.) Unlicensed spectrum regulation updates to the U-NII bands that somehow, someway, recognize that unlicensed spectrum use has evolved beyond small scale deployments, and the innovations brought to market now need to be supported more formally at larger scale and densities. The reality is that the market, for right or wrong, is using unlicensed spectrum for critical uses that provide new services that benefit our economy greatly. We need to keep the spirit of innovation and access for everyone without bureaucratic hurdles, but layer on top some semblance of priority or control within private spaces.

      Cheers,
      Andrew

      Reply
      1. Keith R. Parsons

        Thanks to all who have taught me and given me lots more to think about in this discussion. We have a long way to go. It is nice to have friends who can constructively carry on intelligent conversations and share ideas and thoughts with each other.

        I salute you.

  20. Glenn De Haes

    Hi Lee

    Thanks for starting this discussion.

    FCC is uniform in ruling. In Europe, we have rulings per country or even per region! This makes a discussion like this even more difficult.

    I have had a few customers that were experiencing bad connectivity and dropped connections etc. After investigation, I found that they were actually the victims of rogue mitigation deauths from their neighbours’ WiFi network. Not all of these cases were sorted by just walking there and asking to disable this “feature”.
    When the regulatory body got involved, the message they gave was ‘that it is allowed to use this on your own property but that it is illegal to disturb anyone’s operation outside your premises’.

    This is of course very dubious and I cannot find immediately the law text that reflects this but I will have a closer look.

    What is certainly said is (and I try to translate legal Dutch to acceptable English)
    “He who deliberately and without the consent of the rightful claimant hinders the access to or the use of an automated work by offering data or sending data to the automated work, will be punished” (remember this line for a bit)

    So basically if you are sending deauth which blocks access to the network or will not allow you to work consistently on that network, you are in a bad place. How this can be joined with the fact that you could do this on your premise, could only be explained if ETSI or local legislation defines exactly the opposite of what FCC seems to do and that is saying that the air is not from everyone but basically is part of your property.

    Since it is unlicensed spectrum, the legal bodies only act upon a complaint. I guess this triggers them to basically act in this way and say that if you bother anyone else outside your premises, you must stop it. In general, you will not immediately get a complaint from someone within your premises. To my knowledge, we don’t have a ‘Marriott case’ yet.

    Another slightly related case (from a legal aspect) that we know of is based on net neutrality. In the Netherlands, T-Mobile operated the free wifi on the train. They wanted to block access to YouTube and Netflix as this would create ‘too much traffic jams’ and interfere with others’ experience. In the end, the legal body decided that this is legal and that they were allowed to block this. Reasoning was:
    “they can block these services because of an exception in the laws on netneutrality. If certain services put too much load on the network and that the other users suffer from this (experience less a service than one would expect or normally get) then the blocking is allowed”
    There was one extra point to keep the net neutrality:
    They were not allowed to just block YouTube. They then must block Netflix as well for instance.

    Of course, this is on a train so the capacity is limited. Nonetheless, you could also blame bad design for the problem.
    So apart from those points, I find this attitude could be a good basis for a guideline/law that would allow use of VoWiFi, heart monitoring in hospitals etc while also protecting the other side.
    If you bother the other service too much by doing what you do near or in their premises, you could be asked by a legal body to stop doing this.

    Like it has been said before, the technology is there and people want to use it. We cannot stop this. Whether it is a good idea to put heart monitoring on WiFi or not is a completely different discussion. But when you do this, there should be some protection to make sure that when you manage your environment well, someone that walks in with a disturbing device can actually be asked to shut it down. Because basically, that person having a Mi-Fi on channel 2 is acting almost the same way as your WIPS deauth: it is sending packets to the network that will hinder the lawful owner of this network to gain access to his own network or to normally work on it. Hence, this user is equally guilty as you if you would deploy a WIPS policy against him.
    Sure, two wrongs don’t make one right but it is certainly something to think about and let common sense rule rather than legal stuff that comes from the eighties.

    Just my two cents.

    Best regards and thank you all for enriching my professional life with great content!

    Reply
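    Andrew’s comment above argues for WIDS visibility fed into a correlation and alerting system rather than automatic WIPS containment, and Glenn’s describes customers who turned out to be on the receiving end of a neighbour’s rogue-mitigation deauths. The following is an added example (not code from this post or from any commenter) of the detection half of that: a small Python detector that reads WIDS event lines, flags a burst of deauthentication/disassociation frames from a single source, and labels the source as our own infrastructure or external so the alert is actionable for a human. The syslog-style line format, the sensor names, the BSSIDs and the threshold are all constructed for the example; no vendor’s real WIDS format is implied.

```python
"""Deauth-flood detection over WIDS event lines, with triage classification.

Added example. The log format, sensor names, BSSIDs and thresholds below are
constructed for illustration and belong to no real product or network.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# BSSIDs of the access points we manage (constructed). Anything else is "external".
MANAGED_BSSIDS = {"de:ad:be:ef:00:10", "de:ad:be:ef:00:11"}

# Hypothetical WIDS line:
#   <iso-ts> wids[<sensor>]: frame=<type> src=<mac> dst=<mac> bssid=<mac> reason=<n> ch=<n>
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) wids\[(?P<sensor>[^\]]+)\]: frame=(?P<frame>\w+) "
    rf"src=(?P<src>{MAC}) dst=(?P<dst>{MAC}) bssid=(?P<bssid>{MAC}) "
    r"reason=(?P<reason>\d+) ch=(?P<ch>\d+)$"
)


@dataclass
class Alert:
    src: str
    first_seen: datetime
    last_seen: datetime
    count: int
    channel: int
    classification: str            # "own-infrastructure" or "external"
    sensors: set = field(default_factory=set)

    @property
    def recommended_action(self) -> str:
        """Turn the classification into the next human step (the point Andrew makes)."""
        if self.classification == "own-infrastructure":
            return "review this AP's WIPS containment policy; disable mitigation if unintended"
        return "locate the source using the reporting sensors; contact the operator or regulator"


def parse_line(line: str):
    """Parse one WIDS line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["reason"] = int(ev["reason"])
    ev["ch"] = int(ev["ch"])
    return ev


def detect_deauth_floods(lines, threshold=10, window=timedelta(seconds=5),
                         managed=MANAGED_BSSIDS):
    """Return one Alert per source that sent >= threshold deauth/disassoc frames
    inside any sliding window of the given length."""
    events = [ev for ev in map(parse_line, lines)
              if ev and ev["frame"] in ("deauth", "disassoc")]
    events.sort(key=lambda ev: ev["ts"])        # sensors may deliver out of order
    recent = defaultdict(deque)                 # src -> timestamps inside the window
    alerts = {}                                 # src -> Alert, one per offending source
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) < threshold:
            continue
        a = alerts.get(ev["src"])
        if a is None:
            cls = "own-infrastructure" if ev["src"] in managed else "external"
            alerts[ev["src"]] = Alert(ev["src"], q[0], ev["ts"], len(q), ev["ch"],
                                      cls, {ev["sensor"]})
        else:
            a.last_seen, a.count = ev["ts"], a.count + 1
            a.sensors.add(ev["sensor"])
    return list(alerts.values())


def _fmt(ts, sensor, frame, src, dst, bssid, reason, ch):
    return (f"{ts.isoformat(timespec='milliseconds')} wids[{sensor}]: frame={frame} "
            f"src={src} dst={dst} bssid={bssid} reason={reason} ch={ch}")


def build_sample_log():
    """Constructed sample: benign frames from our AP plus a burst of broadcast deauths
    (reason 7) from an external BSSID, as a neighbour's containment would look."""
    base = datetime(2015, 1, 12, 10, 0, 0)
    ours, ext, bcast = "de:ad:be:ef:00:10", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff"
    lines = [
        _fmt(base, "sensor-1", "beacon", ours, bcast, ours, 0, 6),
        # a single deauth from our own AP (client inactivity, reason 4) is normal
        _fmt(base + timedelta(seconds=1), "sensor-1", "deauth", ours,
             "11:22:33:44:55:66", ours, 4, 6),
        "this line is not a WIDS event and is ignored",
    ]
    for i in range(12):  # 12 broadcast deauths in under 3 seconds, seen by two sensors
        lines.append(_fmt(base + timedelta(milliseconds=250 * i),
                          "sensor-1" if i % 2 else "sensor-2", "deauth", ext, bcast, ext, 7, 6))
    return lines


if __name__ == "__main__":
    for a in detect_deauth_floods(build_sample_log()):
        print(f"{a.src} ch{a.channel} {a.count} frames {a.first_seen:%H:%M:%S}-"
              f"{a.last_seen:%H:%M:%S.%f} [{a.classification}] -> {a.recommended_action}")
```

    The classification step is what makes the alert actionable: a flood from one of our own BSSIDs points at a containment policy we configured ourselves, while a flood from an unknown BSSID is the neighbour case Glenn describes, where the right response is locating the source and talking to its operator (or the regulator), not responding in kind. In a real deployment the `MANAGED_BSSIDS` set would come from the controller inventory and the alerts would be pushed to the correlation system rather than printed.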
  21. Pingback: Oh Grow Up – TR Dispatch v2n2 | TechReckoning

  22. Pingback: Show 221 - Marriott, Wifi, + the FCC with Glenn Fleishman & Lee Badman - Packet Pushers Podcast

  23. Freedom Domains

    I don’t see any recent comments, but was just wondering if there are any new FCC decisions, clarifications, etc .. on this issue. I am a parent with a young child. I use a “family friendly” internet filter because not all material available on the internet is appropriate for my 8 yr old son. I live in an apartment building and there are always at least 10 other wifi hotspots available besides my own, and unfortunately, recently my son has noticed this and connects to one of them, making my own filter useless. I talked to the neighbors that I noticed had unsecured wifi, and two of them were quite happy to set it up with a password (it just hadn’t occurred to them before), however, one gentleman didn’t think that was necessary, and was rather offended that I would suggest he should secure his wifi, as it was “none of my business.” How is it ok for my son to be subjected to hard-core porn in spite of all my efforts to filter that out? (I went through several parental control solutions before finally finding one that worked well). I do install a filter directly on his iPhone, but a friend of his helped him disable it.
    I would love to be able to “jam” or interfere with wifi hotspots ONLY within the range of my own apartment, and I know the technology exists to do that, but I understand it is illegal. Doing so would not prevent anyone else using their own personal wifi access points in their own homes, or anywhere in the common areas, pool, patios, etc… they would only not be able to connect if they were inside my apartment (in which case they could use my wifi of course). I find it ridiculous that child protective services could take away custody of my son from me if they were to find out some of the images he has seen, and yet the law gives me no way to keep that stuff out of my home.

    Reply
    1. wirednot Post author

      Sometimes networks with no passwords also have no admin passwords on the router, and sometimes when one goes to the router’s admin page (which is the same IP address as the gateway for that network) they see the login page tell what model the router is so its default password is easily Googled. Then sometimes these routers are easily reconfigured with both a new network and admin password, or so I hear. Sometimes this occurrence gets the attention of the owner and motivates them to not leave their network open anymore, or so I hear.

      Reply
