Today’s post is going to have a fairly strong opinion of mine: that guest WiFi needs to be stopped. While there are use cases to having a network that guests have access to, I believe in this day and age that the use cases are specific and becoming a rarity. The security risk imposed by having guest WiFi is simply not worth it, to the extent that a number of insurers in the cyber security space will not insure you if you have a guest WiFi network.
Why it’s a problem
Very simple: strangers can access your network. Guest WiFi is a remnant of the past when we were naive and wanted to be nice to guests and allow them to save on exorbitant data charges. These days, mobile data has come down in price and coverage has increased, and I do not believe that there is a valid reason for a service provider to be connecting to your network instead of using an LTE / 5G connection. A service provider worth their salt should be providing their sales and implementation teams with usable data solutions in order to show demos, presentations, or other requirements.
Very often, guest WiFi is configured horribly, with no difference between the internal staff network and the guest network save for the network name. In addition to this, often the guest password is framed at reception or is visible on whiteboards in every boardroom. This is tantamount to handing the keys to your office to anyone that walks into the building. WiFi extends beyond your boundary walls, and once someone has joined the network, they can re-access it any time they are within range, inside the building or out.
One of the first tests I perform on site at any client where there is guest WiFi is to scan the network. Roughly 9 times out of 10 my scan will return all of the computers on the network, and often these computers will not be configured with security in mind. The number of times that I have sat in the boardroom and have been able to extract databases from developers’ laptops on the network would astound you, simply by running a 25 second scan and logging in to laptops with default credentials. It’s always fun watching an executive’s eyes when you show them their client data in a meeting (subject to NDAs and engagement agreements, of course). Can you say “data breach”?
In an extreme case, I tested a hotel’s network where I was a guest (with permission) and I managed to hop onto every CCTV camera on the premises – including the management office with drop-safes etc. The risk is very real!
Why you may still need it
There are still use cases for guest WiFi (unfortunately). These are, however, few and far between. In my eyes, the most common use cases would be:
- for rural offices where there is no mobile signal, or
- where you may run a training center and attendees need to bring their own computers for the training, or
- where you run a high security data-center and mobile signal jammers are in place (in which case I’d assume you’re configured pretty darn well), or
- you’re running a hotel or restaurant.
I am hard-pressed to find additional use cases where guest WiFi is an absolute requirement and there are no alternatives available.
Caveat: From a personal, household perspective, particularly with the proliferation of work-from-home (WFH), I may turn on a dime. It may actually be important to have a guest network! If friends wish to use your network instead of their own data, it’s very kind of you to let them use your network. There are, however, threats from malware such as “KRACK” (which your friend may not even know is on their phone) where malware on a phone tries to hijack the network to steal data from other devices. In this case, a guest network is ideal in the home, provided the same recommendations below are followed.
What to do if you do need it
If you do find that you need to use a guest WiFi, there are correct ways and wrong ways to go about it. The wrong way, as discussed, is to simply have a separate SSID (network name) that just links onto the main network. The correct way is to use a combination of the following:
- Guest/Wireless/Client Isolation – this ensures that any device that joins a guest WiFi network can ONLY see the Internet, and not any other devices on the network. This used to be available only in the domain of enterprise hardware; however, these same settings are now prevalent even in home consumer hardware. All three of my recent consumer grade hardware devices (all different brands) have supported this.
- Separate VLANs – more geared towards the enterprise and corporate side of things, you want your guest network to be totally separate from your production back-end network. A separate VLAN or even a separate physical network (extreme) can ensure that traffic does not mix between guest and internal.
- Timed access – access points such as those developed by Mikrotik can issue tokens to guests that only allow access for a certain time period before the access expires. This works very effectively at reducing your risk of access after a meeting, contract or engagement has concluded with a guest.
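The three points above can be checked against a concrete router policy. What follows is an added example written for this post, not configuration from the author or from any vendor: an nftables ruleset for a Linux-based router where the guest SSID is tagged onto its own VLAN. The interface names (eth0 as uplink, br-lan as the internal bridge, vlan20 as the guest VLAN) and the 4 hour default are assumptions. It covers the VLAN separation (guests are forwarded to the uplink only, never to br-lan, and cannot reach the router's own admin services) and a form of timed access: instead of Mikrotik's tokens, admitted guest devices are entered into a set whose elements expire on their own, so Internet access lapses without anyone having to remember to revoke it.

```nft
#!/usr/sbin/nft -f
# Added example (not the post's or any vendor's config). Assumed interfaces:
#   eth0   = Internet uplink
#   br-lan = internal staff network
#   vlan20 = guest VLAN carried tagged from the access point
#
# Admit a guest device for two hours (MAC below is a constructed placeholder):
#   nft add element inet guest_filter guest_allowed { 02:00:00:aa:bb:cc timeout 2h }
# Show who is still admitted and how long they have left:
#   nft list set inet guest_filter guest_allowed
flush ruleset

define WAN   = eth0
define LAN   = br-lan
define GUEST = vlan20

table inet guest_filter {

    # Admitted guest devices. Elements expire individually; 4h is the default
    # when no explicit timeout is given on the add command.
    set guest_allowed {
        type ether_addr
        flags timeout
        timeout 4h
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif lo accept
        # Guests get DHCP and DNS from the router and nothing else:
        # the admin UI, SSH and any other service stay unreachable from vlan20.
        iifname $GUEST udp dport { 67, 53 } accept
        iifname $GUEST tcp dport 53 accept
        iifname $GUEST icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
        iifname $GUEST drop
        iifname $LAN accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Guest -> Internet only, and only while the device's admission has not expired.
        iifname $GUEST oifname $WAN ether saddr @guest_allowed accept
        # Guest -> internal network: never, admitted or not (policy drop already
        # covers this; the explicit rule documents the intent and shows up in counters).
        iifname $GUEST oifname $LAN counter drop
        iifname $LAN oifname $WAN accept
    }
}

table ip guest_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Two caveats a practitioner will want. First, this ruleset only controls traffic that passes through the router; guest-to-guest traffic within the same wireless bridge never reaches it, so the client isolation toggle on the access point itself is still required (that is the first bullet above, and it is an AP setting, not a firewall one). Second, a MAC address is trivially changed, so the expiring set is a time limit on convenience rather than authentication; what actually protects the internal network is the forward policy, which drops guest traffic to br-lan regardless of whether the device is in the set.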
There are other security methods available, particularly if you are at the enterprise grade and have enterprise budgets. The above, however, should be your absolute minimum considerations.
That, or just don’t have guest WiFi at all. It’s not worth it.
Ross G Saunders Consulting offers a number of solutions that can drive your compliance and security maturity; from affordable 16 week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.