The Guest networks offered by most routers are a nice security feature. By keeping visitors away from the main network (both wired and wireless), they allow for the safe sharing of Internet access without divulging the private Wi-Fi password.
Up till now, the Guest networks I had run across, in consumer routers, all worked basically the same, although some routers offer far more control over them than others. Guest networks are defined just like the private Wi-Fi network(s) but with their own name (SSID), encryption (WEP, WPA or WPA2) and password.
Or so I thought. A recent article by Chris Hoffman at How-To Geek describes a security omission in the Guest networks created by Linksys Smart Wi-Fi and Belkin routers.
Hoffman reports that these routers do not offer WEP, WPA or WPA2 encryption on their Guest network.And, although the Guest network is password protected, the password is requested on captive portal web page using HTTP, rather than HTTPS, insuring that it travels over the air in easily-captured plain text.
To verify this, I turned to a dual band Linksys EA6200. It's controls for the Guest network are shown below.
Yes, I said the Guest network. The EA6200 offers a single guest network on the 2.4GHz band.
Typically, a dual band router (one with radios for both the 2.4GHz and 5GHz bands) will offer two guest networks, one on each frequency band. Higher end routers, offer multiple guest networks on each band. Below is a screen shot from an Asus router that offers three guest networks on each band. When combined with the two private wireless networks it offers, this Asus router can create up to eight independent Wi-Fi networks.
Noticeably missing from the Linksys Guest network configuration, as Hoffman reported, is encryption. There is no option for WEP, WPA or WPA2.
The use of a captive portal is indicated by the exclamation point in the orange circle, shown below.
Captive portals make sense for businesses that want to display their Terms of Service before letting people get online, but it's much too confusing for home users.
I say this because captive portals force new users on the network to start their online experience with a web browser - and, by and large, no one tells them this. If, after joining the Guest network, a new user starts their online day with email, messaging or anything but a web browser, they can't get online.
Last summer, a hotel where I stayed used a captive portal to inform hotel guests of their policies before letting them out to the Internet. One day, in the lobby, some guests were having WiFi problems. I told them to run a web browser and go to any website. Problem solved. Not only were the hotel guests un-informed, so too was the person at the front desk. Bad documentation is the rule in IT rather than the exception.
Linksys does explain how their captive portable works - but only to the person that sets up the router. End users are on their own.
As a Defensive Computing guy, I tend to avoid open, unencrypted wireless networks. But testing the Linksys EA6200 illustrated how the security warnings about open networks are being de-emphasized. Ease of use has come to trump security.
The oldest system I tried, Windows XP, had the hardest to miss warning. As shown below, it is really in your face before you connect, warning that "Information sent over this network is not encrypted and might be visible to other people".
With Windows 7 and 8, Microsoft still displays a warning, but it's easier to overlook, they did away with the standalone modal notice. No one else issues a prominent warning either.
I tested Android 4.4.4, Chrome OS 42, OS X 10.10.3 and iOS 8.3. Each system let me connect to an open WiFi network without a peep. Thanks for nothing.
I was able to confirm that the captive portal on the Linksys EA6200 asks for the password with HTTP. The screen shot below shows a Firefox password prompt generated from the private IP address 172.18.254.146.
Along the way, however, I found another problem with the captive portal. Most of the systems I tested failed to generate the password request above, even when using a browser to visit a website. The problem, it turns out, was because the router was off-line. There is no reason for this.
Any connection from a WiFi device to a router is just that, a connection between the device and the router. With normal WiFi networks, it matters not if the other side of the router (the WAN side) is connected to the Internet. If the WiFi network is open, or using WEP, WPA Personal or WPA2 personal, the router can handle things on its own. Only WPA2 Enterprise may need an Internet connection to validate users to the router.
But, even with the router online, the captive portal was still a bit problematic.
Only Android 4.4.4 worked as I expected. That is, after joining the Guest network and going to any website, I was prompted for the Guest network password and after providing it, could get to the intended website.
On Windows 8, I used the Chrome browser, and after entering the password I was taken to msn.com, which was NOT the website I asked for initially. It seems Microsoft is up to something, but I can't explain what.
Windows 7 seemed aware of the captive portal. After connecting to the Guest network, it prompted me, with the message shown below, "Additional log on information may be required. Click to open your browser". But, it falls on you to remember this in the future, the yellow balloon only popped up the first time the system connected to the Guest network.
Chrome OS 42 was much the same. After connecting to the Guest network, it put up its own pale yellow notice that "The Wi-Fi you are using (<SSID>) may require you to visit its login page".
Windows XP was a disaster. No matter what I tried, every browser generated DNS lookup errors instead of the Guest network password prompt. Rebooting didn't help. I could see from an "arp -a" command that XP was able to communicate with the router, but even HTTP access to the router by its IP address failed.
iOS 8.3 was the exact opposite. After connecting to the network, the system immediately prompted for the Guest network password. Unlike Windows 7 and Chrome OS, I didn't need to read or do anything. After entering the password however, I was left at captive.apple.com with a "success" message on the screen. The user interface was such that it wasn't clear if I was even in a web browser.
With OS X 10.10.3 Yosemite, I was also taken to the password login page immediately after connecting to the Guest network. The page title was "Join LinksysGreyStripe2-guest" and, as with iOS, after entering the password it displayed a white box with the word "Success". The URL however, was www.airport.us.
All told, the Linksys EA6200 Guest network provides a terribly inconsistent user experience, and no encryption.
Guest networks can be a really great feature, one that is certainly worth investigating, if your router offers it. They let you entertain visitors without divulging the private WiFi password, keep guest users away from shared resources on the LAN (normally but not always), and, as we saw last time, they can also help defend against the NetUSB router flaw.
But, anyone interested in Router Security should probably avoid the Linksys Smart Wi-Fi line.
Finally, another issue with the EA6200 - the Guest network name is fixed. It is always the name of the 2.4GHz network with "-guest" appended on the end. You can see this in the earlier Windows XP screen shot, the 2.4GHz network is LinksysGreyStripe2 and the Guest network is LinksysGreyStripe2-guest.
Updated: June 26, 2015 to add OS X Yosemite experience connecting to the Guest network.