VAST’s hotspots do not use Wi-Fi Protected Access (WPA) or similar security, but that does not mean they are insecure.
This is according to the CEO of VAST Networks, Grant Marais. “We run a feature called client isolation,” said Marais.
If you run a scan on the network, it will look like you are the only user. The only devices you would see are your own and the gateway.
“We also run a Generic Routing Encapsulation (GRE) tunnel from the access point to our gateway.”
GRE is a tunnelling protocol developed by Cisco that can carry different passenger protocols.
These tunnels are virtual point-to-point links, which means every user has their own “lane” for data traffic.
Marais said VAST also uses a pop-up login and has mechanisms to identify users who want to use the network for malicious purposes.
You can’t use the network without authenticating, and new subscribers have to input a one-time PIN sent to their cellphone number to create an account.
This means a VAST Wi-Fi account is linked to a payment method and a valid cellphone number, which should be RICA registered.
The pop-up login has the additional benefit of ensuring subscribers won’t connect to VAST’s hotspots and lose throughput on their device if their Wi-Fi package expires, said Marais.
VAST also stays abreast of new security threats, such as the key reinstallation attacks (KRACKs) recently found in the WPA2 standard.
Marais said that in this instance, they have the benefit of not using WPA2 on their public network.
However, in isolated networks such as the one they operate for Netcare, they do use WPA2 – but not features like fast roaming that allow for KRACKs to be used.
“The density of our network is such that we don’t have to run fast roaming,” said Marais.
He said there are also several security settings you need to leave “unticked” for KRACKs to be effective.
VAST nevertheless deployed manufacturer patches to combat the attack, in case it needs to run WPA2 on its consumer network in the future.
Another step VAST takes to secure its network is using access control lists.
This ensures that only network elements it trusts will work when plugged into the core network.
“If you plug in anything on our network, you wouldn’t be able to see any traffic or connect to the Internet,” said Marais.
To test this and other security measures on the network, VAST procures the services of SensePost for penetration testing.
Marais said he does not believe any system is invincible against attacks, with tech giants like Yahoo and LinkedIn falling victim to malicious players in the past.
“Unfortunately, there are a lot of malicious people [out there], but we are taking all the steps we’re able to to mitigate the effects.”