Dr Christopher Spencer

As billions of devices enter the enterprise space and chat away, administrators will be stretched to their limits to make sure that communication flows are authentic and authorized. New security challenges are likely to follow this massive increase in connected devices. Knowing the lay of the land now will help administrators develop an IoT security plan that fits their organization’s needs.

The variety of devices comprising the Internet of Things world is staggering, and standardization of security protocols across that ecosystem simply does not exist. Even within a specific segment such as lighting sensors, there’s little agreement on the use of a single flavour of security.

Each manufacturer has historically taken its own approach to securing devices. Unlike the texting, word processing and video-call-making multifunctional smartphones that administrators are used to managing, many Internet of Things devices continue to be designed and deployed for rather specific duties. The protocols used by these ‘things’ reflect the purpose the device was built for. As such broad network security policies haven’t often been a priority. For a simple example look at NEST protect smoke alarms, not only do they pair with a smartphone they connect to the Wi-Fi and also run their own 802.15.4 mesh network possibly bridging network segments?

Networks used for IOT are often considered to be isolated (though this turns out to not be the case time and time again, with devices often needing to connect to the Internet cloud), leaving classic IT-centered security efforts far down the list of priorities. So far down the list, that there is no great amount of agreement or standardization on security protocols for these ‘things’. It's not a complete free for all, but as IT and OT continue moving toward convergence in the form of IoT, the lack of commonality across the platforms will certainly become an issue.

But standardising IoT security may bring an unexpected downside: lack of choice. Between point-to-point networks where every device has a voice, and the hub-and-spoke models that minimize the number of connections, in favor of a central provisioning point, there are plenty of benefits and downsides to go around. That may be a good thing. At least for now.

Today’s Internet of Things security concerns

Device manufacturers are worried. No one wants their equipment to be involved in network intrusion. Many administrators have even bigger problems. Devices are coming to their networks that will be connecting up one way or another, and those are potential entry points. Enterprises have long had concerns about rogue wireless access points, and they don’t want to see the incoming army of connected IoT devices become similarly unsafe endpoints, especially as most connect back to the outside world.

The sheer scale of the Internet of Things justifiably causes pain to network administrators, but it comes with another issue that complicates security management even further. That’s the number of device types. There are different uses, different vendors, different generations and different capabilities, and these all make security more difficult and complex.

Knowing where vulnerabilities exist across a handful of smartphone OS is one thing, but keeping pace with the status of thousands of different sensors, cameras, meters, controllers and other machines, is another. There’s going to be not just tens of thousands of things, it’s lots of protocols and lots of connection methodologies. That quickly becomes a nightmare because you have to support all of them, read all the security bulletins and keep updated on every vulnerability that occurs in every different type of item, in every different sector. And, to top it all, some of these devices will never receive a single update from the manufacturer as time goes on ruling out patches as an option to help address emerging threats.

What administrators can do to improve IoT security

Conventional approaches to network security will likely need to be rethought before an enterprise deploys IoT to any significant degree. Recognize first and foremost that you are not going to solve this problem with just a firewall product. Many firewalls may not control Internet of Things traffic as effectively as other types of network flows, a different approach needs to be considered.

At the end of the day, a security administrator needs to be very seasoned and make sure that these are on completely separate networks. Then the compromise of one network will not facilitate access to the other. It may be a somewhat extreme data protection measure, but if highly-sensitive information is hanging around, the organization should conduct a risk assessment to understand what level of network separation is needed.

Staying up to date with evolving vulnerability assessments and advancements in security solutions will still be crucial. With an understanding of the IoT security landscape, administrators are better equipped to be part of the decision-making process when it comes to deploying connected devices. Otherwise, there will be a business reason why the enterprise wants all these things connected, and that business reason will win and the security administrators will just have to adapt to whatever is required of them.

‘You can’t win this war’ said one security researcher so the best thing to do is try to put systems in place that are going to protect the data you use, It’s really about controlling your data and authenticating devices onto your network. Information gathered and transmitted through the "IoT-osphere" could be extremely valuable (not to mention potentially damaging to the organization if lost), and a robust monitoring and authentication strategy may be one tool that helps keep it all in check.

Global Reach & Odyssys® Global Reach Technology is a software innovator and the leading provider of carrier-grade WiFi and Passpoint™ Hotspot 2.0 services. We have packaged our carrier-grade AAA solution into our Odyssys® software to provide businesses large and small with private and public WiFi built on a carrier-grade platform.

Chris Spencer (D.Sc.) Group Technical Director GlobalReach Technology www.globalreachtech.com

Together lets #makewifibetter

Google Chrome’s push notifications are now available to all

Google has released the finished public version of Chrome v42, which lets websites send you alerts (with your permission, of course) whether or not the browser is open.

You can get breaking news, for example or find out when someone outbid you on that important auction you forgot to watch and the message will just appear in the top corner of your screen without the need to have your browser open. My guess would be that Google will eventually allow some customisation of the message window, its appearance, location on the screen and the notification sound.

The feature will be more than a little familiar to Safari users who for sometime have had this feature, but with the public release of Chrome v42 this is now platform-independent -- you should see it in Linux and Windows versions too.

How do you get it? Well Google Chrome for sometime has been able to silently install updates and keep your browser updated, if you allowed this at first installation. If not two methods can be used, one is simple re-install chrome from Google or even simpler go to the About Chrome menu item in the menu this will check the version and offer any updates.

Captive Portals Push notifications can allow users to opt-in to timely updates from the venue owner to effectively re-engage them with customised, engaging content long after they have left their WiFi service coverage area.

Odyssys® can utilise Chromes new push notifications to allow captive portal owners the ability to ask users to subscribe to their venue’s messaging service. The true beauty being that the venue owners can interact with the users device well beyond the bounds of their own WiFi… Allowing Venue owners to extend their power and reach of their brand and engagement with customised tailored messages.

As of the release of Chrome version 42, the Push API and Notification API are available to developers to start working on these areas.

Odyssys® already has the essential tools in place to provide push messaging and our enhanced location engine can help target and drive brand engagement beyond the reach of the venues WiFi. Further more the messaging does not have to be a one to many message, tailored or personal messages can be sent.

When the user grants permission to receive these messages they become essentially a subscriber to the venues service and get assigned a unique subscriberID allowing for targeted message sending, based on demographics or other know information about that WiFi device, user or user habits.

Push notifications can allow users to opt-in to timely updates from a Captive Portal or Splash page and allow the venue owner to effectively re-engage them with customised, engaging content, even when they do not have their browser open!

Global Reach & Odyssys® Global Reach Technology is a software innovator and the leading provider of carrier-grade WiFi and Passpoint™ Hotspot 2.0 services. We have packaged our carrier-grade solution into our Odyssys® software to provide businesses large and small with private and public WiFi built on a carrier-grade platform.

Chris Spencer (D.Sc) - VP Technology Global Reach Technology Limited http://www.globalreachtech.com

Advanced Next Generation Public WiFi

Apparently Steve Jobs loved to walk around Palo Alto, California and after his pride and joy, the iPhone, was born, he naturally took it along with him on these walks. The first iPhone suffered with a poor slow cellular-data network, but it had a much faster data option called Wi-Fi. It even had a feature (still present, but much less talked about, infants some see it as a hassle) that popped up a list of nearby Wi-Fi networks on the screen, so you could always find one within range.

He once claimed there was a big problem with that technique, one that he wanted to fix: Most of the Wi-Fi networks that popped up on his screen couldn’t be used, because they were secured with passwords. Jobs said he understood the need for security, but he was determined to figure out a way to make free, safe, Wi-Fi sharing from homes and small local businesses not only possible, but common. He even wanted to get other companies involved, in a sort of consortium, to make this happen.

His idea was to get as many wireless router makers as possible to build in a “guest network” option — essentially a second Wi-Fi network, securely walled off from the rest of the home network, and with its own name. Then, he hoped that the industry would encourage people to share their bandwidth with strangers via these guest networks. That way, a smartphone user could walk around, moving from one Wi-Fi hotspot to another, without logging in — much like people using cellular data move from one cell tower to another.

Users of this second, guest network wouldn’t have any way to access the owner’s main network, or the computers, network drives, printers, or files on the main network. Yet they’d be able to get onto the Internet, while in range.

No such big public consortium for home Wi-Fi sharing ever really emerged. But Apple and other wireless router makers did wind up building a guest network option into their products. Not everyone though knows how to enable this on his or hers home device.

Some companies, for example European based Fon, are trying to move in the right direction. But there are strings attached that make them less attractive than free, open, Wi-Fi roaming across different routers and broadband providers. The Electronic Frontier Foundation is trying, too, with its Open Wireless Movement but is making slow progress.

But, just because it never took off doesn’t mean that tech companies shouldn’t try harder. There’s is a way to make it happen, so people needn’t rely on expensive cellular-data plans all the time, so cellular networks can be less congested, even with the advent of 4g, cellular has its limitations, over subscribed in some areas, poor backhaul in others, signals struggle to penetrate buildings, WiFi is still one of the answers so people can remain connected when there just isn’t decent cellular reception. But why should you have to wait to get to your home, or your office, or to the nearest Coffee Shop, to get a usable Wi-Fi signal?

The obstacles are real. But they’re not insurmountable.

One problem is that changing the settings on routers is, for most people, like figuring out whether to snip the blue wire or the red on a bomb in one of those movie thrillers. You might have a satisfying result, but you might cause a catastrophe (in this case, killing Internet access altogether).

Apple makes it relatively easy in its AirPort brand of routers, with a clearly marked field labeled “Enable Guest Network” in the “Wireless” tab in its AirPort utility app for Macs and iOS devices. But the key word is “relatively.” You still may have to tinker with other settings, and understand some network terminology.

This can and should be made simpler.

There are other problems to be solved before people will share their Internet. One is that people might reasonably decide that their networks will be hacked. So, even if they do bother to set up a guest network, they slap a password on it, and only make that available to known house guests to whom they wish to offer Internet service without giving out their main password, or allowing access to their files.

Another is that, unlike Mr. Jobs’s vision of iPhone users passing by for a quick check of email or other low-bandwidth services, people know that some of their neighbors will want to simply be free-riders on their pricey bandwidth plans. So people don’t want to make it easy for neighbors to suck up their bandwidth by, say, watching movies on Netflix day and night so they simply don’t share it.

Nothing is ever 100% hacker-proof, of course, but the tech industry should be able to make a convincing barrier between the two networks within in built automatic firewalls. And it should also be easy to allow home users, in a very clear, simple, way, to set bandwidth or time limits on the guest network.

The good news is that, as noted above, some companies are moving in the direction of shared Wi-Fi. Fon, which has been around for years, lets its members share Wi-Fi bandwidth, but only if they own a Fon-branded router or a third-party router with the company’s technology built in. Also, the service is mainly used in Europe, and has never caught on in the U.S., where there are so few Fon routers installed as to make Fon sharing largely unavailable.

The Wi-Fi industry is also taking steps to make using public, commercial hotspots easier with a technology called Passport, or Hotspot 2.0, which automatically connects and eliminates clumsy login procedures when you’re at, say, a coffee shop or an airport.

Passport enabled access points when connected to backend service providers and hubs such as Global Reach’s Odyssys Carrier Platform, allows for a single SSID to be broadcast for guest access, and numerous backend service providers simultaneously to offer their services across that single network, safely, securely.

Of course the users device does need to have been previously provisioned by their carrier or by someone agreeing to be their authentication identity provider, again there are products out there that allows for this such as Odyssys that has an online signup capability for Hotspot 2.0. Users are encouraged to go through this provisioning process once. Your device can then roam on any network supporting a roaming agreement with Odyssys and sharing that same NAI Realm.

It’s time the big tech companies solved this problem by working together, so that Wi-Fi sharing and roaming become a reality. Odyssys™ roaming hub is a global cloud-based platform that can allow carriers or large enterprises to interact with each other and allow interoperable roaming on their WiFi estates for their clients.

For more information on Odyssys™ and to setup a demonstration please contact Global Reach Technology Limited today.

Global Reach & Odyssys™ Global Reach Technology is a software innovator and the leading provider of carrier-grade WiFi and Passpoint™ Hotspot 2.0 services. We have packaged our carrier-grade solution into our Odyssys™ software to provide businesses large and small with private and public WiFi built on a carrier-grade platform.

Chris Spencer (D.Sc) - VP Technology Global Reach Technology Limited http://www.globalreachtech.com

Global Reach Technology Odyssys Hotspot 2.0 release 2 OSU - Online Sign Up Solution

Global Reach Technology has been at the forefront of Hotspot 2.0 development for a number of years and via Odyssys™ have provided the backend provision, certificates, authentication and carrier partner interconnects for some truly large metro scale deployments.

Odyssys™ is a cloud-based WiFi service that uses Passpoint™ Hotspot 2.0 to dramatically simplify and automate how users connect to and roam between WiFi networks. Using Passpoint™ Hotspot 2.0 certified devices (including laptops, and WiFi only phones, and tablets), information advertised by smart WiFi infrastructure tells devices how to automatically connect to the Hotspot 2.0 WiFi network and then gives users the option to automatically configure their devices to connect through encrypted connections. After being provisioned network discovery, registration, and access processes are automated, so that the user does not have to go through them manually in order to connect and stay connected.

The City of San Francisco partnered with Global Reach and Ruckus Wireless to deliver a free city wide Hotspot 2.0 service to its residents and visitors, shortly after City of San Jose did exactly the same and joined a roaming agreement with the City of San Francisco to allow users of one network to seamlessly and securely roaming between their partners city hotspot 2.0 networks. London soon followed that trend and now those three cities share a common roaming agreement. Since then three more UK Cities joined the roaming agreement, Leeds, Bradford and Birmingham. All allowing seamless, secure authentication on each cities network for users with an Odyssys™ Hotspot 2.0 profile on their device.

One issue thats has now been addressed with Release 2 of the Hotspot 2.0 standard is the ability to provision end users devices easily. Global Reach will be demonstrating their OSU solution at the Wireless Broadband Alliance (WBA) event in London, May 2015. Private demonstrations can be booked at the Global Reach Office’s.

In release 2 of the Wi-Fi CERTIFIED Passpoint™ certification program, mobile devices use Online Sign-Up (OSU) to accomplish registration and credential provisioning to obtain secure network access. Global Reach a proud member of the Wireless Broadband Alliance developed and demonstrated their own provisioning platform for Release 1of Hotspot 2.0 over year ago at the WBA event in the US, but have now gone on to deliver a standards based Release 2 OSU solution.

Odyssys™ can provide each Service Provider network with their own OSU Server, linked to an AAA Server, and access to a certificate authority (CA).

The CA is known by two attributes, its name and its public key. One of the requirements for a mobile device and the hotspot to trust each other is that OSU Server shall hold a certificate signed by a Certificate Authority whose root certificate is issued by one of the CAs authorised by Wi-Fi Alliance, and that these trust root CA certificates are installed on the mobile device. Global Reach Technology chose to work with DigiCert one of the leading trusted providers of digital certificates, and now Odyssys Global Reach’s Carrier Grade AAA solution now supports Release 2 OSU Specification.

A CA performs four basic CA functions:

Issues certificates (i.e., creates and signs them)

Maintains certificate status information and issues Certificate Revocation Lists (CRLs)

Publishes its current (unexpired) certificates and CRLs so users can obtain the information they need to implement security services

Maintains archives of status information about the expired or revoked certificates it issued

All certificates for Release 2 of the Passpoint™ program are governed by the Hotspot 2.0 Online Sign-Up Certificate Policy Specification.

DigiCert DigiCert is a leading trusted provider of digital certificates, including Wi-Fi certificates. DigiCert partners with businesses of all sizes to ensure end-to-end encryption for wireless and wired devices. As a PKI expert, DigiCert participates in the Wi-Fi Alliance's push for higher security standards and plays an active role in moving the industry forward. DigiCert offers SecureWiFi Certificates worldwide in its effort to support a globally secure internet. DigiCert takes pride in offering best-in-class customer support in all areas of certificate management, including certificate ordering, installation, and implementation. We continue to be the go-to partner for emerging markets such as the Internet of Things, Wi-Fi security, and the Directed Exchange of healthcare information.

Global Reach & Odyssys™ Global Reach Technology is a software innovator and the leading provider of carrier-grade WiFi and Passpoint™ Hotspot 2.0 services. We have packaged our carrier-grade solution into our Odyssys™ software to provide businesses large and small with private and public WiFi built on a carrier-grade platform.

Chris Spencer (D.Sc) - VP Technology Global Reach Technology Limited http://www.globalreachtech.com

WiFi Captive Portals - There may still be life in the odd splash yet..

Google recently released Chrome version 42 to its beta channel for Android, Windows, Mac, Linux and Chrome OS. The latest Chrome beta shows of an interesting feature that makes web pages (web apps or more specifically for this article WiFi Captive Portals and Splash Pages) more like native apps including full push notifications …

Push notifications can allow users to opt-in to timely updates from the venue owner to effectively re-engage them with customised, engaging content long after they have left their WiFi service coverage area.

Chrome 42 Beta allows web developers to support push notifications to users through Google’s cross platform web browser. Similar to Safari on OS X, push notifications on Chrome require user permission before being turned on. Requiring the end user to effectively opt-in to receive these messages.

After the user has granted permission and effectively opted in to receive these messages, a developer can use the new Push API to remotely wake up their devices service worker using Google Cloud Messaging. Once awake, the service worker may run JavaScript for a short period, this Javascript at its minimum can receive a message and show a user-visible pop up notification. These notification can contain a short message, and a web link and a small icon. Driving engagement on or off the venues own WiFi network.

Odyssys™ can utilise Chromes new push notifications to allow captive portal owners the ability to ask users to subscribe to their venue’s messaging service. The true beauty being that the venue owners can interact with the users device well beyond the bounds of their own WiFi… Allowing Venue owners to extend their power and reach of their brand and engagement with customised tailored messages.

As of the release of Chrome version 42, the Push API and Notification API are available to developers to start working on these areas.

Odyssys™ already has the essential tools in place to provide push messaging and our enhanced location engine can help target and drive brand engagement beyond the reach of the venues WiFi. Further more the messaging does not have to be a one to many message, tailored or personal messages can be sent. When the user grants permission to receive these messages they become essentially a subscriber to the venues service and get assigned a unique subscriberID allowing for targeted messaging sending, based on demographics or other know information about that WiFi device, user or user habits.

The Web Push Protocol is a new standard which push providers can implement, allowing developers to not have to worry about who the push provider is. The idea is that this avoids the need to sign up for API keys and send specially formatted data, Currently in this Chrome implementation we do need to setup up an API key, as Google rolls out these features it is expected Chrome will adopt the full push standard just as Safari has and later remove this requirement.

Global Reach & Odyssys™ Push notifications can allow users to opt-in to timely updates from a Captive Portal or Splash page and allow you to effectively re-engage them with customised, engaging content.

Global Reach Technology is a software innovator and the leading provider of carrier-grade WiFi and Passpoint™ Hotspot 2.0 services. We have packaged our carrier-grade solution into our Odyssys™ software to provide businesses large and small with private and public WiFi built on a carrier-grade platform.

Chris Spencer (D.Sc) - VP Technology Global Reach Technology Limited http://www.globalreachtech.com

Carrier WiFi, It's no longer about cellular offload, its more about Mobile Convergence

Abbreviated as FMC or F/MC, Fixed Mobile Convergence is the term used to describe integrated seamless connectivity between fixed (cellular) and wireless (WiFi) networks.

Fixed Mobile Convergence is used by carriers to provide seamless switching between a cellular and local networks for mobile on the move users.

In the enterprise, the goal of FMC is to provide business users with one phone number for business calls, while being able to access corporate applications and data in a variety of different ways, via a variety of networks. To be a secure seamless connection, FMC would address network-based solutions, owned and run by the wireless operator; on-premise software that essentially provides a gateway between corporate data and the public network; and hybrids, third-party software built in partnership with the carrier that adds a layer of mobility software between the enterprise and the carrier.

With Hotspot 2.0 and WiFi calling that vision is now entirely possible. VoIP tried but wasn’t able to deliver, not because VoIP technology did not live up to expectations but mainly due to the hurdles connecting to every different mobile WiFi network and the interoperability between all the network operators and connection types ‘Network switching’, or ’Network Twitching’ became the issue.

A successful Hotspot 2.0 deployment can allow an operator to create global secure networks with near seamless connectivity and network switching, by ‘partnering’ with WiFi network operators.

In the background global Hotspot 2.0 roaming hubs like the Global Reach ‘Odyssys™’ platform have created an easy to connect mobile convergence solution for carriers to connect to and extend their footprint well beyond cell towers.

End user devices connect seamlessly to WiFi without the need to enter client credentials or signing up on every partner network just to get connectivity to make or receive that call or send that email. EAP-SIM or EAP-TTLS (and others) handle the security mechanism so all data is secure even in the air

Non SIM based devices have not been forgotten either, Odyssys™ also provides an Online Sign Up server or OSU as the term has become, allowing users to authenticate against their operators or enterprises client database to prove authenticity and have an on demand mobile configuration profile created, digitally signed and delivered securely to their device.. Allowing them to roam between networks just as any SIM based device can do.

Creating a mobile converged solution is possible today, Global Reach have pioneered the way with a number of world class Hotspot 2.0 enabled networks already delivering that ‘converged’ experience for carriers.

Chris Spencer (D.Sc) - VP Technology Global Reach Technology Limited http://www.globalreachtech.com

—-

EAP-SIM EAP for GSM Subscriber Identity Module (EAP-SIM) is used for authentication and session key distribution using the Subscriber Identity Module (SIM) from the Global System for Mobile Communications (GSM). GSM cellular networks use a subscriber identity module (SIM) card to carry out user authentication.

EAP-TTLS EAP-TTLS Authentication Protocol. EAP-TTLS (Tunnelled Transport Layer Security) is designed to provide authentication that is as strong as EAP-TLS, but it does not require that each user be issued a certificate. Instead, only the authentication servers are issued certificates.

Global Reach & Odyssys™ Global Reach Technology is a software innovator and the leading provider of carrier-grade WiFi and Passpoint™ Hotspot 2.0 services. We have packaged our carrier-grade solution into our Odyssys® software to provide businesses large and small with private and public WiFi built on a carrier-grade platform. —-

A Smartphone needs a Smart Network

We have all been into a location and found you have little or no cellular connection, you see the little ‘E’ or ‘GPRS’ on your phone and you know its going to be a slow day… You then notice the venue has WiFi, so you go to your devices WiFi manager and attempt to connect to one of the numerous networks (SSID’s) you see listed. You try each, one at a time getting more and more frustrated as you do, some you get an IP address but get the dreaded ‘Page not found’ some you don’t get an IP address and your device just sits there with a spinning wheel, some require a password just to connect, then eventually you find one that gives you an IP address, and you appear to have some sort of connection only to be presented to a webpage that now asks you to sign in or register, or choose from one of the numerous roaming partners, buy access, go to the counter and get a voucher… 

Shouldn’t a smart phone be a smart phone and sort this for you automatically? Your devices cellular connection does this for us all without us having to get our device out our pocket, just like when you step of a plane on vacation and get nice text message from your home network to say hola welcome to Spain, you are now connected over our partner network.. It simply works.. 

Well now WiFi is making a leap forwards into that grown up world, WiFi is becoming smarter, more intelligent with the latest draft specification from the WiFi Alliance® Hotspot 2.0 Technical Task Group, and network operators are taking this serious and deploying Smart WiFi ready for the demand, and the demand will be there we know from our ever increasing WiFi connections on our existing access points, more and more apps, games and business apps require a constant connection to the outside world. How many of us check our email, Facebook, twitter, linkedin, instagram or our bank account balance! When we are out and about, all requiring a secure fast reliable data connection, something WiFi has struggled with for years but failed often due to the complexities of the connection process being different at each location we visit. 

Hotspot 2.0 and more importantly release 2 of the specification allows our smart phone to make a smart choice to get us connected securely and quickly even before connecting to the access point our device has short listed the possibilities and our connection happens securely and seamlessly using our home network or subscription service credentials.

How does this magic happen?

Well the specification introduces a new method of connection, our mobile device (know as a station) will request information from nearby access points using a new protocol Access Network Query Protocol (ANQP) before making a choice on which access point to physically associate and connect to.

The Access Network Query Protocol is a query and response protocol that will inform our station of the services offered by an access point (AP), typically at a WiFi hotspot but this could quiet easily be a corporate headquarters, metro network, hot zone, airport or other such deployment.

The ANQP protocol requests metadata from the access point to help in the device's network selection decision including the APs operator's domain name, the IP addresses (Internet Protocol addresses) available at the AP, and information about potential roaming partners accessible through that AP or network and if the AP is actually operational and with a working backhaul link. It then uses this information to shortlist down to the networks you have valid credentials for. These credentials could be from your home mobile network operator or from a roaming consortium you pay a subscription to.

When a our device queries an AP using ANQP, that device receives a list of items (Metadata) that describe s the services available to you and at that location, without having to connect to the access point to test it first. 

This metadata can include such things as • Capabilities of the network(s) being accessed. • Venues associated with the AP. • Authentication types required by or available with the AP. • Network Address Identifier (NAI) realms accessible through the AP. • Information about 3G (third-generation mobile telephony) cellular networks available through the AP. • Emergency Alert System (EAS) message Uniform Resource Identifiers (URIs). • Emergency calling instructions (telephone numbers, for example to use in that location). • The geospatial and civic locations of the AP.

ANQP was also designed to be extensible and allows for third parties to add their own metadata, for what could become some new feature in the future. As yet it is to be seen what this could be, but as an idea it maybe possible to gather venue specific information to an app on a device or for better way finding.

ANQP forms the basis for 802.11u Institute of Electrical and Electronics Engineers (IEEE) specification, an amendment to the IEEE 802.11 set of protocols for wireless local area network (WLAN) operation. Originally published in February 2011, the 802.11u standard provides for connection to external networks using common wireless devices such as smartphones and tablets. One of the most notable applications of 802.11u is the emerging standard called Hotspot 2.0 (HS 2.0) for public-access WiFi. Release 2 of the specification published in February 2014 makes more leaps forward in bringing the cellular vision to out mobile devices.

Hotspot 2.0 release 2 devices that are Passpoint certified and that do not have valid credentials for any of the APs in the vicinity have not been forgotten about either in the new standard, those stations without credentials for any nearby APs can also query ANQP for a secure service to connect too that has responded as an Online Sign Up server (OSU).  The station then using one of its own pre-installed root certificates can create a secure connection to the OSU via the AP, before going through the OSU purchase or choice of service process to gain access to a WiFi plan at that location. Allowing all devices that are Passpoint certified to connect securely during the sign up and login process also.

Security and encryption is a big part and lies at the heart of Hotspot 2.0, its been designed to ensure a user entering information on the guest network to gain access is encrypted all the way to the OSU server as well as securing communication with your home network Authentication And Accounting server (AAA). Once authenticated and your station has been granted access, usually to the Internet your device is free to communicate to the outside world. 

The specification also allows where needed the means to advertise a service where your own data is carried back to your home network (tunnelled) before being allowed out to the internet, allowing for your home network operator (HNO) to offer the same or similar services to the user as they would expect on the real HNOs network, for example policy control or content filtering. It is guessed though that many HNOs will forgo this opportunity as the cost of tunnelling the users data and latency from various 3rd Party networks worldwide means this feature may go under utilised and the HNO will simply opt to allow the users data to break out to the Internet locally or from the AP operator’s own network.

Smart phones and Smart WiFi equals a Smarter Safer way to connect

This is where Odyssys plays a part

Introducing Odyssys. Every WiFi network needs a control platform. Odyssys has been built from the ground up over 7 years to deliver the ‘Next Generation of WiFi’. Used today to control access to large metro networks around the world.

Odyssys was chosen by Virgin Media to control access to the entire London Underground WiFi Network and installed in under 12 weeks in time for the London 2012 Olympics. Currently Odyssys controls and delivers over 2.2 million sessions a day and integrates into every UK Mobile Network Operator, O2, Everything Everywhere (Orange & T-Mobile), Vodafone providing the RADIUS hub for clients authentication requests, and all delivered over a single SSID fro Virgin Media.

The strength of scale that Odyssys brings has since been used by multiple Metro Networks, including a 26 mile long network in the Heart of London, the city centres of Leeds, Bradford, Birmingham and Hackney to name a few, and has also been used in Enterprise installations for Major Banks and NHS trusts.

In 2014 The City of San Francisco and San Jose wanted to bring together their Municipal networks as one. Offering the ability to sign up in one City and be able to roam, safely, securely and seamless between cities. Odyssys was their chosen partner. The captive portal prompts users with Hotspot 2.0 (Passpoint certified) devices to download a digitally signed mobile configuration that allows their devices to seamlessly connect in either city. These connections are permanently secure and seamless.

The City of San Francisco and San Jose now have a secure and scalable ‘Smart Network’ truly built for smart phones and smart devices. Both Cities are already in talks with other cities around the world that also want to extend and secure their public municipal networks and share in this seamless secure roaming experience for their citizens.

Odyssys allows interoperating roaming partnerships to be agreed between municipalities and delivers this vision today. Any Hotspot 2.0 access point hardware can be used with Odyssys providing a vendor agnostic approach seamless to the clients connecting.

Smart networks for smart devices exists today. Make the smart choice; ask for a demonstration of Odyssys Manger today.

Chris Spencer (D.Sc) - VP Technology Global Reach Technology Limited http://www.globalreachtech.com