The latest country in Asia to fall to WiFI Master Key is Thailand. Last week it was Taiwan and before that Malaysia and Vietnam. The app allows users to crowdsource WiFI login credentials for WiFi hotspots allowing users to retrieve the credentials for a hotspot without ever having to know the details. So far the app has recorded 500 million users and there have been 1.7 billion connections to hotspots.
Once users have installed the App it will look for available WiFi hotspots near the user. Those hotspots where a user can connected for free are shown with a blue key. All a user has to do is click on that hotspot and then login credentials are shared to their device enabling them to immediately connect to the hotspot. The tool is free to use and the users never get to see the login credentials.
This latter is important because the login credentials are not only sent encrypted but according to the app owners they are never stored on the local device.
Should WiFi Master Key worry IT security teams?
According to the FAQ, the answer is , no. In practice the answer could very well be Yes.
This is not unlike Windows 10 where WiFi users can end up sharing their work WiFi to friends and business partners. To activate a hotspot all that is required is for the WiFi owner to use the app and insert the credentials. That said, the only way WiFi Master Key seems to decide if you are the WiFi owner is because you know the username and password.
There is nothing to stop employees choosing to share the login credentials with WiFi Master Key making your enterprise hotspots available to everyone who uses the app. This raises the question over insider threat to a business. If any user who knows the login credentials can pretend to be the hotspot owner then they can share the details to people they know to access the hotspot.
A social dimension for businesses
One of the challenges that mobile operators have faced in areas where signal is weak, especially in large cities, is getting businesses to install a picocell that could then be shared with non business users out of office hours. Although they have had limited success they had also tried to get companeis to share WiFi credentials using a Guest system. This has had even less success as security access even to guest networks still requires a username and password.
One of the opportunities here for companies is that they can now create the guest network and then share it with WiFi Master Key. There is no charge for sharing access and it may mean that in areas where commercial free WiFi access is poor, this could provide an alternative approach.
Nothing is ever for free
WiFi Master Key talks about there being no charges for users or hotspot owners. However, nothing is ever free and the new virtual currency is privacy data. In this case, ever time you use the service WiFi Master Key will capture the phone number (not stated if this is registered phone number or IMEI), IP address and length of visit.
In truth, this is a reasonably minimal data grab and WiFi Master Key explain that they need some of this, such as the details of the IP and the length of connection in order to monitor the hotspot and their application usage. Gathering the phone number on top of that makes sense as countries increasingly require operators of mobile services to capture this data as part of ongoing security legislation.
What is refreshing is that WiFi Master Key provide an email contact for their Data Protection Officer enabling users to ask for their details to be removed from the system or any other queries. This is something that can often be hard to find on many websites.
In an increasingly mobile world this is an interesting app that will get the attention of a lot of users. While there is a need to tighten the method by which hotspots need to be shared the system at least does not share login credentials in clear. It will also update details if the owner changes the password.
There may be some technical and even legal challenges to bringing the app to Europe but if WiFi Master Key can overcome these and deliver support for other platforms such as iOS, it would be likely to repeat its success in Asia.