Why IT security in flexspaces can’t be an afterthought


IT security can feel like a constant headache. From Face ID and 2FA authentication to deciphering blurry traffic light photos to prove you’re human, the roadblocks never end. And who hasn’t groaned at the dreaded “change your expired password” reminder? As irritating as these measures are, they play a critical role in keeping us safe online. Security may be annoying, but it is essential.

At technologywithin we know this challenge better than most. As creators of tech products, we are tasked with the delicate balancing act of delivering products that are both secure and user-friendly – two objectives that don’t always align.

In the flexible workspace industry the stakes are even higher. Our solutions don’t just serve building owners and operators, they directly impact their customers - end users who expect reliable and secure connectivity. As more corporate clients become part of the flex space ecosystem, questions around network and data security are becoming increasingly important. These customers want assurance that their networks will be properly secured, segregated from others in the building and compliant with their own rigorous security policies and standards.

When security fails, trust crumbles. End users must be able to trust their operator, who, in turn, relies on their tech provider for security and reliability. A failure at any point in this chain can have severe consequences.

With this in mind, we’ve become concerned with the growing presence of flexspace tech products on the market that seem to prioritise convenience at the expense of security, leading to inadequate security standards. In this article we aim to help operators better understand the risks involved and make more informed choices when choosing a tech provider.

Building private, secure networks in flexspaces

A key component of any flexspace tech system is the ability to move end users onto their own private network. This network is “ring-fenced” exclusively for the end user’s company, ensuring that their data and activity are completely isolated from other occupants in the building. While a second network for guests and visitors may exist, our focus here is on the secure networks for building occupiers.

A common feature of nearly all flexspace tech stacks is VLAN (virtual local area network) technology. VLANs have long been a trusted IT solution designed to separate networks running on common equipment. Their reliability and security make them an ideal choice for flexspaces.

The key differentiator lies in how the tech product associates a particular end user device to the correct VLAN. It is crucial that this is handled properly and securely, because if a device mistakenly ends up on the wrong VLAN, it could give unauthorised access to another end user’s network, posing a major security risk.

Why MAC address authentication falls short

Every device that connects to a network has a unique identifier, known as a MAC address, for each of its wired and wireless interfaces, similar to a fingerprint or a phone number. Because each MAC address is unique, it may seem like a logical approach to use it to pre-register the device to a specific user in the building.

Once registered, whenever the MAC address of the device appears on the network, the device is automatically assigned to the VLAN of that user’s company. Seems simple and secure, right?

But here’s the problem: MAC addresses are alarmingly easy to spoof.

It is incredibly simple to change a device’s MAC address to match that of any other device. No specialist equipment is necessary – this can be done in seconds on a Windows laptop, natively within Windows and without any additional software.

So, if you were to change your laptop’s MAC address to match that of another user’s device in the building and connect to the network, you would be placed on that company’s private network. This would give instant access to the company’s shared network resources. This vulnerability puts entire networks – and the sensitive data within them – at risk.

To make things worse, MAC addresses are very easy to find. Because they are essential for network communications, they are transmitted over a network in unencrypted form. A malicious actor could take a snapshot of the network traffic, an action called sniffing, and identify MAC addresses within seconds.

‘Sniffing’ can be done wirelessly, and again doesn’t require any specialist equipment – just a regular laptop and freely available security software will suffice. Even more worrying, if there is a wireless signal outside the building, hackers wouldn’t even need physical access to the building to carry out this simple hack. At a recent conference, a quick scan with a free smartphone app revealed the MAC address of every device connected to the building’s wireless network.

The usability drawback of MAC authentication

MAC addresses have long been used by wifi providers to track users online, but with increasing public pressure for more privacy, both iOS and Android have introduced a feature called “MAC address randomisation”. This feature, by default, hides a phone’s real MAC address when it connects to a network and sends a different one in its place, giving users a greater degree of privacy online.

This of course presents a challenge for MAC address VLAN authentication unless users disable this privacy feature. This undermines the simplicity of the method, as it requires users to adjust their device settings, creating a less seamless experience.
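As an added example (not code from this article or from technologywithin’s products), the following Python runs two defender-side checks over a constructed log of MAC-to-VLAN associations as a MAC-authenticated system might record them: it flags randomised (locally administered) MAC addresses, which the randomisation feature above will change between connections, and it flags one MAC address associating on two different access points within a short window, which is what a cloned MAC looks like from the infrastructure side. The log format, access point names, MAC addresses and VLAN IDs are all made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, access point, client MAC, assigned VLAN.
SAMPLE_LOG = """\
2024-05-01T09:00:01 ap=floor2-east mac=3C:22:FB:10:AA:01 vlan=110
2024-05-01T09:00:05 ap=floor2-east mac=DA:4F:12:9B:77:C3 vlan=110
2024-05-01T09:00:20 ap=floor3-west mac=3C:22:FB:10:AA:01 vlan=110
2024-05-01T09:40:00 ap=floor2-east mac=3C:22:FB:10:AA:02 vlan=120
2024-05-01T10:05:00 ap=floor3-west mac=3C:22:FB:10:AA:02 vlan=120
"""

LINE_RE = re.compile(r"^(\S+) ap=(\S+) mac=([0-9A-Fa-f:]{17}) vlan=(\d+)$")


def parse_log(text):
    """Parse the (hypothetical) association log into (time, ap, mac, vlan) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ap, mac, vlan = m.groups()
            events.append((datetime.fromisoformat(ts), ap, mac.upper(), int(vlan)))
    return events


def is_locally_administered(mac):
    """True when the U/L bit (0x02) of the first octet is set: the address was
    chosen by software, e.g. iOS/Android MAC randomisation, not assigned by the vendor."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def find_anomalies(events, window=timedelta(seconds=60)):
    """Return findings for review:
    - 'randomised': a randomised MAC was mapped to a private VLAN; the mapping
      breaks when the OS rotates it, or the user had to disable the privacy feature;
    - 'concurrent': one MAC seen on two different APs within the window, a
      heuristic signal of a cloned address (fast roaming can also trigger it)."""
    findings = []
    seen = defaultdict(list)  # mac -> list of (time, ap)
    for ts, ap, mac, vlan in events:
        if is_locally_administered(mac):
            findings.append(("randomised", mac, vlan))
        for prev_ts, prev_ap in seen[mac]:
            if prev_ap != ap and abs(ts - prev_ts) <= window:
                findings.append(("concurrent", mac, (prev_ap, ap)))
                break
        seen[mac].append((ts, ap))
    return findings
```

Run against the sample, it reports one randomised address on VLAN 110 and one address seen on floor2-east and floor3-west 19 seconds apart, while the legitimate move of the second laptop 25 minutes later is left alone.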

The Gold Standard for wireless VLAN authentication

At technologywithin we don’t cut corners. That’s why we don’t rely on MAC address as a primary authentication method. Doing so would jeopardise the integrity of our system and erode the trust our customers place in us.

Instead we use Enterprise Encryption (WPA2 Enterprise), which encrypts each user’s connection with a unique encryption key. This is the gold standard for wireless encryption in Flex and ensures that wireless “sniffing” cannot decrypt other end users’ data. VLAN allocation is handled securely by a RADIUS server linked to a username and password. At no point is the device’s MAC address involved in the process.

A trade-off worth taking

As mentioned earlier, security often comes with a trade-off. In the case of WPA2 Enterprise, depending on the device used, users may need to accept a certificate the first time they connect to the network. While this adds a couple of extra clicks, it’s a one-time setup.

Once set up, users can enjoy seamless, secure access every time they enter the building. For customers using our Nomad roaming feature, this convenience extends across multiple locations. We feel this minor inconvenience is a trade-off worth taking.

Summary

Choosing a tech provider for your flexspace is a long-term commitment, so it’s crucial to do your due diligence.

A full IT security audit should be a part of your evaluation process. The example discussed here is just one of many security points to look out for, but it is an important one. If your provider is using MAC address authentication, don’t hesitate to ask for more details and consider involving a third-party consultant to help you make your choices.

Overlooking security could come back to haunt you - whether it’s losing a major prospect who asks tough technical questions or facing the fallout of a significant security breach.

Security isn’t optional. It’s an essential component of any successful flexspace. Don’t take it for granted.


Dr Adam Case
Technical Director
technologywithin