Riding the WiFi train, securely

Opinion by Nathan Pearce

Most Londoners will have seen by now that the Tube is due for an upgrade prior to the Olympic Games this summer.

This upgrade will also add a WiFi network for passengers waiting at platforms to enable them to surf the web, access emails and do their shopping online. WiFi will be accessible to staff and passengers and, consequently, may also carry communications between employees on the platform and those in the control room.

In the aftermath of the 7/7 bombings, the need for a more advanced communications system was identified and, as a result, Transport for London (TfL) put in place the £2bn Connect digital radio system. The WiFi upgrade will add another layer of sophistication on top of this, providing another advanced communications channel to staff.

With most underground platforms in the region of 140 metres long, range is no problem for a couple of WiFi access points on each platform: the effective range of WiFi is usually between 30m and 95m, depending on the power, number of antennae and the wireless standard used.

Although the eastbound platform at Hornchurch (at 231 metres) may cause a few headaches, there should be few issues providing an effective connection. Indeed, most consumers using smartphones and tablets on the move will be used to 3G speeds (on average, around 2.7Mbps in London), meaning that internet access underground may actually be quicker than that experienced above ground.

Furthermore, because the service is restricted to platforms, maintenance will be much easier than if access points were located in the tunnels and WiFi were granted to passengers on trains. However, with staff and the general public sharing WiFi access, there are a few obvious security and technical concerns.

The two main implications for staff and consumers sharing WiFi are security and availability. It is absolutely imperative that staff can continue to communicate and access both internal and external resources (such as intranet or website content) however crowded the station platform and however many consumers are using the WiFi.

While many of the conversations and data exchanges between staff will be reasonably mundane, a number will also be confidential, so these WiFi streams must not only be available, but also separate and secure.

There are a number of ways to accomplish this, but the simplest is to take a two-tier approach. TfL could segment the available bandwidth from the routers between staff and the general public, using a policy to define these amounts, based on availability.

There should also be the provision for overriding these limits in the event of an emergency and platform staff needing high bandwidth for high-resolution repair manuals or engineering diagrams.

On security, while the public should enjoy reasonably open WiFi access, staff should connect via SSL VPNs, whereby all traffic is encrypted and each user has their own secure tunnel.

Mobile users will be used to roaming between masts, but roaming is not typically supported by VPNs over WiFi. Many do feature automatic reconnection so that data and downloads are not lost, but with staff connecting on platforms and WiFi range generally extending for most of this distance, this should not cause problems and roaming/automatic reconnection may not even be necessary.

SSL VPNs that use encryption and tunneling protocols to keep data secure should safeguard private information and, even in an extreme case, should not be intercepted by vandals or other parties. The security standards will still need to be revisited periodically, but this should not be a challenging issue.

The WiFi system will need a degree of application awareness: emergency phone calls made by staff should be given absolute priority, whereas web browsing is much less important (in most cases); but these policies will need to be set by TfL, or by individual stations according to their needs.
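The two-tier bandwidth split with an emergency override described above, combined with the application awareness this paragraph asks for, can be expressed as a small allocation policy. The following is an added example written for this page; it is not TfL's policy or F5's code, and the class names, guarantees, link capacity and demand figures are all constructed assumptions:

```python
"""Two-tier bandwidth policy with application priority and emergency override.

Added example, not part of the original article. Every traffic class,
guarantee and capacity figure below is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TrafficClass:
    name: str
    priority: int            # lower number is served first
    staff: bool              # True for staff tiers, False for the public tier
    guaranteed_mbps: float   # minimum reserved share under normal operation


# Constructed policy: emergency voice first, then staff data, then public browsing.
POLICY: List[TrafficClass] = [
    TrafficClass("staff-emergency-voice", 0, True, 2.0),
    TrafficClass("staff-data", 1, True, 10.0),
    TrafficClass("public-web", 2, False, 20.0),
]


def allocate(policy: List[TrafficClass], demands: Dict[str, float],
             capacity_mbps: float, emergency: bool = False) -> Dict[str, float]:
    """Return the bandwidth (Mbps) granted to each class.

    Phase 1 hands every class its guaranteed minimum (capped by demand), so the
    public tier cannot starve staff traffic and staff cannot starve the public
    tier in normal operation. Phase 2 distributes whatever is left in strict
    priority order, which is what gives emergency calls absolute precedence.
    With emergency=True the public guarantee is lifted, so public traffic only
    receives what staff do not need (e.g. for high-resolution repair manuals).
    """
    order = sorted(policy, key=lambda c: c.priority)
    alloc = {c.name: 0.0 for c in policy}
    remaining = float(capacity_mbps)

    # Phase 1: guaranteed minimums (public guarantee suspended in an emergency)
    for c in order:
        guarantee = 0.0 if (emergency and not c.staff) else c.guaranteed_mbps
        share = min(demands.get(c.name, 0.0), guarantee, remaining)
        alloc[c.name] += share
        remaining -= share

    # Phase 2: leftover capacity, strict priority, never exceeding demand
    for c in order:
        extra = min(demands.get(c.name, 0.0) - alloc[c.name], remaining)
        if extra > 0:
            alloc[c.name] += extra
            remaining -= extra
    return alloc


if __name__ == "__main__":
    busy_platform = {"staff-emergency-voice": 1, "staff-data": 15, "public-web": 50}
    print("normal   ", allocate(POLICY, busy_platform, capacity_mbps=40))
    incident = {"staff-emergency-voice": 1, "staff-data": 35, "public-web": 50}
    print("emergency", allocate(POLICY, incident, capacity_mbps=40, emergency=True))
```

On a 40Mbps link the normal case gives staff their full 15Mbps and the public the remaining 24Mbps; with the emergency flag set, staff data can take 35Mbps and the public tier drops to 4Mbps without any manual reconfiguration. In a real deployment the class a packet belongs to would be decided by the access point's or controller's traffic classifier, and the policy itself would be owned by TfL or the individual station, as the article notes.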

There are a small number of other security concerns that TfL should bear in mind, one of which is that of rogue access points. Although it is unlikely, it is possible that someone could set up a WiFi hotspot concealed in a station, connect it to an authentic access point and configure it to look identical and intercept all of the network traffic and private data.

This is reasonably simple to avoid by configuring an extra access point at each station to monitor for any changes to WiFi configuration and alert the relevant staff. In any case, given the physical geography of the average underground station, setting up a rogue access point undetected would be quite difficult.
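The monitoring access point described above has to compare what it hears on the air against a list of what should be there. The script below is an added example of that comparison, written for this page rather than taken from TfL or F5; the SSIDs, BSSIDs, channels and scan results are all constructed, and the scan is assumed to arrive as a list of dictionaries produced by whatever monitoring tool is in use:

```python
"""Rogue and evil-twin access point detection from a monitoring AP's scan.

Added example, not part of the original article. The inventory and the scan
results are constructed; a real deployment would feed in the monitoring AP's
own scan output in the same shape.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ApConfig:
    ssid: str
    channel: int
    security: str   # e.g. "WPA2-Enterprise", "Open"


# Constructed inventory of authorised access points, keyed by BSSID (MAC address).
AUTHORISED: Dict[str, ApConfig] = {
    "00:11:22:33:44:01": ApConfig("TfL-Staff", 1, "WPA2-Enterprise"),
    "00:11:22:33:44:02": ApConfig("TfL-Staff", 6, "WPA2-Enterprise"),
    "00:11:22:33:44:11": ApConfig("TfL-Public", 11, "Open"),
}

# Constructed scan results, as the monitoring AP might report one sweep.
SCAN_RESULTS = [
    {"bssid": "00:11:22:33:44:01", "ssid": "TfL-Staff", "channel": 1, "security": "WPA2-Enterprise"},
    {"bssid": "00:11:22:33:44:02", "ssid": "TfL-Staff", "channel": 6, "security": "Open"},  # security downgraded
    {"bssid": "00:11:22:33:44:11", "ssid": "TfL-Public", "channel": 11, "security": "Open"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "TfL-Staff", "channel": 1, "security": "WPA2-Enterprise"},  # evil twin
    {"bssid": "aa:bb:cc:dd:ee:ff", "ssid": "CoffeeShop", "channel": 3, "security": "WPA2-Personal"},  # neighbour
]

Alert = Tuple[str, str, str]   # (severity, bssid, message)


def audit_scan(scan: List[dict], authorised: Dict[str, ApConfig] = AUTHORISED) -> List[Alert]:
    """Compare one scan against the inventory and return alerts.

    critical: an unknown BSSID is advertising one of our managed SSIDs (evil twin)
    high:     a known BSSID's SSID, channel or security no longer matches inventory
    medium:   an authorised AP was not heard at all (possibly jammed or unplugged)
    Unknown BSSIDs with unrelated SSIDs are neighbouring networks and are ignored.
    """
    managed_ssids = {cfg.ssid for cfg in authorised.values()}
    alerts: List[Alert] = []
    seen = set()
    for obs in scan:
        bssid = obs["bssid"].lower()
        seen.add(bssid)
        expected = authorised.get(bssid)
        if expected is None:
            if obs["ssid"] in managed_ssids:
                alerts.append(("critical", bssid,
                               f"unknown AP advertising managed SSID {obs['ssid']!r}"))
            continue
        observed = ApConfig(obs["ssid"], int(obs["channel"]), obs["security"])
        if observed != expected:
            alerts.append(("high", bssid, f"config drift: expected {expected}, observed {observed}"))
    for bssid in authorised:
        if bssid not in seen:
            alerts.append(("medium", bssid, "authorised AP not heard in this scan"))
    return alerts


if __name__ == "__main__":
    for severity, bssid, msg in audit_scan(SCAN_RESULTS):
        print(f"[{severity}] {bssid}: {msg}")
```

Run periodically, this turns the extra access point into a simple wireless intrusion detection sensor: the constructed scan above produces one high alert (an authorised staff AP now beaconing as an open network) and one critical alert (an unfamiliar BSSID impersonating the staff SSID). Because a BSSID can itself be cloned, commercial wireless IDS products also compare attributes such as signal strength and timing seen from several sensors, so a match on SSID and BSSID alone should be treated as a first check rather than proof of legitimacy.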

There is little doubt in most people's minds that WiFi on the London Underground will be a huge asset to the city before, during and after the Olympics. While there are a number of concerns, TfL will undoubtedly have done its due diligence and both secured and separated WiFi data streams for passengers and staff. As long as a few straightforward steps are followed, it should enhance the lives of both commuters and tourists significantly.

Nathan Pearce is EMEA product manager at F5 Networks
