Hospital Wifi security review

I managed to land in Denmark's second largest hospital, the Odense University Hospital (referred to as OUH in Danish). Since I've been informed that I will have to stay here for several days, I began to accommodate myself (networking wise, as in doing my first wifi security review). There is only one free network available for patient/guest access, and several others for staff usage. Most users wouldn't be interested in the deeper information about the networks, but I was, so I started digging a bit into it. Brace yourself, it's a long one.

Informative brochure about the guest wifi

I found informative brochures around the hospital, one specifically about the guest wifi. It was only in Danish. The instructions are listed clearly enough, pointing users to the SSID (Gaestenet) and to the specific page where they must log in using their name, address and Danish civil registration number. You are also warned about activity tracing along with time usage and that, at the request of a legitimate authority, the hospital is obligated to disclose any user related information.

[Image: patient-brochure]

There are also some “common-sense” rules stated:

  • you agree to comply with the law for using the Internet (thanks for NOT pointing to the exact law)
  • you must not visit certain pages with content that may seem objectionable to other people (I can guess what they are referring to, but I think they could have been more specific)
  • stick mainly to the services from well-known companies or organizations
  • the free gaestenet is provided by Region Syddanmark as a service – capacity is limited and shared between multiple users
  • downloads from the Internet may only be made if they are not contrary to the laws and rules, in particular copyright
  • avoid video streaming so that you are not putting a strain on the network

And some advice regarding safety:

  • protection is not provided and the user has the responsibility to protect his equipment with firewall and/or antivirus software
  • the providers disclaim any responsibility for “virus attacks” and abuse as a result of use

For a typical user the brochure is informative enough, but for a more technical user it's not specific enough. I was asked by one of the visitors how she could get internet access. The reception staff had told her to connect to the SSID, but she wasn't redirected automatically to the authentication page.

Network setup and authentication

I couldn't help noticing that the wireless repeaters are placed within the visitors' reach. In other words, anybody can just unplug them and walk away (with or without them).

[Image: close-wifi-repeater]

I guessed it from the beginning and yes, they are using RADIUS with either an internal database or SQL authentication against the Danish civil registration numbers. A session lasts for about 8 hours. Considering that the average visitor stay is shorter than 8 hours, the session could be shortened so that the network tables aren't that “crowded”. They are also checking whether the name, address and registration number actually match (I'm not being sarcastic, I actually didn't expect that).

[Image: ouh-login-fail]

The interesting thing is that they eliminated the case-sensitivity confusion, and they also accept only the first name or the surname.

Although users are asked not to clog the bandwidth too much, there is no network restriction enforcing this. There is no speed or port restriction; I was able to verify this with speedtests, reaching download speeds of up to 2 MB/s on a Saturday night. Pretty good for a guest wifi network.

[Image: ouh-test-dwd]

Abuse is detected at some point, though, and internet access is then restricted.

Bypassing abuse restriction

After I lost my internet connectivity, my first thought was how to bypass this. My first idea was to use different DNS servers (Google's servers – 8.8.8.8 and 8.8.4.4) than those assigned by the DHCP server. I got some refused queries.

[Image: ouh-dns-refused]

My next idea was to change my MAC address and reauthenticate. Yes, it worked, but this wasn't everything. Reverting to the DNS servers assigned by the DHCP server stopped my connectivity. I suspect a hostname detection issue, because reconnecting with the normal MAC address and the external DNS servers worked the second time.

Conclusion

I take free access to information seriously, as well as security awareness and informing the user properly. The wireless network setup at OUH is good, but like almost anything on this earth it can be improved, from both a security and a user experience point of view. I am aware that this is a public institution and that, of course, this is dependent on budgeting and established purposes.

The good

  • network separation for guests
  • encrypted authentication

The bad

  • although the coverage is good, the network can't support the (very many) visitors on week days
  • relatively easy to carry out denial of service attacks (clogging the bandwidth – no port / speed restriction, late abuse detection; devices within physical reach)
  • relatively easy to bypass the abuse restriction

Suggestions

  • reception staff must be informed better
  • leaflets/brochures must be more visible, available in at least one international language and more detailed to avoid “misinterpretation”
  • restricting usage of external DNS servers
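As an added example that is not part of the original review, here is a defender-side sketch of the last suggestion: a small Python script that flags guest clients sending DNS traffic to anything other than the DHCP-assigned resolvers, run over constructed flow records, and that renders the nftables rules which would enforce that policy on the guest VLAN. The guest subnet, resolver addresses and flow lines are made-up assumptions, not OUH's real configuration.

```python
import ipaddress
from collections import defaultdict

# Assumed (constructed) guest subnet and the resolvers its DHCP hands out.
GUEST_SUBNET = ipaddress.ip_network("10.50.0.0/16")
DHCP_RESOLVERS = {ipaddress.ip_address("10.50.0.2"), ipaddress.ip_address("10.50.0.3")}

# Constructed flow records: "src_ip dst_ip proto dst_port", one per line.
SAMPLE_FLOWS = """\
10.50.12.7 10.50.0.2 udp 53
10.50.12.7 8.8.8.8 udp 53
10.50.12.7 8.8.4.4 udp 53
10.50.12.7 93.184.216.34 tcp 443
10.50.31.9 10.50.0.3 udp 53
10.50.31.9 10.50.0.3 udp 53
10.50.44.1 1.1.1.1 tcp 53
"""

def parse_flow(line):
    """Split one flow record into typed fields."""
    src, dst, proto, port = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(port)

def external_dns_by_client(text):
    """Map each guest client to the non-DHCP resolvers it sent DNS to.
    Clients that only talk to the appointed resolvers do not appear."""
    hits = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, _proto, port = parse_flow(line)
        if src not in GUEST_SUBNET or port != 53:
            continue  # not guest traffic, or not DNS
        if dst not in DHCP_RESOLVERS:
            hits[str(src)].add(str(dst))
    return dict(hits)

def nft_guest_dns_rules(subnet=GUEST_SUBNET, resolvers=DHCP_RESOLVERS):
    """Render nftables rules (assumed syntax) that allow guest DNS only to the
    appointed resolvers and drop every other port-53 flow from the subnet."""
    allowed = "{ " + ", ".join(sorted(str(r) for r in resolvers)) + " }"
    rules = []
    for proto in ("udp", "tcp"):
        rules.append(f"ip saddr {subnet} ip daddr {allowed} {proto} dport 53 accept")
    for proto in ("udp", "tcp"):
        rules.append(f"ip saddr {subnet} {proto} dport 53 drop")
    return rules

if __name__ == "__main__":
    for client, servers in external_dns_by_client(SAMPLE_FLOWS).items():
        print(f"{client} used external DNS: {', '.join(sorted(servers))}")
    print("\n".join(nft_guest_dns_rules()))
```

The same policy check also catches the DNS-over-TCP case, so a client switching transports does not slip past it.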