Enterprise-grade authentication needed to secure exploding public Wi-Fi services

Growing demand for wireless data has boosted usage of public Wi-Fi networks for mobile traffic offloading, but a wireless expert has warned that it's still early days for new standards boosting the security and roaming capabilities of public Wi-Fi services.

Those standards – collectively known as Hotspot 2.0 and based on the 802.11u standard for flexible network connectivity – offer a higher level of authentication by requiring devices to authenticate themselves to the network as well as to the hotspot.

Broad implementation of the standard – currently supported on Apple iOS7 and iOS8 devices, some Samsung Galaxy phones and some other mobile devices – will help address the lack of low-level encryption over existing public Wi-Fi networks, Ruckus Wireless technical engineer David Wright told CSO Australia.

“Most Wi-Fi is open-access technology,” he explained, “and once you've been authenticated the actual traffic going across the network is not encrypted. You may be doing higher-level encryption at the service layer, but you can't count on the security of the air link itself.”

This insecurity has been flagged by some security experts as potentially putting enterprise data at risk when employees connect to insecure Wi-Fi hotspots, or even to fraudulent hotspots designed as honeypots to collect users' details.

Hotspot 2.0 specifications address this by enforcing tighter authentication principles and enabling support for digital credentials – a mobile device's SIM card, a conventional username and password, or a full X.509 certificate issued through a Wi-Fi Alliance backed PKI infrastructure – that must be validated by a back-end RADIUS server in order for access to be granted.

Compatible hotspots advertise a range of information, including using the Access Network Query Protocol (ANQP) to advise with which global carriers its operator has Wi-Fi roaming agreements.

Other information, such as the capacity of the backhaul, services available, a digital certificate attesting to the identity of the hotspot, and other details can also be exchanged using the Access Network Query Protocol (ANQP) before the client device initiates the actual connection process.

The entire link remains encrypted throughout the session, relying on dynamically generated keys that expire after the session finishes.

While the technology works, adoption remains spotty despite growing reports such as those suggesting that some carriers are injecting advertisements into public Wi-Fi services. Telstra last year announced it would be Australia's first Wi-Fi provider to offer Hotspot 2.0 capabilities over the nationwide Wi-Fi network it expects to launch this year after a trial late last year.

iiNet, for its part, is also building a major public Wi-Fi network in the ACT that will see over 700 wireless access points installed by next month. Victorian cities including Melbourne, Ballarat and Bendigo will also receive coverage.

This process would also facilitate the automatic logon of customers belonging to frequent-flyer, hotel or other loyalty programs, allowing them to add global roaming as a value-add.

“It's quite a fundamental overhaul of the way Wi-Fi works,” Wright explains. “Until now, the client has only been able to access very limited information about the access point before it makes a determination about whether to connect or not.”

“With Hotspot 2.0, we can provide a wealth of information about the client and hotspot. The client can validate that it's talking with a trusted infrastructure component before it passes any information to the server.”

Ruckus – which dominates the provision of public Wi-Fi infrastructure in numerous countries – has been adopted by “hundreds of thousands of access points” managed by US-based Time Warner Cable and Boingo, with telcos in Europe and Asia also running the technology across a range of cities.

Back-end equipment requires certification to the v2 standard, but Ruckus is “now waiting for client support to catch up,” Wright said, noting that once it's widely adopted the active validation of connecting devices will boost user security to “the same level of security in public Wi-Fi that we've used in enterprise environments for years.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Feeling social? Follow us on Twitter and LinkedIn Now!

Tags iiNetenterpriseauthenticationsamsung galaxySecure WiFiHotspot 2.0Apple ios7wireless dataBendigoiOS 8CSO Australiapublic Wi-Fi networksAccess Network Query Protocol (ANQP)

Show Comments