Securing open hotspots

Recent advances in Wi-Fi technology that automatically secure client devices in open hotspots have the potential to forever change mobile data access.

Hotspots are the thing. People everywhere now have an insatiable demand for constant connectivity. You’re probably one of those people.

That’s why public hotspots are predicted to rise by 350% by 2015, and the number of private hotspots is expected to hit over 640 million.

public wifi hotspots worldwideprivate wifi hotspots worldwide

While global public and private hotspots are exploding so is identity theft, fraud and other criminal activities that can be made possible through access to unencrypted confidential information.

So despite this insatiable desire for connectivity, users are becoming more aware and fearful that their communications at open hotspots could be compromised.

Most businesses with a knowledgeable IT staff will take the time to secure their internal wireless infrastructure with suitable encryption techniques. But most public hotspots are not encrypted or protected in any way.

This means that users are potentially vulnerable to attacks or confidentiality breaches. This is also a major problem for enterprises with limited IT staff that want to offer safer guest access but don’t have the time or expertise to implement robust wireless security. To provide a more secure hotspot experience, authentication (i.e., the user’s identity) and encryption (data scrambling) are the two primary security items that should be addressed.

Security at the transport layer (e.g. HTTPS) does help by encrypting transmissions between the client and the destination server. However users want more assurances at the link layer (layer 2) as their traffic goes flying through the air.

Security at Today’s Hotspots

Traditional approaches to link layer encryption require users to select an SSID and enter some sort of shared encryption key or passphrase to scramble their data flying through the air. Wi-Fi access at hotspots, your typical Starbucks or airport of choice, is generally provided over an open SSID that is easy to find – requiring users to simply accept general terms and conditions of use with no encryption of their data transmissions.

Because today’s hotspots employ open connections, which don’t offer any form of link-layer security, users can be subject to the following attacks:

  • Hi-jacking. This where an attacker impersonates the access point to which the user’s device is associated, causing the device to disassociate from the Wi-Fi network. The attacker then assumes the user’s session, effectively stealing their service.
  • Cookie-cutting. In this case, the attacker snoops on unencrypted Wi-Fi communications and intercepts a user’s session cookie allowing the attacker to access private user content on Web pages.
  • Evil twin. In this attack, an attacker sets up a rogue access point whose SSID is set to the same name as that of an access point deployed by a legitimate hotspot provider. This attack can be used for identity theft.
  • Eavesdropping. This is where unencrypted Wi-Fi communications are intercepted by an attacker, compromising personal information such as passwords, credit card numbers, and email information.

Most enterprise networks don’t have these Wi-Fi security problems because they make use of the IEEE 802.11i security framework that leverages WPA2-Enterprise encryption and EAP authentication. In hotspots however, 802.1X communications are typically not offered. As a result, users have no assurance their connection is secured and their data protected. In other words, the security setting in hotspots is typically “open.” So while users will be authenticated, there is no attempt to ensure that the on-going access provided is encrypted to prevent security breaches.

Finally, the use of WPA2-Enterprise can make it difficult for clients to roam among different Wi-Fi hotspots. If the mobile device’s connection manager doesn’t recognize the SSID for a roaming partner’s network, it won’t attempt to join that network. And most of the time, users don’t know the SSID for a roaming partner’s network.

What if there were a way to automatically provide encrypted access through an open SSID without users having to do anything other than click a box to select a more secure connection? That could be the holy grail of hotspots.

Cool Technology Behind Secure Hotspots

At a high level, secure hotspot technology pushes much of the Wi-Fi security process — typically a manual process performed by each user, into the network while providing new methods for configuring client devices without cumbersome keying of SSIDs and encryption keys. Doing this can completely transform and protect users’ hotspot experience with little to no effort.

At the heart of secure hotspot technology are two essential tasks:

1) generating unique encryption keys for each user; and

2) automating the configuration of these keys and other Wi-Fi information within the user’s device.

Two exciting technologies are in progress or already available to solve these problems: Hotspot 2.0 and new secure hotspot technology.

Hotspot 2.0 is a global initiative championed by the Wi-Fi Alliance (WFA) and Wireless Broadband Alliance (WBA) to address a myriad of Wi-Fi hotspot concerns ranging from automating the authentication and security of Wi-Fi connections to provisioning policy, establishing roaming agreements and ultimately the seamless transition between Wi-Fi and cellular networks. Hotspot 2.0 is an ideal way for carriers and enterprises to address some of these specific Wi-Fi hotspot security concerns when commercial Hotspot 2.0 network services become available in the future.

Beyond the larger Hotspot 2.0 framework, recent advances in Wi-Fi and Wi-Fi security now provide a way for public venues, enterprises and carriers to offer secure hotspots through an open Wi-Fi network. This has the advantage of requiring no new protocols or software support (Hotspot 2.0) and works across nearly all Wi-Fi enabled devices.

Figure: How Secure Hotspot Technology Works

how to secure wifi connection

With secure hotspot technology, once a client associates to a open SSID from an access point, the wireless LAN (WLAN) controller sends the client device to a predetermined Web portal. The end user is then asked if he wants a secure or open connection.

After signing in, a unique 63-byte encryption key with a limited life span is generated and bound to the user device by the WLAN controller. Vendors often call this capability Dynamic Pre-Shared Keys (DPSK) or Private Pre-Shared Keys.

With secure hotspot technology there is no need for pre-defined user credentials whatsoever. The Web server simply instructs the WLAN controller to create a unique encryption key based on whatever information that hotspot operator wants to use to track users (e.g., an email address, name, or so on).

Once the key generation process is complete, the unique PSK and all the requisite WLAN information necessary to establish a secure connection are installed within the users’ device connection manager using a dissolvable provisioning file that it automatically created and pushed to the user’s devices without having to install any additional applications. The user device then automatically associates with the encrypted hotspot Wi-Fi network.

The end-user sees the option to connect more securely or not. There is no need on the part of the hotspot administrator to pre-configure any users, although they can log details on each user and usage within the hotspot. The Administrator’s set-up is very simple. They need only configure an “open” (provisioning) SSID and an encrypted hotspot SSID for devices to automatically connect to once the user has agreed to setup an encrypted connection.

Ultimately secure hotspot technology breaks the traditional paradigm between higher levels of security and higher complexity in implementing stronger security, giving organizations a unique way to easily offer encrypted connections over open networks with little to no effort.

Hotspots will never be the same again.

Author: David Callisch, VP of Marketing, Ruckus Wireless


  1. Thank you for enlightening me for securing open hotspots. Thanks Esme! 🙂