Enterprise-grade authentication needed to secure exploding public Wi-Fi services

Growing demand for wireless data has boosted usage of public Wi-Fi networks for mobile traffic offloading, but a wireless expert has warned that it's still early days for new standards boosting the security and roaming capabilities of public Wi-Fi services.

Those standards – collectively known as Hotspot 2.0 and based on the 802.11u standard for flexible network connectivity – offer a higher level of authentication by requiring devices to authenticate themselves to the network as well as to the hotspot.

Broad implementation of the standard – currently supported on Apple iOS 7 and iOS 8 devices, some Samsung Galaxy phones and some other mobile devices – will help address the lack of link-layer encryption on existing public Wi-Fi networks, Ruckus Wireless technical engineer David Wright told CSO Australia.

“Most Wi-Fi is open-access technology,” he explained, “and once you've been authenticated the actual traffic going across the network is not encrypted. You may be doing higher-level encryption at the service layer, but you can't count on the security of the air link itself.”

This insecurity has been flagged by some security experts as potentially putting enterprise data at risk when employees connect to insecure Wi-Fi hotspots, or even to fraudulent hotspots designed as honeypots to collect users' details.

Hotspot 2.0 specifications address this by enforcing tighter authentication principles and enabling support for digital credentials – a mobile device's SIM card, a conventional username and password, or a full X.509 certificate issued through a Wi-Fi Alliance-backed PKI – that must be validated by a back-end RADIUS server before access is granted.

Compatible hotspots advertise a range of information, including, via the Access Network Query Protocol (ANQP), the global carriers with which the hotspot's operator has Wi-Fi roaming agreements.

Other information, such as the capacity of the backhaul, the services available, a digital certificate attesting to the identity of the hotspot, and other details can also be exchanged over ANQP before the client device initiates the actual connection process.
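The two paragraphs above describe what a client learns from ANQP before it associates; the credential types and the RADIUS-validated EAP exchange are described earlier. The following is an added example, not code from the article or from Ruckus: it parses two 802.11u ANQP elements (Roaming Consortium, info ID 261, and NAI Realm, info ID 263) according to the byte layout in IEEE 802.11-2012 and applies a conservative client policy that only picks an EAP method which authenticates the server (EAP-TLS, EAP-TTLS with MSCHAPv2, EAP-SIM/AKA) for a credential the client actually holds. The sample ANQP payload and the organisation identifiers in it are constructed here; the policy function and its name are the example's own, not a Hotspot 2.0 API.

```python
"""Parse Hotspot 2.0 / 802.11u ANQP elements and choose a safe EAP method.

Byte layouts follow IEEE 802.11-2012 clause 8.4.4 (ANQP elements).
The sample payload built at the bottom is constructed for this example;
it was not captured from any real hotspot.
"""
import struct
from dataclasses import dataclass

ANQP_ROAMING_CONSORTIUM = 261   # ANQP info ID: list of roaming OIs
ANQP_NAI_REALM = 263            # ANQP info ID: realms + EAP methods

# EAP method type numbers (IANA) and 802.11u authentication-parameter IDs.
EAP_TLS, EAP_SIM, EAP_TTLS, EAP_AKA = 13, 18, 21, 23
AUTH_INNER_NON_EAP, AUTH_CREDENTIAL_TYPE = 2, 5
INNER_MSCHAPV2 = 4
CRED_SIM, CRED_USIM, CRED_CERT, CRED_USERPASS = 1, 2, 6, 7

# Which advertised EAP methods each credential type may be used with.
ACCEPTABLE = {
    CRED_CERT: {EAP_TLS},
    CRED_USERPASS: {EAP_TTLS},
    CRED_SIM: {EAP_SIM, EAP_AKA},
    CRED_USIM: {EAP_AKA, EAP_SIM},
}


@dataclass
class EapMethod:
    method: int
    params: dict            # auth-param ID -> raw value bytes


@dataclass
class NaiRealm:
    realms: list            # the NAI Realm field may hold ';'-separated realms
    methods: list


def parse_anqp_elements(buf: bytes) -> dict:
    """Split concatenated ANQP elements (<H info_id><H length><payload>)."""
    elems, off = {}, 0
    while off + 4 <= len(buf):
        info_id, length = struct.unpack_from("<HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("truncated ANQP element %d" % info_id)
        elems[info_id] = buf[off:off + length]
        off += length
    return elems


def parse_roaming_consortium(payload: bytes) -> list:
    """OI duples: a 1-byte length followed by the OI itself."""
    ois, off = [], 0
    while off < len(payload):
        n = payload[off]
        off += 1
        if n == 0 or off + n > len(payload):
            raise ValueError("bad OI duple")
        ois.append(payload[off:off + n].hex())
        off += n
    return ois


def parse_nai_realm(payload: bytes) -> list:
    """NAI Realm element: count, then per-realm data with EAP method sub-fields."""
    count = struct.unpack_from("<H", payload, 0)[0]
    realms, off = [], 2
    for _ in range(count):
        data_len = struct.unpack_from("<H", payload, off)[0]
        end = off + 2 + data_len
        if end > len(payload):
            raise ValueError("truncated NAI realm data")
        off += 2
        _encoding, realm_len = payload[off], payload[off + 1]
        off += 2
        realm = payload[off:off + realm_len].decode("ascii")
        off += realm_len
        n_methods = payload[off]
        off += 1
        methods = []
        for _ in range(n_methods):
            m_len, eap, n_params = payload[off], payload[off + 1], payload[off + 2]
            m_end = off + 1 + m_len      # length covers everything after itself
            off += 3
            params = {}
            for _ in range(n_params):
                pid, plen = payload[off], payload[off + 1]
                params[pid] = payload[off + 2:off + 2 + plen]
                off += 2 + plen
            if off != m_end:
                raise ValueError("EAP method length mismatch")
            methods.append(EapMethod(eap, params))
        if off != end:
            raise ValueError("NAI realm length mismatch")
        realms.append(NaiRealm(realm.split(";"), methods))
    return realms


def method_fits(m: EapMethod, cred_type: int) -> bool:
    """Accept only server-authenticating methods; TTLS must use MSCHAPv2 inside."""
    if m.method not in ACCEPTABLE[cred_type]:
        return False
    ct = m.params.get(AUTH_CREDENTIAL_TYPE)
    if ct is not None and ct[0] != cred_type:
        return False
    if m.method == EAP_TTLS:
        inner = m.params.get(AUTH_INNER_NON_EAP)
        return inner is not None and inner[0] == INNER_MSCHAPV2   # reject PAP/CHAP
    return True


def choose_connection(anqp: bytes, credentials):
    """Return (realm, eap_method) usable with one of the client's credentials, else None.

    credentials: list of (home_realm, credential_type). Hypothetical policy helper;
    the real trust decision still happens when EAP validates the server certificate.
    """
    elems = parse_anqp_elements(anqp)
    advertised = parse_nai_realm(elems[ANQP_NAI_REALM]) if ANQP_NAI_REALM in elems else []
    for home_realm, cred_type in credentials:
        for r in advertised:
            if home_realm not in r.realms:
                continue
            for m in r.methods:
                if method_fits(m, cred_type):
                    return (home_realm, m.method)
    return None


def consortium_match(anqp: bytes, trusted_ois) -> bool:
    """True if the hotspot advertises an OI the client's provider roams with."""
    elems = parse_anqp_elements(anqp)
    ois = parse_roaming_consortium(elems.get(ANQP_ROAMING_CONSORTIUM, b""))
    return bool(set(ois) & set(trusted_ois))


# --- constructed sample payload (encoder mirrors the parser above) ---------
def _rc_elem(ois):
    payload = b"".join(bytes([len(o)]) + o for o in ois)
    return struct.pack("<HH", ANQP_ROAMING_CONSORTIUM, len(payload)) + payload


def _nai_realm_elem(realms):
    body = b""
    for realm, methods in realms:
        mbytes = b""
        for eap, params in methods:
            p = b"".join(bytes([pid, 1, v]) for pid, v in params.items())
            mbytes += bytes([2 + len(p), eap, len(params)]) + p
        r = realm.encode("ascii")
        data = bytes([0, len(r)]) + r + bytes([len(methods)]) + mbytes
        body += struct.pack("<H", len(data)) + data
    payload = struct.pack("<H", len(realms)) + body
    return struct.pack("<HH", ANQP_NAI_REALM, len(payload)) + payload


SAMPLE_ANQP = _rc_elem([bytes.fromhex("aabbcc"), bytes.fromhex("aabbccdd01")]) + _nai_realm_elem([
    ("example.com", [(EAP_TLS, {AUTH_CREDENTIAL_TYPE: CRED_CERT}),
                     (EAP_TTLS, {AUTH_INNER_NON_EAP: INNER_MSCHAPV2,
                                 AUTH_CREDENTIAL_TYPE: CRED_USERPASS})]),
    ("weak.example.net", [(EAP_TTLS, {AUTH_INNER_NON_EAP: 1,   # PAP inside TTLS
                                      AUTH_CREDENTIAL_TYPE: CRED_USERPASS})]),
])

if __name__ == "__main__":
    print(choose_connection(SAMPLE_ANQP, [("example.com", CRED_CERT)]))        # ('example.com', 13)
    print(choose_connection(SAMPLE_ANQP, [("weak.example.net", CRED_USERPASS)]))  # None
```

The point of the policy is the order of decisions a Hotspot 2.0 client gets to make before it transmits anything: realm and consortium matching come from the unauthenticated ANQP response, so they only decide *whether to try*, and the server certificate check inside EAP-TLS/TTLS (or the SIM/AKA challenge) is what proves the hotspot is the infrastructure it claims to be. A realm that only offers TTLS with PAP is refused even though it matches, because the password would be sent to whatever RADIUS server is behind the hotspot.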

The entire link remains encrypted throughout the session, relying on dynamically generated keys that expire after the session finishes.

While the technology works, adoption remains spotty despite growing reports such as those suggesting that some carriers are injecting advertisements into public Wi-Fi services. Telstra last year announced it would be Australia's first Wi-Fi provider to offer Hotspot 2.0 capabilities over the nationwide Wi-Fi network it expects to launch this year after a trial late last year.

iiNet, for its part, is also building a major public Wi-Fi network in the ACT that will see over 700 wireless access points installed by next month. Victorian cities including Melbourne, Ballarat and Bendigo will also receive coverage.

The same roaming mechanism would also facilitate automatic logon for customers belonging to frequent-flyer, hotel or other loyalty programs, allowing those programs to offer global Wi-Fi roaming as a value-add.

“It's quite a fundamental overhaul of the way Wi-Fi works,” Wright explains. “Until now, the client has only been able to access very limited information about the access point before it makes a determination about whether to connect or not.”

“With Hotspot 2.0, we can provide a wealth of information about the client and hotspot. The client can validate that it's talking with a trusted infrastructure component before it passes any information to the server.”

Ruckus, which dominates the provision of public Wi-Fi infrastructure in numerous countries, has its technology deployed across “hundreds of thousands of access points” managed by US-based Time Warner Cable and Boingo, with telcos in Europe and Asia also running it across a range of cities.

Back-end equipment requires certification to the v2 standard, but Ruckus is “now waiting for client support to catch up,” Wright said, noting that once it's widely adopted the active validation of connecting devices will boost user security to “the same level of security in public Wi-Fi that we've used in enterprise environments for years.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.
