Upgrade Magazine


Securing open hotspots

By Louis Au, Vice President, Asia Pacific, Ruckus Wireless

According to estimates by Wireless Broadband Alliance and Informa, the number of public hotspots is predicted to rise by 350% to 5.8 million, and private hotspots are expected to hit over 640 million by 2015.

While global public and private hotspots are exploding, so are identity theft, fraud and other criminal activities that can be made possible through access to unencrypted confidential information.

So despite this insatiable desire for connectivity, users are becoming more aware and fearful that their communications at open hotspots could be compromised. In particular, most public hotspots are not encrypted or protected in any way. This means that users are potentially vulnerable to attacks or confidentiality breaches.

To provide a more secure hotspot experience, authentication (i.e., the user’s identity) and encryption (data scrambling) are the two primary security items that should be addressed. Security at the transport layer (e.g. HTTPS) does help by encrypting transmissions between the client and the destination server. However, users want more assurances at the link layer (layer 2) as their traffic goes flying through the air.

Security at Today’s Hotspots

Traditional approaches to link layer encryption require users to select an SSID and enter some sort of shared encryption key or passphrase to scramble their data before transmission. Wi-Fi access at hotspots, like your typical Starbucks or airport, is generally provided over an open SSID that is easy to find but offers no encryption of users’ data transmissions. This is because most hotspots do not offer the IEEE 802.11i security framework that leverages WPA2-Enterprise (Wi-Fi Protected Access II) encryption and EAP (Extensible Authentication Protocol) authentication. As a result, users have no assurance their connection is secured and their data protected. In other words, the security setting in hotspots is typically “open.” So while users will be authenticated, there is no attempt to ensure that the ongoing access provided is encrypted to prevent security breaches.

Finally, the use of WPA2-Enterprise can make it difficult for clients to roam among different Wi-Fi hotspots. If the mobile device’s connection manager doesn’t recognize the SSID for a roaming partner’s network, it won’t attempt to join that network. And most of the time, users don’t know the SSID for a roaming partner’s network.

What if there was a way to automatically provide encrypted access through an open SSID without users having to do anything other than click a box to select a more secure connection? That could be the holy grail of hotspots.

Cool New Technology Secures Hotspots

Secure hotspot technology pushes much of the Wi-Fi security process, typically a manual process performed by each user, into the network while providing new methods for configuring client devices without cumbersome keying of SSIDs and encryption keys. Doing this can completely transform and protect users’ hotspot experience with little to no effort.

At the heart of secure hotspot technology are two essential tasks:

1)    generating unique encryption keys for each user and
2)    automating the configuration of these keys and other Wi-Fi information within the user’s device.

Two exciting technologies are either in progress or already available to solve these problems: Hotspot 2.0 and new secure hotspot technology.

Hotspot 2.0 is a global initiative championed by the Wi-Fi Alliance (WFA) and Wireless Broadband Alliance (WBA) to address a myriad of Wi-Fi hotspot concerns ranging from automating the authentication and security of Wi-Fi connections to provisioning policy, establishing roaming agreements and ultimately the seamless transition between Wi-Fi and cellular networks. Hotspot 2.0 is an ideal way for carriers and enterprises to address some of these specific Wi-Fi hotspot security concerns when commercial Hotspot 2.0 network services become available in the future.

Beyond the larger Hotspot 2.0 framework, recent advances in Wi-Fi and Wi-Fi security now provide a way for public venues, enterprises and carriers to offer secure hotspots through an open Wi-Fi network. This has the advantage of requiring no new protocol or software support (Hotspot 2.0) and works across nearly all Wi-Fi enabled devices.

With secure hotspot technology, once a client associates to an open SSID from an access point, the wireless LAN (WLAN) controller sends the client device to a predetermined Web portal. The end user is then asked if he or she wants a secure or open connection.

After signing in, a unique 63-byte encryption key with a limited life span is generated and bound to the user device by the WLAN controller. Vendors often call this capability Dynamic Pre-Shared Keys (DPSK). There is no need for pre-defined user credentials whatsoever. The Web server simply instructs the WLAN controller to create a unique encryption key based on whatever information the hotspot operator wants to use to track users, such as an email address, name, etc.

Once the key generation process is complete, the unique PSK and all the requisite WLAN information necessary to establish a secure connection are installed within the user’s device connection manager using a dissolvable provisioning file that is automatically created and pushed to the user’s device without having to install any additional applications. The user device then automatically associates with the encrypted hotspot Wi-Fi network.
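The per-device key lifecycle described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor's controller: the DpskRegistry class, the SSID, the MAC addresses and the email addresses are hypothetical, and it assumes the 63-byte key is used as a 63-character WPA2 passphrase that is mapped to a pairwise master key with the standard WPA2-Personal PBKDF2 derivation.

```python
import hashlib
import secrets
import string
import time

PSK_LEN = 63  # assumption: the article's 63-byte key used as a 63-char passphrase
ALPHABET = string.ascii_letters + string.digits


def derive_pmk(passphrase, ssid):
    """WPA2-Personal mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class DpskRegistry:
    """Hypothetical controller-side store: one PSK per device MAC, with expiry."""

    def __init__(self, ssid):
        self.ssid = ssid
        self._keys = {}  # mac -> (passphrase, identity, expires_at)

    def issue(self, mac, identity, ttl_seconds, now=None):
        """Generate a fresh random PSK and bind it to this device and identity."""
        now = time.time() if now is None else now
        psk = "".join(secrets.choice(ALPHABET) for _ in range(PSK_LEN))
        self._keys[mac.lower()] = (psk, identity, now + ttl_seconds)
        return psk

    def pmk_for(self, mac, now=None):
        """Return the 32-byte PMK for a device, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._keys.get(mac.lower())
        if entry is None:
            return None  # key is bound to a device; other MACs get nothing
        psk, _identity, expires_at = entry
        if now >= expires_at:
            del self._keys[mac.lower()]  # limited life span: purge, never reuse
            return None
        return derive_pmk(psk, self.ssid)


if __name__ == "__main__":
    reg = DpskRegistry("Venue-Secure")  # constructed SSID and sample devices
    reg.issue("02:00:00:00:00:01", "alice@example.com", 3600, now=0)
    reg.issue("02:00:00:00:00:02", "bob@example.com", 3600, now=0)
    print(reg.pmk_for("02:00:00:00:00:01", now=10).hex())
    print(reg.pmk_for("02:00:00:00:00:01", now=7200))  # None: key expired
```

Because every device gets its own random passphrase, two clients on the same encrypted SSID end up with different master keys, which is what separates this scheme from a single shared hotspot passphrase.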

The end user sees the option to connect more securely or not. There is no need for the hotspot administrator to pre-configure any user, although they can log details on each user and usage within the hotspot. The administrator’s set-up is very simple: configure an “open” (provisioning) SSID and an encrypted hotspot SSID for devices to automatically connect to once the user has agreed to set up an encrypted connection.

Ultimately, secure hotspot technology breaks the traditional paradigm between higher levels of security and higher complexity in implementing stronger security, giving organizations a unique way to easily offer encrypted connections over open networks with little to no effort.

Hotspots will never be the same again.

