Recent industry articles raised questions about the security of Wi-Fi in public or guest locations, including the Google Android Behind the Screens Report published on with a mention of the risks of using Guest-Public Wi-Fi — these may include identity theft, traffic interception, phishing, spoofed networks, and other attack vectors increasingly exploited by bad actors.

These concerns are real, but the industry is no longer standing still.

At the Wireless Broadband Alliance (WBA), we’ve been working with operators, identity providers, device manufacturers and technology leaders worldwide to build a new generation of secure, trusted and privacy-preserving Guest-Public Wi-Fi — directly addressing the issues highlighted in the Android report and many other articles and reports.

Here’s how modern networks — using WBA OpenRoaming™ and Passpoint® — eliminate the legacy risks of Guest-Public Wi-Fi:

1. Strong Mutual Authentication (No more fake hotspots)

Traditional open Wi-Fi is vulnerable to spoofed SSIDs and man-in-the-middle attacks. WBA OpenRoaming™ and Passpoint® networks require mutual authentication using industry-proven EAP methods such as EAP-TLS, EAP-TTLS, EAP-SIM and EAP-AKA.

This ensures the device authenticates to the correct network — making it impossible to connect to rogue access points.

2. Enterprise-Grade Encryption (Even on public Wi-Fi)

All traffic is protected with WPA2-Enterprise or WPA3-Enterprise, using AES-based encryption and protected management frames.

This brings Wi-Fi security on par with mobile networks — mitigating the packet sniffing and traffic manipulation issues.

3. User Identity Privacy by Design

Legacy public hotspots can expose user identifiers, and are even open to bad behavior by users who share their Wi-Fi credentials with other people.

WBA OpenRoaming™ and Passpoint® standards address this with:

  • Unique and Anonymous identities
  • Pseudonym identities for SIM-based methods
  • Optional opaque Chargeable User Identity to protect personal information

This eliminates the exposure of Wi-Fi credentials, device identifiers or IMSIs over the air.
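The protections in points 1 to 3 depend on the client being configured to enforce them. As an added example (not code from WBA or from this article), the following Python script audits a client configuration for server certificate validation, an anonymous outer identity and required protected management frames; the use of wpa_supplicant as the client, and the SSIDs, identities and file paths, are assumptions constructed for illustration.

```python
import re

# Constructed sample wpa_supplicant.conf (all names and paths are made up):
# one block that skips the client-side checks, one that enforces them.
SAMPLE_CONF = '''
network={
    ssid="Guest-Legacy"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.org"
}
network={
    ssid="Guest-Hardened"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.org"
    anonymous_identity="anonymous@example.org"
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="aaa.example.org"
    ieee80211w=2
}
'''

def parse_networks(conf):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf, re.S):
        lines = (l.strip() for l in body.splitlines())
        pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(net):
    """List the client-side protections this network block does not enforce."""
    findings = []
    if "ca_cert" not in net:
        findings.append("no ca_cert: server certificate is not validated")
    if "domain_match" not in net and "domain_suffix_match" not in net:
        findings.append("no domain match: any server under the CA is accepted")
    if net.get("eap", "").upper() in ("TTLS", "PEAP") and "anonymous_identity" not in net:
        findings.append("no anonymous_identity: real identity used as outer identity")
    if net.get("ieee80211w") != "2":
        findings.append("protected management frames not required (ieee80211w=2)")
    return findings

def audit_conf(conf):
    """Map each SSID to its list of findings (empty list means all checks pass)."""
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(conf)}
```

Calling `audit_conf(SAMPLE_CONF)` returns four findings for the first block and none for the second.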

4. Secure Credential Storage on Devices

WBA OpenRoaming™ and Passpoint® enabled networks require credentials to be stored securely in:

  • Android Keystore
  • iOS Keychain
  • Secure hardware modules/SIMs

This ensures credentials cannot be extracted or reused by users; credentials are personal.

5. End-to-End Secure Transport: RadSec, TLS & Encrypted Backhaul

To prevent interception beyond the Wi-Fi link layer, WBA OpenRoaming mandates secure AAA transport using RadSec (RADIUS/TLS) or VPN.

This protects the traffic (including authentication, accounting, and policy exchanges) from end to end.

6. Layer-2 Traffic Isolation (No devices attacking each other)

WBA OpenRoaming™ and Passpoint® networks enforce:

  • Client isolation
  • L2 filtering
  • Proxy-ARP
  • Disabled broadcast/multicast where required

These eliminate local attacks — one of the most common risks in open guest Wi-Fi.

In conclusion, while legacy Guest-Public Wi-Fi carries potential risk, the industry has already built — and is deploying globally — a secure, standards-based alternative.

With WBA OpenRoaming™ and Passpoint®, all of us as Wi-Fi users in public locations can enjoy:

  • Secure automatic onboarding
  • Protected identities
  • Encrypted connections
  • Verified networks (no spoofing)
  • Wi-Fi roaming
  • A cellular-like security experience, globally

This is the future of Public-Guest Wi-Fi – read more about OpenRoaming at www.openroaming.org

And at WBA, we are committed to working with the ecosystem to ensure that every user can connect with confidence.

If you want to join the industry effort to deliver secure, seamless, trustworthy Wi-Fi everywhere, reach out — let's join forces and make Wi-Fi easier, more secure and better for everyone.