The WBA Wi-Fi Security report is designed to identify the key network security concerns head-on, by addressing the major attack surfaces and specifying concrete controls for each one.
Here are the highlights:
1. Stops users from connecting to rogue / fake networks
Concern:
Users accidentally connect to fake hotspots (coffee shop SSID clones, evil-twins) and have their traffic sniffed or credentials stolen.
How the paper addresses it:
- Mandates 802.1X + EAP mutual authentication (client authenticates the network and the network authenticates the client).
- Recommends only strong, Passpoint-certified EAP methods (EAP-TLS, EAP-SIM/AKA/AKAʹ, EAP-TTLS with MSCHAPv2).
- Requires clients to validate server certificates (Root CA, CN/SAN checks) before sending credentials.
Result: a device will only complete authentication with a legitimate, certificate-validated network, making rogue APs much harder to exploit.

2. Protects data in the air (no easy sniffing / MITM)
Concern:
Attackers sniff traffic or tamper with frames over the air (classic café Wi-Fi issue).
How it’s handled:
- Uses WPA2-Enterprise / WPA3-Enterprise with:
  - AES-CCMP / AES-GCMP for strong encryption.
  - Per-session keys derived via EAP (MSK → PTK).
- Protected Management Frames (PMF), optional with WPA2 and mandatory with WPA3, protecting deauthentication/disassociation frames against forged-deauth and some MITM attacks.
Result: traffic between client and AP is strongly encrypted, and key management is robust. This brings Wi-Fi much closer to cellular-grade security.
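The "MSK → PTK" step above is the part of the scheme that turns a successful EAP run into per-session encryption keys, and it is worth seeing concretely. The block below is an added example, not code from the WBA report or any vendor: it implements the WPA2/CCMP case (AKM 00-0F-AC:1), where the PMK is the first 256 bits of the EAP MSK and the 4-way handshake expands it with the IEEE 802.11 HMAC-SHA1 PRF into a 48-byte PTK (KCK, KEK, TK). WPA3-Enterprise AKMs use an HMAC-SHA256 KDF instead, which this example does not cover. All MAC addresses, nonces and the MSK are constructed sample values.

```python
import hashlib
import hmac


def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n for the WPA2/CCMP AKM: HMAC-SHA1 blocks over
    label || 0x00 || data || counter, concatenated and truncated to nbytes."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def pmk_from_msk(msk: bytes) -> bytes:
    """With 802.1X/EAP the PMK is the first 256 bits of the EAP Master Session Key."""
    if len(msk) < 32:
        raise ValueError("EAP MSK is at least 64 bytes; need 32 for the PMK")
    return msk[:32]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               ptk_len: int = 48) -> bytes:
    """4-way handshake pairwise key expansion:
    PTK = PRF-X(PMK, "Pairwise key expansion",
                min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    AA = authenticator (AP) MAC, SPA = supplicant (client) MAC; 48 bytes for CCMP.
    Because inputs are sorted by value, both sides compute the same PTK."""
    if len(aa) != 6 or len(spa) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("nonces must be 32 bytes")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, b"Pairwise key expansion", data, ptk_len)


def split_ptk(ptk: bytes) -> dict:
    """CCMP PTK layout: KCK (EAPOL MIC key), KEK (key wrap), TK (the AES-CCMP data key)."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def demo() -> dict:
    # Constructed sample values (not from any real capture or device).
    msk = bytes(range(64))                      # 64-byte EAP MSK as a RADIUS server would return it
    aa = bytes.fromhex("020000000001")          # AP MAC
    spa = bytes.fromhex("02000000000a")         # client MAC
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    pmk = pmk_from_msk(msk)
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    return {"pmk": pmk, "ptk": ptk, **split_ptk(ptk)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:4s} {value.hex()}")
```

The point for a defender is that the TK never crosses the air: the AP only learns the PMK from the AAA server over the (RadSec-protected) control plane, and every association produces fresh nonces and therefore a fresh TK, so compromising one session's keys does not expose another's.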
3. Preserves user identity privacy (while still allowing traceability)
Concerns:
- User identities exposed in the clear during authentication.
- Operators unable to correlate sessions for legal / accounting purposes without exposing PII.
Mitigations:
- Uses anonymous outer identities (e.g. anonymous@example.com) for initial EAP identity exchange.
- Keeps real identity inside the encrypted EAP tunnel (inner identity).
- Recommends Chargeable-User-Identity (CUI) as an opaque ID that:
  - Correlates sessions for billing / incident handling.
  - Is refreshed regularly to protect privacy.
- For SIM-based methods (EAP-SIM/AKA/AKAʹ), relies on pseudonyms and fast-re-auth identities instead of exposing raw IMSI.
Result: roaming and AAA routing work, regulators can still tie traffic back to a subscriber when required, but day-to-day traffic doesn’t spray PII all over the network.
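The anonymous-outer-identity and CUI mechanisms above are easy to get subtly wrong (dropping the realm breaks roaming; a CUI derived directly from the username leaks it), so here is an added example of both, written for this summary rather than taken from the report. It assumes a toy IdP that derives the CUI as an HMAC over the inner identity and a 30-day period counter (a constructed rotation policy; RFC 4372 only requires the CUI to be opaque to the visited network), and keeps the CUI-to-subscriber mapping privately for lawful or billing requests.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


def outer_identity(inner_nai: str, anonymous_user: str = "anonymous") -> str:
    """Anonymous outer NAI for the first EAP-Identity exchange.
    The realm is kept because the ANP and roaming hub route on it; only the
    username is replaced. The real username stays inside the TLS tunnel."""
    if "@" not in inner_nai:
        raise ValueError("inner identity must be a NAI of the form user@realm")
    user, realm = inner_nai.rsplit("@", 1)
    if not user or not realm:
        raise ValueError("empty username or realm")
    return f"{anonymous_user}@{realm}"


@dataclass
class IdentityProvider:
    """Toy home IdP (constructed for this example) that issues opaque CUIs."""
    secret: bytes                       # IdP-private key; never shared with ANPs or hubs
    period_seconds: int = 30 * 86400    # constructed policy: rotate the CUI every 30 days
    _cui_to_user: Dict[str, str] = field(default_factory=dict)

    def issue_cui(self, inner_nai: str, now: float) -> str:
        """Returned to the ANP in Access-Accept; stable within a period so sessions
        can be correlated, different across periods so long-term tracking is limited."""
        epoch = int(now // self.period_seconds)
        msg = f"{inner_nai}|{epoch}".encode()
        cui = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]
        self._cui_to_user[cui] = inner_nai   # private mapping, released only on a lawful request
        return cui

    def resolve(self, cui: str) -> Optional[str]:
        """IdP-side lookup for billing disputes or lawful requests."""
        return self._cui_to_user.get(cui)


def eap_identity_exchange(idp: IdentityProvider, inner_nai: str, now: float) -> dict:
    """What the visited network and hub get to see for one authentication:
    the outer identity (for routing) and the CUI (for accounting), never the inner NAI."""
    return {"outer_identity": outer_identity(inner_nai), "cui": idp.issue_cui(inner_nai, now)}


def demo() -> dict:
    idp = IdentityProvider(secret=b"constructed-idp-secret")
    now = 1_700_000_000
    first = eap_identity_exchange(idp, "alice@example.com", now)
    same_period = eap_identity_exchange(idp, "alice@example.com", now + 3600)
    next_period = eap_identity_exchange(idp, "alice@example.com", now + 31 * 86400)
    return {"first": first, "same_period": same_period, "next_period": next_period,
            "resolved": idp.resolve(first["cui"])}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the CUI is carried in the RADIUS Chargeable-User-Identity attribute and echoed by the ANP in Accounting-Request; the visited network treats it as a string and must not try to derive anything from it.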
4. Secures credentials at rest and in use
Concern:
Credentials (passwords, certificates, IMSIs, tokens) are stolen from devices or back-end systems.
How it’s addressed:
- On devices: store credentials only in secure OS key stores (iOS Keychain, Android Keystore, etc.).
- In the network: IDPs must store credentials in secure, hashed/encrypted databases, never in plain text or weak hash formats.
- For SIM-based methods: rely on tamper-resistant SIM/USIM smart cards for credential storage.
- Provides patterns for mapping encrypted IMSI ↔ real identity via RADIUS and logs, to satisfy lawful intercept/charging without exposing that mapping widely.
Result: credentials are hardened across the full chain: device → AP → AAA → IDP.
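For the "never in plain text or weak hash formats" rule, the weak and the hardened form side by side, as an added example that is not from the report: an unsalted MD5 store (identical passwords hash identically, and the hash is fast to brute-force offline) next to a salted scrypt store with a self-describing record format and constant-time comparison. The record format (`$scrypt$n=..,r=..,p=..$salt$hash`) and the cost parameters are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def weak_hash(password: str) -> str:
    """What the report tells IdPs NOT to do: unsalted, fast MD5.
    Two subscribers with the same password get the same record, and a leaked
    table can be attacked with precomputed lookups."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  n: int = 2 ** 14, r: int = 8, p: int = 1) -> str:
    """Salted, memory-hard scrypt record. n, r, p are example cost parameters
    (about 16 MiB of memory per verification); tune for the AAA server's load."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"$scrypt$n={n},r={r},p={p}${b64(salt)}${b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters stored in the record and compare in constant time."""
    try:
        _, scheme, params, salt_b64, dk_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        kv = dict(item.split("=") for item in params.split(","))
        n, r, p = int(kv["n"]), int(kv["r"]), int(kv["p"])
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except (ValueError, KeyError):
        return False            # malformed record: fail closed, never raise to the caller
    actual = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    # Constructed credentials for two subscribers who chose the same password.
    pw = "correct horse battery staple"
    weak_a, weak_b = weak_hash(pw), weak_hash(pw)
    strong_a, strong_b = hash_password(pw), hash_password(pw)
    return {
        "weak_records_identical": weak_a == weak_b,
        "strong_records_identical": strong_a == strong_b,
        "verify_ok": verify_password(pw, strong_a),
        "verify_wrong": verify_password("wrong password", strong_a),
        "verify_garbage": verify_password(pw, "not-a-record"),
    }


if __name__ == "__main__":
    print(demo())
```

One caveat the report's own method list implies: a hardened store like this only works for credentials the IdP verifies by direct comparison (EAP-TTLS with PAP, portal logins). An MSCHAPv2 inner method requires the IdP to hold the NT hash of the password, which cannot be salted or stretched, so certificate-based (EAP-TLS) and SIM-based methods are the ones where credential-at-rest protection is strongest.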
5. Hardens the access network (APs, controllers, cables, backhaul)
Concerns:
- Someone plugs into AP wiring, hijacks or sniffs traffic.
- APs are physically tampered with.
- Backhaul links to controllers or hubs are unprotected.
Controls:
- Physical security guidance for controllers and APs (placement, tamper-resistance, no sensitive secrets stored on AP if compromised).
- Over-the-wire protection:
  - Secure tunnels (VPN/MACsec) between AP and controller/switch.
  - Local Breakout architectures to avoid backhauling sensitive or high-bandwidth traffic unsecured over long links.
- Backhaul security:
  - Use IPsec or equivalent tunnels where traffic is centralised.
  - Encourage end-users to use application-layer VPNs for additional protection over the wider internet.
Result: it’s not just the radio link; the whole path from AP to core is considered in the threat model.
6. Secures AAA and roaming/hub signalling (RADIUS)
Measures:
- Strongly recommends RADIUS/TLS (RadSec) or RADIUS/DTLS instead of classic RADIUS/UDP with weak MD5.
- Aligns with WRIX and OpenRoaming requirements:
  - All AAA links between ANP ↔ hub ↔ IDP must be over secure tunnels or RadSec.
  - Certificates and TLS configurations follow modern best practices (RFC 9325, service identity RFCs).
Result: the control plane (auth/accounting) is encrypted and authenticated, not just the user data plane.
7. Adds Layer-2 protections inside the Wi-Fi domain
Concerns:
- Clients attacking each other on the same SSID (ARP spoofing, broadcast abuse, worms).
- Excess broadcast/multicast traffic enabling attacks or data leakage.
Mitigations:
- L2 traffic inspection and filtering: APs/network devices can inspect and block suspicious frames between clients.
- Proxy ARP and broadcast/multicast suppression: reduces noise and mitigates some broadcast-based attacks.
- Client isolation as a best practice in many public deployments.
Result: even if a malicious client connects, its ability to attack neighbours at L2 is significantly reduced.
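The three L2 controls above (frame inspection, proxy ARP with broadcast suppression, client isolation) are shown together in the added example below, which is this summary's own illustration and not code from the report or any AP vendor. It models the decision an AP makes per frame received from an associated station: it parses Ethernet/ARP, checks the ARP sender against an IP-to-MAC binding table (assumed to come from DHCP snooping, constructed here), answers ARP requests from that table instead of flooding them, suppresses other broadcasts, and drops client-to-client unicast when isolation is on. The five constructed frames in `demo()` cover a legitimate request, a gateway-impersonation reply, and the isolation cases.

```python
import ipaddress
import struct

ETH_ARP = 0x0806
ETH_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_arp(src_mac, dst_mac, oper, sha, spa, tha, tpa) -> bytes:
    eth = dst_mac + src_mac + struct.pack("!H", ETH_ARP)
    arp = struct.pack(ARP_FMT, 1, ETH_IPV4, 6, 4, oper, sha,
                      ipaddress.IPv4Address(spa).packed, tha, ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def build_eth(src_mac, dst_mac, ethertype, payload) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet/ARP frame, or None if it is not valid IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, ETH_IPV4, 6, 4):
        return None
    return {"oper": oper, "sha": sha, "spa": str(ipaddress.IPv4Address(spa)),
            "tha": tha, "tpa": str(ipaddress.IPv4Address(tpa))}


class L2Filter:
    def __init__(self, bindings, gateway_mac, client_isolation=True):
        # bindings: IPv4 -> MAC, as a DHCP-snooping table would hold them (constructed in demo()).
        self.ip_to_mac = dict(bindings)
        self.gateway_mac = gateway_mac
        self.client_isolation = client_isolation
        self.clients = {m for m in bindings.values() if m != gateway_mac}

    def inspect(self, frame: bytes, station_mac: bytes):
        """Decide what to do with a frame received from associated station `station_mac`.
        Returns (action, reason, reply_frame_or_None)."""
        if len(frame) < 14:
            return ("drop", "malformed", None)
        dst, src = frame[:6], frame[6:12]
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if src != station_mac:                      # source MAC must be the station's own
            return ("drop", "mac-spoof", None)
        if ethertype == ETH_ARP:
            arp = parse_arp(frame)
            if arp is None:
                return ("drop", "malformed-arp", None)
            # ARP inspection: sender hardware address and sender IP must match the binding table.
            if arp["sha"] != src or self.ip_to_mac.get(arp["spa"]) != src:
                return ("drop", "arp-spoof", None)
            if arp["oper"] == ARP_REQUEST:
                target_mac = self.ip_to_mac.get(arp["tpa"])
                if target_mac is None:
                    return ("forward-uplink", "unknown-target", None)
                # Proxy ARP: answer from the table instead of broadcasting to every client.
                reply = build_arp(target_mac, src, ARP_REPLY, target_mac, arp["tpa"], src, arp["spa"])
                return ("proxy-reply", "proxy-arp", reply)
            return ("forward-uplink", "arp-reply", None)
        if dst == BROADCAST or dst[0] & 1:          # broadcast/multicast suppression
            return ("drop", "broadcast-suppressed", None)
        if self.client_isolation and dst in self.clients:
            return ("drop", "client-isolation", None)
        return ("forward", "unicast", None)


def demo() -> dict:
    # Constructed stations and bindings; no real addresses.
    alice, bob, gw = mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b"), mac("02:00:00:00:00:01")
    flt = L2Filter({"10.0.0.10": alice, "10.0.0.11": bob, "10.0.0.1": gw}, gateway_mac=gw)
    ip_payload = b"\x45" + b"\x00" * 19
    cases = {
        "alice asks who-has gateway": (build_arp(alice, BROADCAST, ARP_REQUEST, alice, "10.0.0.10", b"\x00" * 6, "10.0.0.1"), alice),
        "bob claims to be the gateway": (build_arp(bob, alice, ARP_REPLY, bob, "10.0.0.1", alice, "10.0.0.10"), bob),
        "alice -> bob unicast IPv4": (build_eth(alice, bob, ETH_IPV4, ip_payload), alice),
        "alice -> gateway unicast IPv4": (build_eth(alice, gw, ETH_IPV4, ip_payload), alice),
        "alice's radio, bob's source MAC": (build_eth(bob, gw, ETH_IPV4, ip_payload), alice),
    }
    return {name: flt.inspect(frame, sta)[:2] for name, (frame, sta) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:36s} -> {decision}")
```

Two things the example deliberately leaves out, which a production filter needs: ARP probes with a 0.0.0.0 sender address (legitimate during DHCP address conflict detection) and IPv6 Neighbor Discovery, which carries the same spoofing risk and needs equivalent RA/NA guard logic.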
8. Wraps it all in a legal & federation framework (OpenRoaming + WRIX)
Finally, OpenRoaming isn’t just technology; it’s:
- A federation + legal + policy framework (built on WRIX) that:
  - Defines responsibilities between ANPs, IDPs, and hubs.
  - Sets expectations for security, privacy, and logging.
  - Reduces the risk of “bad actors” inside the federation.
That means security isn’t just “best effort per operator”; it’s contractually and technically enforced at the federation level.
Short answer
The report addresses Wi-Fi network security concerns by specifying concrete, layered controls:
- Strong mutual authentication (EAP + Passpoint)
- WPA2/WPA3-Enterprise with AES + PMF
- Privacy-preserving identities and CUI
- Secure credential storage and lawful intercept-aware logging
- AP, backhaul, and RADIUS/RadSec hardening
- L2 filtering, client isolation, and multicast/broadcast controls
- A legal and operational framework via OpenRoaming/WRIX
Together, these turn Wi-Fi from “open hotspot risk” into something that behaves much more like a secure, carrier-grade access technology.