One of the Fall 2004 DIST Colloquium Series

"Usable Security for Wi-Fi Hotspots"

Abstract: Securing Wi-Fi hotspots is challenging because hotspots typically can provide little or no on-site technical support. Therefore, any security solution needs to be easy to use and to interoperate readily with user-owned equipment. Security schemes based on IPsec or 802.1x are being promoted for enterprise Wi-Fi networks, but they are difficult to configure and to make interoperate, and are thus considered inadequate for hotspots. Current hotspots typically rely instead on SSL-secured captive portals to authenticate users. Captive portals are intuitive and do not require special client equipment. However, captive portals are vulnerable to session hijacking and freeloading attacks. The latter were previously unreported and, surprisingly, are strengthened by the increasing use of personal firewalls. We propose and evaluate novel defenses against these attacks: session ID checking and MAC sequence number tracking. We also introduce a novel method that allows a single access point to employ either a captive portal or 802.1x to authenticate users. This allows hotspots to provide 802.1x-based security (e.g., WPA or 802.11i) without disrupting legacy captive portal users. Experiments show that our proposed solutions are effective against the mentioned attacks, impose little performance overhead, interoperate with a variety of commercial network interface cards, and do not require special configuration of client computers or PDAs. Joint work with Haidong Xia.
