Hospitality Wi-Fi Security
As a hotelier, your most important concern is to provide a secure environment for your guests, both on your property and on your Wi-Fi. Your property is easy to protect. You have personnel dedicated to ensuring the safety of persons and property, both yours and your guests’. Your Wi-Fi security is quite a bit harder, and you’re a hospitality expert, not a cybersecurity professional.
Luckily, you don’t need degrees and certifications in IT to protect your guests; you only need to partner with the right managed Wi-Fi service provider. So how do you find the right provider? Just ask the right questions and listen for these answers.
Should my property have a WPA2 or WPA3 security solution?
You should choose the newest standard, WPA3. WPA3 replaces the older WPA2, first introduced in 2004, which has been under increasing attack.
WPA3 mitigates these types of attacks:
- KRACK attacks
- Evil twin attacks
- Wireless sniffing
- Unauthorized computer access
- Shoulder surfing
What other problems does WPA3 solve?
The PSK problem
What is PSK? It’s a pre-shared key or, simply put, a password. PSK mode is part of the WPA2-Personal security protocol. You probably use this at home and that’s fine. However, you don’t want to use it at your place of business. This type of protocol was found to be vulnerable. An attacker could capture an over-the-air data exchange, go offline, and through brute force try every password imaginable until one validates them into the network. This sounds like a lot of work, but it can be done in as little as a few seconds.
WPA3 to the rescue! As Wi-Fi access points have become more powerful, they are able to perform stronger and stronger cryptographic operations. WPA3 takes advantage of these hardware advances by introducing the Simultaneous Authentication of Equals (SAE) protocol. In this protocol, the access point and the authenticating user each use a “zero-knowledge proof” to prove they know the password. Each party sends an encrypted key which the access point decrypts and authenticates. They do this without ever exchanging the real password, thus eliminating the danger of being hacked.
Another problem solved with WPA3 is the daunting complexity of the WPA2 EAP mode. This mode was created in an effort to reduce the workload on older access points and still allow for strong, encrypted authentication. Because it involved not just the access points but also a correctly configured stand-alone server, it was overly complex and costly. Even worse, on the user side it required users to possess knowledge they should not be expected to have in order to connect to the network. Even trained professionals could misconfigure a network and end up with low-level encryption of 60 to 80 bits.
WPA3 introduces a new configuration option for 802.1X/EAP called CNSA (Commercial National Security Algorithms). This configuration eliminates the misconfigurations of WPA2 EAP mode and has been adopted by governments and enterprises that have strong security requirements.
This will sound cryptic, we know, but WPA3 has an option for 192-bit key-based encryption with a 48-bit initialization vector. Use it. You don’t need to know the specifics of how it all works. Just understand that this is what was requested by security institutions and governments as a minimum level of security. It was introduced in June of 2018, first arrived on peripherals in 2019, and is ready today.
Securing open networks
Often there are segments of your property, such as the coffee shop or lobby, where an “open” network is wanted. Under WPA2 this is a huge security risk. Not so under WPA3. It introduced a new protocol called Wi-Fi CERTIFIED Enhanced Open with Opportunistic Wireless Encryption (OWE). To the user, this network looks like an open network: it displays no “padlock” symbol, and users can click to connect.
However, behind the scenes, something different is happening. It performs an unauthenticated Diffie-Hellman exchange. No, that’s not a dance move; it’s a form of key exchange which creates a key that only the AP and the device know. This key is used to encrypt all management and data traffic sent and received by each.
While this is still not the best solution, if you do require an “open” network, OWE provides a higher level of security than a shared and public PSK with WPA2-PSK. This can also be used within a captive portal scenario.
While no network is perfectly secure, within WPA3 great strides have been made both in security software and in taking advantage of new hardware technology. Today, networks are more secure, easier to manage, and more convenient for your guests. With the right partner, you can provide a secure guest and back-of-house network capable of streaming, controlling room environments, conducting secure financial transactions and more. You can do all this, and you don’t have to be a computer networking genius. You just need to know one.