In today's digital environment, public Wi-Fi networks, as critical network access points, directly impact personal privacy, corporate data, and even national security.
In-depth Analysis of Public Wi-Fi System Security Issues
The risks of public Wi-Fi go far beyond mere "information leakage"; they represent a complex attack surface encompassing the physical layer, data link layer, and application layer.
1. Data Link Layer Attacks (Core Threats)
Rogue Access Points (Rogue APs): Attackers set up malicious hotspots with spoofed SSIDs (such as "Starbucks_Premium" or "Airport_Free"); devices that remember an SSID will rejoin it automatically without asking the user. More aggressive attacks flood the air with deauthentication frames forged with the legitimate AP's address, forcing clients off the real AP so that they reconnect to the rogue one, which then sees all of their traffic. Deauthentication frames are unauthenticated unless Protected Management Frames (802.11w) are enforced, which is one reason WPA3 makes them mandatory.
Man-in-the-Middle Attacks (MITM): On open networks, and on WPA2-Personal networks where every client shares the same pre-shared key, tools such as Ettercap and bettercap can carry out ARP spoofing or DNS hijacking and route other clients' traffic through the attacker's host. WPA2-Enterprise is also exposed when supplicants are misconfigured: if server certificate validation is disabled, an evil twin backed by a rogue RADIUS server completes the EAP handshake and harvests the inner PEAP/EAP-TTLS MSCHAPv2 challenge-response, which can then be cracked offline.
Protocol Vulnerability Exploitation: KRACK (Key Reinstallation Attack, 2017) is a flaw in the WPA2 four-way handshake as specified. By blocking and replaying message 3 of the handshake, an attacker makes the client reinstall the pairwise key it is already using, which resets the packet number (nonce) and replay counter. Because CCMP and GCMP are counter-mode ciphers, nonce reuse allows keystream recovery and therefore decryption and replay of frames; in certain versions of wpa_supplicant, widely used on Linux and Android, the reinstalled key was zeroed, so all subsequent traffic was encrypted with an all-zero key. The fix is an implementation patch that refuses to reinstall an already-installed key, and it is needed on WPA3 devices as well, because WPA3 keeps the same four-way handshake after SAE.
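The following added example (not code from the original article) shows how a wireless IDS could spot the two link-layer attacks above in a stream of captured management frames: a deauthentication flood forged with the legitimate AP's BSSID, and an evil twin that advertises a known SSID with different security settings. The frame records, SSIDs and addresses are constructed for illustration, and the mapping from a real capture tool (scapy, a Kismet export) to these tuples is assumed.

```python
"""Detect deauthentication floods and evil-twin APs in captured 802.11 frames.

Added example, not part of the original article.  It operates on plain tuples
of the form (timestamp_s, subtype, bssid, ssid, security), sorted by time, that
a capture tool such as scapy or a Kismet export could be mapped to; the FRAMES
list below is constructed for illustration and is not real capture data.
"""
from collections import defaultdict, deque

# Constructed sample: two legitimate "Airport_Free" APs (one ESS, same security),
# an open evil twin of the same SSID, a staff WPA3 network, and 30 deauth frames
# forged with the legitimate AP's BSSID as the source within about half a second.
FRAMES = [
    (0.00, "beacon", "00:11:22:33:44:01", "Airport_Free", "WPA2-PSK"),
    (0.10, "beacon", "00:11:22:33:44:02", "Airport_Free", "WPA2-PSK"),
    (0.20, "beacon", "de:ad:be:ef:00:01", "Airport_Free", "open"),
    (0.30, "beacon", "00:11:22:33:44:03", "Lounge_Staff", "WPA3-SAE"),
] + [(0.5 + i * 0.02, "deauth", "00:11:22:33:44:01", None, None) for i in range(30)]


def detect_deauth_flood(frames, window_s=1.0, threshold=20):
    """Return {bssid: first_alert_time} for any BSSID that sends at least
    `threshold` deauth frames within a sliding window of `window_s` seconds.
    A real AP deauthenticates a client occasionally; dozens per second is an
    attack tool, and without 802.11w (PMF) clients cannot tell the difference."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, subtype, bssid, _, _ in frames:
        if subtype != "deauth":
            continue
        window = recent[bssid]
        window.append(ts)
        while ts - window[0] > window_s:  # drop timestamps outside the window
            window.popleft()
        if len(window) >= threshold and bssid not in alerts:
            alerts[bssid] = ts
    return alerts


def detect_evil_twin(frames):
    """Return {ssid: {bssid: security}} for SSIDs advertised with conflicting
    security settings, e.g. the real WPA2 'Airport_Free' next to an open clone.
    Several BSSIDs with identical settings are a normal multi-AP ESS and are
    not flagged; an attacker who clones the security type too must be caught
    by other means (vendor OUI, signal strength, certificate validation)."""
    by_ssid = defaultdict(dict)
    for _, subtype, bssid, ssid, security in frames:
        if subtype == "beacon":
            by_ssid[ssid][bssid] = security
    return {ssid: aps for ssid, aps in by_ssid.items() if len(set(aps.values())) > 1}


if __name__ == "__main__":
    print("deauth floods:", detect_deauth_flood(FRAMES))
    print("evil twins:", detect_evil_twin(FRAMES))
```

On the constructed sample the flood detector fires on the legitimate AP's BSSID (the forged source address, which is exactly why such an alert points at the victim rather than the attacker), and the evil-twin check reports only "Airport_Free", since its two genuine APs agree on WPA2-PSK while the clone is open.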
2. Application Layer and User Layer Attacks:
Protocol Analysis and Session Hijacking: Where transport encryption such as HTTPS is absent, attackers can read cookies and session tokens directly from captured traffic and take over the user's social media and e-mail sessions. Even with HTTPS, plaintext DNS queries and the TLS Server Name Indication (SNI) still reveal which hosts the user visits, enough to build a profile of their behaviour.
Malware Distribution: Attackers can tamper with unencrypted HTTP traffic to inject malicious code into software update or download responses, or impersonate legitimate websites to trick users into installing trojans. Updaters that do not verify signatures on what they download are the classic target.
A Springboard for Advanced Persistent Threats (APTs): For high-value targets, attackers may use public Wi-Fi as the initial access vector to implant a tailored backdoor and establish a long-lived, covert command-and-control (C2) channel, from which to move laterally and exfiltrate data later.
WPA3 Security Protocol: Architectural Innovation and Technical Implementation
WPA3 is not a patch on top of WPA2 but a new set of authentication and key-establishment mechanisms built on the existing RSN framework. It is divided into WPA3-Personal and WPA3-Enterprise, and the related Wi-Fi Enhanced Open certification (OWE) covers passwordless networks.
WPA3 Personal Edition
WPA3-Personal replaces the WPA2 pre-shared-key handshake with Simultaneous Authentication of Equals (SAE). SAE is an instance of the Dragonfly password-authenticated key exchange (PAKE, RFC 7664): the password authenticates a Diffie-Hellman style exchange instead of being fed directly into the key derivation, so a captured handshake no longer allows offline dictionary attacks on the password. SAE itself does not encrypt anything; it produces a pairwise master key (PMK), and the session keys are still derived afterwards by the usual four-way handshake.
1. Handshake Process
Both the client and the AP derive the same elliptic curve point, the password element (PWE), from the shared password and the two MAC addresses, using either the original hunting-and-pecking loop or the newer hash-to-element method. The PWE is never transmitted.
Commit exchange: each side picks two random values, rand and mask, and sends a scalar ((rand + mask) mod q) together with an element (-mask * PWE). From the peer's scalar and element and its own rand, each side computes the shared point k = rand * peer_rand * PWE; the two sides obtain the same k only if they derived the same PWE, that is, only if both know the password.
Confirm exchange: each side sends a MAC over both commit messages, keyed with a confirmation key derived from k, proving that it computed the same secret. From k and the two scalars both sides then derive a fresh PMK, which feeds the standard four-way handshake that produces the pairwise transient key (PTK) used for encryption.
2. Security Properties
Perfect Forward Secrecy: rand and mask are fresh for every handshake, so each session gets a unique PMK. Even if the password leaks later, previously captured sessions cannot be decrypted. Resistance to offline dictionary attacks: a captured commit/confirm exchange gives an attacker nothing to test password guesses against offline; every guess requires a live exchange with the AP (or with a client), which is slow, rate-limited by the AP's anti-clogging mechanism, and easy for a wireless intrusion detection system (IDS) to spot. The caveat is that the original hunting-and-pecking PWE derivation leaked password information through timing and cache side channels (the 2019 Dragonblood attacks), which is why current WPA3 guidance requires the constant-time hash-to-element (H2E) method, and why SAE should be deployed without WPA2-PSK transition mode wherever the client population allows it.
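Added example, not code from the article or from any Wi-Fi stack: a toy SAE (Dragonfly) exchange over P-256 in pure Python that traces the commit and confirm steps above and shows why a mismatched password fails at the confirm step rather than offline. It is deliberately simplified (first-hit hunting-and-pecking instead of the fixed-iteration loop or hash-to-element, plain HMAC-SHA256 in place of the 802.11 KDF, a fixed confirm counter, no anti-clogging token) and is not constant-time, so it illustrates the protocol logic, not a secure implementation. MAC addresses and passwords are constructed.

```python
"""Toy Simultaneous Authentication of Equals (SAE / Dragonfly) over NIST P-256.

Added illustration, not hostapd or wpa_supplicant code.  Assumptions (all
simplifications of IEEE 802.11 SAE): the password element comes from a
hunting-and-pecking loop that stops at the first valid point, the KDFs are
plain HMAC-SHA256, and the confirm counter is fixed.  Not constant-time.
"""
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (IANA group 19, the mandatory SAE group).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
Q = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition on P-256, covering doubling and P + (-P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def derive_pwe(password, mac_a, mac_b):
    """Simplified hunting-and-pecking: hash password and both MACs to an x
    coordinate until x^3 + ax + b is a square, then take its root."""
    macs = max(mac_a, mac_b) + min(mac_a, mac_b)  # same on both sides
    for counter in range(1, 256):
        seed = hmac.new(macs, password + bytes([counter]), hashlib.sha256).digest()
        x = int.from_bytes(hashlib.sha256(seed + b"SAE Hunting and Pecking").digest(), "big")
        if x >= P:
            continue
        rhs = (x * x * x + A * x + B) % P
        if pow(rhs, (P - 1) // 2, P) != 1:  # Euler criterion: not a square
            continue
        y = pow(rhs, (P + 1) // 4, P)  # valid square root because P % 4 == 3
        if (y & 1) != (seed[-1] & 1):   # pick the root by the seed's low bit
            y = P - y
        return (x, y)
    raise ValueError("no password element found")


def encode(scalar, element):
    return scalar.to_bytes(32, "big") + element[0].to_bytes(32, "big") + element[1].to_bytes(32, "big")


class SaePeer:
    """One side of the exchange (STA or AP); both run identical code."""

    def __init__(self, password, my_mac, peer_mac):
        self.pwe = derive_pwe(password, my_mac, peer_mac)
        while True:  # rand, mask in [2, q-1]; scalar must not be 0 or 1
            self.rand = secrets.randbelow(Q - 2) + 2
            self.mask = secrets.randbelow(Q - 2) + 2
            self.scalar = (self.rand + self.mask) % Q
            if self.scalar > 1:
                break
        self.element = ec_mul(Q - self.mask, self.pwe)  # -mask * PWE (PWE has order Q)

    def commit(self):
        return self.scalar, self.element

    def process_commit(self, peer_scalar, peer_element):
        """k = rand * (peer_scalar*PWE + peer_element) = rand * peer_rand * PWE,
        equal on both sides only if both derived the same PWE."""
        k_point = ec_mul(self.rand, ec_add(ec_mul(peer_scalar, self.pwe), peer_element))
        keyseed = hmac.new(b"\x00" * 32, k_point[0].to_bytes(32, "big"), hashlib.sha256).digest()
        ctx = ((self.scalar + peer_scalar) % Q).to_bytes(32, "big")
        self.kck = hmac.new(keyseed, b"SAE KCK" + ctx, hashlib.sha256).digest()
        self.pmk = hmac.new(keyseed, b"SAE PMK" + ctx, hashlib.sha256).digest()
        self.peer_scalar, self.peer_element = peer_scalar, peer_element

    def _tag(self, s1, e1, s2, e2):  # send-confirm counter fixed at 1 (simplification)
        return hmac.new(self.kck, b"\x00\x01" + encode(s1, e1) + encode(s2, e2), hashlib.sha256).digest()

    def confirm(self):
        return self._tag(self.scalar, self.element, self.peer_scalar, self.peer_element)

    def verify_confirm(self, tag):
        return hmac.compare_digest(tag, self._tag(self.peer_scalar, self.peer_element, self.scalar, self.element))


def run_handshake(sta_password, ap_password):
    """Full commit + confirm exchange; returns (confirm_ok, pmks_match)."""
    sta_mac, ap_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed
    sta, ap = SaePeer(sta_password, sta_mac, ap_mac), SaePeer(ap_password, ap_mac, sta_mac)
    sta.process_commit(*ap.commit())
    ap.process_commit(*sta.commit())
    ok = ap.verify_confirm(sta.confirm()) and sta.verify_confirm(ap.confirm())
    return ok, sta.pmk == ap.pmk
```

run_handshake(b"pw", b"pw") returns (True, True) and run_handshake(b"pw", b"other") returns (False, False). Note what a passive observer captures: two scalars, two elements and two confirm tags. None of them can be checked against a password guess without the observer's own rand, so each guess costs a fresh exchange with the AP, which is the online-only property described above.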
WPA3 Enterprise Edition: 192-bit Security Suite
Designed for government, financial and similar high-assurance environments, it mandates a fixed suite: GCMP-256 for data encryption, BIP-GMAC-256 for management frame integrity, ECDH and ECDSA on the 384-bit curve (P-384) for key agreement and certificate signatures within EAP-TLS, and SHA-384 (HMAC-SHA384) for key derivation. This matches NSA's Commercial National Security Algorithm (CNSA) suite and gives a 192-bit security level. Because it requires EAP-TLS with the matching TLS cipher suites, the RADIUS server, the certificate hierarchy and every client supplicant must all support it; a client that cannot negotiate the suite is refused rather than silently downgraded.
OWE Mechanism (Wi-Fi Enhanced Open, RFC 8110)
OWE addresses open, passwordless networks such as airport and cafe hotspots, which under WPA2 carried all traffic in the clear:
The client connects to the open network exactly as before; the user enters no password.
During association, the client and the AP perform an ephemeral Diffie-Hellman exchange (ECDH on P-256 by default) and derive a PMK that is unique to that client.
The PMK feeds the normal four-way handshake, so all subsequent traffic is encrypted with per-client keys; passive sniffing fails, and one guest cannot read another guest's traffic.
OWE is unauthenticated, however: the client learns nothing about who the AP is, so an evil twin can run the OWE exchange itself and then read the traffic. OWE defeats passive eavesdropping, not active man-in-the-middle attacks, and in OWE transition mode a legacy open SSID remains available for older clients.
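As an added example (not a hostapd tool; hostapd is the Linux AP daemon in which most of these settings end up), the following Python checker parses hostapd-style configuration and flags the weak settings discussed in this section: WPA2-PSK and WPA3 transition mode, management frames left unprotected, SAE without hash-to-element, Suite-B-192 without the matching ciphers, and OWE transition mode. The option names are hostapd's; the sample configurations are constructed.

```python
"""Check hostapd-style configuration for the weaknesses this section discusses.

Added example, not a hostapd tool.  It parses hostapd's key=value format and
uses hostapd's real option names (wpa, wpa_key_mgmt, rsn_pairwise, ieee80211w,
sae_pwe, group_mgmt_cipher, owe_transition_ssid).  The configurations at the
bottom are constructed for illustration: a typical hotspot setup, a hardened
WPA3-Personal setup, and a WPA3-Enterprise 192-bit setup.
"""


def parse_hostapd(text):
    """Return a dict of key -> value, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def lint_hostapd(conf):
    """Return (severity, finding) tuples; an empty list means nothing flagged."""
    findings = []
    akms = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())  # hostapd default is WPA-PSK
    if conf.get("wpa") != "2":
        findings.append(("HIGH", "wpa!=2: RSN not enforced; network is open or WPA1/TKIP"))
    if "WPA-PSK" in akms:
        findings.append(("HIGH", "WPA-PSK: a captured 4-way handshake can be brute-forced offline"))
        if "SAE" in akms:
            findings.append(("MEDIUM", "WPA3 transition mode: a rogue AP can downgrade clients to WPA2-PSK"))
    if conf.get("ieee80211w", "0") != "2":  # hostapd default is 0 (disabled)
        findings.append(("HIGH", "ieee80211w!=2: deauth/disassoc frames unauthenticated; WPA3 requires PMF"))
    if "SAE" in akms and conf.get("sae_pwe", "0") != "1":  # 1 = hash-to-element only
        findings.append(("MEDIUM", "sae_pwe!=1: hunting-and-pecking PWE derivation allowed (Dragonblood side channels)"))
    if "WPA-EAP-SUITE-B-192" in akms:
        if conf.get("rsn_pairwise") != "GCMP-256":
            findings.append(("HIGH", "Suite-B-192 requires rsn_pairwise=GCMP-256"))
        if conf.get("group_mgmt_cipher") != "BIP-GMAC-256":
            findings.append(("HIGH", "Suite-B-192 requires group_mgmt_cipher=BIP-GMAC-256"))
    if "OWE" in akms and conf.get("owe_transition_ssid"):
        findings.append(("LOW", "OWE transition mode: a parallel open SSID remains for legacy clients"))
    return findings


# Constructed: a common hotspot configuration with WPA2/WPA3 mixed mode and optional PMF.
HOTSPOT_CONF = """
interface=wlan0
ssid=Airport_Free
wpa=2
wpa_key_mgmt=WPA-PSK SAE
wpa_passphrase=freewifi2024
rsn_pairwise=CCMP
ieee80211w=1
"""

# Constructed: the same network hardened to SAE only, H2E only, PMF required.
HARDENED_CONF = """
interface=wlan0
ssid=Airport_Free
wpa=2
wpa_key_mgmt=SAE
sae_password=Example-Hotspot-Passphrase
sae_pwe=1
rsn_pairwise=CCMP
ieee80211w=2
"""

# Constructed: WPA3-Enterprise 192-bit mode (RADIUS server settings omitted).
SUITE_B_CONF = """
interface=wlan0
ssid=Agency_Secure
wpa=2
wpa_key_mgmt=WPA-EAP-SUITE-B-192
rsn_pairwise=GCMP-256
group_mgmt_cipher=BIP-GMAC-256
ieee80211w=2
ieee8021x=1
"""

if __name__ == "__main__":
    for name, text in (("hotspot", HOTSPOT_CONF), ("hardened", HARDENED_CONF), ("suite-b", SUITE_B_CONF)):
        print(name, lint_hostapd(parse_hostapd(text)) or "OK")
```

The hotspot configuration produces four findings (offline-crackable PSK, transition mode, PMF only optional, SAE still allowing hunting-and-pecking); the hardened and Suite-B configurations produce none. The checker encodes this section's advice, not hostapd's own validation, so a clean result means the settings match that advice, not that the deployment is secure.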
In summary, threats to public Wi-Fi are systemic, ranging from protocol flaws to targeted APT activity. WPA3, in particular SAE and OWE, substantially strengthens the link layer and removes some of the worst WPA2-era weaknesses: offline dictionary attacks on the handshake, unencrypted open networks and spoofable management frames. It does not, however, prove to the user that an SSID is the genuine network (an attacker who knows a shared hotspot password, or who simply uses OWE, can still run a rogue AP), it coexists with WPA2 in transition mode where downgrades are possible, and adoption across client and infrastructure fleets is slow. For scenarios with extremely high security requirements, WPA3 should be one layer in a defence-in-depth design that also includes a VPN or other end-to-end encryption, endpoint security, application-layer encryption and strict operational controls.