Public roaming Wi-Fi: secure and convenient hot spots

16-11-2019

Yesterday, the municipality of Amsterdam officially launched its initiative for public, secure Wi-Fi hot spots based on public roaming. Over the course of 2019 I have (through Dialogic) been involved in this project, first in designing the pilot project, and subsequently in executing it.

Even with highly capable 4G mobile networks having excellent coverage almost everywhere in the Netherlands, there is still a demand for Wi-Fi, as we found during the first stages of this study. First, there are tourists – especially those from outside the EU, who are unable to enjoy the luxury of free mobile roaming throughout the EU. A second group of users are those who cannot afford larger data bundles on mobile. Finally, there is a group of more professional users (e.g. roaming professionals).

Wi-Fi is usually available in public spaces, such as government buildings, hospitals and coffee bars. Usually these are public networks without any security whatsoever. To make accessing hot spots as convenient as possible, most places simply use ‘open’ Wi-Fi which is not secured with a password. What is less known, however, is that such networks also fail to encrypt communications between the user and the base station, leaving their users vulnerable to eavesdropping. Indeed, Dutch banks are advising their customers not to use any form of public Wi-Fi for this reason.

Universities have long solved the problem of roaming Wi-Fi users through eduroam. Eduroam uses enterprise features of Wi-Fi to authenticate users when connecting to the network (and, importantly, the network is also authenticated to the users!). Students from all over the Netherlands can use the credentials for their own university’s network on any eduroam network in the Netherlands. Unfortunately, though, eduroam requires you to be an enrolled student or employee of an educational institution. Similarly, govroam allows Dutch government employees to roam about Dutch government buildings, but remains closed to visitors (such as myself!). (Interestingly, I found out that one of the initiators of govroam is also a Dialogic alumnus.)

Publicroam, an initiative by the other govroam godfather, Paul Francissen, intends to solve this problem by becoming the roaming provider for all. Publicroam is technically equivalent to eduroam and govroam on the Wi-Fi side of things. However, Publicroam allows anyone to create an account and access the network. Publicroam takes care of the initial authentication through SMS verification. The nice thing about Publicroam is that the Wi-Fi features it requires (WPA2 Enterprise with RADIUS) are available on virtually all Wi-Fi access points in existence.

Using Publicroam, the connection between user and base station is encrypted. Once registered, most devices will auto-connect to a publicroam network once in range. Additionally, the user is able to authenticate the network and will be warned when connecting to a ‘fake’ publicroam network. Publicroam is able to identify abuse and has the ability to kick malicious users from the network. Technical users will remark that it is still possible to eavesdrop on connections from the base station onwards. To counteract this, Publicroam maintains strict contracts with venue owners, which guarantee user privacy, among other things.
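The warning about a ‘fake’ network only works if the client actually checks the certificate of the RADIUS server behind the access point. As an added example (not from the original post or from Publicroam), the script below audits a wpa_supplicant configuration for WPA2 Enterprise networks that skip that check; the sample configuration, the EAP method, the CA path and the server name are constructed placeholders.

```python
import re
# Constructed sample; EAP method, CA path and server name are placeholders.
SAMPLE_CONF = '''
network={
    ssid="publicroam"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="publicroam-validated"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_suffix_match="radius.example.invalid"
}
network={
    ssid="cafe-open"
    key_mgmt=NONE
}
'''
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(conf):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(conf):
    """Map each SSID to its findings; an empty list means nothing was flagged."""
    report = {}
    for net in parse_networks(conf):
        findings, key_mgmt = [], net.get("key_mgmt", "")
        if key_mgmt == "NONE":
            findings.append("key_mgmt=NONE: no WPA protection on the radio link")
        elif "WPA-EAP" in key_mgmt:
            if not ("ca_cert" in net or "ca_path" in net):
                findings.append("no CA configured: server certificate is not validated")
            if not any(k in net for k in NAME_CHECKS):
                findings.append("no server name check: any certificate from the CA is accepted")
        report[net.get("ssid", "<no ssid>")] = findings
    return report

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "->", findings or "ok")
```

A profile with neither a CA nor a server name check will hand its credentials to any access point broadcasting the same SSID, which is exactly the case the network authentication is meant to catch.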

Over the course of the pilot for Amsterdam, we decided to approach various public venues, asking them to convert their ‘open’ Wi-Fi to Publicroam. The idea was generally positively received, albeit meeting some resistance.

To resolve technical issues, I assisted Publicroam in the development of a “Publicroam-in-a-box” solution. The ‘box’ is a Wi-Fi base station that will broadcast the Publicroam network after being plugged into a wall outlet as well as an Ethernet port on a router or modem. Behind the scenes it sets up a VPN connection to the Publicroam platform to secure the authentication as well as to be able to deal with multiple layers of NAT and dynamic IPs.