Public Wi-Fi Safety Baseline (v1.0)

A practical minimum standard for safer municipal and public-space Wi-Fi.

Publisher: SafePublicWiFi (QState Cyber Security)
Version: v1.0
Status: Public Draft (for consultation)

1. Purpose and Scope

Public Wi-Fi enables digital inclusion and access to essential services, but it also significantly expands the attack surface of public institutions. This baseline defines what reasonable protection looks like for operators of public Wi-Fi networks.

The scope of this baseline is intentionally focused on network-layer safety and operational assurance, including detection, monitoring, and response. It does not address content filtering, user surveillance, or end-user device management.

2. What This Baseline Is and Is Not

What This Baseline Is

  • A minimum set of technical and operational controls for public Wi-Fi safety
  • A threat model aligned with realistic public-space Wi-Fi attacks
  • A monitoring and reporting framework designed to protect user privacy
  • A practical reference for municipalities, libraries, and public institutions

What This Baseline Is Not

  • A guarantee that security incidents will never occur
  • A replacement for enterprise or zero-trust network architectures
  • A content filtering or surveillance standard
  • A certification or compliance mandate by itself

3. Threat Model for Public Wi-Fi

Many public Wi-Fi attacks operate at the link and network layers, before a VPN tunnel or TLS session has been established, so application-layer protections (including VPNs) do not prevent them. The following threats are prioritized because they are realistic in public venues and can lead to credential theft, session compromise, or malware delivery.

Evil Twin / Rogue Access Point Impersonation

Attackers deploy access points that advertise a legitimate SSID to lure users into connecting. On an open network the client has no cryptographic way to tell the impostor from the genuine access point; the impostor may also advertise a weaker security mode than the genuine network or present a malicious captive portal.

Primary impact: Credential capture, session theft, traffic interception.
Baseline expectation: Detect SSID/BSSID impersonation patterns, unexpected security modes, and abnormal beacon or probe behavior.

Deauthentication and Disassociation Attacks

Attackers send forged deauthentication or disassociation frames to force clients off legitimate access points, triggering reconnections or herding users toward rogue networks.

Primary impact: User disruption and increased likelihood of evil twin compromise.
Baseline expectation: Detect abnormal deauthentication and disassociation rates and correlate them with nearby SSID or BSSID changes.
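The following Python is an added example, not part of this baseline or of any vendor product, that applies the two expectations above (evil twin detection and deauthentication-burst detection) to constructed sensor records. Beacons are checked against an assumed SSID/BSSID inventory for impersonating BSSIDs and unexpected security modes, deauthentication frames are counted per time window against an assumed threshold, and a burst is correlated with a rogue BSSID for the same SSID that first appears shortly after it. The inventory, window size, threshold and sample records are all assumptions standing in for what an operator's wireless sensor would export.

```python
"""Evil-twin and deauthentication-burst detection over constructed 802.11 metadata.

Added example for the SafePublicWiFi baseline text; not part of the baseline.
INVENTORY, WINDOW_SECONDS, DEAUTH_BURST_THRESHOLD and the SAMPLE_* records are
assumptions standing in for an operator's real inventory and sensor output.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed operator inventory (section 4.1): SSID -> authorised BSSIDs and the
# security mode each authorised BSSID is expected to advertise.
INVENTORY = {
    "CityFreeWiFi": {
        "bssids": {"aa:bb:cc:00:01:10", "aa:bb:cc:00:01:11"},
        "security": "OWE",
    },
}
WINDOW_SECONDS = 10          # assumed bucket size for rate counting
DEAUTH_BURST_THRESHOLD = 20  # assumed frames-per-window alert threshold


@dataclass(frozen=True)
class Beacon:
    ts: float
    ssid: str
    bssid: str
    channel: int
    security: str  # e.g. "OPEN", "OWE", "WPA2-PSK", "WPA2-EAP", "WPA3-SAE"


@dataclass(frozen=True)
class Deauth:
    ts: float
    bssid: str  # transmitter address claimed in the frame (easily forged)
    client: str


def check_beacons(beacons, inventory=INVENTORY):
    """Flag BSSIDs that advertise an inventoried SSID but are not in the inventory
    (evil twin), or that are inventoried but advertise an unexpected security mode."""
    alerts, seen = [], set()
    for b in beacons:
        expected = inventory.get(b.ssid)
        if expected is None:
            continue  # neighbouring networks are out of scope
        key = (b.ssid, b.bssid, b.security)
        if key in seen:
            continue  # report each (SSID, BSSID, mode) combination once
        seen.add(key)
        if b.bssid not in expected["bssids"]:
            alerts.append(("EVIL_TWIN_BSSID", b.ssid, b.bssid, b.channel, b.security))
        elif b.security != expected["security"]:
            alerts.append(("SECURITY_MODE_MISMATCH", b.ssid, b.bssid, b.channel, b.security))
    return alerts


def deauth_bursts(deauths, window=WINDOW_SECONDS, threshold=DEAUTH_BURST_THRESHOLD):
    """Count deauth/disassoc frames per (time bucket, claimed BSSID) and return the
    buckets at or above the threshold as (bucket_start, bssid, count)."""
    buckets = defaultdict(int)
    for d in deauths:
        buckets[(int(d.ts // window) * window, d.bssid)] += 1
    return [(start, bssid, n) for (start, bssid), n in sorted(buckets.items()) if n >= threshold]


def correlate(beacons, deauths, inventory=INVENTORY, window=WINDOW_SECONDS):
    """Join each deauth burst against an authorised BSSID with any evil-twin BSSID
    for the same SSID that was first seen within two windows after the burst began."""
    bssid_to_ssid = {b: ssid for ssid, e in inventory.items() for b in e["bssids"]}
    first_seen = {}
    for b in beacons:
        first_seen.setdefault(b.bssid, b.ts)
    twins = [a for a in check_beacons(beacons, inventory) if a[0] == "EVIL_TWIN_BSSID"]
    findings = []
    for start, bssid, n in deauth_bursts(deauths, window):
        ssid = bssid_to_ssid.get(bssid)
        for _, twin_ssid, twin_bssid, channel, security in twins:
            if twin_ssid == ssid and start <= first_seen[twin_bssid] < start + 2 * window:
                findings.append({"rule": "DEAUTH_THEN_EVIL_TWIN", "ssid": ssid,
                                 "victim_bssid": bssid, "deauth_count": n,
                                 "rogue_bssid": twin_bssid, "rogue_channel": channel,
                                 "rogue_security": security, "window_start": start})
    return findings


# Constructed sample: two authorised APs beaconing normally, a neighbour's network,
# two routine deauths, then 25 forged deauths at t=40..44.8 "from" AP ...10 followed
# at t=45 by an open-mode BSSID copying the SSID on channel 6. The last beacon is an
# authorised AP drifting to open mode, which the mode check should also catch.
SAMPLE_BEACONS = [Beacon(t, "CityFreeWiFi", "aa:bb:cc:00:01:10", 1, "OWE") for t in range(0, 60, 5)]
SAMPLE_BEACONS += [Beacon(t, "CityFreeWiFi", "aa:bb:cc:00:01:11", 11, "OWE") for t in range(0, 60, 5)]
SAMPLE_BEACONS += [Beacon(t, "CafeNextDoor", "12:34:56:78:9a:bc", 6, "WPA2-PSK") for t in range(0, 60, 5)]
SAMPLE_BEACONS += [Beacon(t, "CityFreeWiFi", "de:ad:be:ef:00:01", 6, "OPEN") for t in range(45, 60)]
SAMPLE_BEACONS.append(Beacon(55, "CityFreeWiFi", "aa:bb:cc:00:01:11", 11, "OPEN"))
SAMPLE_DEAUTHS = [Deauth(5.0, "aa:bb:cc:00:01:10", "02:11:22:33:44:55"),
                  Deauth(23.0, "aa:bb:cc:00:01:11", "02:66:77:88:99:aa")]
SAMPLE_DEAUTHS += [Deauth(40 + i * 0.2, "aa:bb:cc:00:01:10", f"02:00:00:00:00:{i:02x}") for i in range(25)]

if __name__ == "__main__":
    for alert in check_beacons(SAMPLE_BEACONS):
        print("beacon alert:", alert)
    for finding in correlate(SAMPLE_BEACONS, SAMPLE_DEAUTHS):
        print("correlated:", finding)
```

The deauth count is keyed on the BSSID the frames claim to come from, because a forged deauth spoofs the legitimate AP's address; the correlation therefore looks for a rogue BSSID for the SSID that the victim BSSID serves, not for frames from the rogue itself. Only SSID, BSSID, channel and mode are recorded, in line with section 6.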

Rogue DHCP and DNS Manipulation

Malicious hosts provide unauthorized DHCP leases or DNS responses to redirect traffic.

Primary impact: Traffic interception, phishing, malware delivery.
Baseline expectation: Detect multiple DHCP servers, unexpected gateway or DNS assignments, and sudden lease-pattern changes.
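As an added example for the expectation above (not part of this baseline), the following Python parses server-to-client DHCP packets as they would be captured on the public VLAN and checks them against the operator's authorised DHCP server, gateway and resolvers. It flags an unauthorised server identifier, a server identifier that is correct but sent from the wrong MAC address, unexpected router or DNS options, and abnormally short leases, and it counts the distinct servers seen. The allow-lists, lease threshold and the sample packets (built by a small constructor in the block) are assumptions.

```python
"""Parse DHCP OFFER/ACK packets and check them against the operator's authorised
DHCP server, gateway and resolvers.

Added example for the SafePublicWiFi baseline text; not part of the baseline.
AUTHORISED_SERVERS, EXPECTED_ROUTERS, EXPECTED_DNS, MIN_LEASE_SECONDS and the
sample packets are constructed assumptions.
"""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # the 236-byte fixed BOOTP header
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_ROUTER, OPT_DNS, OPT_LEASE = 53, 54, 3, 6, 51
OFFER, ACK = 2, 5

# Assumed operator configuration: server identifier -> MAC it must answer from,
# plus the gateway and resolvers clients are supposed to receive.
AUTHORISED_SERVERS = {"10.20.0.1": "aa:bb:cc:00:00:01"}
EXPECTED_ROUTERS = {"10.20.0.1"}
EXPECTED_DNS = {"10.20.0.53", "10.20.0.54"}
MIN_LEASE_SECONDS = 600  # assumed: leases shorter than this are suspicious


def ip4(raw):
    return socket.inet_ntoa(raw)


def ip4_list(raw):
    """Options 3 and 6 carry one or more 4-byte addresses back to back."""
    return {ip4(raw[j:j + 4]) for j in range(0, len(raw) - len(raw) % 4, 4)}


def parse_dhcp(packet):
    """Return the BOOTP fields of interest and a {code: value} dict of DHCP options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fields = struct.unpack(BOOTP_FMT, packet[:236])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:  # END
            break
        if code == 0:  # PAD
            i += 1
            continue
        if i + 1 >= len(packet):
            break  # truncated option
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4], "yiaddr": ip4(fields[8]),
            "chaddr": fields[11][:6].hex(":"), "options": options}


def check_offer(packet, src_mac):
    """Findings for one server->client DHCP packet observed on the public VLAN."""
    opts = parse_dhcp(packet)["options"]
    if opts.get(OPT_MSG_TYPE, b"")[:1] not in (bytes([OFFER]), bytes([ACK])):
        return []  # client-originated and other message types are not assessed here
    findings = []
    server = ip4(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    if server not in AUTHORISED_SERVERS:
        findings.append(("ROGUE_DHCP_SERVER", server, src_mac))
    elif AUTHORISED_SERVERS[server].lower() != src_mac.lower():
        findings.append(("DHCP_SERVER_ID_SPOOFED", server, src_mac))  # right IP, wrong L2 source
    if OPT_ROUTER in opts and not ip4_list(opts[OPT_ROUTER]) <= EXPECTED_ROUTERS:
        findings.append(("UNEXPECTED_GATEWAY", sorted(ip4_list(opts[OPT_ROUTER]) - EXPECTED_ROUTERS)))
    if OPT_DNS in opts and not ip4_list(opts[OPT_DNS]) <= EXPECTED_DNS:
        findings.append(("UNEXPECTED_DNS", sorted(ip4_list(opts[OPT_DNS]) - EXPECTED_DNS)))
    if OPT_LEASE in opts and len(opts[OPT_LEASE]) == 4:
        lease = struct.unpack("!I", opts[OPT_LEASE])[0]
        if lease < MIN_LEASE_SECONDS:
            findings.append(("SHORT_LEASE", lease))
    return findings


def dhcp_servers_seen(packets_with_src):
    """Distinct (server identifier, source MAC) pairs in a capture window; more than
    one pair on a public VLAN is itself an alert condition."""
    seen = set()
    for packet, src_mac in packets_with_src:
        opts = parse_dhcp(packet)["options"]
        if OPT_SERVER_ID in opts:
            seen.add((ip4(opts[OPT_SERVER_ID]), src_mac.lower()))
    return seen


def build_offer(server_ip, yiaddr, router, dns, lease, client_mac="02:de:ad:be:ef:01", xid=0x1234ABCD):
    """Construct a minimal DHCPOFFER; used only to make sample data for this example."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack(BOOTP_FMT, 2, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4,
                         socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4, chaddr, b"\0" * 64, b"\0" * 128)
    dns_bytes = b"".join(socket.inet_aton(d) for d in dns)
    options = (bytes([OPT_MSG_TYPE, 1, OFFER]) + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_ip)
               + bytes([OPT_ROUTER, 4]) + socket.inet_aton(router)
               + bytes([OPT_DNS, len(dns_bytes)]) + dns_bytes
               + bytes([OPT_LEASE, 4]) + struct.pack("!I", lease) + b"\xff")
    return header + MAGIC_COOKIE + options


# Constructed samples: the authorised server, a rogue server pointing clients at
# itself with a short lease, and a rogue that copies the authorised server identifier
# but answers from its own MAC.
LEGIT_OFFER = (build_offer("10.20.0.1", "10.20.3.41", "10.20.0.1", ["10.20.0.53", "10.20.0.54"], 3600), "aa:bb:cc:00:00:01")
ROGUE_OFFER = (build_offer("10.20.0.250", "10.20.3.42", "10.20.0.250", ["10.20.0.250"], 120), "de:ad:be:ef:00:02")
SPOOFED_OFFER = (build_offer("10.20.0.1", "10.20.3.43", "10.20.0.1", ["10.20.0.53"], 3600), "de:ad:be:ef:00:02")
SAMPLE_PACKETS = [LEGIT_OFFER, ROGUE_OFFER, SPOOFED_OFFER]

if __name__ == "__main__":
    for pkt, mac in SAMPLE_PACKETS:
        print(mac, check_offer(pkt, mac))
    print("servers seen:", dhcp_servers_seen(SAMPLE_PACKETS))
```

Checking the source MAC as well as the server identifier matters because a rogue host can copy the legitimate server's IP in option 54; the L2 source is what the access layer (DHCP snooping, where available) can actually filter on.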

Captive Portal Phishing

Captive portals are modified or replaced to mimic legitimate login pages or inject credential-harvesting prompts.

Primary impact: Credential theft and account compromise.
Baseline expectation: Monitor the portal for behavior changes (unexpected redirect targets, form fields, or hosting domains) and TLS anomalies (certificate or hostname changes) without collecting credentials.

4. Reasonable Protection Baseline for Public Operators

4.1 Governance and Accountability

  • Assign an accountable owner for public Wi-Fi safety
  • Maintain an inventory of SSIDs, access points, controllers, and captive portals
  • Define response playbooks for high-severity Wi-Fi conditions
  • Conduct quarterly reviews of alerts, incidents, and remediation status

4.2 Technical Minimum Controls

  • Use modern Wi-Fi security where feasible: WPA3 (Enhanced Open/OWE for networks that issue no credentials; WPA3-SAE or WPA2/WPA3-Enterprise where they do), with 802.11w Protected Management Frames enabled so that forged deauthentication and disassociation frames are rejected
  • Strongly segment public Wi-Fi from internal and administrative networks, and isolate clients from one another so that rogue DHCP offers, ARP spoofing, and other client-to-client attacks cannot reach other users
  • Restrict management interfaces to an administrative network and require strong authentication
  • Harden captive portals: serve them only over HTTPS from a domain the operator controls, with a publicly trusted certificate, and place portal content under change control
  • Prevent rogue DHCP and DNS at the access layer where the equipment supports it (DHCP snooping or DHCP guard, forwarding only the operator's resolvers), and detect what cannot be prevented

5. Continuous Monitoring Requirements

Because many public Wi-Fi threats are transient, continuous monitoring is required to reduce exposure time and support timely response.

  • SSID and BSSID metadata, channels, and security modes
  • Beacon, probe, and management-frame anomalies
  • Deauthentication and association churn events
  • DHCP server presence and gateway or DNS changes
  • Health and uptime of monitoring components

6. Privacy-Preserving Reporting Principles

Public Wi-Fi safety monitoring must respect citizen privacy. This baseline explicitly prohibits collection of user content.

  • No inspection or storage of user payload data
  • No collection of credentials or browsing activity
  • Monitor metadata only (frame headers, addresses, timings, and option values), and only where it is strictly necessary for a detection listed in section 5
  • Minimal retention and purpose-limited use of identifiers such as client MAC addresses, which should be pseudonymized or truncated before storage
  • Transparency about what is monitored and retained
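The following Python is an added example, not part of this baseline, of how an alert produced by a sensor can be reduced to a report record that satisfies the principles above: fields that might carry user content are dropped, the operator's own infrastructure metadata is kept, and the client MAC address is replaced by a keyed pseudonym derived from a per-day key so that a client can be correlated within one day's incident but not tracked across days. The master secret, pseudonym length, field allow-list and the sample alert are assumptions.

```python
"""Reduce a Wi-Fi safety alert to a privacy-preserving report record.

Added example for the SafePublicWiFi reporting principles; not part of the
baseline. REPORTABLE_FIELDS, PSEUDONYM_HEX_CHARS, the master secret and the
SAMPLE_ALERT are assumptions.
"""
import datetime
import hashlib
import hmac

# Assumed: what a report may carry. SSID/BSSID/channel/mode describe the
# operator's own infrastructure (or an impostor of it), not a user.
REPORTABLE_FIELDS = {"rule", "ts", "ssid", "bssid", "channel", "security", "deauth_count"}
PSEUDONYM_HEX_CHARS = 8  # assumed: 32 bits is enough to correlate within one day


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set, as it is for randomized client
    MACs; such addresses already rotate per network or per day on most devices."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def daily_key(master_secret, day):
    """Derive a per-day key so pseudonyms from different days cannot be linked."""
    return hmac.new(master_secret, day.isoformat().encode(), hashlib.sha256).digest()


def pseudonymize_mac(mac, key, length=PSEUDONYM_HEX_CHARS):
    """Keyed, truncated HMAC of the normalized MAC; without the key the pseudonym
    cannot be inverted by enumerating the 2^48 address space."""
    return hmac.new(key, mac.lower().encode(), hashlib.sha256).hexdigest()[:length]


def redact_alert(alert, master_secret, day):
    """Keep only reportable fields; replace client_mac with a per-day pseudonym and
    a flag saying whether it was a randomized address. Anything else (captured URLs,
    form bodies, credentials) is silently dropped rather than stored."""
    key = daily_key(master_secret, day)
    record = {k: v for k, v in alert.items() if k in REPORTABLE_FIELDS}
    if "client_mac" in alert:
        record["client"] = pseudonymize_mac(alert["client_mac"], key)
        record["client_randomized"] = is_locally_administered(alert["client_mac"])
    return record


# Constructed sample: an alert from an over-eager sensor that has captured far more
# than section 6 permits. Only the allowed fields survive redaction.
SAMPLE_ALERT = {
    "rule": "DEAUTH_THEN_EVIL_TWIN", "ts": "2024-05-01T10:02:11Z",
    "ssid": "CityFreeWiFi", "bssid": "aa:bb:cc:00:01:10", "channel": 1, "security": "OWE",
    "deauth_count": 25, "client_mac": "A4:5E:60:11:22:33",
    "portal_url": "http://login.example/?user=alice",
    "credential_form": "user=alice&pass=hunter2",
}

if __name__ == "__main__":
    secret = b"assumed-master-secret"  # in practice: from a secrets store, not source
    print(redact_alert(SAMPLE_ALERT, secret, datetime.date(2024, 5, 1)))
```

The allow-list approach (keep only named fields) is deliberate: a deny-list of "sensitive" keys would silently pass any new field a sensor starts emitting.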

7. Implementation Guidance

Operators should prioritize high-risk public venues such as libraries, transit hubs, and dense public spaces. Pilot deployments are recommended to establish baseline metrics and validate detection and response workflows.

This baseline should be reviewed and updated annually as threats, technologies, and standards evolve.
