Are Wi-Fi CERTIFIED products protected by security?

As of July 1, 2020, all new Wi-Fi CERTIFIED devices require WPA3. The only way to be sure that a product meets the latest security standards is to purchase only Wi-Fi CERTIFIED products.

Frequently Asked Questions

Is Passpoint Secure?

Securing Wi-Fi connections is crucial to networking, and Wi-Fi Alliance® has been on the forefront of evolving Wi-Fi security.

Passpoint mandates the use of Protected Management Frames for all connections, and it leverages the IEEE 802.11u specification – a version of 802.1X. It’s restricted to access points and devices capable of WPA2 and WPA3 authentication, specifically the EAP authentication protocol, which is the current industry standard for network security.

Does Passpoint support mobile data offload over Wi-Fi?

Passpoint technologies are key to supporting mobile data offload and are key enablers for both mobile operator and internet service provider services.

What does Passpoint bring to hospitality?

Hospitality chains may own many brands but have a single consolidated rewards program. Without Passpoint, either the rewards program SSID needs to be added at every hotel or users’ phones must be configured with several SSIDs. Passpoint can function with a single profile that identifies the rewards program instead of a hotel SSID. When a user visits an associated property, their device will automatically identify the access point and connect.

What are “legacy protocols”?

Legacy protocols are earlier generations of Wi-Fi security, which have been updated or replaced over time due to changing security needs. The original security standard was Wired Equivalent Privacy (WEP). It was replaced by the original Wi-Fi Protected Access (WPA) in 2003 as an interim solution to the limited protection offered by WEP. The WPA program added support for Temporal Key Integrity Protocol (TKIP) encryption, an older form of security technology with some vulnerability to cryptographic attacks. WPA was replaced in 2004 with the more advanced protocols of WPA2.

Though the threat of a security compromise is small, users should not purchase new equipment which supports only WPA with TKIP. Only devices supporting WPA3 security should be purchased and used.

Which Wi-Fi Vantage technologies help quickly connect to another AP or another network?

Wi-Fi Agile Multiband: Fast Basic Service Set (BSS) Transition, also known as Fast Transition, is based on IEEE 802.11r. Fast Transition enables devices to reauthenticate quickly with WPA2 security when roaming within the same Wi-Fi network, improving experience with latency sensitive applications such as voice over Wi-Fi.

Wi-Fi Optimized Connectivity: Fast Initial Link Setup (FILS) Authentication is a mechanism defined in IEEE 802.11ai to enable fast authentication to APs.

Why should end users purchase Wi-Fi Vantage devices?

Devices that are certified for Wi-Fi Vantage represent the most recent and interoperable Wi-Fi technologies for managed networks. Users will experience fewer connection interruptions during calls or video streaming, even while traversing through a transportation hub like a large airport. These devices, when used in a Wi-Fi Vantage enabled network, bring a more seamless and consistent connection and therefore a better mobile experience.

What has changed in Miracast since its original release?

New enhancements focus on high-definition (HD) content, increased performance, and better battery life for Miracast devices.

Is a Wi-Fi connection needed to stream a video from the internet?

Miracast differs from other wireless display solutions in that a direct peer-to-peer connection between two devices may be formed to share content residing on the source device, without the need for a Wi-Fi network. If streaming content from the internet, a network connection is required.

What is a managed network?

Managed networks are Wi-Fi networks, such as those operated in airports, stadiums, schools, office buildings, retail and hotel locations and other venues, that are “managed” by network administrators to optimize their coverage, performance, and network access. These networks are frequently open to the public or offer access to subscribers.

What features are planned for Wi-Fi Vantage devices in future generations?

Future generations of Wi-Fi Vantage will add enhancements in network access, frequency band and channel management, and reduced connection times, resulting in improved roaming and management of Wi-Fi networks.

How does Passpoint support service provider branding and customer relationships?

Passpoint enabled mobile devices can choose networks based on a list of preferred (direct or partner) providers, specific services and/or the best performance characteristics. For service providers offering a managed experience, seamless authentication is a valuable element, and Passpoint networks also support deployments where a click-through screen is essential for acceptance of terms and conditions or branding.

Does Miracast support devices like wireless speakers? (audio only)

Audio-only devices are not part of the Miracast certification program.

How does Miracast protect premium content?

Miracast provides industry-standard protection of premium content through support of High-bandwidth Digital Content Protection (HDCP). HDCP is a wireless adaptation of the same trusted content protection mechanisms widely used for cabled interfaces, providing diversity in premium content options. This feature is designed to protect the digital rights of content owners and to encourage their efforts to make their content available.

What formats does Miracast support?

Miracast supports many commonly used audio/video formats. For a complete list, download the Miracast Technical Overview.

How is Miracast related to Wi-Fi Direct?

Wi-Fi Direct allows devices to connect directly to each other, without the need for a Wi-Fi access point (AP). It simply requires the push of a button or the entry of a PIN. Wi-Fi Direct allows source and display devices to discover one another and provides the underlying device-to-device connectivity for Miracast. Miracast builds upon Wi-Fi Direct with mechanisms to negotiate video capabilities, set up content protection (if needed), stream content, and maintain the video session.

What features does Miracast certification test?

Miracast certification includes testing for audio/video (A/V) latency, quality, and synchronization offset. Testing ensures that devices operate across vendors, provide simplified discovery and setup, meet the minimum display resolution requirement, and implement content protection (when implemented). Miracast devices are also tested for implementation of WPA2™ security. Wi-Fi Alliance members may view details on certification testing in the Wi-Fi CERTIFIED Miracast Test Plan.

Must both the content source and display be Miracast devices?

Both the display and the source devices must be Miracast certified. Miracast may be used on devices without embedded Wi-Fi capability by using a Miracast-certified adapter that supports an interface such as High-Definition Multimedia Interface (HDMI) or Universal Serial Bus (USB).

What types of equipment are tested?

Miracast certification is available for video-capable devices such as TVs, handsets, tablets, laptops, set-top boxes, cameras, and projectors.

What is the difference between Miracast and Wi-Fi Display?

Miracast is the brand for the certification program operated by Wi-Fi Alliance. Devices that pass this certification testing can be referred to as “Wi-Fi CERTIFIED Miracast™ devices” or “Miracast® devices”. Miracast certification is based on the Wi-Fi Alliance Miracast Specification. This is the underlying specification developed by Wi-Fi Alliance members, and is copyrighted and owned by Wi-Fi Alliance. Wi-Fi Display is the original name for the Miracast technology.

How do I activate TDLS?

Two Wi-Fi CERTIFIED TDLS devices will automatically form a direct connection after linking to the Wi-Fi network.  No user interaction is required.

How does Passpoint equipment support Wi-Fi roaming?

Passpoint devices use industry-agreed uniform mechanisms for discovering and creating secured connections to hotspots. This allows a subscriber to experience seamless Wi-Fi connectivity to a hotspot anywhere in the world a user’s provider has roaming agreements. Passpoint is specified as a requirement for the Wireless Broadband Alliance’s industry work on Wi-Fi roaming.

What standards does Passpoint draw on?

Passpoint makes use of elements of IEEE 802.1X, 802.11u, 802.11i, and WPA3™-Enterprise security, as well as some Wi-Fi Alliance defined mechanisms.

Who created the Passpoint program?

Members of Wi-Fi Alliance created the program. The group which developed Passpoint includes service providers, mobile operators, fixed line operators, and makers of mobile devices and infrastructure equipment.

What does Passpoint mean for end users?

Passpoint provides a better Wi-Fi user experience while mobile. Users with certified Passpoint devices can enjoy the benefits of streamlined network selection and secure connectivity at Passpoint enabled hotspots. Passpoint-enabled devices operate based on user preference.

Can existing equipment be upgraded for Passpoint?

Most of the existing silicon is Passpoint capable. The hardware and software platform of a given device determines whether it can be upgraded in the field. Equipment that has previously undergone certification testing can be updated and resubmitted for Passpoint certification.

Can legacy clients join a network with Passpoint access points?

Legacy mobile devices can connect to Passpoint access points configured for open system authentication, although they will not enjoy Passpoint features for network selection, automatic authentication, or expanded security. A user connecting to an open network with a legacy mobile device will manually find the available networks and then select and connect to the preferred network.

The access points used in hotspot and enterprise networks are often configured to support multiple SSIDs (networks) on the same equipment; a configuration that offers a Passpoint-certified network and a separate open network allows Passpoint mobile devices to enjoy the full benefits while supporting legacy clients.

Does Passpoint support voice over Wi-Fi?

Passpoint is a key enabler for many applications. The scope of Passpoint testing is to ensure that the mechanisms for seamless discovery and creation of a secured link are implemented correctly. It is application-agnostic.

What types of equipment are tested for Passpoint?

Infrastructure equipment such as access points, and mobile and portable devices such as smartphones, tablets, and notebooks have been certified. Passpoint is available on both SIM and non-SIM Wi-Fi devices.

Do devices with Voice-Enterprise work with legacy devices?

To benefit from Voice-Enterprise functionality, both the AP and client device need to be Wi-Fi CERTIFIED Voice-Enterprise. Any Wi-Fi CERTIFIED client devices in a Voice-Enterprise network that do not support Voice-Enterprise are interoperable with other Wi-Fi CERTIFIED devices, but do not take advantage of the advanced voice quality and bandwidth management features of Voice-Enterprise.

Does Voice-Enterprise test performance requirements?

The Voice-Enterprise certification program tests the performance of Wi-Fi implementations in voice over Wi-Fi applications, in a simulated network environment, with four (802.11b) or ten (802.11a/g/n) concurrent voice calls, a high speed video stream, and sustained data traffic loads, designed to represent a fully loaded network. To achieve certification, devices must meet the following thresholds:

  • Packet loss of less than 1%
  • No more than three consecutive lost packets
  • Latency of less than 50 milliseconds
  • Maximum jitter of less than 50 milliseconds
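The four thresholds applied to a packet trace, as an added example that is not part of the original FAQ or of the Wi-Fi Alliance test plan. The metric definitions (worst-case one-way latency, jitter as the change in delay between consecutive received packets), the function names, and the constructed 20 ms voice stream are assumptions.

```python
# Thresholds are the four listed above. How each metric is measured is an
# assumption of this example, not taken from the certification test plan.

def evaluate(received, sent_count):
    """received maps seq -> (send_ms, recv_ms) for packets that arrived."""
    lost = sent_count - len(received)

    # Longest run of consecutive sequence numbers that never arrived.
    longest_gap = run = 0
    for seq in range(sent_count):
        run = 0 if seq in received else run + 1
        longest_gap = max(longest_gap, run)

    # One-way delay per received packet, in sequence order.
    delays = [recv - send for _, (send, recv) in sorted(received.items())]
    jitter = max((abs(b - a) for a, b in zip(delays, delays[1:])), default=0)

    metrics = {
        "loss_pct": 100.0 * lost / sent_count,
        "max_consecutive_lost": longest_gap,
        "max_latency_ms": max(delays, default=0),
        "max_jitter_ms": jitter,
    }
    metrics["passed"] = (
        metrics["loss_pct"] < 1.0          # packet loss of less than 1%
        and longest_gap <= 3               # no more than three in a row
        and metrics["max_latency_ms"] < 50
        and jitter < 50
    )
    return metrics


def make_trace(sent_count, dropped):
    """Constructed trace: one packet every 20 ms, deterministic delays."""
    return {
        seq: (seq * 20, seq * 20 + 10 + (seq % 7) * 3)
        for seq in range(sent_count)
        if seq not in dropped
    }


# Same 0.8% loss in both runs; only the burst length differs.
GOOD = evaluate(make_trace(500, {100, 101, 102, 300}), 500)
BURST = evaluate(make_trace(500, {100, 101, 102, 103}), 500)

if __name__ == "__main__":
    print("scattered loss:", GOOD)
    print("4-packet burst:", BURST)
```

Both traces lose 4 of 500 packets, but the second loses them back to back and fails the consecutive-loss threshold even though its loss percentage is identical.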

Do devices with WMM-Admission Control work with legacy devices?

To benefit from WMM-Admission Control functionality, both the AP and client device need to be Wi-Fi CERTIFIED WMM-Admission Control. Any Wi-Fi CERTIFIED client devices in a WMM-Admission Control network that do not support WMM-Admission Control will operate as usual in WMM mode, but won’t use the access categories for which admission control is mandated by the AP.

How does WMM-Admission Control relate to the Voice-Enterprise program?

WMM-Admission Control certification is required for the Voice-Enterprise certification program.

Where is WMM-Admission Control used?

On a Wi-Fi network with a dense Wi-Fi deployment designed to support heavy traffic loads, such as an enterprise campus, hospital or educational campus, WMM-Admission Control helps ensure that the network can support good quality voice calls before admitting the voice call traffic stream, and assigns it priority over other traffic, such as downloads, email, and other best effort traffic.

How does WMM-Admission Control work?

WMM-Admission Control uses IEEE 802.11 management frames for the signaling between the AP and the client device. The AP evaluates the request frame from the client device against the network load and channel conditions. If the AP can accommodate the request, it accepts the request and grants the client the medium time for the traffic stream. If the request is rejected, the client device is not allowed to initiate the requested traffic stream, and may decide to either delay the traffic stream, associate with a different AP, or establish a best-effort traffic stream outside the operation of WMM-Admission Control.

What are Protected Management Frames?

Protected Management Frames (PMF) provide protection for unicast and multicast management action frames. Unicast management action frames are protected from both eavesdropping and forging, and multicast management action frames are protected from forging. They augment privacy protections already in place for data frames with mechanisms to improve the resiliency of mission-critical networks. PMF is required for all new certified devices.

How does Wi-Fi Alliance help ensure product compatibility and a good user experience for certified products?

Compatibility and quality are achieved through testing of Wi-Fi products. Consumers should always look for the Wi-Fi CERTIFIED logo to ensure the best user experience possible.

What is WMM?

Wi-Fi Multimedia, represented by the acronym WMM, is related to Wi-Fi CERTIFIED WMM® programs. These optional certifications provide multimedia enhancements for Wi-Fi networks that improve the user experience for audio, video, and voice applications.

 

Is WMM compliant with IEEE standards?

Wi-Fi Alliance defined WMM as a profile of the IEEE 802.11e Quality of Service (QoS) extensions for 802.11 networks and started a certification program for WMM to satisfy the most urgent needs of the industry for a QoS solution for Wi-Fi networks. WMM provides prioritized media access and is based on the Enhanced Distributed Channel Access (EDCA) method.

How much battery life improvement does WMM-Power Save provide?

Wi-Fi Alliance estimates that WMM-Power Save can provide from 15 to 40% improvement in battery life depending on the application characteristics.

What does “security” mean in the context of Wi-Fi?

In the context of Wi-Fi technology, security means two things. First, it means controlling who can connect to and configure your network and equipment. Second, it means securing the data travelling wirelessly across your Wi-Fi network from unauthorized view.

Wi-Fi security is just one aspect of security for networks. A protected Wi-Fi network is a great start, but you should also consider measures to protect your computer (virus software, firewall, etc.) and your communications across the internet (virtual private network (VPN), etc.).

How does WMM enable multimedia applications?

Without Quality of Service (QoS), all applications running on different devices have equal opportunity to transmit data frames. That works well for data traffic from applications such as web browsers, file transfers, or email, but it is inadequate for multimedia applications. Voice over Internet Protocol (VoIP), video streaming, and interactive gaming are highly sensitive to latency increases and throughput reductions, and require QoS. WMM defines four access categories (voice, video, best effort, and background) that are used to prioritize traffic to provide enhanced multimedia support.

What impacts the variance in power savings?

The power conservation achieved depends on the particular application in use, as well as how effectively the application uses WMM-Power Save. The Wi-Fi Alliance has produced a white paper which offers guidance to application developers.

What security measures should I take when working away from my home?

Configure Wi-Fi client devices (laptops, handsets, and other Wi-Fi enabled products) to enable security protections.

Configure for approved connections: Many devices are set by default to sense and automatically connect to any available wireless signal. Wi-Fi Alliance recommends that you configure your device to not automatically connect to an open network without your approval.

Disable sharing: Wi-Fi enabled devices may automatically enable sharing or connecting with other devices when attaching to a wireless network. File and printer sharing may be common in business and home networks, but this should be avoided in a public network such as a hotel, restaurant, or airport hotspot.

Users may also wish to use complementary security measures to improve the security of their activity over the internet including virtual private networks (VPNs), firewalls, etc.
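An added example, not part of the original FAQ: a client-side audit of a `wpa_supplicant.conf` file for the conditions this page warns about (WEP, WPA/TKIP-only legacy profiles, no WPA3, Protected Management Frames switched off, and open networks that are joined without approval). The sample configuration, function names and finding labels are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the page); passphrases omitted.
SAMPLE_CONF = """
network={
    ssid="home-wpa3"
    key_mgmt=SAE
    ieee80211w=2
}
network={
    ssid="old-router"
    key_mgmt=WPA-PSK
    proto=WPA
    pairwise=TKIP
}
network={
    ssid="warehouse-scanner"
    key_mgmt=NONE
    wep_key0="abcde"
}
network={
    ssid="cafe-guest"
    key_mgmt=NONE
}
network={
    ssid="office-wpa2"
    key_mgmt=WPA-PSK
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)^\s*\}", re.DOTALL | re.MULTILINE)

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    networks = []
    for body in BLOCK_RE.findall(text):
        net = {}
        for line in (raw.strip() for raw in body.splitlines()):
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks

def audit(net, default_pmf="0"):
    """Return finding labels for one block, using wpa_supplicant defaults."""
    key_mgmt = set(net.get("key_mgmt", "WPA-PSK IEEE8021X").split())
    if key_mgmt == {"NONE"}:
        if any(key.startswith("wep_key") for key in net):
            return ["WEP"]
        # An enabled open profile is joined whenever the SSID is in range.
        return [] if net.get("disabled") == "1" else ["OPEN_AUTOJOIN"]
    proto = set(net.get("proto", "WPA RSN").split())
    pairwise = set(net.get("pairwise", "CCMP TKIP").split())
    findings = []
    if not proto & {"RSN", "WPA2"} or pairwise == {"TKIP"}:
        findings.append("LEGACY_WPA_TKIP")   # original WPA and/or TKIP only
    if "WPA-PSK" in key_mgmt and "SAE" not in key_mgmt:
        findings.append("NO_WPA3")           # personal profile without SAE
    if net.get("ieee80211w", default_pmf) == "0":
        findings.append("PMF_OFF")           # management frames unprotected
    return findings

def audit_conf(text):
    """Map each SSID to its findings; a global pmf= line sets the default."""
    m = re.search(r"^\s*pmf=(\d)", text, re.MULTILINE)
    default_pmf = m.group(1) if m else "0"
    return {n.get("ssid", "?"): audit(n, default_pmf) for n in parse_networks(text)}
```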

How does WMM prioritize traffic?

WMM shortens the time between transmitting packets for higher priority traffic.

How does a user turn on WMM-Power Save?

If implemented correctly, WMM-Power Save will activate automatically when a Wi-Fi CERTIFIED™ for WMM-Power Save client device is communicating with a Wi-Fi CERTIFIED™ for WMM-Power Save access point. There is no action needed from a user.

What is the Converged Wireless Group RF Profile Test?

The Converged Wireless Group RF Profile Test is a test plan that was jointly developed by CTIA® and Wi-Fi Alliance® to provide a detailed radio frequency performance profile in a mixed-network (Wi-Fi and Cellular) environment. Manufacturers of converged handsets and Wi-Fi networking infrastructure devices (access points) can participate in this test program to provide carriers with independent evaluations of their equipment, and carriers can use the test reports to compare handsets from different manufacturers. Completion of CWG testing does not result in a Wi-Fi certification.

Is WMM-Power Save based upon IEEE 802.11e?

WMM-Power Save uses mechanisms from the IEEE 802.11e standard.

What is the benefit of the Converged Wireless RF Profile Test to carriers?

This industry-supported program provides detailed information about the RF performance of the Wi-Fi radio in a converged handset, as well as how the cellular and Wi-Fi radios impact one another. It provides a uniform evaluation approach that enables a standard way to contrast and compare converged devices.

How does WMM-Power Save compare to legacy 802.11 Power Save?

WMM-Power Save is a more finely tuned power save mechanism which draws on a variety of tools to manage power consumption. In legacy power save, the driver decided when to transmit data, while in WMM-Power Save, the application makes the determination about when to transfer data. This enables customization of the power mechanism to the particular application (e.g., Voice over Wi-Fi, video gaming, etc.). WMM-Power Save is backwards-compatible with legacy power save.

What are the tests included in the Converged Wireless RF Profile?

The comprehensive over-the-air testing program provides detailed measurements on key parameters, described in layperson terms below. The measurements are taken in a 360-degree environment in order to create “real-world” conditions:

  • Measurements to provide information about the reach of a Wi-Fi radio signal sent by a converged phone or AP, called transmit power (TRP, or Total Radiated Power)
  • Measurements to provide information about how well the Wi-Fi radio can detect an incoming signal in a converged phone or AP, called receive sensitivity (TIS, or Total Isotropic Sensitivity)

In addition, the program includes:

  • Measurement of the signals ahead of the Wi-Fi antenna, called conducted power and sensitivity
  • Measurement of the reduction in sensitivity (desensitization) of a Wi-Fi receiver caused by the presence of an active cellular transmitter, and to ensure that the performance of the Wi-Fi receiver is within acceptable limits
  • Measurements of the desensitization of a cellular receiver caused by the presence of an active Wi-Fi transmitter, and to ensure that the performance of the cellular receiver is within acceptable limits

To complete the testing a device must also be Wi-Fi CERTIFIED™ for core Wi-Fi interoperability and WPA2™ security, and CTIA certified for cellular performance.

How does WMM-Power Save work?

WMM-Power Save increases the efficiency and flexibility of data transmission. Specifically, the client device can doze between packets to save power, while the access point buffers downlink frames. The application chooses the time to wake up and receive data packets to maximize power conservation without sacrificing Quality of Service.

How does Wi-Fi Protected Setup work?

There are two primary approaches to network setup within Wi-Fi Protected Setup: push-button and PIN entry. PIN entry is mandatory in all Wi-Fi Protected Setup devices, while push-button is optional and may also be found in some devices.

Push-button configuration (PBC): in some Wi-Fi Protected Setup networks, the user may connect multiple devices to the network and enable data encryption by pushing a button. The access point/wireless router will have a physical button, and other devices may have a physical or software-based button. Users should be aware that during the two-minute setup period which follows the push of the button, unintended devices could join the network if they are in range.

PIN entry: in all Wi-Fi Protected Setup networks, a unique PIN (Personal Identification Number) will be required for each device to join the network. A fixed PIN label or sticker may be placed on a device, or a dynamic PIN can be generated and shown on the device's display (e.g., a TV screen or monitor). The PIN is used to make sure the intended device is added to the network being set up and will help to avoid accidental or malicious attempts to add unintended devices to the network.

A registrar device (which could be an access point/wireless router, PC, television, or other device) will detect when a new Wi-Fi device is in range, and prompt the user to enter the PIN, if he or she wishes to add the new device to the network. In this mode, the Wi-Fi Protected Setup network encrypts data and authenticates each device on the network. The PIN entry method is supported in all devices.