Introduced: 1997
Encryption: None
Key mgmt: None
PMF: No
Prevalence: Common

How it works

An Open network does exactly nothing to protect the air. There is no authentication, so any device in range simply associates and joins, and there is no encryption, so every frame above the radio layer travels as cleartext. The original 802.11 standard called this Open System authentication, which is a misnomer: the "authentication" is a two-frame formality that always succeeds and proves nothing about either party.

The consequence is that the wireless medium becomes a shared, public bus. Anyone with a receiver tuned to the channel hears the same bytes the access point and clients exchange. The only thing standing between an eavesdropper and your data is whatever the application layer added on its own, which in practice means TLS for the sites that use it and nothing at all for the sites that do not. Open is everywhere because it is frictionless, and it is dangerous for exactly the same reason.

Configuring it in Tala WTE

The protocol-specific control for Open is the Captive Portal Sandbox toggle, which the Topology section reveals only when the protocol is Open: enable it to intercept connecting clients with a splash page whose submissions land in Captured Data. Which portal to pick and how submission validation works are covered in Captive Portals and Credential Sets.

For the full New-Network walkthrough (naming the SSID, band and channel, Client Isolation, and the rest of the Topology panel), see Networks.

Attacks

Passive eavesdropping

With no encryption, capture is the whole attack. Put an adapter in monitor mode and record everything on the channel, then read it back offline:

airmon-ng start wlan0 6
tcpdump -i wlan0mon -w open.pcap
wireshark open.pcap

Judgment: trivially effective against any cleartext protocol; HTTPS and other TLS traffic stays opaque, so the win is unencrypted HTTP, DNS, and plaintext app protocols.

Evil twin / rogue AP

Because clients never authenticate the network, a second AP broadcasting the same SSID is indistinguishable from the real one, and stations will roam to whichever signal is stronger. Stand up a clone and clients drift onto it:

hostapd rogue.conf   # same ssid=, open, no wpa
dnsmasq -C dns.conf  # DHCP + DNS for joined clients

Judgment: the foundational open-network attack; a louder radio or a well-timed deauth of the legitimate AP hands you the clients.
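From the defender's side, the same property (an SSID is just a string, so any radio can claim it) is what a scan-based rogue-AP check looks for. The following is an added example, not Tala WTE's or the page's own code; the AP inventory and the scan records are constructed, and the "louder than every legitimate AP" test follows from the page's point that stations roam to the strongest signal.

```python
# Added example (not Tala WTE's or the page's own code): flag evil-twin
# candidates in a Wi-Fi scan, as a site survey or WIDS sensor might.
# The AP inventory and the scan records below are constructed.
from collections import defaultdict

# Assumed inventory: which BSSIDs legitimately serve each SSID we own, and how
# that SSID is supposed to be secured.
KNOWN_APS = {
    "CafeGuest": {"bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
                  "security": "OPEN"},
    "CorpWiFi":  {"bssids": {"00:11:22:cc:dd:01"}, "security": "WPA2"},
}

# Constructed scan results: (bssid, ssid, channel, rssi_dbm, security)
SCAN = [
    ("00:11:22:aa:bb:01", "CafeGuest", 6,  -61, "OPEN"),
    ("00:11:22:aa:bb:02", "CafeGuest", 11, -70, "OPEN"),
    ("de:ad:be:ef:00:01", "CafeGuest", 6,  -38, "OPEN"),  # unknown radio, louder than ours
    ("00:11:22:cc:dd:01", "CorpWiFi",  36, -55, "WPA2"),
    ("de:ad:be:ef:00:02", "CorpWiFi",  1,  -45, "OPEN"),  # open clone of a protected SSID
    ("66:77:88:99:aa:bb", "HotelNet",  1,  -80, "OPEN"),  # somebody else's network
]

def find_rogue_aps(scan, known=KNOWN_APS):
    """Return (bssid, ssid, channel, reasons) for every BSSID that advertises an
    SSID in `known` without being one of its inventoried access points."""
    # Strongest RSSI seen from a legitimate AP per SSID: a clone louder than
    # this is the one clients will roam to.
    strongest_known = defaultdict(lambda: -999)
    for bssid, ssid, _ch, rssi, _sec in scan:
        if ssid in known and bssid in known[ssid]["bssids"]:
            strongest_known[ssid] = max(strongest_known[ssid], rssi)
    alerts = []
    for bssid, ssid, ch, rssi, sec in scan:
        if ssid not in known or bssid in known[ssid]["bssids"]:
            continue  # not our SSID, or a legitimate AP
        reasons = ["unknown BSSID advertising our SSID"]
        if sec != known[ssid]["security"]:
            reasons.append(f"security downgrade {known[ssid]['security']}->{sec}")
        if rssi > strongest_known[ssid]:
            reasons.append("louder than every legitimate AP")
        alerts.append((bssid, ssid, ch, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in find_rogue_aps(SCAN):
        print(*alert, sep=" | ")
```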

Captive-portal credential capture

A rogue or sandbox AP that demands a "login to continue" page harvests whatever the user types. In Tala WTE this is the Captive Portal Sandbox; in the field it is a forged portal served by a rogue AP:

# bettercap can pair an open AP with a captive portal
bettercap -iface wlan0mon -eval "set wifi.ap.ssid Free_WiFi; wifi.recon on"

Judgment: highly effective against users conditioned to expect a hotspot login; pairs naturally with the evil twin.

ARP poisoning / MITM

On the shared L2 segment, an attacker forges ARP replies to bind the gateway IP to their own MAC, sitting between victim and router. Disable isolation in the lab to reproduce it:

sysctl -w net.ipv4.ip_forward=1
arpspoof -i wlan0 -t 10.0.0.42 10.0.0.1
mitmproxy --mode transparent

Judgment: reliable when Client Isolation is off; a properly isolated hotspot blocks the L2 path entirely.
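A sensor on the same segment sees the poisoning as ARP replies that rebind the gateway IP and, for the two-sided case, one MAC claiming both the gateway and the victim. The following detector is an added example, not Tala WTE's or the page's own code; the gateway inventory and the log lines are constructed.

```python
# Added example (not Tala WTE's or the page's own code): spot ARP poisoning in
# a feed of ARP replies, as a sensor on the hotspot segment would. The gateway
# inventory and the log lines are constructed.
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "00:11:22:aa:bb:01"  # assumed: the router's real MAC, from inventory

# Constructed ARP reply log, one "<ts> reply <ip> is-at <mac>" per line. The
# last three lines are the two-sided poisoning pattern: one foreign MAC claims
# both the gateway and the victim.
ARP_LOG = """\
1700000000.10 reply 10.0.0.1 is-at 00:11:22:aa:bb:01
1700000000.20 reply 10.0.0.42 is-at 00:11:22:cc:dd:42
1700000005.00 reply 10.0.0.1 is-at DE:AD:BE:EF:00:99
1700000005.01 reply 10.0.0.42 is-at de:ad:be:ef:00:99
1700000007.00 reply 10.0.0.1 is-at de:ad:be:ef:00:99
"""

def parse_arp_log(text):
    """Return a list of (ts, ip, mac) per reply line; MACs normalised to lower case."""
    rows = []
    for line in text.splitlines():
        ts, kind, ip, _is_at, mac = line.split()
        if kind == "reply":
            rows.append((float(ts), ip, mac.lower()))
    return rows

def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return (ts, kind, subject, detail) alerts for: the gateway IP rebinding to
    a foreign MAC, any other IP changing MAC, and one MAC claiming several IPs."""
    ip_to_mac = {gateway_ip: gateway_mac}   # seeded so the first forgery is caught
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            kind = "gateway impersonation" if ip == gateway_ip else "ip-mac change"
            alerts.append((ts, kind, ip, f"{prev} -> {mac}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:   # report each time the claimed set grows
                alerts.append((ts, "one mac claims multiple ips", mac,
                               ",".join(sorted(mac_to_ips[mac]))))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(parse_arp_log(ARP_LOG)):
        print(*alert, sep=" | ")
```

With Client Isolation on, stations never see each other's ARP traffic, so the multi-IP pattern cannot appear; this detector is for the isolation-off case the lab reproduces.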

DNS spoofing

Once on-path, the attacker answers DNS queries before the real resolver, redirecting any name to a host they control. Without DNSSEC the client cannot tell the forgery from the truth:

dnsspoof -i wlan0 -f hosts.txt

Judgment: potent for steering victims to phishing or update servers; defeated only by DNSSEC validation or DNS-over-HTTPS, neither of which the open network itself provides.
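Because the forger has to beat the real resolver rather than silence it, the client usually receives two answers for one transaction ID that disagree, and that race is detectable on the client side even without DNSSEC. The following is an added example, not Tala WTE's or the page's own code; the response records are constructed using documentation address ranges.

```python
# Added example (not Tala WTE's or the page's own code): detect the answer race
# that dnsspoof-style forgery leaves behind. A forged reply must beat the real
# resolver, so the client sees two answers for one transaction ID, and they
# disagree. The response records are constructed (documentation IP ranges).
from collections import defaultdict

# (ts_seconds, txid, qname, answer_ip, src_ip) as seen on the client side
DNS_LOG = [
    (1.000, 0x1a2b, "www.example.test.",  "192.0.2.10",   "10.0.0.1"),
    (2.000, 0x3c4d, "login.bank.test.",   "10.0.0.99",    "10.0.0.1"),  # forged, first
    (2.018, 0x3c4d, "login.bank.test.",   "203.0.113.10", "10.0.0.1"),  # genuine, late
    (3.000, 0x5e6f, "cdn.example.test.",  "198.51.100.7", "10.0.0.1"),
    (3.004, 0x5e6f, "cdn.example.test.",  "198.51.100.7", "10.0.0.1"),  # retransmit, benign
]

def detect_dns_races(responses, window=0.5):
    """Return (txid, qname, first_answer, later_answer, gap_s) for each query that
    received two responses with different answer data within `window` seconds.
    The source IP matches in every case because an on-path forger spoofs it."""
    by_query = defaultdict(list)
    for rec in responses:
        by_query[(rec[1], rec[2])].append(rec)
    alerts = []
    for (txid, qname), recs in by_query.items():
        recs.sort()                     # by timestamp: recs[0] is what the client trusted
        first = recs[0]
        for later in recs[1:]:
            gap = later[0] - first[0]
            if later[3] != first[3] and gap <= window:
                alerts.append((txid, qname, first[3], later[3], round(gap, 3)))
    return alerts

if __name__ == "__main__":
    for alert in detect_dns_races(DNS_LOG):
        print(*alert, sep=" | ")
```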

What you find in the field

Open networks are still everywhere: hotels, airports, cafes, gyms, retail stores, transit, and conference floors almost universally run an open SSID fronted by a captive portal. The portal creates a false sense of security; it gates internet access but adds zero confidentiality, so the moment a client is past the splash page its traffic is as exposed as ever. You will routinely see devices auto-joining remembered open SSIDs, beaconing their saved network names, and falling for same-name clones without a single warning. The bright spot is that pervasive HTTPS, HSTS, and increasingly DNS-over-HTTPS have shrunk the cleartext attack surface, so the highest-value targets are now legacy plaintext protocols and the credential-harvesting portal itself rather than casual web browsing.

Defending against it

The real fix for an open network is to stop being open: deploy OWE (Opportunistic Wireless Encryption, RFC 8110), which the Wi-Fi Alliance certifies as Enhanced Open. OWE performs an unauthenticated Diffie-Hellman exchange so each client gets a unique session key, giving passive eavesdroppers nothing while keeping the join as frictionless as Open. It does not stop an active evil twin on its own, so pair it with Protected Management Frames to blunt deauthentication. Where confidentiality matters, move to an authenticated mode entirely: see WPA2-Personal for a shared-key network and WPA3-Personal for SAE.

On the client side, the durable defenses live above the link layer: treat every open network as hostile, rely on TLS everywhere, use a VPN for end-to-end encryption over the untrusted segment, validate DNS with DNSSEC or DNS-over-HTTPS, and disable auto-join for open SSIDs so a device never silently roams onto a clone.

(c) 2026 VTEM Labs, Inc. All rights reserved. | vtemlabs.com