Helium Mobile Hotspot Wi-Fi vs Public Wi-Fi
The Helium Mobile Hotspot is capable of deploying two distinct networks. These networks support different use cases, and we will detail some of the key differences in terms of security.
Helium Mobile Hotspot Wi-Fi
This wireless network supports the core function of the HMH, which is to provide coverage to authorized subscribers.
The network is deployed in WPA3 mode, the industry-standard Wi-Fi security protocol. WPA3 introduces expanded support for modern cryptographic algorithms to protect network traffic.
Authentication to the Helium Mobile Wi-Fi network occurs using Passpoint 2.0, where each authorized device must present a certificate. No password is used for authentication, which means no password to brute-force!
In addition, all traffic is linked to specific devices and subscribers. Like every other mobile provider, we are obligated to provide this data to authorities when subpoenaed.
Helium Mobile Wi-Fi
An optional feature of the Helium Mobile Hotspot is to provide Wi-Fi access to your community, which supports a core value of Helium Mobile - A People Powered Network. The public Wi-Fi network is isolated from both the Helium Mobile Network and the host network.
The public Wi-Fi is an open network, much like a coffee shop or airport Wi-Fi network. Clients must agree to the terms of service through a captive portal. This limits the liability of the host network if illegal activity occurs on the Helium Mobile Wi-Fi network.
Although it’s an open network, we have deployed measures to protect builders and clients. It should be no surprise that the key differences in protocol, authentication, and authorization are due to the two networks' different use cases.
The table below helps highlight the similarities and differences.
| | Helium Mobile Wi-Fi | Helium Mobile Public Wi-Fi |
|---|---|---|
| Protocol | WPA3 | None |
| Mode | AP | AP |
| Authentication | Passpoint | Captive Portal |
| Authorization | RADIUS | Accept Terms of Service |
| Client Isolation | ✅ | ✅ |
| Reject WAN Traffic | ✅ | ✅ |
| Host LAN Block | ✅ | ✅ |
Passpoint 2.0 and RADIUS
Helium Mobile subscribers can authenticate to a Helium Mobile Hotspot using Passpoint 2.0, through a profile on their mobile device. The profile will contain a certificate, which enables both authentication and authorization. Only subscribers in good standing are authorized to connect to a Hotspot.
Access Point (AP) Mode
Wireless access points can operate in multiple modes. The Helium Mobile Hotspot is joined to your network in AP Mode. AP Mode creates a network that is independent of your host network, as opposed to other modes that bridge the two networks together.
This mode enables segmentation of the host network and the Helium Mobile Hotspot. Helium Mobile Hotspots come with their own networking services, like DHCP and DNS.
Client Isolation
Another benefit of our wireless deployment is that we can enforce client isolation, which is not feasible for most wireless networks. For example, a laptop and a printer are clients of a network and need to communicate, but in the HMH deployment, we can isolate clients entirely. The only communication allowed is between the user’s device and the internet. Users’ devices cannot communicate with one another, preventing traditional network attacks.
Reject WAN Traffic
Any data traffic coming from outside the Helium Mobile Wireless AP is blocked, and not routed to internal hosts. This reduces the attack surface and makes Helium Mobile Hotspots a harder target. We can do this as our network is intended solely for subscribers' outbound requests, and no internal clients or services need to be externally exposed.
Host LAN Block
Another security feature of Helium Mobile Hotspots, which applies to both the Mobile and Wi-Fi networks, is Host LAN Blocking. This feature blocks traffic from Helium Network users from reaching devices in the host network. This allows you to deploy the Helium Mobile Hotspot via any Ethernet connection without worrying about exposing your host network to devices connecting to the Helium Wi-Fi networks.
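The following added example (not Helium's own code) shows how a host could audit a firewall or flow log against the Client Isolation, Reject WAN Traffic and Host LAN Block controls described above. The subnets, the gateway address, the rule names and the `VERDICT src -> dst` log format are all assumptions made for illustration.

```python
import ipaddress

# Assumed addressing (not from the page): the hotspot's client subnet, its
# gateway (which serves DHCP/DNS to clients), and the host's own LAN.
CLIENT_NET = ipaddress.ip_network("10.10.0.0/24")
GATEWAY = ipaddress.ip_address("10.10.0.1")
HOST_LAN = ipaddress.ip_network("192.168.1.0/24")

def expected(src, dst):
    """Return (verdict, rule) the three controls imply for a NEW flow.

    Replies on connections a client opened are not modelled here."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in CLIENT_NET:
        if GATEWAY in (src, dst):
            return "ALLOW", "hotspot-services"    # hotspot's own DHCP/DNS
        if dst in CLIENT_NET:
            return "DENY", "client-isolation"     # client to client
        if dst in HOST_LAN:
            return "DENY", "host-lan-block"       # client to host network
        return "ALLOW", "client-to-internet"      # the only permitted path
    if dst in CLIENT_NET:
        return "DENY", "reject-wan"               # unsolicited inbound traffic
    return "DENY", "not-hotspot-traffic"

def audit(log_lines):
    """Compare logged verdicts with the expected ones; return the mismatches."""
    findings = []
    for line in log_lines:
        verdict, src, _arrow, dst = line.split()
        want, rule = expected(src, dst)
        if verdict != want:
            findings.append((line, rule))
    return findings

# Constructed flow-log lines in a hypothetical "VERDICT src -> dst" format.
SAMPLE_LOG = [
    "ALLOW 10.10.0.23 -> 192.0.2.80",     # client to internet: expected
    "ALLOW 10.10.0.23 -> 10.10.0.1",      # client to hotspot DNS: expected
    "DENY 10.10.0.23 -> 10.10.0.40",      # client to client: correctly blocked
    "ALLOW 10.10.0.23 -> 192.168.1.10",   # client reached host LAN: violation
    "DENY 203.0.113.7 -> 10.10.0.23",     # inbound from WAN: correctly blocked
    "ALLOW 198.51.100.9 -> 10.10.0.40",   # inbound from WAN allowed: violation
]

if __name__ == "__main__":
    for line, rule in audit(SAMPLE_LOG):
        print(f"policy violation ({rule}): {line}")
```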