Wi-Fi is one of those things that has become so ubiquitous that it can be extremely easy to just forget to turn it off on your mobile device before you leave a building. Unfortunately a Wi-Fi network can be super easy to compromise if configured incorrectly and thus any traffic users send across it can be suspect.
In our organizations and homes, we want to be as sure as possible that we don’t get malicious users connecting and attempting to sniff legitimate traffic or worse. Today we’re going over the history of Wi-Fi security, along with some additional options that can potentially be used to strengthen our protection and authentication levels.
Security standards — no security?
If you’ve ever been to a coffee shop, a hotel or similar public space with a big sign that read ‘Open Wi-Fi’, that sign really should be saying ‘Do Not under Any Circumstances Connect to This Network’. Open Wi-Fi means zero passwords required: you just locate the network on your device, hit connect and you’re on.
While it very likely isn’t the intention of that place to cause issues, the fact that it is wide open for any user for any purpose means that it either already is compromised or will be shortly. This means that any device that connects to it is now suspect, and any apps that automatically connect and refresh, such as email clients, apps with sensitive information and more, now have to have their passwords changed immediately.
Malicious users may not even necessarily need to compromise the network itself. All they would need to do is create their own network with the same SSID so that it’s a 50/50 shot whether users connecting pick the official hotspot or the malicious network. Just because it bears repeating, and this must be relayed to all users regularly:
DO NOT CONNECT TO THESE NETWORKS UNDER ANY CIRCUMSTANCE.
DO NOT USE. Repeat. DO. NOT. USE.
Wired Equivalent Privacy (WEP) was the first Wi-Fi security standard available, approved for use in 1999 for 802.11a, b and g standard devices. Unfortunately, because of cryptographic export restrictions put in place at the time, the security level of WEP wasn’t even where it should have been when it was brand new.
By 2001, however, researchers were already showing that it was possible to exploit WEP security, and by 2005 the FBI showcased that WEP could be compromised in approximately 3 minutes with publicly available knowledge and tools. This standard can almost be considered worse than useless because it gives the illusion of security while actually providing none at all, and it should be avoided just as much as having no security whatsoever.
Wi-Fi Protected Access (WPA) has gone through several iterations over its existence, with the current version of WPA2 being the most widespread standard. WPA3 has been steadily gaining use since its certification in 2018, and has a number of enhancements over WPA2. These include features such as theoretical protection over open Wi-Fi networks, brute-force authentication protection, and radically enhanced encryption for ultra-high security networks. While exploits have been shown for both since their inception, they have been mitigated quickly.
WPA2 and WPA3 also come in multiple flavors: WPA2/WPA3 Personal and WPA2/WPA3 Enterprise. The biggest difference between Personal and Enterprise, apart from the increase in encryption strength, has to do with authentication style. While the standard method for most home users is a single password shared among all users, known as a Pre-Shared Key (PSK), Enterprise allows for far more individualized access.
When used in conjunction with 802.1X authentication options such as a Remote Authentication Dial-In User Service (RADIUS) server, this can allow users to authenticate to the wireless network with the same credentials and rules that are already in place in the organization’s regular network.
Specific protocols and options
Wi-Fi Security has had a lot of possible add-on options over the years that have worked to varying degrees. The Temporal Key Integrity Protocol (TKIP), for example, was approved as a temporary measure for replacing WEP on existing hardware and was eventually rolled into both WPA and WPA2. However, there were multiple weaknesses shown in TKIP and it was deprecated in 2009. The Extensible Authentication Protocol (EAP), on the other hand, has been the basis for a considerable number of variants over the years, including being encapsulated through the use of a RADIUS server as mentioned previously, and is currently still in use.
There have also been additional options over the years that, while not security standards in and of themselves, have provided additional tools for locking down networks with varying degrees of success. Turning off broadcasting of the Service Set Identifier (SSID), for example, could theoretically provide some level of security through obscurity. Unfortunately, it also has the potential to draw curiosity by itself, since that would make this particular network more interesting to someone able to see that it is there. MAC Filtering, however, is a significant increase in security, as it can either allow only a pre-set list of devices or ban any number of devices. While it is still possible to falsify a MAC address, it adds several more steps to breaking into a network.
We also have the option of separating out our Wireless networks into multiple segments, such as an internal network and a guest network. For the guest network, there are multiple ways to set up a password that only works for a single day, after which any future authentication attempts would fail. This would allow our organizations to have more advanced security options for our regular users, while at the same time allowing for a simple distribution method of access for people that really don’t need it for more than a few hours.
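The guidance above (avoid open and WEP networks, retire TKIP, prefer Enterprise authentication over a shared PSK, and watch for a second network reusing your SSID) can be checked against a scan listing. This is an added example, not part of the original article; it assumes tab-separated rows in the layout printed by `wpa_cli scan_results`, and the networks in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample, tab-separated like `wpa_cli scan_results`: bssid, freq, signal, flags, ssid.
SAMPLE_SCAN = "\n".join([
    "02:00:00:00:00:01\t2412\t-40\t[WPA2-EAP-CCMP][ESS]\tCorpNet",
    "02:00:00:00:00:02\t2437\t-55\t[WPA-PSK-TKIP][WPA2-PSK-CCMP+TKIP][ESS]\tWarehouse",
    "02:00:00:00:00:03\t2462\t-60\t[WEP][ESS]\tOldPrinter",
    "02:00:00:00:00:04\t5180\t-48\t[WPA2-SAE-CCMP][ESS]\tLab",
    "02:00:00:00:00:06\t2412\t-35\t[ESS]\tCorpNet",
])

def classify(flags):
    """Map a flags string to (security class, list of findings)."""
    tokens = re.findall(r"\[([^\]]+)\]", flags)
    sec = [t for t in tokens if t.startswith(("WPA", "RSN", "WEP"))]
    if not sec:
        return "open", ["no encryption: do not use"]
    if any(t.startswith("WEP") for t in sec):
        return "wep", ["WEP: treat the same as an open network"]
    findings = []
    if any("TKIP" in t for t in sec):
        findings.append("TKIP enabled: deprecated, use CCMP only")
    if any("EAP" in t for t in sec):
        return "enterprise", findings
    if any("SAE" in t for t in sec):
        return "personal-sae", findings
    findings.append("single shared PSK: no per-user credentials")
    return "personal-psk", findings

def audit(scan_text):
    """Return {ssid: {"classes": set, "findings": set}} for a scan listing."""
    report = defaultdict(lambda: {"classes": set(), "findings": set()})
    for line in scan_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # header line or malformed row
        _bssid, _freq, _signal, flags, ssid = fields
        cls, findings = classify(flags)
        report[ssid]["classes"].add(cls)
        report[ssid]["findings"].update(findings)
    for entry in report.values():
        if len(entry["classes"]) > 1:  # heuristic, not proof of a rogue AP
            entry["findings"].add("SSID seen with mixed security: possible look-alike network")
    return dict(report)

if __name__ == "__main__":
    for ssid, entry in audit(SAMPLE_SCAN).items():
        print(ssid or "<hidden>", sorted(entry["classes"]), sorted(entry["findings"]))
```

The mixed-security check only catches a look-alike that advertises different settings from the legitimate access points; one that copies them exactly needs a BSSID allow-list instead.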
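One way to get a guest password that only works for a single day is to derive it from a long-lived secret and the date, so that nobody has to invent or remember it. This is an added example, not part of the original article; the function names are hypothetical, the secret shown is constructed, and pushing the value to the guest SSID is vendor-specific and not shown.

```python
import base64
import hashlib
import hmac
from datetime import date, timedelta

def guest_passphrase(secret: bytes, day: date, ssid: str = "Guest") -> str:
    """Derive the guest passphrase for one calendar day from a long-lived secret."""
    msg = f"{ssid}|{day.isoformat()}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # 10 bytes (80 bits) encode to exactly 16 base32 characters, no padding.
    code = base64.b32encode(digest[:10]).decode().lower()
    return "-".join(code[i:i + 4] for i in range(0, 16, 4))

def is_wpa_passphrase(value: str) -> bool:
    """WPA2-Personal passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(value) <= 63 and all(32 <= ord(c) <= 126 for c in value)

def schedule(secret: bytes, start: date, days: int, ssid: str = "Guest"):
    """Return [(iso_date, passphrase)] for consecutive days, e.g. for reception."""
    plan = []
    for n in range(days):
        day = start + timedelta(days=n)
        phrase = guest_passphrase(secret, day, ssid)
        if not is_wpa_passphrase(phrase):
            raise ValueError(f"unusable passphrase for {day}")
        plan.append((day.isoformat(), phrase))
    return plan

if __name__ == "__main__":
    # Constructed demo secret; a real one belongs in a secrets store.
    demo_secret = b"constructed-demo-secret"
    for day, phrase in schedule(demo_secret, date(2024, 1, 1), 3):
        print(day, phrase)
```

Because each day's value comes from an HMAC over the date, a guest who learns today's passphrase cannot compute tomorrow's without the secret.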
Wi-Fi Security is needed, that much is certain. With the continued increases in speed, reliability and range, Wireless communications are here to stay, and will continue to evolve for a very long time. As a result, we need to be vigilant when it comes to keeping our devices up to date and making sure that our authentication remains as strong as possible.
Whether this means making sure that people don’t just put the single password up on a sticky note next to the front door, or making sure that we keep firmware on our access points current, it is a job that will not be going away anytime soon.