Busting (or Trusting) Wi-Fi Security Myths
By Eric Geier (NoWiresSecurity Founder & CEO) - originally published on eSecurityPlanet
When you’re reading up on Wi-Fi
security, you’ll find many different interpretations and opinions.
One might say disabling SSID broadcasting will hide your network,
while others might say it just draws hackers into an easy job. Some
might think WPA encryption is cracked, while others say it’s secure.
Here we look at each myth and tell you whether it's verified--or
busted.
Myth: WEP encryption can be cracked in minutes.
Verdict: Trusted. WEP encryption can
be cracked in minutes.
After nearly a decade now, it’s no secret. The Wired Equivalent
Privacy (WEP) encryption standard, developed by the IEEE, can be
cracked. In some cases, it can even be cracked in minutes. So, count
this myth as True.
Attacks on WEP result in the hacker recovering the encryption key.
Then he or she can freely connect to the network, access network
shares and resources, and decode all packets. Needless to say, WEP
doesn’t secure your network from hackers. It only protects you from
the average Wi-Fi user.
To help come up with a secure encryption method, the Wi-Fi Alliance
developed the Wi-Fi Protected Access (WPA) standard. Additionally,
the IEEE formed another security standard, called 802.11i, which
actually has been implemented as WPA2 by the Wi-Fi Alliance. (We’ll
discuss more on these two WPA versions and their fate below.)
To address this problem, make sure you don’t use WEP. As we’ll
discuss, try to use WPA2. You shouldn’t have a problem with Wi-Fi
products manufactured in 2003 or after. Older products might even
support WPA/WPA2 after a simple firmware update. If all else fails,
purchase newer equipment or replace them with a wired connection to
the network.
Myth: WPA/WPA2-PSK encryption is also crackable.
Verdict: Trusted, although it can still be secure with longer, complex passphrases.
The Pre-Shared Keys (PSK) or passphrases used with WPA and WPA2
encryption can be cracked with off-line brute-force dictionary-based
attacks. This means once a hacker captures the right packets of
information from your Wi-Fi network, they can run it against a
dictionary of words. Then if the passphrase you’re using is in the
dictionary, your encryption is cracked.
These dictionary attacks all depend upon the size and type of the
dictionary used by the hacker. The bigger the dictionary, the better
the chance he or she has of cracking your passphrase. Though bigger
dictionaries can take longer to crack the passphrase, there are
cracking services (such as WPA Cracker) that hackers can use to save
time.
To make sure you aren’t susceptible to dictionary-based attacks, use
longer, more complex, passphrases. Don’t use real words; get
creative and make it look like gibberish, like this example:
\#,ypCAFBpylSt&gSc4qrL8Tp3nUd,2Xz-LeAWuLAi+cQ\9tUBYAXgeCiHhAEii
Remember, all businesses and organizations should use the Enterprise
mode of WPA or WPA2 encryption, which uses 802.1X authentication
instead of PSK.
There are other types of attacks developing on the first version of
WPA (using TKIP-RC4 encryption), for both the Personal and
Enterprise modes. To ensure long-term security, you should be using
WPA2 (with AES-CCMP encryption). Most vendors have included support
for this standard in their Wi-Fi gear since mid-2004. Even older
equipment may be upgradeable via firmware updates.
Keep in mind, some wireless routers and access points allow you to
select a WPA/WPA2 mixed mode where it accepts both standards. Even
trickier, some let you select the underlying encryption method. You
should use WPA2 only, and only with the AES-CCMP encryption method.
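The passphrase and cipher advice above, as an added example that is not from the article: a small Python audit of hostapd-style access point settings that flags WEP keys, WPA or mixed WPA/WPA2 mode, TKIP, and short or dictionary-word passphrases. The option names follow hostapd; the two sample configs, the wordlist and the 20-character threshold are constructed assumptions.

```python
import re
# Constructed samples (not from the article): WEAK_CONF is mixed WPA/WPA2 with TKIP
# allowed and a dictionary passphrase; STRONG_CONF is WPA2 only, CCMP only, long passphrase.
WEAK_CONF = """
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=sunshine123
"""
STRONG_CONF = """
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=q7!Vx#Lm2@pR9wZd^Ke4Tb&Yc8Hn;Gf5Js
"""
WORDLIST = {"password", "sunshine", "welcome", "letmein", "wireless"}  # constructed stand-in
MIN_LEN = 20  # assumed local policy; 802.11 itself allows 8 to 63 characters

def parse(conf):
    """Parse hostapd-style key=value lines, skipping comments and blank lines."""
    opts = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def audit(conf):
    """Return findings for an AP config; an empty list means it follows the advice above."""
    opts, findings = parse(conf), []
    if any(k.startswith("wep_") for k in opts):
        findings.append("WEP keys configured: WEP can be cracked in minutes")
    wpa = opts.get("wpa", "0")
    if wpa in ("1", "3"):
        findings.append(f"wpa={wpa} permits WPA (TKIP-RC4); use WPA2 only (wpa=2)")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in opts.get(key, "").split():
            findings.append(f"{key} permits TKIP; use CCMP only")
    psk = opts.get("wpa_passphrase")
    if psk is not None:
        if len(psk) < MIN_LEN:
            findings.append(f"passphrase shorter than {MIN_LEN} characters")
        # Strip trailing digits so "sunshine123" is still caught as the word "sunshine".
        if re.sub(r"\d+$", "", psk.lower()) in WORDLIST:
            findings.append("passphrase is a dictionary word (with digits appended)")
    return findings
```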
Myth: Disabling SSID broadcast, using static IPs, and enabling
MAC address filtering protects you from hackers.
Verdict: Busted. Disabling SSID
broadcast, using static IPs, and enabling MAC address filtering does
not protect you from hackers.
When scouring the Net, you’ll find many sites recommending that you
disable SSID broadcast, use static IPs, and enable MAC address
filtering to protect yourself from hackers and help secure your
wireless network. Though these techniques protect you from the
average Wi-Fi user, they won’t stump a hacker. Therefore, we’ll call
this one out as False.
Disabling SSID broadcasting doesn’t make your network name
completely hidden. Disabling DHCP and using static IPs just means
hackers will have to take a minute to assign themselves one. Lastly,
MAC addresses can be easily spoofed, thus making filtering only a
small fence that a hacker can leap over.
The only technique that really secures your Wi-Fi is to use
encryption, preferably WPA2.
Myth: Personal mode of WPA/WPA2 is okay for small businesses or
organizations.
Verdict: Busted. Personal mode of
WPA/WPA2 is not okay for small businesses or organizations.
As you may know, there are two very different modes you can use with
WPA and WPA2: Personal (PSK) and Enterprise (802.1X).
The Personal mode is easier to set up on smaller networks and is
great for home environments. However, despite popular belief, it
should not be used by businesses or organizations, even small ones.
Busted—this myth is False.
Most say that the Personal mode is okay for small businesses (or any
small network) because running the more secure Enterprise mode
requires an external RADIUS server for the 802.1X authentication.
However, these days there are lower cost servers (such as Elektron)
targeted for smaller deployments and outsourced services (such as
AuthenticateMyWiFi) that host the server for you.
Though running the Enterprise mode requires more money and effort,
it better protects your network from misuse by employees and
thieves. It gives you more control over who and what connects to the
network.
For instance, users can log in to the Wi-Fi network with usernames
and passwords you assign rather than input and store the actual
encryption keys on their computers, which can be recovered by them
or by thieves. When someone leaves the organization or loses their
laptop, you can revoke their account or change their password. If
you were using the Personal mode, you’d have to change the WPA/WPA2
passphrase on all APs, computers, and devices.
Myth: Enterprise mode of WPA/WPA2 is vulnerable to attacks.
Verdict: Trusted. Enterprise mode of
WPA/WPA2 is vulnerable to attacks.
It’s no question that the Enterprise mode of WPA and WPA2 provides
better security than the Personal mode. However, this myth is True.
The Enterprise mode is also vulnerable to attacks by hackers.
One particular man-in-the-middle attack is where a hacker would pose
as a legitimate AP with a special RADIUS server, trying to divulge
the user’s login credentials. However, you can protect yourself by
validating the server. When configuring the PEAP or certificate
settings in Windows on clients, there are three key settings:
- Check the Validate server certificate option and select the Trusted Root Certificate Authority from the list.
- Check the Connect to these servers option, and input the domain name or IP address of the RADIUS server.
- Check Do not prompt user to authorize new servers or trusted certificate authorities.