Grafvision - Fotolia

Tip

Why WPA2-PSK can be a security risk even with an uncracked key

WPA2-PSK is a popular way to bolster wireless security, but it's not perfect. Expert Joseph Granneman explains WPA2 and other aspects of the complicated history of Wi-Fi security.

Wi-Fi networks are fascinating paradoxes. They can be more secure than a traditional wired connection because they use a combination of authentication and encryption. It is possible to use authentication and encryption on a traditional wired network, but most organizations rely on physical security alone. The low risk of unauthorized access to the wired network ports doesn't warrant the complexity of the additional security measures.

Wi-Fi is available to anyone with a compatible radio in range of the transmitter, so it must utilize strong authentication and encryption mechanisms by default. This is the Wi-Fi paradox.

The history of wireless security

Wi-Fi security has evolved significantly from the early days of Wired Equivalent Privacy (WEP). If your organization is still using WEP, stop reading this article now and go fix your wireless.

Wi-Fi Protected Access (WPA) was rushed out to replace the issues in WEP, but used Temporal Key Integrity Protocol (TKIP) encryption, which had its own set of issues. It was still much improved over WEP, but it was just a stopgap solution made to run on existing hardware until WPA2 could be adopted.

WPA2 replaced TKIP with a much stronger AES encryption protocol that makes cracking it a formidable task. Brute forcing an eight-character WPA2 key on three NVIDIA 980 GPUs would take almost 96 days, for example. An eight-character NT LAN Manager hash would take around two minutes and thirty seconds on the same system.

WPA2 effectively fixed the encryption issues that plagued earlier attempts at producing secure wireless protocols. The weakness in WPA2 now involves how well the authentication was implemented.

WPA2 supports multiple authentication mechanisms, including the popular pre-shared key (WPA2-PSK) that most people are using on their home wireless routers. WPA2 tried to address bad implementation practices by requiring a minimum of an eight-character password. It didn't stop people from using simple dictionary words as their passwords. This is why you can see hundreds of videos about cracking WPA2-PSK on YouTube. They do not brute force the passwords because it would take too long. They run an old-fashioned dictionary attack against the weak passwords.

WPA2-PSK

WPA2-PSK can be configured to use a password of up to 63 characters, which should be secure enough for any organization to adopt. However, it turns out that is not the case. The reason has to do with the management of WPA2-PSKs.

An employee that leaves the organization may know the pre-shared key and have kept a copy. A user can find the pre-shared key stored in Windows just by going into the wireless configuration. This could also allow a hacker that has compromised the user's machine through a phishing attack to retrieve the key. A lost or stolen laptop could also expose the pre-shared key. All of these potential scenarios could be managed through changing the pre-shared key. The problem is that almost no one follows this practice because it is too time-consuming to reconfigure all of the necessary devices.

Smaller organizations may be able to manage the process of changing WPA2-PSKs, but larger organizations will face significant hurdles.

The answer is for them to adopt WPA2 Extensible Authentication Protocol over Transport Layer Security, or EAP-TLS. It still uses the same AES style encryption, but adds username and password authentication into the mix. It also uses a separate client and server certificate to validate the user and the wireless access point. Users that leave the organization will not be able to access the wireless network if their account has been disabled. There are no keys sitting in Windows for them to reveal, and hackers will have a hard time getting around the client and server certificates. A lost or stolen laptop can be disabled quickly because the account password can be changed and the certificates can be revoked.

The downside to WPA2 EAP-TLS is the complexity involved in its initial design and configuration. It can be resource-intensive to set up and manage the required public key infrastructure. I have seen some configurations where the server certificate expired and the IT staff reconfigured their workstations to ignore the invalid certificate instead of renewing it. This type of misconfiguration could open the network to fake access point attacks where hackers can grab user credentials by impersonating the organization's wireless Service Set Identifier.

Wi-Fi networks are indeed security paradoxes. They offer strong encryption along with several options for secure authentication, but they can still be compromised by exploiting common security hygiene mistakes made in every other technology platform. Password strength is a critical factor in securing these networks. However, a complex password may not be as effective when it is used by too many individuals on too many devices.

Wi-Fi security has the capability to outpace traditional wired security if these systems are proactively managed and monitored.

Next Steps

Learn the difference between WEP, WPA and WPA2

Find out the best way to provide Wi-Fi guest network security

Discover how to integrate security into a Wi-Fi deployment

Dig Deeper on Network security

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close