The accessibility of wireless network access is beginning to rival the expectations of critical infrastructure services such as water and electricity. As with anything of this scale and importance, there are risks and evolutions from a cybersecurity perspective. This article will provide the history of wireless network access (Wi-Fi) and basic knowledge about Wi-Fi security protocols, common attacks, and recommendations to help bolster your wireless network security.

Wi-Fi was invented in 1997 and has become an expected staple in everyday life. Take your family camping with no coverage to test out this theory. Along with making wireless internet access readily available across the globe, the proliferation of mobile devices has made this technology both attractive and lucrative to threat actors. There are numerous ways a malicious actor can gain unauthorized access to wireless networks. Once connected, they can conduct Man-in-the-Middle attacks to compromise Personally Identifiable Information (PII), Voice over IP calls, and other sensitive data transmissions. Alternatively, if they can compromise the wireless network, they may have access to move laterally and conduct further attacks on the internal environment containing other devices.

What are some common security protocols?

There are currently four wireless security protocols available. Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and Wi-Fi Protected Access 3 (WPA3).

1. WEP

First, please note that WEP means Wired Equivalent Privacy rather than Wireless Encryption Protocol as many believe.  WEP was the first security protocol for Wi-Fi networks and provides a very basic level of security. Although it was considered secure at one point, WEP is no longer the recommended protocol for modern day use.

2. WPA

Wi-Fi Protected Access was introduced as the need to replace WEP. Compared to WEP, WPA offers stronger encryption and addressed some of WEP’s many vulnerabilities. Temporal Key Integrity Protocol (TKIP) was WPA’s key feature, which offered more secure communication compared to WEP. Like WEP, WAP was eventually replaced by a more modernized protocol and should no longer be utilized.

3. WPA2

Wi-Fi Protected Access 2 provided even stronger security compared to WPA and is currently the most widely used security protocol. The biggest difference between WPA2 and WPA is that WPA2 uses Advanced Encryption Standard (AES) for encryption and provides improved security features. WPA2 also offers two different modes, Pre-Shared Key (PSK) and Enterprise. In PSK mode, one password is shared among all devices on the network and is used to encrypt all wireless communications. Due to its ease of setup, PSK mode is typically used in consumer home networks and commercially for public Internet access points. However, managing these keys can be cumbersome. In Enterprise mode, the authentication process is performed using a server-based protocol such as Remote Authentication Dial-In User Service (RADIUS). The usage of RADIUS allows the Enterprise mode to have more specific, or granular access controls for private networks, lending itself to be preferable in corporate environments by preventing the need to create and use new keys each time an employee departs.

4. WPA3

Wi-Fi Protected Access 3 is the most recent and the strongest wireless security protocol. In addition to addressing some vulnerabilities of WPA2, WPA3 introduced new security features, such as a stronger authentication handshake and enhanced encryption. It also offers two different modes, WPA3-Personal, and WP3-Enterprise, aiming to replace WPA2-PSK and WPA2-ENT respectively. Though technically the most secure, organizations will find it difficult to switch to WPA3 due to the cost of upgrading devices that support WPA3.

What’s the best security protocol to use?

When comparing these wireless security protocols, it is always a good idea to use the latest, newest protocol. However, since WPA3 is relatively new, very few technologies currently support it. To utilize this protocol, organizations will need to replace hardware as this isn’t a simple software upgrade. As of early 2023, WPA2 is still utilized by most organizations, and probably won’t be replaced for several years as companies continually upgrade their technology. For this reason, organizations should continue to utilize WPA2 across all wireless networks while planning their upgrade to WPA3 as feasible.

Using WPA2 is recommended, though organizations need to implement the appropriate security modes for their specific usage. WPA2 offers two modes: Enterprise and Pre-Shared Key (PSK). Businesses should consider enabling Enterprise mode on their corporate wireless networks, as it provides a more secure and scalable solution. PSK mode lends itself to personal home networks but also can find use in corporate environments as a public internet or Guest network. In modern corporate environments, both Enterprise and PSK modes can be used, as long as the networks are enabled. Similarly, WPA3 offers an Enterprise and Personal mode with use cases identical to WPA2’s modes. Each mode has it use, and organizations need to determine the use case for that network and implement the suitable mode.

Two Common Wireless Attacks

Method one: Capture PMK-ID (Targeting PSK)

This method involves capturing the Pairwise Master Key Identifier (PMKID), which allows an attacker to disclose the authentication hash of the PSK. Depending on the strength of the password used, the cleartext version may be recovered and the attacker would then be able to authenticate to the wireless AP to access the network. The capturing of a PMKID alone does not necessarily result in a full network compromise, but it does provide an attacker with the ability to enumerate the environment and access resources that would otherwise been inaccessible.

Method Two: Evil Twin (Targeting Enterprise Network)

For this attack the malicious actor creates a decoy, or rogue AP, with a similar name (SSID) or the same name as the legitimate network name. Legitimate users can then be tricked to connect and authenticate to the rogue AP. If victims connect to the rogue AP, the attacker can capture the user’s password for the WPA2-ENT network. The attacker would then have the ability to spread malware or launch other attacks to devices connected to the rogue network via Man-in-the-Middle attack.

What are some of the best security controls for wireless network testing?

Implementing effective security controls is essential in ensuring the protection of your wireless network. Following a few recommendations can help promote greater security of your organization.

  1. Utilize only WPA2 or WPA3 in your organization.
  2. Always use WPA2-ENT or WPA3-ENT for corporate networks.
  3. Due to the complexity of key management, WPA2-PSK and WPA3-Personal should only be used on personal networks, public Wi-Fi, or Guest networks.
  4. Restrict access to internal corporate resources from any public Wi-Fi or Guest networks.
  5. Perform proper segmentation testing of Guest networks to ensure intended isolation to production networks.

With the increasing volume of data being managed by companies today, along with the expectation of anywhere access, wireless security has become a crucial aspect of overall network security. Sometimes a small configuration error can lead to serious cyber incidents. To mitigate this risk, LBMC offers expert wireless assessment services, where our specialists simulate real-world malicious attacks on your network, using a range of techniques based on each security protocol. To obtain further information about our services, reach out to us or visit Security Consulting to learn more.

Content provided by LBMC professionals, Dee Zhao and Michael Becher.

External Resources: