Wireless Security varies across organizations when it comes to secure deployments due to the size of the organization, budget constraints, or lack of subject matter experts. While the weakest of configurations are seldom seen (e.g., Wired Equivalent Privacy (WEP) from 1999 to 2004), default configurations leave much to be desired, and can be improved without much overhead, especially if the software to support the more secure configuration has already been deployed.
Wireless Security: Default Configurations
Out of the box configurations are common at organizations, and with today’s standards they’re mostly secure. Today’s default algorithm is Wi-Fi Protected Access 2 (WPA2) which is also known as WPA2-Personal, and is the successor to two weaker standards (WPA and WEP). Within WPA2 there are two encryption modes (AES and TKIP) where one is more secure than the other. By default, most configurations out of the box come with the more secure mode (AES). The reason TKIP is even offered is due to older legacy devices that may not be able to support the more secure encryption mode.
The primary issue with WPA2-AES apart from the encryption mode is that an attacker, if suitably positioned, can cause a client to deauthenticate from the wireless network. Once deauthenticated, the attacker would capture the reconnection. Within the captured data, the encrypted preshared key would be obtained. The attacker would attempt to recover the preshared key value (also known as the password used to connect to the wireless network) through a bruteforce attack which would attempt to guess what the password is at an extremely fast speed. If the password length is short, the bruteforce attack could be successful in a short amount of time.
Having a long password or passphrase and using WPA2-AES can be sufficient for smaller to medium sized organizations. However, there are other free solutions that some wireless access points have preinstalled and only require some configuring to enable.
WPA2-Enterprise was introduced to add additional security to WPA2 to allow for user auditing and eliminates the risk of shared passwords while using enhanced security methods. Deploying enterprise requires a Radius server, which some access points (Meraki, Ubiquiti) have running by default.
Radius allows for authentication, authorization, and accounting (AAA) for organizations who use it. Wi-Fi using Radius authentication will require credentials for each user where the credentials could also be tied into existing systems such as Active Directory for ease of use.
Rogue Access Points
Part of the specification that makes up modern wireless technologies is the 802.11 protocol which allows stations to roam freely. Now, in order for wireless clients to not lose connectivity, they may be able to roam between access points that share the same ESSID. It is possible to abuse the 802.11 roaming process by creating a rogue access point with the same ESSID; if a better signal is provided than the origin access point, wireless clients will roam to the rogue access point.
This is possible in two ways: enticement and coercion. If a superior signal is provided than the original corporate access point, clients on that network will roam to the rogue access point. One example known to the public where state actors have used are the four Russian intelligence agents that tried to break into the corporate networks of the Organization for the Prohibition of Chemical Weapons (OPCW) which is headquarter in the Hague.
Another option is coercion which can be done by blocking access by sending deauthentication packets. This will inevitably force wireless clients on a given organization’s wireless access point roam our rogue access point.
In the past 20 years, the 802.11 standard did not have encryption, starting from WPA3, Opportunistic Wireless Encryption (OWE) works by having wireless clients connect to a OWE network where the key exchange happens, and all established communication is served encrypted.
While OWE addresses encryption in data transmission, in addition to the adoption of HTTPS and HTST security headers have made passive sniffing attacks become very limited. With this adoption, it makes unauthenticated wireless communication much safer to use.
What can you do to enhance your Wireless security?
For starters, use a guest network for visitors that is isolated from the corporate network. If an attacker gains access to the guest network, there will be no additional risk to your corporate network. The guest network can have a preshared key, assuming the functionality for WPA2-Enterprise is not available. If a preshared key is your only route, we recommend having 16-character or higher password. If WPA2-Enterprise is available, we recommend using Radius with Active Directory for easy integration for adding and removing users from the network.
To protect your own organization against evil twin or rogue access points, be sure to implement network access controls and wireless intrusion detection or prevention systems. Wireless instruction detection or prevention systems can perform active discovery by scanning the networks to detect denial of service and ESSID spoofing attacks.
How We Can Help
All it takes is a one rogue access point to crack open an enterprise’s network. At Packetlabs, we specialize in red teaming and hold the most challenging certifications in the industry. Reach out to us about wireless security testing to ensure your organization’s protected against wireless attacks.