Editor's Choice: This article has been selected by our editors as an exceptional contribution.

A layman's explanation and look into Wireless Security

btanExec Consultant
It is more than words to describe oneself and one's action speaks for itself.
Edited by: Andrew Leniart
Nothing is ever secure - things get "broken" but not always easily mended. This is the norm today. Despite security measure put in place, cyber attacks are still successful because security controls themselves can be vulnerable as well. Catch this Wi-Fi security weakness run through.

Recent news revealed a developer of a password cracking tool blogged on saying the secure wireless protocol Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2) password can be obtained easily. The saving grace is that the developer found the weakness during the examination of the new and more secure WPA3. It can get fairly technical in the attack, and for the non-IT geek, and most may even just say "if it ain't broken, don't fix it". 

Case in point is that there is no patch to remediate this weakness. You can only mitigate. The risk is trivialized. Hopefully, through this article, will at best share in more layman terms how it can impact you and what you can do about it.

Basic understanding of Wi-Fi Authentication

Before we even take a look at the vulnerability, we need to at least know how Wi-Fi authentication works - what actually goes on behind the scenes to get you wirelessly connected. A typical home setup is your machine gets connected to a Wi-Fi Access Point which is wired to a modem gateway in order to get you onto the Internet. 

The password gets a check by the simple Access Point which serves as an authenticator cum authenticator server. This authentication scheme, in a broad sense, is actually termed as 802.1x authentication - typically using EAPOL (Extended Authentication Protocol over LAN). 

For any new connection, there is always the 4-way handshake (excluding the start and success packet) frame exchanges.

1. EAP Request Identity: When a user (802.1x supplicant) attempts to connect to the Enterprise AP (Authenticator). 

2. RADIUS Access-Request/Challenge: When RADIUS (Authentication server) verifies identity and send back challenge* 

3. EAP Response: When a user provides the credential, such as a username as well as a password or certificate** 

4. RADIUS Access-Request/ Accept: When RADIUS verifies the credentials and sends an accept or rejects the packet.

* Challenge includes authentication (EAP) method which can be PEAP (Protected Extensible Authentication Protocol), MD5 (Message Digest 5), TLS (Transport Layer Security), TTLS (Tunneled Transport Layer Security), or another similar method.

** These are the two typical categories of authentication 

  • WPA/WPA2-PSK (Pre-Shared Key) - authentication with a Preshared-Key which need no Authentication server.

  • WPA/WPA2-EAP (Extensible Authentication Protocol) - authentication with an EAP method which validates more secure credentials through the use of an Authentication server, such as certificates, tokens, username, and password.

There are more details but this should be enough to appreciate the weakness.

What is the vulnerability?

The weakness exists in the AP router that has its roaming setting enabled. Most modern routers support such seamless wireless roaming experience. It does it using a cached secret so that users do not go through the lengthy 4-way check upon re-connection as the user roams around a building or area. It is claimed to work against all 802.11i/p/q/r networks with roaming functions enabled.

Going deeper, there exists the RSN IE (Robust Security Network Information Element) in the packet which includes a Pairwise Master Key (PMK) identity number (PMKID). This is a key that can be easily cracked - why? The only secret is the PMK is derived from user password and SSID (a wireless identifier to connect or targeted). The rest are also known information which includes the MAC addresses. These can be easily retrievable or sniffed over the connection. This is demonstrated and shared on the following blog

Using a weak password makes it an easy feat for a cracking tool to retrieve the password.  It is also important to note that, as the SSID is also used to calculate the PMK, with the same password but a different SSID, we would end up with a different PMK.  

What is the whole attack about?

The attack is performed through a single EAPOL frame (earlier mentioned in the basic) which will have the RSN IE and hence the PMKID. Once a valid PMKID packet is captured, the latter can be converted to an attack tool format (in this case, tool is called hashcat) for offline cracking. This is a new way to recover the WPA2-PSK passphrases from vulnerable devices.

The goodness of the attack is that it does not require client interaction or a 4-way handshake which may trigger network security devices like a wireless intrusion detection device. 

Check out others' testing and tips in running the tool. 

What can I do then?

Now that we know the weakness (hopefully), the most straightforward solution is to have a strong password such as a passphrase. But there is no forever panacea. As technology advances in hardware such as the GPU, which Hashcat uses to speed up the cracking process, more hacker's cracking tools will also get faster to reveal the password. 

Single factor using a password (WPA/WPA2-PSK) is no longer a secure means for long term though it is simpler to implement for a wireless setup. Raise the bar (especially for Enterprise) by going for a more secure authentication method using certificate or token (WPA2-EAP (EAP), aka WPA Enterprise.

The other means which I see will be the way forward is to go for WPA3. Even the developer of the cracking tool noted that it’s “much harder to attack because of its modern key establishment protocol called ‘Simultaneous Authentication of Equals’ (SAE).” 

The short of it is that the custodian of Wi-Fi standards (Wi-Fi Alliance) says that SAE is resistant to offline dictionary attacks where an attacker tries to guess a Wi-Fi network's password by trying various passwords in a quick succession. It will block authentication requests after several failed attempts, hence limiting the impact of such brute-force attacks. Also, it uses forward secrecy which ensures attackers who discover a Wi-Fi network's password cannot decrypt old traffic captures sent inside that network by others.

If I heed the advice, am I safe now?

Yes, against this new attack. No, as the 4 way handshake is still flawed so moving to the stronger version is advised.  Importantly, you need to maintain a wireless security baseline posture, otherwise be susceptible to opportunistic attack. Here is a short checklist to kick start in your journey to secure the Wi-Fi networks with basic hygiene level.

  1. Don't make the SSID too obvious - This is always in the hunt list for the war driver (hacker going around looking for WiFi networks). No dead giveaway as to the identity of your organization

  2. Separate your private network from not trusted network - Define you "Guest" network, Extranet (including the Internet) and Intranet. Segment them and put in rules to restrict the traffic traversal segments. Be clear what sort of wireless traffic should be allowed through the choke points or tunnels via the firewall. Consider putting in the wireless intrusion detection device at this choke points.

  3. Strengthen the policy and access rules - In addition to firewalls and VPNs, the wireless network will be required to fit within your existing security infrastructure. Different policies can be applied to the wireless traffic. E.g. Define rules for "walled garden" guest access. Intranet servers, edge routers and bandwidth managers to be updated to filter on segment assigned to the wireless segment.

  4. Turn off all the "unnecessary" - Prohibit unnecessary sharing especially peer-to-peer networking. This reduces malware spreading while you still permit logged guest sessions. Take a stringent stance - Limit destinations, protocols, duration and bandwidth on the wireless access. Maintain a blacklist or banned list of guest access. Policy dictates steps to prevent such banned visitors from intruding.

  5. Allow only unique users access - Create user list but leverage on existing user/device credentials and authentication databases such those of your Enterprise identity store. No need to reinvent the wheel and still achieve a single truth of source.

  6. Maintain regular security reviews - Conduct security audit against the inventory and the patch compliance - making sure they are updated in patches to latest working version. Run vulnerability scanning and penetration testing to reveal gaps due to misconfiguration, poorly patched device, weak cipher (e.g. TKIP) configured etc and remediate promptly.   

Hope this article provides a better appreciation. It is an arms race so start securing your Wi-Fi connection/network now.

btanExec Consultant
It is more than words to describe oneself and one's action speaks for itself.

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.