Recently I have been involved in a couple of initiatives that addressed Wi-Fi security as one of their main topics. One of them is the upcoming SANS April OUCH issue, focused on "Staying Secure Online when Traveling". The main constraint of user awareness programs is the limit on how much information can be shared with users, which requires very clear, simple, and direct messages. Secure Wi-Fi access awareness is a key component of overall user security nowadays, as most users (if not all) connect daily to one or multiple Wi-Fi networks from their laptops, smartphones, tablets, and other mobile (personal and professional) devices.

Fortunately, the ISC audience has a very technical profile, so it is the proper forum to go into the technical and security-related details of how Wi-Fi networks are used today by users worldwide, identify areas of improvement, suggest current and future solutions, and take action.

Most ISC readers widely accept that WEP is insecure: its vulnerabilities have been well known since 2001, and since April 2007 it has been possible to recover the WEP key in less than a minute. Still, today lots of vendors and service providers deliver their Wi-Fi equipment (Wi-Fi access points) configured by default as wide open or with WEP (case 0). Besides that, the fact that WEP makes use of a secret key creates a false sense of security among end users, who assume that if there is a secret key involved... it must be secure.

There are three types of Wi-Fi scenarios users commonly connect to:
A fourth very common case all over the world, although we are not going to pay a lot of attention to it, is the illegitimate use of an unprotected third-party or neighbor Wi-Fi network without authorization. The "free" access can turn against the unauthorized user, as the owner of the network, as well as other users, can monitor and manipulate the user's activities. The cost savings of using a piggybacked connection won't compensate for the associated security risks.

There are very simple, common-sense options to mitigate some of the weaknesses and scenarios previously mentioned (identified by case #), while others are mitigated using additional security layers that do not always offer proper protection. Let's analyze the pros and cons of the most common scenarios and security practices used today when connecting to all kinds of Wi-Fi networks:
If you are a vendor, can you improve your default Wi-Fi equipment configuration? If you are a service provider, can you provide more secure configurations for the Wi-Fi equipment of home end users, small and medium businesses, and enterprises? If you are a corporate administrator or security pro, can you improve the security of both your employee and guest Wi-Fi networks, plus the configuration of the corporate Wi-Fi clients? If you are offering any kind of temporary or permanent Wi-Fi access (such as Wi-Fi hotspots) in venues, conferences, hotels, airports, cafés, restaurants, libraries, etc., can you improve the security of these networks? As a user, can you minimize the risk you take when connecting to Wi-Fi networks, avoid insecure environments, and spread the word and create awareness among other users, colleagues, friends, family members, neighbors, management, etc.?

It is 2011 and we have the technologies for secure Wi-Fi deployments available, but we are clearly not making use of them in all common usage scenarios. Time to improve (and comment using the section below)!
Raul Siles 152 Posts Apr 10th 2011 |
Apr 10th 2011 1 decade ago |
The cover article for the March ISSA Journal was on Wireless Hotspot (In)Security, link here: http://riosec.com/wireless-hotspot-insecurity
In this article I talk about securing hotspot (guest) wireless networks at the data-link layer, using EAP-TLS without client authentication. This works very similarly to HTTPS. More details are available here: http://riosec.com/open-secure-wireless I am trying to get this in front of the Wi-Fi Alliance for consideration. It would not likely require any new protocols or changes to existing protocols, just changes to how existing protocols are implemented in wireless supplicants. Readers can help by forwarding this to their wireless vendors or contacts on the WFA, and asking for secure wireless hotspots. Thanks, Christopher www.riosec.com
Anonymous |
Apr 10th 2011 1 decade ago |
Even if a hotspot has a secure wireless interface, security may still be compromised -- perhaps the wireless router shares an internet connection with other devices on a wired LAN on-site, or maybe it sends traffic over a VPN to its operator who itself is compromised, or maybe a vulnerability in the wireless router itself could be exploited.
And a public hotspot operator could still be involved in shady practices such as usage tracking (e.g. Phorm), or sharing your location (by revealing to advertisers where the hotspot is located, who could combine that data with persistent cookies on your device), etc. So personally I'd pay little attention to the 'security' supposedly offered by a wireless hotspot, try to secure my device against attacks coming in over that interface, and prefer to make only SSL (e.g. SSL Everywhere add-on for Firefox), SSH, tunnels or VPNs for anything else. This may become easier with IPv6, particularly Mobile IPv6 and IPSec.
Steven C. 171 Posts |
Apr 10th 2011 1 decade ago |
@Christopher Thanks for sharing your work. After a quick look, the solution seems to be similar to my proposed WPA2-Enterprise hotspots, but simpler if registering or keeping track of individual users is not a requirement. I will send you feedback once I have read it all in detail.
Raul Siles 152 Posts |
Apr 10th 2011 1 decade ago |
@Steven You brought up a point I'm used to and like to highlight in this kind of discussion (although I tried to avoid it here just to focus on Wi-Fi), as lots of people put too much trust in their wired Internet connection.
This is the reason why I explicitly mentioned "not only for Wi-Fi but for general Internet usage" and "to avoid local network attacks". Wi-Fi insecurity mainly focuses on local network attacks, because even when you trust 100% your corporate network, your home network (cable or xDSL), or any other edge network, including the suggested mobile networks (+3G), once the connection enters the service provider world, and hence, the Internet, the risks and threats are always the same. End to end protection is the only real countermeasure, and we must assume we are connected to an insecure network. |
Raul Siles 152 Posts |
Apr 10th 2011 1 decade ago |
IIUC, even having a single username & password for WPA Enterprise shared among all users prevents peers snooping others' traffic, as the session keys are computed securely within the EAP session, unlike in the shared WPA-Personal case.
Raul Siles 1 Posts |
Apr 11th 2011 1 decade ago |
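The key-hierarchy difference raised in the last comment, as an added example that is not part of the original thread: in WPA/WPA2-Personal the PMK depends only on the passphrase and SSID, so every peer holding the passphrase derives the same pairwise keys from values visible in the 4-way handshake, while in WPA/WPA2-Enterprise the PMK comes from each EAP session's own MSK. The SSID, passphrase and MAC addresses are constructed, and random bytes stand in for the MSK an EAP method would export.

```python
import hashlib
import hmac
import os

LABEL = b"Pairwise key expansion"

def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def eap_pmk(msk: bytes) -> bytes:
    """WPA/WPA2-Enterprise: PMK is the first 32 bytes of the EAP session's MSK."""
    return msk[:32]

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key (48 bytes for CCMP) from PMK, MACs and nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, LABEL, data, 48)

def demo() -> dict:
    # Constructed handshake values; MACs and nonces cross the air unencrypted.
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = os.urandom(32), os.urandom(32)
    hs = (aa, spa, anonce, snonce)

    # Personal: the station and any other holder of the passphrase agree.
    station = ptk(psk_pmk("cafe-guest-2011", "CafeWiFi"), *hs)
    peer = ptk(psk_pmk("cafe-guest-2011", "CafeWiFi"), *hs)

    # Enterprise: same login shared by everyone, but each EAP session yields
    # its own MSK (random stand-ins here), so the peer's PMK does not match.
    station_e = ptk(eap_pmk(os.urandom(64)), *hs)
    peer_e = ptk(eap_pmk(os.urandom(64)), *hs)

    return {
        "personal_peer_derives_same_ptk": station == peer,
        "enterprise_peer_derives_same_ptk": station_e == peer_e,
    }

if __name__ == "__main__":
    print(demo())
```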