Wi-Fi itself should not be feared as a technology inherently susceptible to network attacks; what should be feared is a flawed deployment. Because of the nature of the medium, Wi-Fi frames can be received by any wireless device within range. With the proper security precautions in place, however, what an eavesdropper captures is of little use even to a determined attacker. By employing industry-standard security measures, Wi-Fi becomes an enterprise-grade, high-performance solution suitable for almost any application.
In this article, we examine the most pervasive threats to Wi-Fi networks and the best ways to mitigate them.
Importance of Wi-Fi security
According to the 2019 Thales Data Threat Report, 60% of companies surveyed globally reported having experienced a security breach. In the United States, the number was higher at 65%, with 36% reporting having been breached within the past year.
At the same time, the study found that organizations tend to spend very little on data security, with half of the companies surveyed saying they only allocate what amounts to a mere 0.6%-3% of their overall IT budget to data security.
Unfortunately, many organizations don’t realize the seriousness of the issue when it comes to wireless security. If company leadership realized that the average cost of a security breach is upwards of $3.6 million, more attention and budget would surely be devoted to keeping the network safe.
Typical Wi-Fi security threats
The most common and easily employable threats to Wi-Fi networks include:
Evil twin – Also known as a rogue Wi-Fi hotspot, this is a situation where an attacker sets up an illegitimate access point in the area where a company has installed its network. The attacker uses the same SSID as the legitimate network, or a similar one that looks legitimate. This illegitimate access point uses an independent internet connection, and connected users believe they are on the valid network. Even if the user’s connection to the access point is encrypted at the Wi-Fi layer, that encryption terminates at the access point, so everything sent can be intercepted, decrypted, and read by the attacker, who fully controls the connection. Only traffic that is additionally protected end to end (for example by TLS) stays confidential, and only as long as the user does not click through a certificate warning.
This attack typically succeeds against users who are only accessing the internet. Users attempting to reach internal services of the enterprise network would be unable to do so, since the evil twin is not connected to the enterprise network, and would at least realize that something is wrong.
Man in the middle – A MITM attack is similar to the evil twin but differs in its application. A “man in the middle” access point masquerades as a legitimate device to which users connect. This device, in turn, connects onward to the legitimate network, giving connected users full access to both the internet and internal enterprise services, so nothing looks wrong to them. As with the evil twin, all content relayed through the rogue device can be intercepted and read by the attacker, again subject only to whatever end-to-end encryption the applications use. This can be especially devastating if users access sensitive enterprise services such as financial applications, user databases, and VoIP systems.
In both evil twin and MITM attacks, the rogue access point may be placed closer to potential users, or may transmit at a higher output power (possibly beyond the legal limits), so that client devices see a stronger signal and prefer it over the legitimate access points. Clients generally choose among access points advertising the same SSID by signal strength, which is exactly what the attacker exploits.
Packet sniffers – Contrary to what network diagrams suggest, Wi-Fi signals from end devices and access points radiate outward in all directions. Various types of antennas can shape these signals into particular patterns, but in general, wireless signals propagate freely through open space. This means that any Wi-Fi device (laptop, tablet, mobile phone) can receive frames from users and access points all around it. With a wireless adapter in monitor mode and the appropriate software, these frames can be captured, saved, and analyzed. Such software is called a packet sniffer, and although it is extremely useful for troubleshooting and examining network performance, it can also be used maliciously against a poorly deployed wireless network. Wireshark is an example of a packet sniffer, about which you can learn more in our article on using Wireshark to troubleshoot VoIP.
An attacker within range of these signals can capture and save the frames. What does that mean security-wise? If appropriate security measures have not been built into the network, an attacker can accumulate packets and reconstruct emails, IP phone conversations, credit card numbers, and even a user’s web history. Essentially, anything sent in the clear over an unsecured network is fair game.
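The following example, added here for this article and not taken from it or from any vendor’s controller software, shows what a sniffer actually sees and how a basic evil-twin check works on it. It parses raw 802.11 beacon frames (frame-control field, BSSID, and the SSID, DS Parameter and RSN information elements), then compares each observed SSID/BSSID pair with an authorized list and also flags look-alike SSIDs; this is the same comparison a controller’s rogue-AP detection performs. All BSSIDs, SSIDs and the beacon frames themselves are constructed for the demonstration; a real capture would come from a wireless adapter in monitor mode.

```python
"""Parse 802.11 beacon frames and flag evil-twin candidates.

Added example for this article, not code from it or from any controller
product. All MAC addresses, SSIDs and frames below are constructed.
"""
import struct

# Information element IDs used here (IEEE 802.11 element ID numbers)
IE_SSID = 0
IE_DS_PARAM = 3   # carries the operating channel
IE_RSN = 48       # advertised by WPA2/WPA3 networks; absent on open networks


def build_beacon(bssid: str, ssid: str, channel: int, rsn: bool = True) -> bytes:
    """Build a minimal beacon frame (no radiotap header, no FCS) as test input.

    A real frame would come from a monitor-mode capture; this helper only
    exists so the example runs offline.
    """
    mac = bytes.fromhex(bssid.replace(":", ""))
    # Frame Control 0x0080: protocol version 0, type 0 (management), subtype 8 (beacon)
    header = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + mac + mac + struct.pack("<H", 0)
    capability = 0x0011 if rsn else 0x0001           # bit 0 ESS, bit 4 Privacy
    fixed = struct.pack("<QHH", 0, 100, capability)   # timestamp, beacon interval, capability
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    ies += bytes([IE_DS_PARAM, 1, channel])
    if rsn:
        # RSN IE body: version 1, group CCMP, 1 pairwise CCMP, 1 AKM PSK, capabilities 0
        body = bytes.fromhex("0100000fac040100000fac040100000fac020000")
        ies += bytes([IE_RSN, len(body)]) + body
    return header + fixed + ies


def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, SSID, channel and RSN presence from a raw beacon frame."""
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc & 0x00FC) != 0x0080:        # version 0, type 0 (mgmt), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])     # Address 3 field
    capability, = struct.unpack_from("<H", frame, 34)
    info = {"bssid": bssid, "ssid": None, "channel": None,
            "rsn": False, "privacy": bool(capability & 0x0010)}
    off = 36                            # first information element
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2: off + 2 + length]
        if len(value) < length:
            break                       # truncated element: stop parsing, do not crash
        if tag == IE_SSID:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == IE_DS_PARAM and length == 1:
            info["channel"] = value[0]
        elif tag == IE_RSN:
            info["rsn"] = True
        off += 2 + length
    return info


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike SSIDs such as 'CorpWlFi'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_rogues(frames, authorized: dict) -> list:
    """Compare observed beacons with an SSID -> {authorized BSSIDs} map.

    Returns (reason, parsed_beacon) findings; unrelated SSIDs are ignored.
    """
    findings = []
    for frame in frames:
        ap = parse_beacon(frame)
        for ssid, bssids in authorized.items():
            if ap["ssid"] == ssid:
                if ap["bssid"] not in bssids:
                    findings.append(("unknown BSSID advertising corporate SSID", ap))
                elif not ap["rsn"]:
                    findings.append(("authorized BSSID beaconing without RSN", ap))
            elif ap["ssid"] and edit_distance(ap["ssid"].lower(), ssid.lower()) <= 2:
                findings.append(("look-alike SSID", ap))
    return findings


# Constructed inventory and capture (hypothetical addresses and names)
AUTHORIZED = {"CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}
SAMPLE_FRAMES = [
    build_beacon("00:11:22:33:44:01", "CorpWiFi", 6),                 # legitimate AP
    build_beacon("de:ad:be:ef:00:01", "CorpWiFi", 6, rsn=False),      # open evil twin
    build_beacon("de:ad:be:ef:00:02", "CorpWlFi", 11),                # look-alike SSID
    build_beacon("aa:bb:cc:dd:ee:ff", "CoffeeShop", 1),               # unrelated network
]


def demo():
    """Run the check over the constructed capture; returns (reason, ssid, bssid) tuples."""
    return [(reason, ap["ssid"], ap["bssid"]) for reason, ap in find_rogues(SAMPLE_FRAMES, AUTHORIZED)]


if __name__ == "__main__":
    for reason, ssid, bssid in demo():
        print(f"{reason}: ssid={ssid!r} bssid={bssid}")
```

The look-alike threshold (edit distance of at most 2, case-insensitive) is a starting point; on short SSIDs it will produce false positives and should be tuned to the site’s naming. A production check would also track the channel and signal strength per BSSID over time, which is how controllers locate the offending device.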
Channel interference – This type of attack falls into the category of denial of service (DoS), where users are denied access to the system or service being attacked. In the case of Wi-Fi, a device can be placed within range of the network’s coverage that emits an illegally strong signal on the same channels as those used by the legitimate network. This causes interference that disrupts both the access points and user devices, causing users to lose connectivity. Because this is radio-frequency jamming rather than a protocol attack, no encryption or authentication setting prevents it; it can only be detected and the source located and removed.
Unauthorized access to infrastructure network – In a corporate environment, a Wi-Fi network may be connected to the main wired network, allowing employees to access internal services, as well as providing guests with basic internet connectivity. In such cases, a compromised Wi-Fi network may mean a compromised corporate network. Even if some form of segregation between the wireless and wired networks is employed, techniques such as VLAN hopping and theft of credentials can be used to gain unauthorized access to confidential corporate information.
Mitigation techniques
There are industry-standard threat mitigation techniques that have been tested and validated over the years. Many of these can be used in combination or individually, and the choice of which to use depends on the purpose of the network and the required level of security.
Use an intelligent wireless controller – A wireless controller is a device that orchestrates the provisioning, functionality, and management of multiple access points. The access points throughout your campus register to this controller, allowing the whole wireless network to be configured and managed centrally from the controller’s interface as a single entity. Not only does this improve deployment efficiency, but it also helps mitigate rogue and MITM access points and sources of channel interference. Some controllers include wireless intrusion detection (WIDS/WIPS) intelligence that compares what the access points hear on the air against the list of authorized SSIDs and BSSIDs and alerts an administrator. Some have automatic mitigation features that kick in whenever a suspicious event is recorded, and others will even pinpoint the physical location of interfering devices on the floor plan of the coverage area, allowing their quick discovery and deactivation.
Employ industry-standard WPA2 encryption/authentication – Wi-Fi Protected Access 2 (WPA2) is the second iteration of the WPA standard, which provides authentication (verifies that only permitted users can connect) and encryption (keeps communications confidential) to wireless clients. WPA2 functions in two modes: personal and enterprise. Personal mode (WPA2-PSK) is useful for a few access points with only a handful of users; a single pre-shared passphrase is configured on the access point itself, and every user shares it. Because the per-session keys are derived from that passphrase, anyone who knows it and captures a client’s handshake can decrypt that client’s traffic, and an attacker who captures a handshake can test passphrase guesses offline, so the passphrase must be long and random. Enterprise mode uses IEEE 802.1X/EAP: access points relay the authentication exchange to an external authentication server, such as a RADIUS server, which validates each user individually and issues per-session keys. This is the appropriate choice for deployments with multiple access points and individual credentials for tens or hundreds of users or more. In enterprise mode, client devices must be configured to validate the authentication server’s certificate; otherwise an evil twin running its own RADIUS server can harvest user credentials.
The Wi-Fi Alliance announced the introduction of WPA3 in January 2018 as an even more robust option, and as of the end of 2018, some devices have already been certified for its use. It will still be several months, however, before it is available for widespread use.
Employ an AAA system to record user activity – When using WPA2 in enterprise mode, access points relay each user’s authentication exchange to a centralized Authentication, Authorization, and Accounting (AAA) server, such as a RADIUS server, to authenticate (admit only permitted users), authorize (offer users connectivity only to allowed services), and account for (record activity during connectivity) users. Such a system lets you apply network restrictions on a per-user basis and record any prohibited activity that may be occurring, so that it can be investigated and prevented in the future.
Authentication portal – A wireless network can have an additional level of security beyond the initial authentication and encryption mechanisms. Once connected, users can be mandatorily directed to an initial login web page, and denied access to any network services until they enter the appropriate credentials. Note that a portal on its own provides no encryption: on an open guest network, traffic remains readable by anyone within range even after the user has logged in.
Use a personal VPN – When the network you connect to is not under your administration, it is difficult to enforce the level of security you may require. In such a case, using a personal VPN protects your privacy over an unsecured network, since everything sent through the tunnel is encrypted end to end between your device and the VPN endpoint, regardless of what the access point or anyone sniffing the air can see.
Properly segregate guest networks – As with all networks, the proper segregation of both the wired and wireless network must be employed, ensuring separate VLANs for guest user and employee traffic. In addition, the appropriate access lists, firewall rules, and intrusion detection systems should be in place.
Conclusion
In today’s threat-ridden world, wireless security is a crucial part of the implementation of any Wi-Fi network. Knowing the principles described here and employing them in the appropriate situations is vital to providing both your users and your guests with a protected network environment.
You may also like:
Wi-Fi network security: Do you have a blind spot?
Network Design Strategies for Optimal Wi-Fi Performance.