September 8, 2017
Wi-Fi is a technology for wireless local area networking using radio wave transmission and based on the IEEE 802.11 standard. Wi-Fi is used widely in private homes as a convenient and inexpensive method of networking. Many businesses and public places provide Wi-Fi as an amenity for both employees and customers. Wi-Fi networks can be set up in Peer-to-Peer mode or Access Point (AP) mode, and authentication modes include:
- Open System Authentication – allows any wireless client to obtain access (no key required)
- Shared Key Authentication – wireless clients with a shared secret key can obtain access
- Centralized Authentication – wireless clients are required to authenticate to a centralized authentication server to obtain access
With the widespread adoption of Wi-Fi, we often fail to recognize the fundamental security weakness of a wireless network. Since the transmission is over radio waves, it is difficult to prevent a rogue user from having access to the wireless signals that are within range. Some techniques touted to improve WiFi security (such as preventing SSID broadcasting, MAC address filtering) are quite ineffective – a hacker with knowledge of wireless sniffing tools (such as Kismet, NetStumbler and others) can easily sniff the SSID and MAC addresses from the packets circulating on the network and gain access to the wireless network. Encryption is the most effective mechanism available to protect communication over Wi-Fi. Security protocols and encryption mechanisms on the IEEE 802.11 standard have evolved over the years and include the following:
- The Wired Equivalent Privacy (WEP) was the original encryption standard for IEEE 802.11. However, it encrypts messages using RC4 encryption with pre-shared keys that are rarely updated. Thus, WEP is very easy to crack and was formally deprecated in 2004.
- The Wi-Fi Protected Access (WPA) protocol passes the data through a Message Integrity Check (MIC) using a 128-bit Temporal Key Integrity Protocol (TKIP) and the client’s MAC address. WPA also uses the Extensible Authentication Protocol (EAP) to establish an authenticated session and a message encryption key that is changed every 10K packets.
- The second generation of the WPA (WPA2) is based on the final IEEE 802.11i amendment. It supports stronger authentication mechanisms using a RADIUS server and AES encryption and is eligible for FIPS 140-2 compliance.
As mentioned above, WEP is very easy to crack. WPA and WPA2 are less exploitable than WEP; however, an attacker can still crack WPA/WPA2 by capturing WPA/WPA2 authentication handshake packets and performing an offline attack. WPA with user-chosen Pre-Shared Keys (PSK) can be cracked using dictionary attacks or through offline brute-force attacks. Using a long enough random password (e.g. 14 random letters) or passphrase makes pre-shared key WPA difficult to crack. WPA/WPA2 networks with active wireless clients are susceptible to “de-authentication attacks” where the attacker forces the client to disconnect from and reconnect to the AP and captures the authentication packets using a tool such as Airplay. The Pairwise Master Key (PMK) included in the authentication handshake may be brute-forced using tools such as AirCrack. WPA2 with strong authentication and AES encryption is nearly impossible to crack.
The IEEE 802.11 has evolved from an extension of the wired LAN into the wireless channel to a mature protocol that supports enterprise authentication, strong encryption and quality of service. However, the type of authentication used (user-chosen PSK versus 2-factor mechanisms) and the type of encryption used determine the strength of the wireless network and its vulnerability to hacking attacks.
Contributed by Dr. Sarbari Gupta