Wi-Fi security: The past to the present
Wi-Fi is becoming the preferred access method in the modern enterprise network. This transition has been ongoing for quite some time. As the next generation workforce comes online, they have an insatiable appetite for mobility and expect pervasive and highly scalable Wi-Fi.
This increased demand and the resulting increase in deployment has made Wi-Fi a more appealing target to malicious attackers and has brought Wi-Fi security back to the forefront of conversation. Many enterprise networks have been using a mixture of Wi-Fi security mechanisms, some effective but others much less so as there were no better alternatives.
To understand the problem we are facing in enterprise Wi-Fi security, we must first understand the history of the evolution of Wi-Fi security. As George Santayana so famously said in his 1905 book The Life of Reason, “Those who cannot remember the past are condemned to repeat it.” You might be thinking, “Why is that quote relevant as it pertains to Wi-Fi security today?” Simply put, every Wi-Fi security standard over the last 21 years has eventually been cracked.
To better understand the evolution of Wi-Fi Security standards we want to take a look at them from a linear timeline perspective.
Wi-Fi Security Standards Timeline
As you can see, there have been significant periods where the standards have not changed. Wired Equivalent Privacy (WEP) was the standard for more than six years until it was eventually broken and comprehensive cracking tools were made available in the public domain. This forced a re-examination of wireless security standards, and Wi-Fi Protected Access (WPA) was introduced in 2003. The Wi-Fi Alliance intended WPA as an intermediate measure to address the fact that WEP had been cracked and to provide some measure of security until the proposed IEEE 802.11i standard could be ratified and widespread industry adoption began.
In 2004, IEEE 802.11i was ratified, and Wireless Protected Access II (WPA2) was born. Adoption of WPA2-Enterprise and WPA2-Personal/Pre-Shared Key (PSK) has been widespread and pervasive. Most enterprise customers have relied on its stability and widespread adoption across every significant OEM to secure their Wi-Fi networks for the past 14 years.
Wi-Fi security: Discovery signals the beginning of the end
When a security protocol or standard is cracked by security researchers, malevolent organizations or even rogue nations, the outcome is inevitable: widespread creation and use of automated tools to compromise Wi-Fi security. Once these tools are in the wild, Wi-Fi is at risk until a new standard is created and then implemented in the enterprise.
To understand how a security standard collapses under the weight of prolonged analysis/attack once a weakness has been identified, let us look at WEP as an example in the chart below:
WEP - The collapse as a secure standard.
The first documented attack against WEP was in 2001; subsequent attacks were orders of magnitude more efficient. New attack methods quickly followed, until applications such as Aircrack-ng were released that automated breaking WEP encryption. These tools could utilize data samples as small as a packet to compromise security in less than 30 seconds and were usable by virtually anyone with moderate computer literacy. No longer was breaking Wi-Fi encryption relegated to the secretive world of hackers or the academic world of cryptanalysis. Hacking Wi-Fi was now mainstream.
Wi-Fi security: Those pesky devices are weakening my security!
Wi-Fi security has often been about compromise due to variances of client capability, lack of understanding of Wi-Fi security or the sacrificing of security in favor of convenience and ease of use. Wi-Fi clients are not all equal regarding their capabilities, especially in the areas of authentication and encryption, and this is the problem that haunts the enterprise and weakens the overall security of the network today.
One way to mitigate some of the risk is to segment the network. Enterprises can isolate the less secure Wi-Fi clients, and their corresponding applications and servers, to tightly controlled security segments. This segmentation would prevent access from a less secure segment to more secure segments. Segmentation must be a part of the solution for the overall security of the Wi-Fi devices on the network to reduce risk and minimize the amount of data exposed. A further discussion around network segmentation can be found on our Enterprise Segmentation topic page.
Wireless Protected Access 2: Houston, we have a problem.
WPA2 has been the standard for enterprise Wi-Fi security for 14 years, but its reign may be coming to an end.
There are two known significant exploits against WPA2. The first was announced in 2017 when security researcher Mathy Vanhoef published a research paper and then demonstrated how the attack could be carried out. At the time, Vanhoef concluded that WPA2 could be patched to address the weakness; unfortunately once a standard is broken, even if it can be patched, it often is just the beginning as other researchers or hackers will start looking for other weaknesses.
This is precisely what has occurred, and while not surprising, breaking WPA2 is unfortunately now even more accessible due to the recent announcement by security researcher Jens “Atom” Steube of a new way to attack WPA2. This attack is targeted at wireless networks that use WPA2-Personal or WPA2-PSK implementations of WPA2. Read the author’s more technical detail on this attack.
The most recent discovery is perhaps the most disturbing. If history has taught us anything, it is that even more attack vectors will be discovered against WPA2 and that tools will be developed to make this process more accessible and more automated. Once this occurs, enterprise networks that rely on mission-critical Wi-Fi will face a frightening prospect. The existing attacks against WPA2 will necessitate patching, at a minimum, for the following devices:
- Wireless Controllers
- Access Points
- Wi-Fi Clients
This will be a significant challenge for most organizations. Wi-Fi has become the default method of transport onto the network and is now mission critical to operations in many organizations. The downtime needed to patch infrastructure devices such as wireless controllers and access points will impact the end-user community and business operations directly. While significant, the infrastructure updates may not be the biggest problem.
In most enterprises, Wi-Fi devices have exploded in numbers over the previous decade. The amount of time and resources needed to identify the types of devices, perform patch assessment, and deploy the patches is daunting.
The favorable outcome scenario is the simplest in that it presumes the following:
- Identification of the location, type and patch readiness of the mobile device is possible
- Patches are available from the OEM
- Deployment of said patches via automated systems is possible
- The patching process is successful
Unfortunately, there are adverse outcome scenarios that are going to continue to lower the overall security of the Wi-Fi network and have a notable impact on IT operations and security:
- Devices that cannot be located but are in operation
- Devices that cannot be patched because of device limitations
- Devices that cannot be patched because the OEM does not have a patch
- Devices that fail to patch via automation deployment
Any of the adverse scenarios above will be challenging, but I would speculate that the last one listed may be the worst regarding impact. In that scenario, the device may cease functioning via Wi-Fi and a technical resource would have to be dispatched to patch the device and return it to working order manually. In a large enterprise, if even a small percentage of automated patches fail, this could represent hundreds of devices or more, and their users, waiting on IT to dispatch a technician and correct the issue. For national or global scale organizations, this could severely impact operations.
This is the current state we face for WPA2 in the enterprise, and there is work to be done. IT should develop these device matrixes, processes, methodologies, staffing models and technical documents now because, as the story of WEP illustrates, this may not be the last time WPA2 will require updating. There is, however, a new standard that has been announced, and it could arrive before further vulnerabilities in WPA2 are discovered.
Wireless Protected Access 3 (WPA3): The next evolution
To address the issues facing WPA2, the WPA3 standard is being introduced. The Wi-Fi Alliance first announced WPA3 in a press release on June 25, 2018. There are several key enhancements included in the new standard. Three of the most impactful are listed below.
- WPA3-Personal brings better protections to individual users by providing more robust password-based authentication
- WPA3-Enterprise also offers an optional mode using 192-bit minimum-strength security protocols and cryptographic tools to protect sensitive data better
- Wi-Fi Enhanced Open networks provide unauthenticated data encryption to users, an improvement over traditional open networks with no protections at all
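The modes listed above can be told apart by the authentication (AKM) suites an access point advertises in its RSN element, which helps when inventorying which SSIDs still accept WPA2-PSK. The following is an added example, not code from WWT or the Wi-Fi Alliance, and it goes beyond the article by parsing that element; suite selector numbers follow IEEE 802.11, while the function names and sample bytes are constructed for illustration.

```python
import struct

OUI = bytes.fromhex("000fac")  # OUI used by IEEE 802.11 suite selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
        8: "SAE", 12: "802.1X-SuiteB-192", 18: "OWE"}

def _name(sel, names):
    return names.get(sel[3], f"unknown-{sel[3]}") if sel[:3] == OUI else "vendor:" + sel.hex()

def _suite_list(buf, off, names):
    """Read a little-endian count, then that many 4-byte suite selectors."""
    if off + 2 > len(buf):
        raise ValueError("truncated suite count")
    count = struct.unpack_from("<H", buf, off)[0]
    end = off + 2 + 4 * count
    if end > len(buf):
        raise ValueError("truncated suite list")
    return [_name(buf[i:i + 4], names) for i in range(off + 2, end, 4)], end

def parse_rsn(body):
    """Parse an RSN element body (the bytes after element ID 48 and its length)."""
    if len(body) < 6 or struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("not an RSN version 1 element")
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akms, off = _suite_list(body, off, AKMS)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    ciphers = {_name(body[2:6], CIPHERS), *pairwise}  # group cipher plus pairwise
    return {"akms": set(akms), "ciphers": ciphers,
            "legacy_cipher": bool(ciphers & {"WEP-40", "WEP-104", "TKIP"}),
            "pmf_required": bool(caps & 0x40), "pmf_capable": bool(caps & 0x80)}

def classify(rsn):
    """Map the advertised AKM suites to the modes named in the article."""
    akms, psk = rsn["akms"], {"PSK", "PSK-SHA256"}
    if "802.1X-SuiteB-192" in akms:
        return "WPA3-Enterprise 192-bit"
    if "OWE" in akms:
        return "Wi-Fi Enhanced Open"
    if "SAE" in akms:
        return "WPA3-Personal transition" if akms & psk else "WPA3-Personal"
    if akms & psk:
        return "WPA2-Personal (PSK)"
    return "802.1X Enterprise" if akms & {"802.1X", "802.1X-SHA256"} else "unknown"

SAMPLES = {  # constructed element bodies, not captured from any real network
    "legacy-psk": "0100000fac020200000fac04000fac020100000fac020000",
    "transition": "0100000fac040100000fac040200000fac02000fac088000",
    "sae-only": "0100000fac040100000fac040100000fac08c000",
}
```

An SSID reported as "WPA3-Personal transition" still accepts PSK clients, and `legacy_cipher` flags networks that keep TKIP or WEP enabled for older devices.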
Wireless Protected Access 3 (WPA3): The challenge in the enterprise
WPA3 implementation for enterprise network operators could be a lengthy and perhaps costly proposition due to some of the issues that arose patching WPA2 and also because of increased requirements at the device level of WPA3.
The increased requirements for CPU power necessary to support the enhanced cryptographic ciphers used to encrypt the data may prevent some of the Wi-Fi adapters in our mobile devices from being able to move to the new standard via a software upgrade to the drivers. Trying to identify potentially thousands or tens of thousands of devices and starting an en masse upgrade program is daunting to most IT departments. Even a small percentage of automated upgrade failures could represent a significant number of end users who are unable to use Wi-Fi until an IT technician can address the failure with manual intervention.
The previous discussion was focused around end-user mobile devices that need an upgrade to WPA3. That is but one half of the challenge facing enterprise Wi-Fi operations today. The Wi-Fi infrastructure will also pose problems, especially at enterprise scale for networks that can span a city, county, state, nation or even the globe.
The enhanced requirements of WPA3 may force upgrades on the Wi-Fi infrastructures that are unplanned and unbudgeted. Additionally, the problem that end user mobile devices are facing may also be an issue for older Wireless Access Points (WAPs). If the architecture is controller based, the controllers for the Wireless LAN (WLAN) may force obsolescence and thus require upgrade. These devices are the foundation of Wi-Fi in the enterprise today and must be updated before the end-user devices to provide the foundational support for WPA3.
WWT is committed to helping our customers address the issue of WPA3 implementation in the enterprise. To this end we have a variety of resources to assist our customers with the challenge that WPA3 may represent.
Planning and Engineering Services: WWT offers Last Day of Service, End of Sale and End of Life mapping to WPA3 eligibility for network infrastructure. Our experts can provide Wireless Infrastructure Assessment, Planning, Engineering and Implementation Services.
Education: In our Advanced Technology Center, we can provide workshops, demonstrations, proofs of concept and sandbox environments for testing which solution best meets your enterprise’s needs.
WEP Attack Timeline
Wi-Fi Alliance WPA3