Wireless security risks are not something we talk much about anymore, but they do have an impact on the overall safety and resilience of your network. I occasionally see overly paranoid IT and security professionals who recommend against using Wi-Fi altogether.
These are the same people who often proclaim the sky is falling due to some niche security vulnerabilities that don't matter to most businesses. Anyway, I'm not a big believer in avoiding something when there are opportunities for compensating controls.
The most common wireless security risks
With that in mind, do you fully understand the wireless security risks associated with your business? In my work performing independent vulnerability and penetration tests, I see a number of wireless-related flaws that create unnecessary business risks:
- Wireless access points (APs) and routers that fall outside the organization's patch management standards introduce vulnerabilities that can be exploited by both connected users and outside attackers -- e.g., the KRACK attack, to which many systems are still vulnerable.
- Wireless networks are not monitored for attacks and other malicious use, even though such monitoring could help uncover bigger wireless security risks such as malware infections and data exfiltration.
- Lack of visibility into the wireless network's signal spectrum can create a lack of control and can unnecessarily expose wireless signals outside of buildings. Knowing the wireless spectrum can also help alert IT and security personnel of new wireless devices -- hosts and APs -- seen in the vicinity.
- Use of outdated wireless security protocols such as WPA and WEP makes for easy exploitation.
- Wi-Fi Protected Setup enabled on consumer-grade wireless routers without intruder lockout allows an attacker to crack the WPS PIN and capture the WPA encryption key.
- Network access control that does not include Wi-Fi in its scope can lead to a false sense of security and allow unauthenticated and improperly secured devices into internal parts of the network.
- Web content filtering missing within the guest and, sometimes, production wireless networks can create issues with acceptable-usage policies that corporate HR mandates and can increase the risk of malware infections.
- Guest wireless allows access into internal production network subnets because of a lack of reasonable network segmentation between the wired and wireless networks.
- Indirectly, critical business systems like external-facing servers and web applications pose wireless security risks when running weak encryption ciphers and protocols, such as Rivest Cipher 4 and Triple Data Encryption Standard, Transport Layer Security 1.0, and Secure Sockets Layer 2.0.
- Wireless networks that fall outside the scope of existing security policies and response plans leave indefensible gaps in the event of an incident or breach.
- WPA2 -- the most common security protocol currently running on wireless networks -- is vulnerable to dictionary crack attacks. (However, I have found that most businesses that use reasonably long and complex passphrases or keys can minimize this risk.)
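Three of the flaws above (outdated protocols, WPS without lockout, and guest wireless that reaches production subnets) can be checked mechanically against an inventory of WLAN settings. The following is an added example, not part of the original article; the inventory, its field names and the subnets are constructed, and `allowed_destinations` is assumed to list what each WLAN can actually reach after ACLs.

```python
import ipaddress

# Protocols this page names as outdated.
WEAK_PROTOCOLS = {"WEP", "WPA"}
# Constructed internal production subnets (assumption, IPv4 only).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.10.0.0/16", "192.168.50.0/24")]

# Constructed WLAN inventory; every field name is hypothetical.
# allowed_destinations = networks the WLAN can reach after ACLs are applied.
WLANS = [
    {"name": "corp", "role": "production", "security": "WPA2",
     "wps_enabled": False, "allowed_destinations": ["10.10.0.0/16"]},
    {"name": "guest", "role": "guest", "security": "WPA2",
     "wps_enabled": False,
     "allowed_destinations": ["203.0.113.0/24", "10.10.20.0/24"]},
    {"name": "warehouse", "role": "production", "security": "WEP",
     "wps_enabled": True, "wps_lockout": False,
     "allowed_destinations": ["192.168.50.0/24"]},
]

def audit_wlan(wlan):
    """Return findings for one WLAN record (empty list = nothing flagged)."""
    findings = []
    if wlan["security"].upper() in WEAK_PROTOCOLS:
        findings.append("outdated-protocol")
    if wlan.get("wps_enabled") and not wlan.get("wps_lockout", False):
        findings.append("wps-without-lockout")
    if wlan.get("role") == "guest":
        # Any overlap between a guest-reachable network and an internal
        # subnet means the guest WLAN is not segmented from production.
        for dest in wlan.get("allowed_destinations", []):
            net = ipaddress.ip_network(dest, strict=False)
            hits = [str(i) for i in INTERNAL_NETS if net.overlaps(i)]
            if hits:
                findings.append(f"guest-reaches-internal:{dest}->{','.join(hits)}")
    return findings

def audit_all(wlans=WLANS):
    """Map WLAN name -> findings, omitting WLANs with no findings."""
    report = {}
    for w in wlans:
        found = audit_wlan(w)
        if found:
            report[w["name"]] = found
    return report

if __name__ == "__main__":
    for name, found in audit_all().items():
        print(name, found)
```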
Some of these vulnerabilities are more critical in nature than others. It just depends on the context. Regardless, if there are known wireless security risks and there's something that you can do to reduce them (often for free), then why not eliminate them? Formal wireless security vulnerability and penetration testing is one option, but sometimes this task isn't performed at all. But you cannot secure what you don't acknowledge.
How can WPA3 prevent wireless security weaknesses?
The forthcoming WPA3 wireless security standard can help mitigate current Wi-Fi weaknesses through features such as the following:
- a new key exchange protocol that will effectively eliminate dictionary attacks;
- perfect forward secrecy to help prevent hackers from cracking previously captured traffic;
- Wi-Fi Easy Connect, which simplifies and secures the wireless connectivity process that used to be handled by Wi-Fi Protected Setup; and
- opportunistic wireless encryption that protects unauthenticated or open service set identifier connections.
The best thing is to acknowledge your wireless ecosystem has security holes in it. This is even more likely when you have users connecting to random wireless hotspots at home, while traveling and so on. Even if you eliminate all the above vulnerabilities and implement WPA3, your business can be exposed to someone mimicking a legitimate AP -- the "evil twin" vulnerability, which has been around since the inception of Wi-Fi. Not only can an evil twin attack exploit network systems and information, but when it does happen you'll likely never know about it. The evil twin vulnerability can be mitigated using a wireless intrusion prevention system offered by many of the big networking vendors. Still, these systems won't protect your mobile users when they are out and about.
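The core check a wireless intrusion prevention system applies to spot an evil twin can be sketched as a comparison of observed beacons against an inventory of authorized APs. This is an added example, not part of the original article and not any vendor's implementation; the SSID, BSSIDs, channels and scan records are constructed, and it assumes authorized APs use fixed channels.

```python
from dataclasses import dataclass

# Constructed inventory: SSID -> {BSSID: (channel, security)}.
# Assumes fixed channels; with auto-channel selection, drop that check.
AUTHORIZED = {
    "CorpWiFi": {
        "aa:bb:cc:00:00:01": (36, "WPA2-Enterprise"),
        "aa:bb:cc:00:00:02": (149, "WPA2-Enterprise"),
    },
}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str

# Constructed scan results as a monitoring sensor might report them.
SCAN = [
    Beacon("CorpWiFi", "aa:bb:cc:00:00:01", 36, "WPA2-Enterprise"),
    Beacon("CorpWiFi", "DE:AD:BE:EF:00:01", 6, "Open"),
    Beacon("CorpWiFi", "AA:BB:CC:00:00:02", 11, "WPA2-Personal"),
    Beacon("CoffeeShop", "11:22:33:44:55:66", 1, "Open"),
]

def classify(beacon, inventory=AUTHORIZED):
    """Return findings for one beacon (empty list = matches the inventory)."""
    known = inventory.get(beacon.ssid)
    if known is None:
        return []  # not one of our SSIDs, so not an evil-twin candidate
    bssid = beacon.bssid.lower()
    if bssid not in known:
        return ["ssid-from-unlisted-bssid"]
    # A listed BSSID with different settings suggests a cloned MAC address.
    channel, security = known[bssid]
    findings = []
    if beacon.channel != channel:
        findings.append("channel-mismatch")
    if beacon.security != security:
        findings.append("security-mismatch")
    return findings

def suspicious(beacons=SCAN):
    """Return (bssid, findings) for every beacon that deviates."""
    return [(b.bssid.lower(), f) for b in beacons if (f := classify(b))]

if __name__ == "__main__":
    for bssid, findings in suspicious():
        print(bssid, findings)
```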
It's not guaranteed to reduce wireless security risks, but some user training can go a long way. Talk to your users about what can happen -- and what has happened -- when connecting to vulnerable or exploitive wireless environments. Encourage them to use VPN connections. Advise them to only connect to trusted wireless networks, to the greatest extent that you can. Tell them to never disable their endpoint security controls, especially their firewalls and antimalware software.
There's no amount of inherent Wi-Fi security in WPA3 or subsequent wireless security protocols that offsets poor wireless implementation and oversight. If you're smart in your approach to wireless and mobile security, you can keep your business assets under control while affording your users the computing freedom they're looking for. Ignore the known wireless vulnerabilities and you have yourself unmitigated risks that will be difficult to defend when something goes wrong. Wireless security risks are somewhat old-school, but the security spotlight is still on you and your team to mind the gaps and to see things through.