Your company is like a house and its network is like the locks on the doors of your house.
The WPA2-PSK network security protocol is just like the regular locks you use at home to keep burglars out.
However, just like robbers can find ways to pick or break regular locks, hackers can also find ways to bypass WPA2-PSK and gain access to your network.
This means that hackers can steal sensitive information from your company's network and either hold it ransom or release it into the public domain. This can be devastating for you as it can lead to financial losses and damage to your brand reputation.
To protect yourself from this kind of attack, you need to upgrade to a more secure network security protocol.
This post discusses the perils of still using the WPA2-PSK authentication protocol in your company.
Table of Contents
- Are You Still Using WPA2-PSK To Secure Your Company Network?
- 3 Big Reasons For Junking WPA2-PSK In 2023
- 3 Cases Offer Some Interesting Security Insights
- Hard Evidence Against WPA2-PSK
- Other risks in using WPA2-PSK in 2023?
- EAP-PEAP or EAP-TLS?
- Certificates cannot be shared, but passwords can
- No Device Restriction
- EAP-PEAP is simple to set up
- It is more difficult to distribute certificates than it is to distribute usernames and passwords
- EAP-TLS is not supported by all devices
Are You Still Using WPA2-PSK To Secure Your Company Network?
WPA2-PSK (Wi-Fi Protected Access 2 - Pre-Shared Key) is a security protocol that is used to protect wireless networks.
WPA2-PSK was introduced as part of the 802.11-2007 security amendment. The 802.11-2007 standard brought significant improvements to wireless security and is referred to as Robust Security Network (RSN).
Prior to 802.11-2007, wireless security was close to non-existent. WPA2-PSK was meant for use in home or small office environments. It uses a pre-shared key to authenticate with the wireless network.
WPA2-Enterprise, which is more secure, uses 802.1X/EAP for authentication and authorization. At a minimum, WPA2-Enterprise requires a RADIUS server.
Oftentimes, small and medium businesses who do not have the expertise or budget to set up a RADIUS server end up using WPA2-PSK as a secure method for protecting wireless access. However, as the company grows, it becomes harder to migrate from WPA2-PSK to WPA2-Enterprise.
Eventually, an IT audit by an external agency or, heaven forbid, a security incident will force the company to use a more secure authentication method.
In some cases large enterprise customers also use WPA2-PSK. This is due to the need to support devices that are critical to business which do not support any of the WPA2 Enterprise authentication mechanisms.
3 Big Reasons For Junking WPA2-PSK In 2023
WPA2-PSK is still secure enough for homes and small businesses when used with a very long pre-shared key.
However, WPA2-PSK is not secure enough for businesses handling sensitive data. WPA2-PSK also has several shortcomings that make it difficult to maintain a secure environment.
- A shared password is never secure
WPA2-PSK uses a pre-shared key for authentication. This inherently makes it less secure. Employees can share the password with people they think are trustworthy but who could be potential hackers. When an employee leaves the company, the pre-shared key needs to be changed to maintain the same level of security. This means every device that uses the pre-shared key needs to be updated, which makes it a management nightmare. The bigger the business, the more painful the process.
Some wireless vendors provide what is known as a per-user PSK. This gives each user a unique pre-shared key managed by the network administrator. While this does solve the administrative overhead of changing the PSK when an employee leaves, the wireless network is still open to weaknesses in the WPA2-PSK protocol itself.
- Brute-Force Attack
WPA2-PSK is susceptible to brute-force dictionary attacks unless the network administrator is using a very long pre-shared key. Social engineering is another way WPA2-PSK can be compromised.
- KRACK Vulnerability Case Study: One well-known example of a WPA2-PSK vulnerability is the KRACK (Key Reinstallation AttaCK) attack, which was discovered as far back as 2017.
It affected most devices that used WPA2-PSK. The vulnerability allowed an attacker to potentially intercept and read the data being transmitted over a WPA2-PSK network.
When a client joins a WPA2-PSK network, it uses a 4-way handshake to establish and agree on an encryption key. This is the key that is actually used to encrypt all the data. The pre-shared key is used only to authenticate with the network.
The attack worked by tricking the victim's device into reinstalling an already-in-use key, which allowed the attacker to decrypt the data being transmitted over the network. To carry out the attack, the attacker would need to be within range of the victim's device and the victim's device would need to be connected to a WPA2-PSK network. The attacker could then use a variety of techniques to execute the attack, such as injecting malicious packets into the network or manipulating the wireless signal to trick the victim's device into reinstalling the key.
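The key reinstallation described above, modelled as an added example (not code from the original post or from any vendor patch). A SHA-256 based toy keystream stands in for the real WPA2 cipher, and all class and function names are hypothetical. It shows why a replayed handshake message 3 makes an unpatched client reuse a nonce, and how the patched behaviour of ignoring an already-installed key prevents it.

```python
import hashlib

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy stand-in for the real cipher: keystream is fixed per (key, nonce)."""
    out, counter = b"", 0
    while len(out) < length:
        block = key + nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class VulnerableClient:
    """Pre-patch behaviour: every message 3 installs the key and resets the nonce."""
    def __init__(self):
        self.key = None
        self.nonce = 0
        self.used = []  # (key, nonce) pairs this client has transmitted with

    def on_message3(self, ptk: bytes) -> None:
        self.key, self.nonce = ptk, 0

    def send(self, plaintext: bytes) -> bytes:
        self.nonce += 1
        self.used.append((self.key, self.nonce))
        return xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

class PatchedClient(VulnerableClient):
    """Post-patch behaviour: a replayed message 3 with the installed key is ignored."""
    def on_message3(self, ptk: bytes) -> None:
        if ptk != self.key:
            super().on_message3(ptk)

# Constructed sample frames, not captured traffic.
FRAME_1 = b"frame one: hello"
FRAME_2 = b"frame two: secret"

def run_session(client):
    """Handshake, one frame, a replayed message 3, then a second frame."""
    ptk = hashlib.sha256(b"constructed session key").digest()
    client.on_message3(ptk)
    c1 = client.send(FRAME_1)
    client.on_message3(ptk)  # retransmitted message 3 arrives
    c2 = client.send(FRAME_2)
    nonce_reused = len(set(client.used)) < len(client.used)
    return nonce_reused, c1, c2
```

With the unpatched client both frames are encrypted under the same keystream, so the XOR of the two ciphertexts equals the XOR of the two plaintexts; with the patched client the nonce keeps counting and that relationship disappears.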
So why are we talking about this now, in late 2022?
In just the past 6 months at Consltek Inc, we ran into at least 3 customers who were still using PSK to secure their network. These were not the regular mom and pop shops with fewer than 5 people working there.
3 Cases Offer Some Interesting Security Insights
These were customers with 100 to 500 employees in multiple locations.
- Customer A: Approximately 200 employees with multiple physical office locations. "We still use PSK, but only the IT team knows what the password is. We pre-provision all devices with the wireless profile and ship it."
- Customer B: 120 employees who manage customers' PII data, with very high employee turnover and employees who are oftentimes disgruntled.
- Customer C: With 300 employees and multiple locations. Luckily they got audited and were asked to change the PSK and we successfully migrated them to EAP-TLS based authentication.
There are hundreds or thousands of customers of significant size that are still using WPA2-PSK and either think that their network is secure or are just keeping their fingers crossed.
One of the biggest security issues for wireless is the lack of physical security. A hacker could be sitting in your parking lot and trying to break into your wireless network.
Hard Evidence Against WPA2-PSK
If you still don’t believe that PSK is not safe, just Google “how to break wpa2 psk security” and you can see from the results how easy it is to crack WPA2-PSK.
You can try this at home fairly easily without spending any money, as most tools are available free of cost online.
WARNING: Just make sure that you are only breaking into your own network; otherwise you can be breaking the law and can face serious consequences.
Other risks in using WPA2-PSK in 2023?
You don’t need to have a security incident before WPA2-PSK can impact your business. You can lose serious revenue due to various other requirements.
- Business Impact: Vendor Security Requirement
More and more businesses require their vendors to be security compliant. If you are conducting business with reputable companies, you will be required to have a minimum security posture.
More and more companies are sending out security questionnaires asking vendors how they manage their security. WPA2-PSK will never be considered a good security practice and can result in you not being able to conduct business with such firms.
- Business Impact: Cybersecurity Insurance
Cybersecurity Insurance providers are forcing customers to meet strict security requirements before they renew or extend their policy. More and more businesses require their vendors to have cybersecurity insurance.
With weak wireless security, your cybersecurity insurance premium can be significantly more expensive or, worse, you may not be able to get the insurance at all.
- Business Impact: Security Audit and Certification
If your business needs to obtain a NIST or other security certification, or is currently going through a security audit, the chances are that you will not pass the audit while using WPA2-PSK as your wireless authentication mechanism.
As you have observed in this article, WPA2-PSK is a dangerous protocol to use today because of the security breaches it can potentially lead to.
Hacks for it abound on the internet. The tools to hack this type of authentication are freely available.
By proactively upgrading to a stronger network security protocol, you can protect yourself from potential hacks and keep your valuable information and reputation safe.
In the next article, we will go over WPA2-Enterprise and the EAP/802.1X framework which are more secure.
EAP-PEAP or EAP-TLS?
This is a follow-up to the previous article.
There, we discussed why it is not a good idea to continue using PSK in your business.
When you started your company, it was probably common practice to use WPA2-PSK for your wireless password. Your company grew and you hired more employees. But you still kept using the WPA2-PSK as your wireless authentication mechanism.
In the previous blog, we explained why WPA2-PSK is not a good authentication mechanism for wireless.
If you want to tighten wireless security, you need to move away from WPA2-PSK. The 802.11-2007 standard gives you two options: EAP-PEAP MSCHAPv2 or EAP-TLS.
This blog helps you understand the differences between EAP-PEAP MSCHAPv2 and EAP-TLS, how secure each of them is, and the challenges associated with transitioning away from WPA2-PSK.
EAP-PEAP is not secure anymore
EAP-PEAP MSCHAPv2 was introduced as part of the 802.11-2007 security amendment. EAP-PEAP MSCHAPv2 has been (and continues to be) the prominent authentication mechanism.
Over the years, several flaws in the EAP-PEAP MSCHAPv2 protocol have been identified. This makes cracking EAP-PEAP MSCHAPv2 easy. Look up "cracking EAP-PEAP MSCHAPV2" on YouTube. There are numerous videos on how to do it in a short period of time using freely available tools. Even if you use a very long password, it can be cracked for less than $20 using online services.
EAP-TLS uses digital certificates for identity. There is no easy way to break a certificate-based authentication mechanism.
Certificates cannot be shared, but passwords can
A user can share a password with another user to gain access to the wireless network. This can give the user access to the entire company infrastructure. Sharing a password may not be done with evil intent. The fact that it can be shared is a serious flaw in your security protocol.
A certificate issued to a user/device cannot be shared, giving it a different level of protection.
A certificate and its private key can be installed in such a way that the user is unable to export or share it. Unlike a password, a user does not need to know anything about the certificate. A provisioning tool can install it for the user.
No Device Restriction
Users can log in from any device using a username and password. The device could be a compromised one. Furthermore, a user sitting in the parking lot can log into your network or even attempt to break into it.
When EAP-TLS is used, only devices that have been provisioned with a valid certificate can connect to the network. Any device that has not been provisioned cannot connect.
EAP-PEAP is simple to set up
EAP-PEAP is less difficult to implement than EAP-TLS. This is why so many customers continue to use EAP-PEAP for authentication.
It is very simple to enable EAP-PEAP as your wireless authentication mechanism.
A PKI is required to implement EAP-TLS. For most customers, it is a massive undertaking.
A PKI must also be properly maintained. Failure of CDP/OCSP components can result in widespread network outages.
Today several vendors offer cloud-based PKI infrastructure. This eliminates the complexity of implementation and maintenance of PKI infrastructure. Some of them are now offering it at an affordable cost and making provisioning much easier.
It is more difficult to distribute certificates than it is to distribute usernames and passwords
It is simple for an IT administrator to distribute a username and password. Installing a certificate on each device takes more effort. It can be difficult to manage many device types and BYOD scenarios. When you add remote workers to the mix, you're ready to give up on EAP-TLS.
Today, some of the cloud-based PKI solution providers have solutions that will make the transition to EAP-TLS much easier. Everyone will be forced to use EAP-TLS. It is only a matter of time.
EAP-TLS is not supported by all devices
The use of EAP-TLS has grown in recent years. You may still encounter legacy devices that do not support EAP-TLS. Old printers, fax machines, and cameras are some examples. There are workarounds to keep these devices connected to the network without compromising security. Network segmentation is one example. Legacy devices should not be viewed as a major barrier to EAP-TLS adoption.
From a security standpoint, it is critical to migrate away from WPA2-PSK. EAP-PEAP MSCHAPv2 may appear to be an appealing option. But EAP-PEAP MSCHAPv2 is not secure for today's world. EAP-TLS may appear to be a bit daunting for a mid-sized business. But EAP-TLS is the right authentication mechanism for wireless. With the right technology partner, you can migrate to EAP-TLS with minimal effort.