Migrate From WPA2-PSK Before Your Company Network Gets Hacked

Posted On 9 Jan, 2023

Introduction

Your company is like a house and its network is like the locks on the doors of your house. 

The WPA2-PSK network security protocol is just like the regular locks you use at home to keep burglars out.


However, just like robbers can find ways to pick or break regular locks, hackers can also find ways to bypass WPA2-PSK and gain access to your network. 

This means that hackers can steal sensitive information from your company’s network and either hold it ransom or release it into the public domain. This can be devastating for you as it can lead to financial losses and damage to your brand reputation.

To protect yourself from this kind of attack, you need to upgrade to a more secure network security protocol.

This post discusses the perils of still using the WPA2-PSK authentication protocol in your company.


Are You Still Using WPA2-PSK To Secure Your Company Network?

WPA2-PSK (Wi-Fi Protected Access 2 – Pre-Shared Key) is a security protocol that is used to protect wireless networks. 

WPA2-PSK was introduced as part of the 802.11-2007 security amendment. The 802.11-2007 standard brought significant improvements to wireless security and is referred to as Robust Security Network (RSN).

Prior to 802.11-2007, wireless security was close to non-existent. WPA2-PSK was meant for use in home or small office environments. It uses a pre-shared key to authenticate with the wireless network. 

WPA2-Enterprise, which is more secure, uses 802.1X/EAP for authentication and authorization. At a minimum, WPA2-Enterprise requires a RADIUS server.

Oftentimes, small and medium businesses who do not have the expertise or budget to set up a RADIUS server end up using WPA2-PSK as a secure method for protecting wireless access. However, as the company grows, it becomes harder to migrate from WPA2-PSK to WPA2-Enterprise. 

Eventually, an IT audit by an external agency or, heaven forbid, a security incident will force the company to use a more secure authentication method. 

In some cases, large enterprise customers also use WPA2-PSK. This is due to the need to support business-critical devices that do not support any of the WPA2-Enterprise authentication mechanisms.

 

3 Big Reasons For Junking WPA2-PSK In 2023

WPA2-PSK is still secure enough for homes and small businesses when used with a very long pre-shared key.

However, WPA2-PSK is not secure enough for businesses handling sensitive data. WPA2-PSK also has several shortcomings that make it difficult to maintain a secure environment.

  • A shared password is never secure
    WPA2-PSK uses a pre-shared key for authentication. This inherently makes it less secure. Employees can share the password with people they think are trustworthy, but who could be potential hackers. When an employee leaves the company, the pre-shared key needs to be changed to maintain the same level of security. This means every device that is using the pre-shared key needs to be updated, which makes it a management nightmare. The bigger the business, the more painful the process.

    Some wireless vendors provide what is known as a per-user PSK. This gives each user a unique pre-shared key managed by the network administrator. While this does solve the administrative overhead of changing the PSK when an employee leaves, the wireless network is still open to weakness in the WPA2-PSK protocol itself.

  • Brute-Force Attack
    WPA2-PSK is susceptible to brute-force dictionary attacks unless the network administrator is using a very long pre-shared key. Social engineering is another way WPA2-PSK can be compromised.
     
  • KRACK Vulnerability Case Study: One well-known example of a WPA2-PSK vulnerability is the KRACK (Key Reinstallation AttaCK) attack, which was discovered as far back as 2017.

    It affected most devices that used WPA2-PSK. The vulnerability allowed an attacker to potentially intercept and read the data being transmitted over a WPA2-PSK network.

    The attack exploited a vulnerability in the WPA2-PSK protocol itself. When a client joins a WPA2-PSK network, it uses a 4-way handshake to establish and agree on an encryption key. This is the key that is actually used to encrypt all the data. The pre-shared key is used only to authenticate with the network.

    The attack worked by tricking the victim’s device into reinstalling an already-in-use key, which allowed the attacker to decrypt the data being transmitted over the network. To carry out the attack, the attacker would need to be within range of the victim’s device and the victim’s device would need to be connected to a WPA2-PSK network. The attacker could then use a variety of techniques to execute the attack, such as injecting malicious packets into the network or manipulating the wireless signal to trick the victim’s device into reinstalling the key.
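
Why reinstalling an already-in-use key is dangerous, as an added example that is not part of the original article: reinstalling the key resets the per-frame nonce, so two frames end up encrypted with the same keystream, and a patched client avoids this by refusing to reinstall a key it is already using. The Client class, the HMAC-based toy keystream (standing in for the real cipher's counter mode) and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    # Toy stand-in for CCMP's AES counter mode (assumption: HMAC-SHA256 is
    # used so the example needs only the standard library). Like the real
    # cipher, the output depends only on (key, nonce).
    out, block = b"", 0
    while len(out) < n:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical model of a Wi-Fi client's key-installation logic."""
    def __init__(self, hardened: bool):
        self.hardened, self.key, self.nonce = hardened, None, 0

    def on_handshake_msg3(self, key: bytes) -> None:
        # Message 3 of the 4-way handshake triggers key installation.
        if self.hardened and key == self.key:
            return  # fix: key already in use, keep the nonce counter
        self.key, self.nonce = key, 0  # vulnerable path resets the nonce

    def send(self, plaintext: bytes):
        self.nonce += 1
        stream = keystream(self.key, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, stream)

def simulate(hardened: bool) -> dict:
    key = b"constructed-session-key"               # constructed sample value
    p1, p2 = b"frame-one-data", b"frame-two-data"  # constructed plaintexts
    c = Client(hardened)
    c.on_handshake_msg3(key)
    n1, c1 = c.send(p1)
    c.on_handshake_msg3(key)          # retransmitted message 3 arrives
    n2, c2 = c.send(p2)
    return {"nonce_reused": n1 == n2,
            # With a reused nonce the keystream cancels: c1^c2 == p1^p2.
            "keystream_cancels": xor(c1, c2) == xor(p1, p2)}

if __name__ == "__main__":
    print("unpatched:", simulate(False))
    print("patched:  ", simulate(True))
```
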

So why are we talking about this now, in late 2022?

In just the past 6 months at Consltek Inc, we ran into at least 3 customers who were still using PSK to secure their network. These were not the regular mom-and-pop shops with fewer than 5 people working there.

 

3 Cases Offer Some Interesting Security Insights

These were customers with 100 to 500 employees in multiple locations.


  1. Customer A: Approximately 200 employees with multiple physical office locations. “We still use PSK, but only the IT team knows what the password is. We pre-provision all devices with the wireless profile and ship it.”
     
  2. Customer B: 120 employees who manage customers’ PII data, with very high employee turnover and employees who are oftentimes disgruntled.
     
  3. Customer C: 300 employees and multiple locations. Luckily, they got audited and were asked to change the PSK, and we successfully migrated them to EAP-TLS-based authentication.

There are hundreds or thousands of customers of significant size that still use WPA2-PSK and either think that their network is secure or are just keeping their fingers crossed.

One of the biggest security issues for wireless is the lack of physical security. A hacker could be sitting in your parking lot and trying to break into your wireless network.

 

Hard Evidence Against WPA2-PSK

If you still don’t believe that PSK is not safe, just Google “how to break wpa2 psk security” and you can observe from the results how easy it is to crack WPA2-PSK.


You can try this at your home fairly easily without spending any money as most tools are available free of cost online. 


WARNING: Make sure that you are only breaking into your own network; otherwise you may be breaking the law and could face serious consequences.
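
For auditing your own pre-shared key against the dictionary-attack risk described above, here is an added example that is not part of the original article. It derives the WPA2-PSK master key the standard way (PBKDF2-HMAC-SHA1 salted with the SSID) and flags weak passphrases; the deny-list, the sample SSID and passphrases, and the min_len and min_bits thresholds are assumptions constructed for illustration.

```python
import hashlib
import math
import string

# Constructed sample deny-list; a real audit would load a large wordlist.
COMMON = {"password", "12345678", "welcome123", "letmein2023"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK master key: PBKDF2-HMAC-SHA1 with the SSID as salt,
    # 4096 iterations, 256-bit output. Everyone who knows the passphrase
    # derives the same key, and each guess costs a fixed amount of work.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(),
                               ssid.encode(), 4096, 32)

def entropy_bits(passphrase: str) -> float:
    # Upper bound: assumes each character is chosen at random from the
    # character classes present. Human-chosen phrases score far lower.
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0

def audit_psk(passphrase: str, ssid: str, min_len: int = 20,
              min_bits: float = 80.0) -> list:
    # min_len and min_bits are assumed thresholds, not from the article.
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("invalid-length")  # WPA2 allows 8 to 63 characters
    if len(passphrase) < min_len:
        findings.append("too-short")
    if passphrase.lower() in COMMON:
        findings.append("in-wordlist")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("contains-ssid")
    if entropy_bits(passphrase) < min_bits:
        findings.append("low-entropy")
    return findings

if __name__ == "__main__":
    ssid = "ExampleCorp-WiFi"  # constructed sample SSID
    for psk in ("password", "examplecorp-wifi2023",
                "tq7#Vm2!xLr9@Zp4&Ns8^Kd3"):
        print(f"{psk!r}: {audit_psk(psk, ssid) or 'no findings'}")
        print("  PMK:", derive_pmk(psk, ssid).hex())
```
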

 

Other risks in using WPA2-PSK in 2023?

You don’t need to have a security incident before WPA2-PSK can impact your business. You can lose serious revenue due to various other requirements.


  • Business Impact: Vendor Security Requirement
    More and more businesses require their vendors to be security compliant. If you are conducting business with reputable companies, you will be required to have a minimum security posture.

    More and more companies are sending out security questionnaires asking vendors how they manage their security. WPA2-PSK will never be considered a good security practice and can result in you being unable to conduct business with such firms.

  • Business Impact: Cybersecurity Insurance
    Cybersecurity Insurance providers are forcing customers to meet strict security requirements before they renew or extend their policy. More and more businesses require their vendors to have cybersecurity insurance.

    With weak wireless security, your cybersecurity insurance premium can be significantly more expensive or, worse, you may not be able to get the insurance at all.

  • Business Impact: Security Audit and Certification
    If your business needs to obtain a NIST or other security certification, or is currently going through a security audit, chances are that you will not pass the audit while using WPA2-PSK as your wireless authentication mechanism.

Conclusion

As you have observed in this article, WPA2-PSK is a dangerous protocol to use today because of the security breaches it can potentially lead to.

Hacks for it abound on the internet. The tools to hack this type of authentication are available freely.

By proactively upgrading to a stronger network security protocol, you can protect yourself from potential hacks and keep your valuable information and reputation safe.

In the next article, we will go over WPA2-Enterprise and the EAP/802.1X framework which are more secure.

EAP-PEAP or EAP-TLS?

This is a follow-up to the previous article.

There, we discussed why it is not a good idea to continue using PSK in your business.

When you started your company, it was probably common practice to use WPA2-PSK for your wireless password. Your company grew and you hired more employees. But you still kept using the WPA2-PSK as your wireless authentication mechanism.

In the previous blog, we explained why WPA2-PSK is not a good authentication mechanism for wireless.

If you want to tighten wireless security, you need to move away from WPA2-PSK. The 802.11-2007 standard gives you two options: EAP-PEAP MSCHAPv2 or EAP-TLS.

This blog helps you understand the differences between EAP-PEAP MSCHAPv2 and EAP-TLS, how secure they are, and the challenges associated with transitioning away from WPA2-PSK.

EAP-PEAP is not secure anymore

EAP-PEAP MSCHAPv2 was introduced as part of the 802.11-2007 security amendment. EAP-PEAP MSCHAPv2 has been (and continues to be) the prominent authentication mechanism.

Over the years, several flaws in the EAP-PEAP MSCHAPv2 protocol have been identified. This makes cracking EAP-PEAP MSCHAPv2 easy. Look up “cracking EAP-PEAP MSCHAPV2” on YouTube. There are numerous videos on how to do it in a short period of time using freely available tools. Even if you use a very long password, it can be cracked for less than $20 using online services.


EAP-TLS uses digital certificates for identity. There is no easy way to break a certificate-based authentication mechanism.

Certificates cannot be shared, but passwords can


A user can share a password with another user to gain access to the wireless network. This can give the user access to the entire company infrastructure. Sharing a password may not be done with evil intent. The fact that it can be shared is a serious flaw in your security protocol.

A certificate issued to a user/device cannot be shared, giving it a different level of protection.

A certificate and its private key can be installed in such a way that the user is unable to export or share it. Unlike a password, a user does not need to know anything about the certificate. A provisioning tool can install it for the user.

No Device Restriction

Users can log in from any device using a username and password. The device could be a compromised one. Furthermore, a user sitting in the parking lot can log into your network or even attempt to break into it.

When EAP-TLS is used, only devices that have been provisioned with a valid certificate can connect to the network. Any device that has not been provisioned cannot connect.

EAP-PEAP is simple to set up

EAP-PEAP is less difficult to implement than EAP-TLS. This is why so many customers continue to use EAP-PEAP for authentication.

EAP-PEAP is easy to put in place. It is very simple to enable EAP-PEAP as your wireless authentication mechanism.

A PKI infrastructure is required to implement EAP-TLS. For most customers, it is a massive undertaking.

A PKI infrastructure must also be properly maintained. Failure of CDP/OCSP components can result in widespread network outages.

Today several vendors offer cloud-based PKI infrastructure. This eliminates the complexity of implementation and maintenance of PKI infrastructure. Some of them are now offering it at an affordable cost and making provisioning much easier.

It is more difficult to distribute certificates than it is to distribute usernames and passwords


It is simple for an IT administrator to distribute a username and password. Installing a certificate on each device takes more effort. It can be difficult to manage many device types and BYOD scenarios. When you add remote workers to the mix, you’re ready to give up on EAP-TLS.

Today, some of the cloud-based PKI solution providers have solutions that will make the transition to EAP-TLS much easier. Everyone will be forced to use EAP-TLS. It is only a matter of time.

EAP-TLS is not supported by all devices

The use of EAP-TLS has grown in recent years. You may still encounter legacy devices that do not support EAP-TLS. Old printers, fax machines, and cameras are some examples. There are workarounds to keep these devices connected to the network without compromising security. Network segmentation is one example. Legacy devices should not be viewed as a major barrier to EAP-TLS adoption.

Summary

From a security standpoint, it is critical to migrate away from WPA2-PSK. EAP-PEAP MSCHAPv2 may appear to be an appealing option. But EAP-PEAP MSCHAPv2 is not secure for today’s world. EAP-TLS may appear to be a bit daunting for a mid-sized business. But EAP-TLS is the right authentication mechanism for wireless. With the right technology partner, you can migrate to EAP-TLS with minimal effort.

If you would like to get a free 30 minute consultation on your migration needs, don’t hesitate to reach out to us.

 

    Article by:

    Rajesh Haridas

    Rajesh Haridas is the founder and CEO of Consltek. He brings in 20+ years of experience working in the technology industry.

    Category:
    Security