10 Nov
Another nail in the wireless security coffin
It’s been a tough couple of months for Wi-Fi security. Last month I blogged about a new Russian brute force password attack against WPA Pre-shared key mode (WPA-PSK, also known as personal mode). Last week German graduate students Erik Tews and Martin Beck upped the ante when they revealed a new attack against the Temporal Key Integrity Protocol (TKIP) encryption in the original flavor of WPA that weakens the security around certain types of traffic, especially short packets. Glenn Fleishman at Ars Technica has written a great overview that outlines how Tews and Beck leveraged weaknesses stemming from the original WEP design and the 802.11 QoS implementation to attack TKIP.
The team behind Aircrack-ng, a popular wireless hacking tool, has already released code that utilizes this attack, and a handy tutorial is also available. It’s highly likely that networks are already falling to this attack.
Despite some misguided press, this new attack doesn’t negate WPA or TKIP encryption completely. What it does allow is for an attacker to decrypt, re-encrypt and inject short packets into vulnerable networks in only a few minutes using the Aircrack-ng tool. This in turn opens the door for DNS and ARP poisoning, which are common stepping stones used by an attacker breaking into a target wireless network.
Many 802.11 Wi-Fi access points support WPA2, which replaces TKIP with the more robust CCMP using AES encryption, and this provides an immediate fix for some networks.
The recommendation from my previous blog posting still stands: deploy WPA2 Enterprise now to protect your wireless network. WPA2 Enterprise removes the weaknesses of sharing WPA keys and also uses CCMP with AES encryption, so it’s the best of both possible worlds. Adding an extra layer of defense around network access for employees and guests is long overdue for most Wi-Fi networks.
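To find access points that still offer TKIP or pre-shared keys, an audit can read the security elements each AP advertises in its beacons. The following is an added example, not code from the original post: the function names and the two sample byte strings are constructed for illustration, and the parser assumes it is given the raw tagged elements of a beacon frame.

```python
import struct

# Suite selector types from IEEE 802.11 (OUI 00-0F-AC in the RSN element,
# 00-50-F2 in the original WPA vendor element).
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"

def _suites(body, off, oui, names):
    """Read a little-endian count followed by that many 4-byte suite selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    out = []
    for _ in range(count):
        sel = body[off:off + 4]
        if len(sel) < 4:
            raise ValueError("truncated suite list")
        out.append(names.get(sel[3], "unknown") if sel[:3] == oui else "vendor")
        off += 4
    return out, off

def audit_ies(ies):
    """Walk a beacon's tagged elements and report TKIP / PSK exposure."""
    findings, off = [], 0
    while off + 2 <= len(ies):
        eid, length = ies[off], ies[off + 1]
        body = ies[off + 2:off + 2 + length]
        off += 2 + length
        if eid == 48:                                        # RSN element (WPA2)
            proto, oui = "WPA2", RSN_OUI
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":   # WPA vendor element
            proto, oui, body = "WPA", WPA_OUI, body[4:]
        else:
            continue
        try:
            pairwise, pos = _suites(body, 6, oui, CIPHERS)   # skip version + group suite
            akms, _ = _suites(body, pos, oui, AKMS)
        except (struct.error, ValueError):
            findings.append((proto, "malformed element"))
            continue
        if "TKIP" in pairwise:
            findings.append((proto, "TKIP offered as pairwise cipher"))
        if "PSK" in akms:
            findings.append((proto, "pre-shared key authentication"))
    return findings

# Constructed samples: a CCMP-only 802.1X RSN element, and a WPA element with TKIP + PSK.
GOOD = bytes.fromhex("30140100000fac040100000fac040100000fac010000")
WEAK = bytes.fromhex("dd160050f20101000050f20201000050f20201000050f202")
```

An empty result for an access point means it advertises neither TKIP nor a pre-shared key, which is the WPA2 Enterprise configuration recommended above.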
With our recent 1.2 release for the Napera N24, we made this choice very easy for our customers. Using the Napera N24 to deploy WPA Enterprise doesn’t require knowledge of RADIUS, EAP, 802.1X or self-signed certificates. Previously, WPA Enterprise deployments included all of these components plus the need to deploy certificates to end-user PCs. The Napera N24 was designed with a RADIUS server and a valid certificate built in, so the pain involved with deploying new servers and homegrown certificates can be bypassed entirely.
Most businesses have voted for the productivity, cost and mobility advantages of wireless networks. The challenge for IT managers is to ensure the security of those networks remains uncompromised. Wireless security will continue to be a moving target, but businesses that still rely on WEP or older flavors of WPA are putting themselves at risk unnecessarily.

