Protection for when network users access applications off-site

WPA2-PSK is Not Good Enough

News Education

WPA2-PSK is Not Good Enough

In this day and age, employees are accessing their corporate resources wherever they can get a strong wireless signal, whether it be a public hotspot, an airport, or a friend’s apartment. Methods of authentication based on a pre-shared key (PSK) are most often found in these types of environments because they are simple to implement and only involve remembering a single password.

However, most people are unaware of how dangerous PSK networks can be. We often hear from network managers who feel WPA2-PSK network security is sufficient because they are able to move their sensitive data to the cloud. What many fail to realize is that just because your data is in the cloud does not mean in is inaccessible by outside actors.

Below highlights all the ways WPA2-PSK is vulnerable.

WPA2-PSK Vulnerabilities

When your WPA2-PSK is compromised, hackers can easily access your network’s Layer 2 (the OSI layer that is used to transfers data between adjacent nodes). Below are just some of the actions a hacker is capable of with Layer 2 access:

  • Address Resolution Protocol (ARP) Attacks
  • Content Addressable Memory (CAM) Table Overflows
  • Spanning Tree Protocol (STP) Attacks
  • Media Access Control (MAC) Spoofing
  • Switch Spoofing
  • Double Tagging
  • Cisco Discovery Protocol (CDP) Reconnaissance
  • Dynamic Host Configuration Protocol (DHCP) Spoofing

PSKs are incredibly easy to steal and someone can wreak havoc on a network if they obtain access. Distributing a single password for network access in a WPA2-Personal environment requires putting a lot of good faith on each user that they will keep the password confidential. A single credential is quickly shared with outsiders when a dedicated guest network isn’t available. The more a credential is shared and distributed to unapproved network users, the greater chance of it falling into nefarious hands.

Even organizations that utilize unique credentials for every user run into similar credential-based issues. While this does increase the difficulty for an outsider to obtain a password, it falls prey to many of the same issues and attacks.

Since the network relies on the user to uphold high security standards, it has many of the same risks as WPA2-Personal. Users can still share passwords with outsiders, risk losing their credential from writing it down, or fall victim to the inefficiencies of password expiration policies.

Dictionary attacks and over-the-air attacks can be performed and are made only slightly harder with multiple unique credentials in use. If a malicious intruder obtains the PSK and captures the key handshake when a device joins the network, that individual can decrypt ALL of that particular device’s traffic.

art visualization of credential theft

WPA2-PSK Is Terrible For End User Experience

Work can come to a halt if just Slack or Google Docs is down. When the Internet is down? You can kiss productivity goodbye. When someone steals a PSK, they can take down a network for days, or even weeks. According to the 2019 Verizon Data Breach Investigations Report, 29% of 2019 network breaches involved the use of stolen credentials. If someone is intent on attacking your company, using a credential is an efficient avenue to gain access. Is the ease of WPA2-PSK worth losing countless days employees can access internet in the office?

That’s just half the battle. Resolving the issue of a lost or stolen credential requires resetting it. In a WPA2-Personal network, this means every network user must reset and reconnect all their devices. This places a heavy burden on any organization’s IT department and can be a nightmare for the network administrator. Reconfiguration of all connected devices must take place quickly in order to avoid any disruption in wireless access.

A lack of visibility into who is accessing your corporate network is another shortcoming of PSK wireless security. Being unable to guarantee the identity of your users or the type of devices in your environment makes your network almost impossible to manage, and attempting to provide oversight into authorized users can be a disaster.

Overall, credential-based authentication is an inferior form of network security. What’s a stronger alternative?

Better Alternatives to WPA2-PSK

Setting the stage on why PSK is used is important when introducing the latest and greatest standard in use today; 802.1X authentication with WPA2-Enterprise encryption. Instead of using credentials, 802.1x allows for authentication through certificates (think Active Directory or LDAP). Although it can be argued that implementing 802.1x is difficult due to the requirement of a RADIUS server and more stringent configuration requirements, most organizations already have the back-end infrastructure in place (a Microsoft domain for example), that makes setting up 802.1x a breeze.

Certificate-based authentication relies on EAP-TLS with server certificate validation, which makes it near impervious to over-the-air attacks. The encrypted EAP tunnel blocks any unauthorized access to information being sent for authentication, and server certificate validation ensures identifying information is only ever sent to the correct RADIUS.

A barrier to entry for many organizations is the stigma that certificates are complicated for both the user and organization to properly configure. Allowing users to manually configure for certificates is a mistake considering the process involves several complicated steps that require high level IT knowledge to understand.

SecureW2’s JoinNow onboarding solution simplifies the process for all involved. For the organization’s IT department, the solution is a plug-n-play system that can be configured within hours to distribute certificates. Once the onboarding software has been distributed to users, the organization will see a marked decrease in connection-related support tickets.

On the end user side, the process to get a device configured for certificates is simplified immeasurably. The process is reduced to a few straightforward steps designed for any network user to complete accurately. Once the user is equipped with a certificate, their device will automatically and securely authenticate whenever they are in range of the network and will stay connected for the life of the certificate.

Bottom line: 802.1x authentication with WPA2-Enterprise encryption is the BEST way to keep your wireless network safe. Don’t delay – SecureW2 offers affordable options for organizations of all shapes and sizes. Click here to inquire about pricing.