
WPA2-PSK is Not Good Enough

In this day and age, employees are accessing their corporate resources wherever they can get a strong wireless signal, whether it be a public hotspot, an airport, or a friend’s apartment. Methods of authentication based on a pre-shared key (PSK) are most often found in these types of environments because they are simple to implement and only involve remembering a single password.

However, most people are unaware of how dangerous PSK networks can be. We often hear from network managers who feel WPA2-PSK network security is sufficient because they have moved their sensitive data to the cloud. A survey found that 74% of IT decision makers whose organizations had been breached in the past said the breach involved privileged access credential abuse.

What many fail to realize is that just because your data is in the cloud does not mean it is inaccessible to outside actors. Just because credentials are sent to the cloud does not mean they aren’t susceptible to over-the-air credential theft. Check out how a SecureW2 client upgraded their network infrastructure to securely authenticate from the cloud.

If you’re ready to upgrade from WPA2-PSK, try a free demo of our WPA2-Enterprise 802.1x cloud platform. If you still need some convincing, read on.

WPA2-PSK Configuration Guide

A primary reason WPA2-PSK is so commonly used is the straightforward and fast process for setting it up. Organizations with a limited budget and IT resources can quickly configure this network following these simple steps.

  1. Access your network’s access point configuration page by entering its IP address in a browser
    1. Check your AP manual for the exact address; common defaults are 192.168.1.1 or 192.168.0.1
  2. Enter your admin username and password to access the settings
  3. Select the Wireless Settings
  4. In the Security Options section, select WPA2-PSK as the security type
  5. Enter the passphrase (ASCII characters) that will be required to join the network
  6. Click Apply to save your settings


WPA2-PSK Vulnerabilities

When your WPA2-PSK is compromised, hackers can easily access your network’s Layer 2 (the OSI layer that is used to transfer data between adjacent nodes). Below are just some of the actions a hacker is capable of with Layer 2 access:

  • Address Resolution Protocol (ARP) Attacks
  • Content Addressable Memory (CAM) Table Overflows
  • Spanning Tree Protocol (STP) Attacks
  • Media Access Control (MAC) Spoofing
  • Switch Spoofing
  • Double Tagging
  • Cisco Discovery Protocol (CDP) Reconnaissance
  • Dynamic Host Configuration Protocol (DHCP) Spoofing


PSKs are incredibly easy to steal, and someone who obtains one can wreak havoc on a network. Distributing a single password for network access in a WPA2-Personal environment requires placing a lot of good faith in each user to keep the password confidential. A single credential is quickly shared with outsiders when a dedicated guest network isn’t available, and the more a credential is shared with unapproved network users, the greater the chance of it falling into nefarious hands.

Even organizations that utilize unique credentials for every user run into similar credential-based issues. While this does increase the difficulty for an outsider to obtain a password, it falls prey to many of the same issues and attacks.

Since the network relies on the user to uphold high security standards, it has many of the same risks as WPA2-Personal. Users can still share passwords with outsiders, expose their credential by writing it down, or fall victim to the inefficiencies of password expiration policies.

Dictionary attacks and over-the-air attacks can be performed and are made only slightly harder with multiple unique credentials in use. If a malicious intruder obtains the PSK and captures the key handshake when a device joins the network, that individual can decrypt ALL of that particular device’s traffic.


WPA2-PSK Is Terrible For End-User Experience

Work can come to a halt if just Slack or Google Docs is down. When the Internet is down? You can kiss productivity goodbye. When someone steals a PSK, they can take down a network for days, or even weeks. According to the 2019 Verizon Data Breach Investigations Report, 29% of 2019 network breaches involved the use of stolen credentials. If someone is intent on attacking your company, using a credential is an efficient avenue to gain access. Is the ease of WPA2-PSK worth losing days of employees’ internet access in the office?

That’s just half the battle. Resolving the issue of a lost or stolen credential requires resetting it. In a WPA2-Personal network, this means every network user must reset and reconnect all their devices. This places a heavy burden on any organization’s IT department and can be a nightmare for the network administrator. Reconfiguration of all connected devices must take place quickly in order to avoid any disruption in wireless access.

A lack of visibility into who is accessing your corporate network is another shortcoming of PSK wireless security. Being unable to guarantee the identity of your users or the type of devices in your environment makes your network almost impossible to manage, and attempting to provide oversight into authorized users can be a disaster.

Overall, credential-based authentication is an inferior form of network security. What’s a stronger alternative?

Better Alternatives to WPA2-PSK

Setting the stage on why PSK is used is important when introducing the latest and greatest standard in use today: 802.1x authentication with WPA2-Enterprise encryption. Instead of relying on a shared password, 802.1x allows for authentication through certificates backed by your existing identity infrastructure (think Active Directory or LDAP). Although it can be argued that implementing 802.1x is difficult due to the requirement of a RADIUS server and more stringent configuration requirements, most organizations already have the back-end infrastructure in place (a Microsoft domain, for example), which makes setting up 802.1x a breeze.

Secure Your 802.1x Network With EAP-TLS Authentication

Certificate-based authentication relies on EAP-TLS with server certificate validation, which makes it near impervious to over-the-air attacks. The encrypted EAP tunnel blocks any unauthorized access to information being sent for authentication, and server certificate validation ensures identifying information is only ever sent to the correct RADIUS server.
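The server certificate validation described above is a client-side setting that is easy to leave out. As an added example (not SecureW2 code), here is a small Python audit over a constructed wpa_supplicant-style config that contrasts a WPA-EAP block with no validation against an EAP-TLS block that pins the corporate CA and the RADIUS server name; the key names are real wpa_supplicant fields, while the SSIDs, paths and identities are made up.

```python
"""Audit wpa_supplicant-style 802.1X blocks for RADIUS server-certificate validation.
Added example, not SecureW2 code; the sample config below is constructed."""
import re

# Constructed sample: a WPA-EAP block with no server validation, and an EAP-TLS
# block that pins the corporate CA and the RADIUS server's name.
SAMPLE_CONF = """
network={
    ssid="corp-wifi-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
}
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa/alice.crt"
    private_key="/etc/wpa/alice.key"
}
"""

def parse_networks(text):
    """Return one dict per network={...} block, with quotes stripped from values."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        fields = {}
        for line in body.splitlines():
            if "=" in line:
                key, _, val = line.strip().partition("=")
                fields[key] = val.strip('"')
        nets.append(fields)
    return nets

def audit(text):
    """Map ssid -> findings for each WPA-EAP block; an empty list means it passed."""
    findings = {}
    for net in parse_networks(text):
        if "WPA-EAP" not in net.get("key_mgmt", ""):
            continue  # PSK and open networks are out of scope for this check
        checks = [
            ("ca_cert" in net, "no ca_cert: any RADIUS server certificate is accepted"),
            ("domain_suffix_match" in net or "altsubject_match" in net, "no server name match: any certificate from the CA is accepted"),
            (net.get("eap") == "TLS", "not EAP-TLS: a reusable password is sent through the tunnel"),
        ]
        findings[net["ssid"]] = [msg for ok, msg in checks if not ok]
    return findings
```

Without `ca_cert` and a name match, a supplicant will complete the TLS handshake with whichever RADIUS server answers, which is exactly the over-the-air exposure the paragraph above warns about.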

A barrier to entry for many organizations is the stigma that certificates are complicated for both the user and the organization to configure properly. Leaving users to configure certificates manually is a mistake, considering the process involves several complicated steps that require high-level IT knowledge to understand.

SecureW2’s JoinNow onboarding solution simplifies the process for all involved. For the organization’s IT department, the solution is a plug-n-play system that can be configured within hours to distribute certificates. Once the onboarding software has been distributed to users, the organization will see a marked decrease in connection-related support tickets.

On the end-user side, the process to get a device configured for certificates is simplified immeasurably. The process is reduced to a few straightforward steps designed for any network user to complete accurately. Once the user is equipped with a certificate, their device will automatically and securely authenticate whenever they are in range of the network and will stay connected for the life of the certificate.


Bottom line: 802.1x authentication with WPA2-Enterprise encryption is the BEST way to keep your wireless network safe. Don’t take our word for it – try it yourself with our free demo!


Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.
