Brad Call, Systems Specialist at Internal IT and Wi-Fi security expert discusses the security issues around user access to Wi-Fi and the security protocols every IT team should be using.
In October, Greg Mooney first met Brad Call at his Spiceworld 2017 session in Austin, Texas. Brad's session was a blueprint on the Wi-Fi security, so Greg was immediately interested in getting Brad onto the Defrag This podcastt. You can check out Brad's blog post series about his session and dive deeper into the nuances of Wi-Fi security on the Internal IT website.
The Biggest Challenges in Wi-Fi Security
One of the biggest challenges we face as IT professionals is getting our users to take wi-fi security as seriously as we do. Of course, for mobile devices, data is a safer choice than an open wi-fi connection or a random hotspot. But, even though data plans are getting bigger and cheaper, a lot of people still prefer to use wifi instead.
Part of the problem with this is that wifi is inherently insecure. And one of the biggest stumbling blocks to explaining that to our users is how technical the security protocols that are in place to mitigate the risks can seem to those unfamiliar with them.
Education and training is the best hope we have of moderating wi-fi insecurities.
With that in mind, let’s unwrap some of the history and features of the three major wi-fi security protocols to see how we got here.
Wired Equivalent Privacy (WEP) is the oldest of the major wi-fi security protocols. It was released in the late 1990s.
It was better than nothing, but WEP came with an inherent flaw: RC4.
RC4 is a stream cipher that is great for its simplicity and speed, but it requires key generators to be kept in sync at both ends of the data delivery. Because packet loss is expected, using this cipher required some kind of fix.
The “fix” in this case was including a master key surrounded by random data with every packet. That’s not great for security.
WEP has since been replaced by the two security protocols below, but it is still an available option. There’s not really a good reason for this, as it’s been broken for two decades.
But, it’s important for users to know that this is an option so they also know not to use it.
In 2003, Wireless Protected Access 1 (WPA1) was released. It wasn’t really a “replacement” for WEP because the real replacement was in the works.
However, it was a stop gap to mitigate some of the issues with WEP mentioned above. It still used RC4, but now there was a better fix. By using the Temporal Key Integrity Protocol (TKIP) a dynamic key was generated and included in each packet instead of using a master key with every packet.
One of the main benefits of WPA1—aside from being slightly more secure than WEP—was that it didn’t require costly hardware updates to be implemented. Although most access points did need to be replaced to support it, legacy hardware could support WPA1 with a simple firmware upgrade.
Even when WPA1 was released, the Wireless Alliance was already working on a more permanent fix for the security issue.
In 2004, the Wireless Broadband Alliance released that replacement in the form of WPA2.
This required new hardware on both the client and access point side, but it was more secure than its predecessors as it no longer used the flawed RC4 cipher.
Instead, it utilizes Advanced Encryption Standards (AES), which also allowed for a replacement for TKIP called Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), which is an AES-based encryption mode.
There is still an authentication key, but it’s much more secure than either WEP or WPA1. Today, WPA2 is standard, and it’s still the best option we have.
That doesn’t mean it’s perfect, but what your users really need to take away is that WPA2 is what they need to use to keep wi-fi risks as low as possible.
Obviously after a decade of using the same technology it’s time for something new.
No word yet on what that may be, though. In the meantime, we just have to focus on continued education for our users to keep the risk posed by wi-fi insecurity as low as possible.
This post is based on an interview with Brad Call, wi-fi expert and consultant for Internal IT.
You can find this interview and many more, by subscribing to Defrag This.