7 Wi-Fi vulnerabilities beyond weak passwords
By Eric Geier (Our Owner & Lead Wi-Fi Consultant)
Originally published on NetworkWorld
To keep private Wi-Fi networks secure, encryption is a must-have -- and using strong passwords or passphrases is necessary to prevent the encryption from being cracked. But don’t stop there! Many other settings, features and situations can make your Wi-Fi network as much or even more insecure as when you use a weak password. Make sure you’re not leaving your network vulnerable by doing any of the following.
1. Using a default SSID or password
Your Wi-Fi network’s name, called the service set identifier (SSID), can make your network less secure. If you leave the default SSID for your router or wireless access point (AP), such as linksys or dlink, it can increase the chances of someone successfully cracking the Wi-Fi password. This is because dictionary-based cracking depends upon the SSID, and a default or common SSID makes it a bit easier. So do not use any default SSID; instead, carefully choose your own.
Keep in mind that some wireless routers with a seemingly unique default SSID -- such as those that include the router’s model number, serial number or MAC address -- can be security risks as well. This is because they may have a default Wi-Fi password that’s associated with some other attribute that someone could detect by snooping on your communications.
For instance, my ISP’s gateway has a default SSID of TG1672G02, which is the model number of the gateway. Someone could research hacking methods for that particular model. Furthermore, the default Wi-Fi password is TG1672G1E1F02, which includes that same model number along with a portion of the gateway’s MAC address. Since that MAC address is also broadcast via the airwaves and can easily be detected by snoopers, a hacker would have everything needed to figure out my password. So in these cases, you should change both the default SSID and the default password.
Revealing the location of your Wi-Fi network in the SSID may also make your network more susceptible to attacks, most notably in densely populated areas like shared office buildings or office complexes. For instance, say a hacker is driving around looking for a wireless network to hack, and she sees 10 different SSIDs in a certain area. She’d likely choose from the SSIDs that reveal their source, so she knows who she’s hacking and can position herself to get closer to that particular Wi-Fi signal. Being closer to the Wi-Fi signal means a higher chance that she can successfully send and receive with that network.
Consider omitting any identifying details, such as a business name or address, in the SSID, especially if there are multiple networks nearby.
2. Not physically securing the APs and network hardware
You could implement the best Wi-Fi security protocols in the world, and they could still easily be bypassed if someone gets physical access to your wireless access points or other network components. For instance, if you have an AP sitting on a table in an unlocked room, someone could come in as a visitor and, with the touch of a button, quickly reset the AP to factory default settings, opening up unsecured access to the network. Or if there’s an open network port in the lobby or waiting area, someone could quickly plug in a rogue AP, giving himself unsecured or even secured wireless access to the network.
Ensure that the main network components, including the modem, router and switch, are secured in a locked room or closet, and that the rest of the network and components are physically secure and out of reach, especially in any public areas of the building. Furthermore, consider disabling any unused wall and switch ports.
3. Having a shared Wi-Fi network password
This is mostly an issue for networks using the personal or pre-shared key (PSK) mode of Wi-Fi Protected Access I or II (WPA or WPA2) security. In a PSK setup, everyone uses the same Wi-Fi password to connect to the wireless network, so there isn’t a good way to control individual user access.
For instance, if an employee leaves the company or if a wireless device configured with the Wi-Fi password is stolen, the ex-employee or device thief could easily access the network. Of course, you should change the Wi-Fi password after events like this, but that can be a real hassle for you and your users.
If you use the enterprise or 802.1X mode of WPA or WPA2 security -- and you should be using WPA2 -- each user can be assigned his own login credentials for the Wi-Fi. That way if an employee leaves the company or a device becomes lost or stolen, you can individually revoke or change his password.
4. Using WPS PIN authentication
A feature included in most wireless routers and some business APs, called Wi-Fi Protected Setup (WPS), is supposed to make securing networks easier, but it can actually pose some serious security risks. A vulnerability in the PIN authentication method of WPS makes it easy to crack the 8-digit PIN and retrieve the password when the personal mode of security is being used, thus allowing someone into the network.
This vulnerability is another reason why businesses should use the enterprise mode of WPA2 security, as the WPS feature doesn’t work with that mode. If that’s not possible, you should consider disabling WPS on your wireless routers or APs if possible. Since the WPS PIN vulnerability was discovered in late 2011, vendors have had time to update the WPS technology to help patch this security hole; however, it’s best to err on the side of caution.
5. Allowing users to connect to neighboring Wi-Fi networks
One lesser-known vulnerability is users accidentally connecting to neighboring Wi-Fi networks while in the office. The problem with this is that laptops and other wireless devices that employees connect to other networks are then vulnerable, and their data could potentially be accessed by users on that other network.
Employees or their wireless devices can also be tricked into connecting to other networks if someone sets up a rogue AP, evil-twin AP, or honeypot network to perform man-in-the-middle attacks. These types of attacks can be combated by having rogue AP detection on your network and employing server verification with the enterprise mode of WPA2, which I’ve discussed in a previous article.
Another situation to consider is employees knowingly connecting to neighboring networks, such as a nearby public hotspot or an open residential network. They might do this for better Wi-Fi signals and faster internet, or even for unrestricted internet access if your network has content filtering. You can try to prevent this by ensuring that your Wi-Fi signal and performance is always good, educating users on the risks of using other networks, and even blocking networks on Windows laptops and devices with netsh or group policy (see instructions).
6. Permitting user-to-user snooping
While it’s a given that you must encrypt your network from outsiders, you also need to consider threats from within. When using the personal mode of WPA or WPA2, anyone with the password can snoop on the wireless traffic of the other users. Traffic captured from a network analyzer (like Wireshark) in raw form is hard for most to understand, but there are password sniffers (like SniffPass) and session hijacking tools out there (like Firesheep or FaceNiff) that make “hacking” easy for anyone.
Password sniffers typically list usernames and passwords for any logins on the network passing the credentials via clear-text, such as unencrypted websites (HTTP), email servers (POP3/IMAP) and file transfers (FTP).
Session hijacking tools work differently. They scan the network for people logging into websites that don’t encrypt the entire login process and look for a certain cookie passed with the website to gain access to that user’s website session. So with a few clicks or taps, someone could access another user’s account without knowing the actual password.
Keep in mind, users on a network protected with the enterprise mode of Wi-Fi security can’t see other users’ traffic. So the enterprise mode would prevent users from performing password sniffing and session hijacking.
7. Allowing unauthorized access via misconfigured VLANs
Most wireless routers have a guest feature designed to provide visitors with access to only the internet and maybe select portions of the local network, protecting your private network and computers. On business-class routers, switches and APs, you can emulate this functionality by configuring virtual LANs and multiple SSIDs.
For either method, it’s wise to verify that the private network is truly secure while on the guest access: Just after installing a network and periodically afterward, connect to the guest network, browse the network and run some pings to ensure it’s all working as planned and you can’t access anything you shouldn’t.