WPA2 Personal is dead. If you want "protection" while you access the net, you should just do it the old fashioned way... (just kidding)
Copyright 2015 Imperial Network Solutions, LLC
I’ve blogged in the past on Wi-Fi Sense in Windows 10 (http://www.emperorwifi.com/2015/06/wi-fi-sense-how-microsoft-has.html). Now, you can get the same functionality on Google Android devices with a Chinese app called Wi-Fi Master Key: http://www.enterprisetimes.co.uk/2015/10/29/who-needs-wifi-passwords/
Wi-Fi Master Key works ostensibly the same way as Wi-Fi Sense.
With both systems, the SSID and passphrase are stored centrally and then the passphrase is shared directly with your device. The focus of these services is on security for the user, not security for the network. Both systems claim security because the user never sees the WPA2 passphrase. This is little comfort to network administrators, because these users get authenticated to the network whether they explicitly know the passphrase or not.
The user is also “isolated” from the network. In Wi-Fi Sense, this is really only one-way: the connected network is considered “public” in Windows, and firewall rules are set up to prevent anything else on the network from accessing the PC. However, the connected PC can still access anything and everything else on the network. Wi-Fi Master Key claims similar isolation functionality, which appears to use a similar firewall mechanism, because the app can only control its own device, not the network.
In Wi-Fi Sense, the default settings are to share the network with all of your Facebook and Skype friends, though you have to explicitly agree via a popup. With Wi-Fi Master Key, it appears that sharing also needs to be done explicitly, though it is probably fairly easy to do so. There is not even lip service given to controlling who the information is shared with: apparently once a network is available in Wi-Fi Master Key, it is available to anyone else running the app. Once the network is shared, it is shared, and difficult to remove again.
Such apps are touted for the following types of networks:
- Public Hotspots: Such networks are usually open (i.e. no encryption key) or have a WPA2 passphrase that is publicly available and thus not a secret (see my blog on this subject: http://www.emperorwifi.com/2015/05/how-operators-can-make-hotspots-and.html)
- Private Homes: Wi-Fi Sense is really touted for someone visiting the home of a friend or family member but too lazy to ask for the Wi-Fi passphrase. These days, most consumer Wi-Fi routers come with a “guest network” feature so you can establish a secondary SSID for visitors that is isolated from your main network, though this assumes the consumer will be able to figure out and properly implement this feature, and not leave their device broadcasting “linksys” on Channel 6.
Large enterprises generally implement WPA2 Enterprise, which uses a back-end database implementing RADIUS to control what devices are on the network, and each user and/or device has its own unique set of credentials (either installed certificates or username/password information). Large enterprises also tend to have mobile device management (MDM) systems to either control what devices are on the network, or at least control which applications are allowed (with particular settings) or banned. As a result, large corporate and government networks are immune to these types of Wi-Fi password sharing applications.
The challenge with WPA2 Enterprise, however, is that it takes a lot of IT resources to set up and maintain the database. While large corporations have the knowledge, resources, and funds to do this, most small/medium businesses (SMBs) do not. SMBs generally do not have the IT resources (knowledge or funds) to set up WPA2 Enterprise and MDM systems, and so rely on WPA2 Personal (i.e. a shared passphrase) for the Wi-Fi security of their business. Most SMBs also have fairly liberal bring-your-own-device (BYOD) policies, and it only takes one user with one device sharing the Wi-Fi credentials to compromise the security of the network. To complicate matters further, most consumer and IoT network devices may not even support WPA2 Enterprise.
So what are SMBs to do? There are limited options:
- VLANs: Segment your business network from your guest network, and only allow BYOD on your guest network (http://www.emperorwifi.com/2015/05/vlans-why-you-always-want-to-use-them.html). This may require some network hardware as well as configuration upgrades, and may not even be practical for some businesses. This also won’t completely protect you if you need some of those BYOD devices on your corporate network for your daily operations.
- PPSK: Implement a Wi-Fi solution with personal pre-shared keys (PPSK), so that each user or device gets its own passphrase on the same SSID. Unfortunately, there are only a few enterprise AP vendors (e.g. Cisco, Aerohive, Ruckus) that offer this functionality, and while I’m sure they all want to sell in the SMB space, their pricing and complexity are generally prohibitive for the SMB market. Devin Akin has a good blog on PPSK and its relevance to IoT (http://divdyn.net/iot-fly/).
The reality is that both VLANs and PPSK will ultimately be required. AP vendors who focus on the SMB market generally support VLANs today and will ultimately offer integrated PPSK solutions. Such solutions may be slow to appear, however, so I wouldn't be surprised to see one or more plucky startup firms try to fill this security void. Watch this space.
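As an added illustration (not from the original post, and not any vendor's product), here is what the combination of PPSK and VLANs looks like on an open-source access point running hostapd, which supports per-device pre-shared keys through its wpa_psk_file and per-station VLAN assignment through dynamic_vlan and vlan_file. Interface names, MAC addresses, VLAN IDs and passphrases below are constructed placeholders.

```ini
# /etc/hostapd/hostapd.conf  (added example; names and values are placeholders)
interface=wlan0
ssid=SMB-Office
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# No single wpa_passphrase for the SSID: every key lives in the per-device file.
wpa_psk_file=/etc/hostapd/hostapd.wpa_psk
# Put each station on the VLAN named in its PSK entry (untagged if none given).
dynamic_vlan=1
vlan_file=/etc/hostapd/hostapd.vlan
vlan_tagged_interface=eth0
vlan_bridge=brvlan
# Block station-to-station traffic through the AP: the "isolation" the sharing
# apps claim, but enforced by the network instead of by the client's firewall.
ap_isolate=1

# /etc/hostapd/hostapd.wpa_psk  (one line per key: optional vlanid=, MAC, key)
# Staff laptop: its own passphrase, lands on the corporate VLAN 10.
vlanid=10 02:11:22:33:44:55 staff-laptop-passphrase-01
# Printer that cannot do WPA2 Enterprise: 64-hex raw PSK, also on VLAN 10.
vlanid=10 02:aa:bb:cc:dd:ee 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# Everything else (BYOD phones, visitors) matches the wildcard MAC and is
# forced onto the guest VLAN 20. A guest key that leaks through a sharing app
# exposes only VLAN 20, and revoking any one key is deleting one line here
# rather than re-keying the whole SSID for every device.
vlanid=20 00:00:00:00:00:00 guest-passphrase-2015

# /etc/hostapd/hostapd.vlan  (VLAN ID -> interface; '#' is replaced by the ID)
10 wlan0.10
20 wlan0.20
* wlan0.#
```

Adding or removing a device is an edit to hostapd.wpa_psk; the corporate keys never need to be typed into, or shared from, a BYOD phone at all.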
Given the trend toward more Wi-Fi passphrase sharing applications, we need to accept that passphrase sharing is part of the new world order, and that WPA2 Personal is no longer sufficient for the needs of SMBs, or even for consumers who want to keep their network resources private.