Protecting Against Wi-Fi Eavesdropping
By default, Wi-Fi is not secure. On private networks you can enable encryption to prevent unauthorized people from connecting and reading the traffic as it travels through the airwaves, but depending upon the security mode you use, connected users may still be able to eavesdrop on each other’s traffic. And although public networks may use web-based authentication (captive portals), most don’t use actual encryption. Thus anyone nearby can eavesdrop on the hotspot traffic, even if they aren’t a paying customer.
Here I’ll discuss this Wi-Fi eavesdropping issue and share some tips on how to protect the users on your private network and how to protect yourself when using public Wi-Fi hotspots.
What Eavesdropping Can Reveal
To better understand Wi-Fi eavesdropping, you should know what someone might be able to do with the Wi-Fi traffic they capture from the airwaves. They could capture your passwords and content for services or sites you sign into that aren’t using SSL encryption, most commonly your POP3/IMAP email and FTP connections. They could also hijack your logins to unencrypted sites like Facebook and Twitter. And on private networks, they may also be able to capture file transfers.
Fortunately, people eavesdropping on your Wi-Fi traffic can’t easily capture your login credentials or hijack your sessions to services and sites using SSL encryption, like your banking sites. Those connections are still susceptible to the other known SSL vulnerabilities, but that is a whole other subject.
Protecting Yourself on Public Networks
Since most Wi-Fi hotspots don’t use encryption, providing no protection of your traffic at all, eavesdropping is likely more of a concern there than it is on private networks. In other words, take hotspot security seriously. Obviously, there’s not a Wi-Fi hacker at every hotspot, but the tools these days are so easy to use that pretty much anyone can use them. And it takes no more than a smartphone to capture your passwords or to hijack your accounts.
The best way to keep your traffic secure while on Wi-Fi hotspots is to connect to a Virtual Private Network (VPN), whether to your work’s network, a server you set up at your home, or a hosted service designed specifically for hotspot security, such as Private WiFi or Hotspot Shield. When connected to a VPN, all your Internet traffic is sent from your computer/device through an encrypted tunnel to the VPN provider’s network. Thus it’s encrypted and secured from any local Wi-Fi eavesdroppers at the hotspot.
If you can’t (or don’t prefer to) use a VPN, you should at least make sure any services or sites you use while on the hotspot are secured with SSL encryption. When SSL is used, web browsers will show an https address instead of http and will display a padlock or some other indicator. For email client programs, such as Outlook or Thunderbird, you need to make sure SSL is being used for both the POP3 or IMAP connection and the SMTP connection. However, many email providers don’t support encryption. If yours doesn’t, you may want to look into other solutions, such as Neomailbox, Hushmail, or 4Secure-mail.
Regardless of whether you’re on a public hotspot, you should always make sure any website you log onto that deals with sensitive information, or any service you use (such as email and FTP), is protected with SSL encryption. This will ensure the information passing between your computer and the site or service is secure.
Protecting Your Private Network
Though Wi-Fi eavesdropping is more of an issue when on untrusted networks, it can still be a concern on your private network. Your users should be “trusted”, but you could still have rogue employees, or even intruders, sniffing the wired network and/or wireless network. Though using the Pre-Shared Key (PSK) mode of WPA2 security (also called the Personal mode) for your wireless network encrypts the data and requires people to enter a password to connect, it still allows anyone on the network to read anyone else’s traffic.
The Enterprise mode of WPA2 security (also called the 802.1X or EAP mode), however, prevents users from reading each other’s traffic. This is because each user is given unique login credentials (username/password and/or a digital certificate) to connect to the wireless network instead of using a global password like with the Personal mode. When users log in via the Enterprise mode, they’re automatically assigned unique encryption keys that change regularly.
The Enterprise mode of WPA2 security, however, requires an authentication server, commonly called a Remote Authentication Dial In User Service (RADIUS) server. If you’re running Windows Server, you can use the Internet Authentication Service (IAS) component of Windows Server 2003 R2 and earlier or the Network Policy Server (NPS) component of Windows Server 2008 and later.
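To show why the Personal mode can’t isolate users from each other, here is an added example (written for this article, not code from the original author) that implements the WPA2 key hierarchy from IEEE 802.11i: every station derives the same Pairwise Master Key (PMK) from the shared passphrase and SSID, and each station’s Pairwise Transient Key (PTK) is then derived from that PMK plus values that cross the air in the clear during the 4-way handshake. The MAC addresses and nonces are constructed sample values; the passphrase/SSID pair “password”/“IEEE” is the one used in the standard’s own test vectors.

```python
import hashlib
import hmac

# Added example, not from the original article. Implements the WPA2
# key hierarchy defined in IEEE 802.11i. MAC addresses and nonces below
# are constructed sample values standing in for a 4-way handshake.

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Every station on a WPA2-Personal network derives this same key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """PTK from the PMK plus handshake values that are sent in the clear.
    Split into KCK (EAPOL MIC), KEK (key wrapping) and TK (data encryption)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

# Constructed sample network: one AP, two stations sharing one passphrase.
PASSPHRASE, SSID = "password", "IEEE"
AP_MAC = bytes.fromhex("021122334455")
ANONCE = bytes(range(32))
HANDSHAKES = {
    "station1": dict(sta_mac=bytes.fromhex("02aabbccdd01"), snonce=bytes([0x11] * 32)),
    "station2": dict(sta_mac=bytes.fromhex("02aabbccdd02"), snonce=bytes([0x22] * 32)),
}

def station_keys(passphrase: str, ssid: str, ap_mac: bytes, anonce: bytes, handshakes: dict) -> dict:
    """Temporal key of every station, derived from the single shared PMK and
    the public handshake values. Nothing unique to a user enters this path, so
    anyone holding the passphrase can reproduce each station's TK."""
    pmk = derive_pmk(passphrase, ssid)
    return {name: derive_ptk(pmk, ap_mac, hs["sta_mac"], anonce, hs["snonce"])["tk"]
            for name, hs in handshakes.items()}

if __name__ == "__main__":
    pmk = derive_pmk(PASSPHRASE, SSID)
    print("shared PMK:", pmk.hex())
    for name, tk in station_keys(PASSPHRASE, SSID, AP_MAC, ANONCE, HANDSHAKES).items():
        print(f"{name} TK: {tk.hex()}")
```

In the Enterprise mode, by contrast, the PMK for each session comes out of the per-user EAP exchange with the RADIUS server, so a user who knows their own credentials has no way to compute another station’s keys.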
If your current servers don’t provide RADIUS functionality, there are still many free and low-cost servers out there, such as FreeRADIUS, TekRADIUS, ClearBox, and Elektron. Some access points (like the HP ProCurve 530 or the ZyXEL NWA-3500, NWA3166 or NWA3160-N) even have embedded RADIUS servers, great for smaller networks. And if you don’t want to run your own server at all, there are hosted services, like AuthenticateMyWiFi.
As we’ve discussed, Wi-Fi eavesdropping can be a real issue on public Wi-Fi hotspots. The best way to protect yourself is by connecting to a VPN, or at least ensuring that the sites or services you log into are using SSL encryption. Then for your private network, security shouldn’t stop at the perimeter. You should also be concerned about the internal security and ensure users can’t snoop on each other’s Wi-Fi traffic. And to prevent snooping on the wired side, consider implementing Internet Protocol Security (IPsec) to authenticate and encrypt Ethernet traffic as well.