Security Vulnerabilities of Enterprise (802.1X) Wi-Fi Security
Wireless networks set up with the enterprise mode of Wi-Fi Protected Access (WPA or WPA2) security are still susceptible to attacks. Enterprise mode is far superior to the personal or pre-shared key (PSK) mode, but it has vulnerabilities of its own.
Enterprise vs Personal Security
The personal mode of WPA/WPA2 security, technically called pre-shared key (PSK) mode, is easier to set up than the enterprise mode. No extra hardware is required. You simply create a passphrase (password) on your wireless routers and/or access points and then enter it on Wi-Fi computers and devices in order to connect.
Having a single global password for all Wi-Fi connections becomes a problem when a computer is lost or stolen. The thief will have the saved password and could potentially come back to your location, connect to the Wi-Fi, and then access your files and resources. The same issue applies to employees who leave the company. They’ll have the Wi-Fi password saved in their Wi-Fi devices or could easily retrieve it from computers at the location before leaving.
The enterprise mode of WPA/WPA2 security is much more complex to set up and involves purchasing or setting up a RADIUS authentication server. This server is required for the 802.1X authentication. But it enables you to set unique usernames and passwords for Wi-Fi users. That way you can easily revoke or change the access credentials when a computer becomes lost or stolen or when employees leave the company.
Brute Force Cracking of User Passwords
The enterprise mode is still susceptible to attacks. One way a Wi-Fi hacker could potentially connect to your enterprise-secured wireless network is by cracking the user passwords via brute force dictionary attacks. Though not as simple as cracking WPA/WPA2 PSKs, it’s still possible with the right tools. They’d have to set up a fake network: an access point matching the SSID and security settings of the real network, in the hope that unsuspecting users of the real network connect to it so their login credentials can be captured. The attacker could wait for clients to connect or try to force them by sending de-authentication packets and/or using amplifiers and antennas to boost the fake signal.
The attacker would also have to set up a fake RADIUS server to capture these user login credentials. They could use the popular open source FreeRADIUS server with the FreeRadius-WPE patch. This patch modifies some of the settings so the server will accept and always respond with a successful authentication (no matter the password) for all the different EAP types and then logs the authentication requests. Within the logs, an attacker can usually see the username the client is using to connect to the real network. They wouldn’t see the user’s password but would have the challenge and response that they could run through a dictionary-based cracker to reveal the password.
Not all clients of the real network will connect to the fake network even if trying to be forced by the attacker. As I’ll discuss later, there are certain settings administrators can—but typically don’t—enable on the client to help prevent it from connecting to fake networks like these.
For the password crack, the attacker could use a command-line utility like asleap. It simply requires them to copy the challenge and response logged by FreeRADIUS and paste them into the command line. Depending upon the complexity of the user’s password and whether it contains words or phrases from the attacker’s dictionary, it may come back and display the password.
Now with a username and matching password for the enterprise-protected network, the attacker could simply connect to the Wi-Fi. And then since those credentials are usually used for other resources, the attacker would probably have user-level access to other resources inside the network.
Mobile Devices Can Lessen the Security
The rise of Wi-Fi mobile devices can make an attacker’s job even easier. This is because some devices don’t allow you to set all the authentication and server validation settings. This makes it easy for your employees to connect to your network, but it makes it easy for hackers as well.
For instance, devices that don’t ask for the EAP type (such as PEAP or TTLS) will automatically try all the supported EAP types until they find the one supported by your RADIUS server. Thus a hacker setting up a fake network and RADIUS server (as mentioned earlier) will have greater success in getting that Wi-Fi device to connect to them. Even worse, most mobile Wi-Fi devices don’t allow you to set server validation settings like Windows does (which we’ll discuss later). The user might be prompted to accept a new security certificate when connecting to a fake network like this but won’t likely understand it and will connect anyway.
Protecting Your Network Against Vulnerabilities
Here are a few ways to help protect your enterprise wireless network from hacking:
Use strong user passwords: As mentioned, the user passwords used to log onto the network are susceptible to dictionary-based cracking. Thus make sure user passwords are complex, with numbers and letters (lower and upper case), and avoid words or phrases you might find in a dictionary. Though most users won’t like it, it’s also best to use passwords at least 17 characters long to help prevent cracking.
Use strong shared secrets: The shared secrets specified in the RADIUS server and configured on each wireless AP are also a potential weak point. Create and use complex shared secrets as well. Since users don’t have to know or remember these, create long shared secrets. Most RADIUS servers and access points support up to 32 characters.
Create unique shared secrets: Make sure you specify a unique shared secret for each wireless router and/or access point, which makes them harder for hackers to crack. It’s possible to set the same one for all, but using a different one for each AP means cracking one secret does not expose the rest.
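To put the two shared-secret recommendations into practice, here is an added helper (not from the original article) that generates a distinct 32-character secret for each AP and emits matching FreeRADIUS clients.conf stanzas. The AP names and addresses are a constructed inventory; the 32-character length and the per-AP uniqueness are the article's advice.

```python
import secrets
import string

# Constructed AP inventory for the example (name -> management IP of the AP).
APS = {
    "ap-lobby": "10.0.0.11",
    "ap-floor2": "10.0.0.12",
    "ap-warehouse": "10.0.0.13",
}

# Letters and digits only: long enough to resist cracking, yet safe to paste
# into AP web forms and config files that mishandle quotes or backslashes.
ALPHABET = string.ascii_letters + string.digits


def make_secret(length=32):
    """Return a random shared secret; 32 is the common AP/RADIUS maximum."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def make_ap_secrets(aps, length=32):
    """Assign a unique secret to every AP, regenerating on the rare collision."""
    assigned = {}
    for name in aps:
        secret = make_secret(length)
        while secret in assigned.values():
            secret = make_secret(length)
        assigned[name] = secret
    return assigned


def render_clients_conf(aps, ap_secrets):
    """Render one FreeRADIUS `client` stanza per AP with its own secret."""
    stanzas = []
    for name, ip in aps.items():
        stanzas.append(
            f"client {name} {{\n"
            f"    ipaddr = {ip}\n"
            f"    secret = {ap_secrets[name]}\n"
            f"    shortname = {name}\n"
            f"}}\n"
        )
    return "\n".join(stanzas)


if __name__ == "__main__":
    ap_secrets = make_ap_secrets(APS)
    print(render_clients_conf(APS, ap_secrets))  # paste into clients.conf, then set each AP
```

Each AP then gets only its own secret entered in its RADIUS settings, so a secret recovered from one device cannot be used to impersonate the others.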
Secure client settings: To help prevent Wi-Fi computers and devices from connecting to fake enterprise networks like we discussed, set all the available server settings on the clients. For instance, here are the important ones to set in Windows when configuring the EAP properties:
- Check the Validate server certificate option and select the Trusted Root Certificate Authority from the list.
- Check the Connect to these servers option and input the domain name or IP address of the RADIUS server.
- Check Do not prompt user to authorize new servers or trusted certificate authorities.
The first two may automatically be set when connecting the first time, but you’ll likely have to manually enable the last one or use Group Policy to push the changes to domain computers.
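The following audit script is an added example, not part of the original article: it reads a Windows wireless profile exported with `netsh wlan export profile name="CorpWiFi" folder=C:\temp` and reports which of the three PEAP settings above are missing. The embedded profile is a constructed, abridged sample that mimics the exported XML layout (element names follow the MsPeapConnectionPropertiesV1 schema); the thumbprint in it is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged sample of an exported PEAP profile. Only the root CA is
# pinned; the server name is blank and the user can still accept new servers.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <Config>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>25</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
              <ServerValidation>
                <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                <ServerNames></ServerNames>
                <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
              </ServerValidation>
            </EapType>
          </Eap>
        </Config>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""


def audit_peap_profile(xml_text):
    """Return a list of findings; an empty list means all three settings are set."""
    root = ET.fromstring(xml_text)
    # {*} matches any namespace (Python 3.8+), so prefixes do not matter.
    sv = root.find(".//{*}ServerValidation")
    if sv is None:
        return ["no PEAP ServerValidation block: the RADIUS server is never validated"]

    def value(tag):
        node = sv.find("{*}" + tag)
        return (node.text or "").strip() if node is not None else ""

    findings = []
    if not value("TrustedRootCA"):
        findings.append("no trusted root CA selected (Validate server certificate)")
    if not value("ServerNames"):
        findings.append("no RADIUS server name set (Connect to these servers)")
    if value("DisableUserPromptForServerValidation").lower() != "true":
        findings.append("user may still accept unknown servers (Do not prompt user)")
    return findings


if __name__ == "__main__":
    for finding in audit_peap_profile(SAMPLE_PROFILE):
        print("WEAK:", finding)
```

Run it against every exported profile to spot clients that would silently trust the fake network described above; the same check can be applied to profiles pushed by Group Policy before deployment.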
As you’ve discovered, it’s important for businesses and organizations with more than a couple Wi-Fi users to utilize the enterprise mode of Wi-Fi security, which allows you to add/revoke/change the login credentials of Wi-Fi users from a central authentication server. But keep in mind there are still security vulnerabilities.
Remember to create strong shared secrets for each router or AP and strong passwords for users. Always set any server validation settings on the client to prevent users from falling victim to the fake network approach we discussed. Additionally, consider implementing an intrusion detection and protection system (IDS/IPS) to detect and alert you of rogue APs and fake networks nearby.