Soliton - Blog

Scary Wi-Fi: the danger of WPA2-Personal (because no: it’s not safe)

Written by Hans-Peter Ponten | May 2, 2019 12:45:00 PM

Quite some SMEs manage their Wi-Fi as if they’re at home. The connection is unprotected, easy-to-guess passwords are written down on post-its and are shared with everyone asking for access. But while security breaches on a private Wi-Fi connection are annoying, they can cause companies real pain. This is why we can’t help ourselves but wonder: if there’s so much to protect, why do companies manage their Wi-Fi as if they deal with two laptops, a tablet and some homework documents? In this article, we’ll tell you about the risks of company Wi-Fi and how to optimally secure it without it becoming a bottleneck for you and your co-workers.

Out of cable, Wi-Fi and VPN, Wi-Fi is -by far- the hardest to secure

Wi-Fi security is all about awareness

We get a lot of requests from IT managers to help them solve security problems. However, we rarely get requests to improve security on their Wi-Fi specifically. It seems that IT Managers are not always aware of the risks that come with a company Wi-Fi network. Because of all three network access methods (cable, Wi-Fi and VPN), Wi-Fi is -by far- the hardest to secure. Cable connections, after all, require the attacker to be physically present at the office, while VPN-servers often come with built-in tools to secure the authentication. Wi-Fi signals, however, travel way beyond your company walls and therefore reach people that aren’t involved in your company. This makes them harder to control, even if you’ve secured them with a password.

 

The problem lies in WPA2-Personal

Many businesses work with a Wi-Fi type called WPA2-Personal, which works with the well-known pre-shared Wi-Fi code. But the truth is that WPA2-Personal was never meant for company networks. It’s a very basic way of connecting some devices to the internet, which is fine for the average household with a couple of phones, computers and tablets. A company, however, deals with many different devices and many different users, all needing access to valuable resources. Yes, there’s the pre-shared code. But this code is shared with all users and all devices on the network and therefore almost impossible to keep secret.

 

What’s the problem?

You may wonder what’s wrong with outsiders entering your company network, apart from the fact that they’re piggybacking off your Wi-Fi connection. Well, if an outsider figures out the Wi-Fi password (which is, as said, often very easy to do), he can literally decrypt all network traffic of every other Wi-Fi user. This doesn’t necessarily mean that the attacker can understand everything that is broadcast, as traffic could be encrypted by the user. But in most company networks, there are enough systems that aren’t able to encrypt data or do this in a very bad way. As a result, it’s very easy to capture a lot of what’s in the air, which can not only lead to leakage of information but also creates attack vectors. In the worst case, outsiders gain full control over your entire network, with all that this implies.

 

But that’s not all

In some cases, outsiders don’t even have to guess or steal the Wi-Fi code. It’s possible for them to put an attack computer in monitoring mode and just listen to what’s in the air. There are a lot of tools available that help an attacker learn the pre-shared key from the encrypted data if the key is too short or too simple. And, as we mentioned before, knowledge of the pre-shared key often leads to problems. We won’t get into the details of all possible attacks, but don't be fooled: almost anybody with some basic knowledge on IT security could perform them (I bet even a fifteen-year-old could do it). Yes, it’s wise to carefully choose your pre-shared keys to make your Wi-Fi network less vulnerable for attacks, but no: it won’t change the fact that WPA2-Personal can’t live up to company security standards.

 

So, what are SMEs to do?

So far for the scare campaign. In short, WPA2-Personal is OK when used at home or in a small office, where all devices are trusted, and the users of the network do not change too often. But not in an enterprise setting. Here, the scope is too big to handle for IT managers, and the codes cannot be kept secret any more. Also, changing the codes is next to impossible due to the many users and devices around. A part of the solution lies in switching to WPA2 Enterprise, which is much more suited for company Wi-Fi. We’ll tell you how this works in our next blog blog. Read it here!

Want a sneak peek at access control done right? Download our free white paper below!