The inception of Wi-Fi technology ushered in a new sub-era in this stage of world history known as the Information Age. As if the proliferation of the Internet wasn’t earth shattering enough, Wi-Fi technology has resulted in an explosion of connectivity for millions of Americans who are ravenous for up-to-the-minute information at their fingertips.
However, as in any communication medium, certain shortcomings exist that all too often leave the innocent bystander known as the end user susceptible to certain security vulnerabilities. Before you do anything drastic, like, say, use an Ethernet connection (I know. This is crazy talk.), check out the key vulnerabilities that currently exist within the IEEE 802.11 standard. (Get some background info on 802.11 standards in 802.What? Making Sense of the 802.11 Family.)
Default configurations could probably be a topic for discussion in any computer security conversation, conference or white paper. Routers, switches, operating systems and even cellphones have out-of-the-box configurations that, if left unchanged, can be exploited by individuals who stay abreast of such things.
In the context of Wi-Fi, default configurations are especially dangerous when left as-is simply because the medium (open air) used is available to everyone within a certain geographic radius. In essence, you don't want to be the house with the unlocked doors and open windows in the middle of a bad neighborhood.
So what are some of these default configurations? Well, this really depends on the product and the vendor, but keeping everything within the context of Wi-Fi, the most prominent producer of wireless access points is Cisco. For enterprise environments, the Cisco Aironet wireless access point is commonly used, while Cisco’s Linksys line of products is commonly used for residential deployments. According to Cisco’s website, all Cisco wireless access points that use their IOS software have a default username of Cisco and a default password of Cisco. Now, disregarding the wisdom involved with publishing this little fact online, imagine the ramifications, especially for an organization. An enterprising young hacker would no doubt be eternally grateful that he need not waste precious time with a password cracker - he can dive right into sniffing an organization's wireless traffic.
The lesson? Modify the default usernames and passwords. Is this it? Actually no. While default usernames and passwords are perhaps the most glaring - not to mention dangerous - default configuration, there are others that are still worth modifying. For example, according to a study by the SANS Institute, commonly used Cisco wireless access points such as Linksys (a Cisco-owned subsidiary) and Cisco have default Service Set Identifiers (SSIDs) entitled Linksys and tsunami respectively.
Now, knowledge of a network’s SSID does not in and of itself represent a security vulnerability, but why concede any information at all to possible hackers? There's no reason to do so, so obscure as much about your organization’s network as possible, and force hackers to do a little more work.
Rogue Access Points
A rogue access point is a wireless access point that is illicitly placed within, or on the edges of, a Wi-Fi network. Within the enterprise, rogue access points are commonly referred to as insider threats, and they have typically been encountered among employees who wish to have Wi-Fi access within organizations that do not have Wi-Fi available. This is done by connecting a wireless access point to an Ethernet connection within the network, thereby providing an unauthorized avenue into network resources. This is often accomplished within networks that do not have a well-thought-out port security policy in place.
Another implementation of a rogue access point involves nefarious individuals who attempt to disrupt or intercept an organization's existing Wi-Fi network. In a typical attack, hackers position themselves within range of an organization’s Wi-Fi network with a wireless access point of their own. This rogue access point begins to accept beacons from the organization’s legitimate wireless access points. Then it begins to transmit identical beacons via broadcast messaging.
Unbeknownst to the various end users within the organization, their wireless devices (laptops, iPhones, etc.) begin to transmit their legitimate traffic toward the rogue access point. This can be combated with good Wi-Fi security practices, but this goes back to the default configurations topic above. That said, even without a robust Wi-Fi security policy in place, a rogue access point may not be able to intercept traffic, but it could still consume large amounts of network resources and cause a significant amount of network congestion.
Encryption Looney Tunes
In early 2007, researchers were able to crack the Wired Equivalent Privacy (WEP) in less than one minute. In 2008, the Wi-Fi Protected Access (WPA) protocol was partially cracked by researchers in Germany. WPA was widely considered the answer to the rather profound weaknesses within WEP, but now the commonly accepted gold standard within Wi-Fi encryption is the second generation of WPA; namely WPA2.
The WPA2 protocol uses the Advanced Encryption Standard (AES), and is widely considered to be the long-term solution to Wi-Fi encryption. But is it really? Is it possible that maybe, just maybe, some Ph.D. candidate at some world-renowned technical university is on the cusp of breaking the formidable WPA2 protocol? I would argue that this is not only possible but also likely. After all, the encryption game is the consummate illustration of the Coyote and the Roadrunner; just when the Coyote seems to have victory within his grasp, defeat crushes him in the form of an Acme anvil.
Keeping Ahead of Hackers
So, keeping all of these principles in mind, ensure that you are mindful of what type of traffic you allow to traverse your Wi-Fi network, and be even more mindful of who is accessing your network. As always, diligence is the key to securing your network as no encryption standard, hardware device, or intrusion detection system can truly substitute for a wary security administrator.