• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

I am not worried about my Wi-Fi!

November 16, 2020 By Martin Lethbridge

If you have read our recent Internet Security Report you will see there is a rise in probe requests over public Wi-Fi. Penetration testing tools are getting more sophisticated, it’s becoming easier for cyber criminals to eavesdrop and steal personal information from people over Wi-Fi.

If we look at the original Mark I pineapple from Hak5 when it was first released, it was primarily driven by command line Linux and no plug and play. With the advancement in technology, the latest Mark VII is much easier to use. Does this mean we are now going to see a rise in Wi-Fi hacking? The simple answer is, yes! It’s not just the Wi-Fi Pineapple that hackers use, there is other new toys that are much smaller that will disrupt any Wi-Fi signal where it is turned on.

Let’s look at pwnagotchi for example. It’s a small unit whose sole job is to capture Wi-Fi handshakes so that they can be decrypted later for SSID passwords. So, as a security expert, what can you do to protect yourself and your customers?

First, we need to be looking at how we secure our Wi-Fi and tune it so that it is only used by the correct people (no more the Jeremy Clarkson Wi-Fi FULL POWER!!!).  We should actually ask ourselves why do we need Wi-Fi? Who will actually use it? Businesses went from allowing Wi-Fi only to be used by visitors and guests to now allowing all the employees to connect to it even when the building is securely set up with a wired network.

With new Wi-Fi standards coming out (Wi-Fi 6 and Wi-Fi 6E), we need to look at ways to improve Wi-Fi security. There is a hope that with Wi-Fi 6 and WPA3 this will actually solve many of the issues that we have currently with WPA2; however, it still does not provide protection from the six known Wi-Fi threat categories.

To help reduce Wi-Fi vulnerabilities, we’re asking all of you to join the Trusted Wireless Environment movement and advocate for a global security standard for Wi-Fi.

There is a small problem with WPA3, it has already been compromised with the Dragonblood vulnerability. The vulnerability was discovered before the final WPA3 spec was released to the market and we understand that the root cause of the vulnerability is related to downgrading the security of the connection to WPA2 and taking advantage of known vulnerabilities. You might think that this won’t be a problem because we all expect network administrators will not only upgrade all the access points, but they will also upgrade all the client devices connecting to Wi-Fi so they can run a pure Wi-Fi 6 network with WPA3 only. In order to achieve this upgrade, it’s not only the clients and access points that will need upgrading, but the rest of the network infrastructure will also need to be upgraded to support multi-gigabit Ethernet connectivity.

So, is WPA3 really the miracle to protect us? I believe that there isn’t a single layer of security that can protect us from everything but designing the Wi-Fi network with WPA3 in mind to boost security is common sense. The biggest problems with Wi-Fi is when network administrators have everything set to the default settings and have radio power turned on to the max. This means network administrators are transmitting their SSID further than they really need to. Do you really need to have that Wi-Fi network transmitting in the car park? I would say most of the time, the answer is no. Also do you need to be broadcasting the Wi-Fi network on all APs 24×7? Again, in most businesses the answer is no, so schedule the Wi-Fi network to be enabled only when you need to have it on. As for guest Wi-Fi, when was the last time the password was changed? How many of you have gone to a customer site where the guest password is available for everyone to see and connect to, and when you go back a year later your laptop auto-connects! Now you may think you are being good by not telling everyone about the guest password to that network, but once I walk out that door I only have to run a small command on my laptop to see the magic password of ‘ThisIsTheGuestNetwork!”. Now the best way to avoid this situation is by using a voucher limited to four hours of use. But whatever system you go for, make sure you segregate the guest and corporate traffic with VLANs, to block exposure of corporate resources or even direct guest traffic out through a different Internet line.

Even with all the above advice (and there is plenty more), there is no way to deny that Wi-Fi probing attacks are becoming more sophisticated and ubiquitous as the technology gets easier to use and more users move to wireless technologies. I always think of Wi-Fi probing as the dirty hack of the family. It is the hack that we all know is going on, but no one wants to talk about, because we all love Wi-Fi but don’t want to admit that there is a problem with it. If more of the general public knew how vulnerable Wi-Fi can be, there would be an uproar. So, until we have an ‘Edward Snowden’ moment it will be our dirty secret.

Share This:

Related

Filed Under: Editorial Articles, Featured Tagged With: 6 known wi-fi threat categories, 6 wi-fi threat categories, dragonblood, hak5, probing, secure wifi, wi-fi hacking, wi-fi security, wifi 6, wifi hacking, wifi pineapple

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • Here Come The Regulations
  • Cybersecurity’s Toll on Mental Health

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • The NSA’s Guidance on Securing Authentication
  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
  • US National Cybersecurity Strategy
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use