Ok, so I kind of jumped the gun on this series and went straight into both red team (attacking) and blue team (defending) without even mentioning why we need wireless security in the first place. Sure, for most of us the need to protect our wireless communications is a given, but have you ever thought about the actual reasons why we do this in the first place?
When you boil it down, we have 3 main objectives for implementing wireless security. The first is data confidentiality. This means that we want to protect wireless communications from digital eavesdropping. There are all kinds of methods for an attacker to insert themselves as the man in the middle, allowing them to intercept and copy the wireless traffic. The use of open hotspots (or unsecured wireless networks) makes it extremely easy for the attacker: since there is no encryption between the client and the access point, they do not even have to be the man in the middle. With my CowPi or any other device with a wireless NIC that supports monitor mode, the traffic can be copied passively. I’ll continue the discussion on why open hotspots are terrible in another post.
The next reason we implement wireless security is access control. We want to control who is allowed on our network and prevent any unauthorized access to it. There are many ways to restrict network access, and they fall into 3 unofficial categories: The Good, The Bad, and The Ugly. Implementing WPA2 Enterprise (802.1x) with EAP-TLS would be considered “The Good”: it leverages a PKI (Public Key Infrastructure) to authenticate not just the user, but the connecting device as well. For “The Bad” we have WPA2 Personal, or PSK (Pre-Shared Key). Using a PSK means that all users have the same key to access the network. When a user leaves an organization, whether on their own terms or not, they still have the key. Anyone using a PSK should be changing that key when someone leaves, but let’s face it, we don’t do that. Don’t forget that a poorly configured PSK is not very difficult to crack (See my post HERE). Now for “The Ugly” we have 2 contenders: MAC address filtering and using WEP for encryption. MAC filtering makes the ugly list because it’s trivial to spoof an address. WEP is in there because with automated tools like Wifite, any script kiddie can crack the keys in under 1 minute.
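To make “The Bad” versus “The Good” concrete, here are two hostapd.conf fragments (an added example, not from the original post or from the hostapd project) showing a WPA2-Personal AP next to a WPA2-Enterprise AP that hands authentication to a RADIUS server. The interface name, SSIDs, RADIUS address and secrets are placeholders, the two fragments are meant as two separate config files, and the EAP-TLS method itself is configured on the RADIUS server, not in hostapd.

```ini
# Fragment 1, "The Bad": WPA2-Personal (PSK).
# Every client shares wpa_passphrase, so revoking one person's access
# means re-keying every device on the network.
interface=wlan0
ssid=example-psk            # placeholder SSID
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP           # CCMP (AES) only; TKIP is deliberately not offered
wpa_passphrase=CHANGE-ME-use-a-long-random-passphrase

# Fragment 2, "The Good": WPA2-Enterprise (802.1X) with an external RADIUS server.
# The AP only relays EAP; the RADIUS server validates per-user/per-device
# certificates (EAP-TLS), so access is removed by revoking a certificate,
# not by changing a shared key.
interface=wlan0
ssid=example-enterprise     # placeholder SSID
hw_mode=g
channel=6
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_server_addr=192.0.2.10             # placeholder RADIUS address
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-radius-shared-secret
```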
Lastly, we also implement wireless security to preserve data integrity, that is, we want to prevent tampering with data while it is in transmission and ensure that the communication is between trusted parties. For the vast majority of attacks that affect the integrity of data, access control or confidentiality would have already been breached. However, there are attacks (like those on TKIP) that can affect the integrity of the communications without requiring network access or data interception.