Wi-Fi Security is Broken

By Ryan Adzima, Blog Contributor

Wi-Fi security is broken. It has been since the beginning; we just didn't know it. But we're starting to see the light with some new ClearPass features.

If you've ever deployed a PEAP/MSCHAPv2 network with a mixture of operating systems, both Active Directory-managed and personal devices, and no onboarding solution, you know exactly what I'm talking about. And no, EAP-TLS is not the answer. It's a stop-gap measure that trades confused users for confused admins and adds several layers of complexity to the process; not everyone has the resources (compute or financial), the desire to run a PKI, or the staff knowledge to deploy an elegant onboarding solution that provides a seamless experience across all operating systems and versions.

In recent years the industry (not just wireless) has shifted from the "lock it down, users be damned" security-focused mindset to the much friendlier, productivity- and usability-first approach. That's not to say that security isn't a concern, just that many useful products and technically successful projects have suffered the wrath of user perception. Nowadays, we actually care about the user experience. If we didn't, onboarding and self-service systems like ClearPass wouldn't be so successful. Until now, though, all they did was mask the problem.

When you're talking about Wi-Fi and security, it comes down to two simple goals: validate who is on my network, and don't let anyone else see their data. Identity and encryption. Sure, you could add in some more details (what we know as "context" today), but that's only a recent capability. Let's start with identity.

Who Are You?

If you're verifying the identity of people getting on your network through username/password or certificate-based AAA, you've clearly got those users stored somewhere. Why is it just accepted that we need to install layer upon layer of middleware when all we're really looking for is a yes or a no to a simple question? Did they prove who they are, and should I let them on?

First off, the whole username/password system needs an overhaul. Of course it's not likely to go away, but token-based verification and passphrases are starting to trickle into the wild, and they not only provide much higher levels of security through higher entropy, they're much easier for the users too. Many of these have been adopted in other areas of our lives: websites are using OAuth, organizations are deploying SAML, token-based security is everywhere. Why can't we extend these to the wireless network?

What Are You Doing?

Wireless is an open medium, freely broadcast for anyone who wants to listen. This is inherently insecure and opens users up to a wide array of attacks simply by having their packets sniffed out of the air. Obviously, enabling a pre-shared key or an enterprise security network is a way to mitigate the risk, but that brings it all back to ease of deployment and use. Even then, when the easiest way for a client to connect is to disable certificate validation against the RADIUS server, or simply to click "Install Certificate" without a second thought, the encryption makes it more difficult, but not impossible, to compromise a user's wireless traffic through a man-in-the-middle attack.
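The "disable certificate validation" shortcut described above is easy to spot in a supplicant profile. The following is an added example, not code from the post or from ClearPass: it audits wpa_supplicant-style `network={...}` blocks and flags EAP networks that either trust any RADIUS certificate (no `ca_cert`/`ca_path`) or trust any certificate from the CA (no server identity match). The SSIDs, CA path and RADIUS hostname in the sample are constructed placeholders.

```python
"""Audit wpa_supplicant network blocks for 802.1X server validation."""
import re

# wpa_supplicant options that pin the expected RADIUS server identity.
IDENTITY_KEYS = ("domain_suffix_match", "domain_match", "subject_match")


def parse_networks(conf: str):
    """Return one dict of key/value options per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, flags=re.S):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop trailing comments
            if "=" in line:
                key, val = line.split("=", 1)
                net[key.strip()] = val.strip().strip('"')
        nets.append(net)
    return nets


def audit(conf: str):
    """Map SSID -> list of findings; an empty list means validation is in place."""
    report = {}
    for net in parse_networks(conf):
        findings = []
        if "eap" in net:  # only 802.1X/EAP blocks need server validation
            if not (net.get("ca_cert") or net.get("ca_path")):
                findings.append("no ca_cert/ca_path: any RADIUS certificate is accepted")
            if not any(k in net for k in IDENTITY_KEYS):
                findings.append("no server identity match: any cert from the CA is accepted")
        report[net.get("ssid", "?")] = findings
    return report


# Constructed sample: the weak profile beside its corrected form.
SAMPLE_CONF = '''
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-fixed"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    ca_cert="/etc/ssl/certs/corp-root.pem"      # placeholder path
    domain_suffix_match="radius.example.com"   # placeholder name
    phase2="auth=MSCHAPV2"
}
'''
```

Running `audit(SAMPLE_CONF)` reports two findings for `corp-weak` and none for `corp-fixed`.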

Why not move to a system more like what we see in the web world? HTTPS uses TLS to encrypt traffic in transit by matching the server identity with a certificate that has been signed and issued by a trusted source. The client negotiates with the server to create a secure connection and, from there, voilà! To the end user the process is transparent, and it's easy enough to tell when there is an issue (Chrome splash page, no lock in the browser bar, etc.). The work on the administrative side is easy enough too: request certificate, grab a coffee, install certificate, it works… Even better, when the certificate expires all hell doesn't break loose; a new one is installed and everything continues to function just as before.

What Can I Do?

When it comes to the first question, "Who Are You?", ClearPass has had some new features added recently that help with this indirectly. ClearPass Exchange allows third-party applications to be installed to enhance the capabilities of the whole system. A prime example of improving not only network security but also the onboarding experience is Kasada. They're integrating with ClearPass to add multi-factor authentication using non-traditional "tokens" such as pictures or fingerprint scanners on phones. It's a few steps ahead of the rest of the available systems and definitely movement towards a better way to do wireless.

Unfortunately, on the second question there's a lot of work to be done. Clearly I'm not qualified to be writing a new protocol, and adoption of any new technology takes years, but with IoT and the mass proliferation of Wi-Fi I think we need to start talking about a new way of ensuring that users and their data are safe.