|Router Security||WiFi Encryption||
Website by |
April 11, 2019: The Wi-Fi Alliance, which sets Wi-Fi standards, has a history of screwing up. The organization is an industry disgrace. And, it seems that with the WPA3 standard, they are maintaining their miserable reputation. When some qualified techies (Mathy Vanhoef and Eyal Ronen) finally got to evaluate WPA3, they found lots of design flaws. To be clear, these are not coding flaws, they are poor design. Depending on how you count there are at least five design mistakes.
Their website documenting the flaws is Dragonblood. See also
- - - - -
As of July 2018, it is too early to walk about WPA version 3 (WPA3) with any authority. No one has yet kicked the tires on the protocol and it is not clear when devices will even support it. Anything that supports WPA3 should also support WPA2, so there won't be a big bang conversion.
The biggest flaw with WPA2, is that bad guys can make off-line brute force guesses of the Wi-Fi password. Billions and billions of guesses every second. WPA3 should eliminate this flaw. That said, a sufficiently long WPA2 password (over 15?, 16? characters) also eliminates the problem.
The improvements are scheduled in two phases, the first is known as WPA2 enhancements and it is expected to be released before the end of 2018. The second phase is full blown WPA3. WPA3 compliant products are expected to start appearing before the end of 2018. The WPA2 enhancements mandate the use of Protected Management Frames (PMF), more stringent validation of vendor security implementations, and improved consistency in network security configuration.
IEEE 802.11w, the standard that describes PMF, was ratified in 2009 becomes mandatory. Without it, management frames are transmitted unencrypted and their integrity is not verified. PMF ensures integrity of network management traffic, provides protection against eavesdropping, replay and the forging of management action frames. This protects against DoS attacks that use forged deauthentication/disassociation frames to kick clients off a network and force them to authenticate again.
Many wireless vulnerabilities are the result of poor implementation or misconfiguration. WPA2 enhancements will require additional tests on Wi-Fi certified devices to ensure both the use of best practices and that the products yield expected behaviors. The WPA2 enhancement also defines a set of secure cipher suites to prevent an attacker from exploiting a configuration weakness.
Currently Wi-Fi networks can be completely open, no password needed, no encryption used. This will no longer be possible with WPA3 which introduces Opportunistic Wireless Encryption (OWE). OWE provides individualized data encryption to Wi-Fi clients using public open networks. No more eavesdropping. The encryption process is transparent to users. They see and join the Wi-Fi network as they would an Open network. BIG improvement. Technically, OWE uses an unauthenticated Diffie-Hellman key exchange during association, resulting in a Pairwise Master Key (PMK) used to derive the session keys.
Writing for Network World, Eric Geier notes that Wi-Fi Enhanced Open is not officially part of WPA3. Although it is expected be added along with WPA3, it is, nonetheless, optional. Also optional is support for the un-encrypted legacy open connections.
Geier also points out some downsides to the way WPA3 handles Open networks. For one, the Wi-Fi client device may not be able to tell the difference between a secure WPA3 Open network and an insecure WPA2 open network. We just have to wait and see how each operating system handles this. And, shared folders on Wi-Fi clients will be available to everyone on the WPA3 Open network. Finally, it does nothing to defend against evil twin networks.
Another huge improvement was mentioned above, resistance to brute force password guessing. The WPA2 Pre-Shared Key (PSK) mode is gone, replaced by the WPA3 Simultaneous Authentication of Equals (SAE). The big improvement here is that SAE does not transmit the hash of the password in the clear. WPA2-PSK allows bad guys to listen for the password hash and then, when they have it, make a billion guesses a second to convert the hash to the password. SAE limits the number of guesses an attacker can make. The end user experience does not change with SAE, people still enter a password, just as they do now with WPA2-PSK.
With WPA3 each user connection to the router is encrypted with a different key. This is big. Without it, as on WPA2, anyone who knew the Wi-Fi password could spy on other users of the same network. Also, WPA2 did not offer Perfect Forward Secrecy (PFS or just FS). If someone was out to get you they could record your Wi-Fi traffic as it was transmitted over the air (or it could have been recorded by the ISP). With WPA2, once someone learned the Pre-Shared Key, they could go back and decrypt all the old transmissions. With WPA3 this is not possible. Old transmissions remain secret even as time moves forward.
Finally, WPS is being replaced with DPP (Device Provisioning Protocol). As with WPS, DPP aims to be a simple way for devices without a screen or keyboard to join a Wi-Fi network. A DPP-enabled device will have a built-in public key, and a network administrator can bring it onto the network in several ways. One approach is scanning a QR code on the DPP-enabled device with a phone. I am skeptical; anything that tries to be user friendly is likely to not be secure. We'll see how this plays out. As some devices require WPS, it can not be killed off completely. Like WPS, DPP introduces new terminology, a configurator and an enrollee.
The configurator will be a smart phone or tablet that is already part of the network and can provision new devices. How it gets the ability to provision new devices is not clear. How it loses the ability once it is lost or stolen is also not clear. WPS had 4 or 5 different modes of operation and so too does DPP. Devices can be granted access to the network by scanning a QR code, negotiation of a trusted public key using a passphrase/code, NFC, or Bluetooth. Ugh.
Wi-Fi devices have utilized AES with 128 bit keys for data protection for some time. WPA3 will mandate 256-bit encryption and use of CNSA approved cipher suites.
When will WPA3 be available? Eric Geier says a few WPA3 devices should appear by the end of 2018. WPA3 is currently (Nov. 2018) optional and may not be mandatory for as long as two years. While some devices may be upgradeable via software, others will require new hardware.
History tells us that the first version of the protocol is likely to be buggy, either due to the spec itself or specific implementations. And, using WPA3 requires support both in the router/Access point and in the client device (computer, tablet, phone).
A good article: WPA3: How and why the Wi-Fi standard matters by Larry Seltzer, Aug. 2018.
And: Google knows nearly every Wi-Fi password in the world by me September 12, 2013.
At first, you might be thinking what more is there to say about WiFi encryption? The basic rules have not changed in a long time and can be boiled down to USE WPA2. But, there is more to it.
Introduction: WiFi supports three different schemes for over-the-air encryption: WEP, WPA and WPA2 (WPA version 2). All of the options encrypt data traveling between a WiFi device and the router or Access Point (AP) that is the source of the wireless network. Once data leaves the router, bound for the Internet at large, WEP, WPA and WPA2 are no longer involved.
As noted everywhere, WPA2 is the best option. However, WPA2 is not a simple On/Off checkbox, there are further options. These additional options are TKIP, AES or CCMP. Do not choose TKIP. Doing so, means you are, in effect, using the less-secure WPA encryption. AES and CCMP are two names for the same thing. Whichever your router uses, chose it.
And, some routers may not offer just WPA2. I have seen routers that only offered a combination of either WPA or WPA2. Stand-alone or exclusive WPA2 is more secure.
For more on the three types of encryption see Wi-Fi Security: Should You Use WPA2-AES, WPA2-TKIP, or Both? by Chris Hoffman (December 2014).
WPA2-AES (the same as WPA2-CCMP) can still offer poor security if the password is too short. Nothing can be done to prevent an attacker from capturing network traffic and using a brute force attack to decrypt it off-line, making billions of guesses a second.
Just how many billions of guesses per second? According to Paul Moore (Passwords: Using 3 Random Words Is A Really Bad Idea! October 2017) it varies based on the hashing algorithm. A computationally expensive algorithm, SHA512, slows things down to 8 billion a second. If a password is encrypted with SHA256, then we can expect 23 billion guesses/second, with SHA1 expect 70 billion/second. The fastest, and thus least secure, algorithm is MD5. Moore says MD5 is still very common and it can be brute-forced at the rate of 200 billion guesses/second.
The shortest password allowed with WPA2 is 8 characters long. A password of 14 or 15 characters should be long enough to defeat most brute force guessing. The German government recommends 20 characters as a minimum. WPA2 passwords can be up to 63 characters long. Of course, it is better to include both upper and lower case letters along with numbers. WPA2 passwords can also contain a host of special characters.
But wait, there's more.
A long password can still be guessed with a dictionary attack. Despite the name, this type of attack can include many passwords that are not words in the dictionary. Things like "Denver2013" or "I like MickeyMouse". Many websites have been breached over the years and bad guys can find massive databases of passwords that people have actually chosen. Thus, defending against a thorough dictionary attack means not using a password that any other human has used before. A tall order indeed, but not impossible.
For advice on choosing a globally unique password, see my November 2014 blog: Wi-Fi security vs. government spies.
To get a feel for how bad guys crack Wi-Fi passwords, see How I cracked my neighbors WiFi password without breaking a sweat by Dan Goodin (August 2012). One eight-character password was hard to guess because it was a lower-case letter, followed two numbers, followed by five more lower-case letters with no discernible pattern. That is, it didn't spell any word either forwards or backwards. Resisting the temptation to use a human-readable word made guessing much harder. I suspect having the numbers in the middle also made it harder, as most people don't do this. Still, even back in 2012, guessing every possible 8-character password was a do-able thing. Goodin suggests using four or five randomly selected words - "applesmithtrashcancarradar" for instance - to make a password that can be easily spoken yet prohibitively hard to crack. I would add a number and an upper case letter.
Some routers ship with default Wi-Fi passwords that look like they were randomly chosen. Do not trust this. Pick a new password. For more on this, see Scrutinizing WPA2 Password Generating Algorithms in Wireless Routers August 2015
In April 2018 the Boston Red Sox were caught using "baseball" as the Wi-Fi password in the visitors clubhouse at Fenway Park. I wrote about this on the Routers in the news page and commented on the strength of assorted new suggested passwords.
See a funny tweet by Dan Edwards about needing to buy a drink at a bar before learning the Wi-Fi assword.
kyPeQ3!khx (Too short and can't remember it)
Dandelion (Never use a word in the dictionary)
Denver2012 (It is likely that someone else has used this before)
DBF9fkhu28FF!ca4$cc5C1795ecc (can't remember it)
Yankee fan? 22New22York22Yankees22
Like red tulips? red123TULIPS123
Like Shakespeare? tobeornottobe-->THATisthe?
From New York City? new-yawk-RULES!!!!
Like XKCD comics? BatteryHorseStaple.etcetcetc
Like to remember a date/place? Denver///2012///
Like your iPhone? iOSiscoolerthanandroidhaha
Like math? 6====ahalfdozen
Like golf? Icandriveagolfball300inches
Like being a smartass? >>>>>>>>thisismypassWORD
What everyone knows as WPA2 encryption, is really WPA2 Pre-Shared Key (WPA2 PSK). In English, this means there is one password for each Wi-Fi network. A router using WPA2 PSK that creates three SSIDs will have one password for each SSID. While it is common to think that WPA2 PSK is the best Wi-Fi security available (at least before WPA3 is released) the reality is that WPA2 Enterprise is more secure than WPA2 PSK.
From the perspective of a device connecting to a Wi-Fi network, with WPA2 Enterprise, the device needs to provide both a userid and a password to logon. From the perspective of the person configuring the network, each user can be assigned their own userid/password. A single Wi-Fi network can have many passwords with WPA2 Enterprise. If an employee leaves the company, their Wi-Fi userid/password can be deleted with no impact on anyone else.
The big problem with WPA2 Enterprise is that it is too hard to install, configure and maintain, but it does not have to be that way (more below). Another problem is that many consumer routers do not support it. For example, it is not available on mesh routers from Eero, Google, Linksys (Velop) or Ubiquiti (AmpliFi). It is available from Synology and Peplink. Finally, because it is is mostly used by businesses, it may not be supported by IoT devices. I have an Internet radio that can not connect to a WPA2 Enterprise network. WPA2 Enterprise is supported on computers (even Chromebooks) and tablets.
I am no expert on WPA2 Enterprise, but I have dabbled in it.
When a router supports WPA2 Enterprise, that means it is able to call out to something else to validate the userid/password presented by a device. That something else is a RADIUS server. The RADIUS server maintains the list of userids and passwords and is the big sticking point to stepping up to WPA Enterprise. The RADIUS server may reside on the same LAN as the router, in the router itself or it may reside somewhere in the cloud. I have not used a cloud-resident RADIUS server.
On a LAN, consumers and small businesses can use a NAS box as a RADIUS server. Not every NAS box, but certainly those from Synology and QNAP. For quite a while, I have used a Synology NAS as the RADIUS server that my Pepwave Surf SOHO communicates with.
Perhaps the best option for consumers and small businesses is a Synology router. As far as I know, Synology is unique in letting you run a RADIUS server on the router itself. I expect to try this soon and will report back ....
If you have an old device that is capable of WPA encryption but not the more recent WPA2 variety, then create a new network on the router that uses WPA encryption and chose an extra long password for it. If possible, this should be a guest network that is isolated from the private network.
If you have an old device that is not capable of either WPA or WPA2 encryption (that is, all it can do is WEP), get rid of it. WEP should not be used.
A March 2017 article in PC Magazine, The Best Wi-Fi Mesh Network Systems of 2017 starts with a feature overview of nine different mesh systems. The most secure devices only offer WPA2: Plume, Eero, Securifi Almond 3 and Google Wifi. Two devices, Luma and Ubiquiti Amplifi offer both WPA and WPA2. In the "what were they thinking" category are devices that still offer WEP: Netgear Orbi, Linksys Velop and Amped Wireless Ally Plus.