From corporate offices to friendly neighborhood coffee shops, nearly every organization operating a Wi-Fi network is highly exposed to vulnerabilities which bad actors can use to steal sensitive data, eavesdrop, and infiltrate further into the network. The Wi-Fi attack surface is one of the most desirable to hackers because nearly every cyber security company focuses on layer 7 application attacks (such as zero-day malware and ransomware), while historically very little effort has been made to defend against layer 2 Wi-Fi attacks. In fact, protections for layer 2 have only recently been introduced, leaving 20 years’ worth of Wi-Fi access points, routers, and clients wide open to attack. Layer 2 Wi-Fi attacks often include tactics like flooding an AP with de-authentication frames or cracking WPA2, an encryption protocol designed to protect wireless networks.
It’s important to understand that one of the main goals of any Wi-Fi attacker is to position themselves as the “man-in-the-middle (MitM).” In practice, this is where the victim’s device, say a smartphone, believes it is connected to the internet via a Wi-Fi SSID, when in reality, an attacker is broadcasting the SSID and the victim’s traffic is flowing directly through to the attacker, allowing them to see everything the victim is doing, typing, watching and more. This type of attack is surprisingly common, and much easier to fall victim to than you might think.
In response to 2017’s Key Re-installation Attack or “Krack attack,” which defeated WPA2 encryption, the Wi-Fi industry has rallied to release the WPA3 standard with improved security. Like its predecessor, WPA3 contains a Personal and Enterprise implementation. Its security improvements include the forced use of Protected Management Frames (PMF), which protect against eavesdropping on unicast and multicast management frames and the replacement of WPA2’s 4-way handshake and Pre-Shared Key (PSK) system with Simultaneous Authentication of Equals (SAE). This essentially eliminates offline dictionary attacks. These security enhancements will help eliminate the various tricks and tools attackers have been using for years to intercept WPA2’s 4-way handshake packets, and upload to multiple free services that advertise “recovering your Wi-Fi password”.
Open Wi-Fi networks supporting WPA3 also have improvements intended to prevent eavesdropping. Referred to by the Wi-Fi Alliance as “WPA3 Enhanced Open,” Wi-Fi networks that don’t require passwords will utilize Opportunistic Wireless Encryption (OWE), where each device will receive its own key. This will prevent others on the same open network from sniffing packets out of the air.
These enhancements in WPA3 have been warmly received within the industry, but despite its security improvements, at least one of the six Wi-Fi threat categories – Rogue AP, Rogue Client, Evil Twin AP, Neighbor AP, Ad-Hoc Networks, and Misconfigured APs – can still be used to compromise WPA3 networks. Each of these types of threats represent a unique method attackers can use to either position themselves as a MitM or eavesdrop on network traffic silently.
The Evil Twin AP attack, for example, is very likely to be used in Enhanced Open Wi-Fi networks, since OWE can still take place between a victim client and an attacker’s Evil Twin AP that is broadcasting the same SSID, and possibly the same BSSID as a legitimate AP nearby. Although OWE would keep the session safe from eavesdropping, the victim’s Wi-Fi traffic would flow through the Evil Twin AP and into the hands of an MitM, who can intercept credentials, plant malware, and install remote backdoors.
Although passive eavesdropping on open Wi-Fi networks will likely become a thing of the past, one very critical missing piece to WPA3 is that humans and client devices connecting to an SSID still have no way to confidently know that the SSID is being broadcasted from a legitimate access point or router. The SSID can still be broadcasted, with WPA3 enabled, from a malicious Evil Twin AP, for example. To help combat these types of widespread Wi-Fi vulnerabilities, more and more IT departments are creating Trusted Wireless Environments that are capable of automatically detecting and preventing Wi-Fi threats.
The Wi-Fi security improvements included in WPA3 are an impressive step in the right direction, but this new encryption standard will by no means put an end to Wi-Fi hacking. In a truly Trusted Wireless Environment, the access point infrastructure itself can utilize technology to remove the possibility of a human or client device connecting to malicious attacks such as the Evil Twin AP threat. That’s why today, WPA3, although much needed, is simply a complimentary security control.
Ryan Orsi is Director of Product Management at WatchGuard Technologies, which provides network security products and services to more than 80,000 customers worldwide. Ryan leads the Secure Wi-Fi solutions for WatchGuard. He has experience bringing disruptive wireless products to the WLAN, IoT, medical and consumer wearable markets. He holds MBA and Electrical Engineering degrees and is a named inventor on 19 patents and applications.
