Wireless WPA2 Encryption No Longer Secure

Original article here.

Summary:  Several years ago,WEP wireless encryption was cracked and very quickly became almost as insecure as using no encryption at all.  More recently, WPA encryption was also cracked, leaving only WPA2 as a method of keeping wireless networks secure.  With nothing more secure than WPA2 available to secure wireless networks against intrusion, it was only a matter of time.

Researchers have now presented evidence on a method by which an attacker can target a wireless network using WPA2 encryption and gain access through a weakness in the de-authentication process.  WPA2 uses a method of re-authenticating wireless devices on a regular basis, providing a new encryption key each time as part of its security protocols.  However, when the router de-authenticates a device it leaves a brief hole through which an attacker with the proper tools can gain access.  As of this posting, there is no solution for this weakness.

When implementing new networks that use wireless access points, multi-tiered security is absolutely essential to preventing unauthorized access by attackers.  I recommend using WPA2 encryption with extremely long and complicated pass-phrases combined with MAC address filtering at the access point itself.  However, with WPA2 now compromised and MAC address spoofing fairly easy, I also suggest further security methods at the DHCP server sitting behind the access point, including a second layer of MAC address filtering and assignment of static IP addresses to all authorized devices, with no further IP address allocation available to unauthorized devices.  Additionally, I suggest implementing firewall rules at the gateway that restrict all inbound and outbound traffic to those static IP addresses, blocking all traffic to and from unassigned IP addresses.  Firewalls on all client devices should also be implemented with similar restrictions.  For corporate networks where more sensitive data is involved, I recommend the further step of isolating as many computers as possible on wired connections using one IP pool, then establishing a second IP pool for wireless devices and using the wireless option only where absolutely necessary.

Each of these individual methods can be compromised given sufficient time and dedication.  But by utilizing all of these methods together, the goal is to (hopefully) make penetrating your network so difficult and time-consuming that would-be attackers will move on to lesser protected networks.

No comments yet.

Leave a Reply