Don't assume WPA2 is more secure than WPA


AirDefense recently conducted a wireless LAN security survey of New York City retailers and, according to John Cox's story, declared two thirds of them insecure.  According to the AirDefense survey, a third used zero link layer wireless LAN security (explanation of link layer here) and a third used "weak security".  AirDefense goes on to say that one third was secure using WPA2, which Cox described as a "quantum improvement" and said "brought 802.1x authentication down to every device".

The first problem with this report is that AirDefense lumped WPA-PSK in with WEP, which is ludicrous since the two are not comparable in security.  WPA-PSK, if deployed with a reasonably complex password of 10 or more random alphanumeric characters, has never been broken, whereas WEP can be broken in minutes.  The second problem is the implication that only WPA2 brings 802.1x authentication, when in fact 802.1x has been used since 2000 with dynamic WEP mode or WPA (AKA 802.11i draft) mode.

WPA2 can just as easily be used in PSK (pre-shared key) authentication mode along with the weaker TKIP encryption mode.  WPA can just as easily be used in 802.1x authentication mode along with the strongest AES encryption mode.  So in this particular example, WPA can actually be deployed in a stronger authentication and encryption mode than WPA2.

WPA is an industry standard based on the IEEE draft 802.11i security standard, whereas WPA2 is based on the ratified standard, so they're essentially the same thing.  Both WPA and WPA2 let you choose your authentication mode and both let you choose between TKIP and AES encryption mode.  A WPA-compliant device, however, may implement AES optionally, whereas WPA2-compliant devices must be capable of both TKIP and AES, though you're not required to use AES.  The only other thing that WPA2 adds is pre-authentication and PMK (Pairwise Master Key) caching, which improves seamless roaming of clients between access points but has nothing to do with security.
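The point above, that a survey should grade a network by its authentication and cipher settings rather than by the WPA or WPA2 label, can be checked directly against what an access point advertises in its beacon. The following is an added example, not part of the original article: the function names and the sample bytes are constructed for illustration, and the element layouts are the standard RSN (WPA2) and vendor-specific WPA information elements.

```python
import struct

WPA_VENDOR = bytes.fromhex("0050f201")   # Microsoft OUI + type 1 marks the WPA element
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}   # CCMP is the AES mode
AKMS = {1: "802.1X", 2: "PSK"}

def _suites(body, off, names):
    """Read a little-endian count, then that many 4-byte suite selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    # Last byte of each selector is the suite type; the first three are the OUI.
    return [names.get(body[i + 3], "unknown") for i in range(off + 2, end, 4)], end

def parse_security_ies(ies):
    """Return one profile per WPA/RSN element found in a beacon's tagged fields."""
    profiles, off = [], 0
    while off + 2 <= len(ies):
        eid, length = ies[off], ies[off + 1]
        body, off = ies[off + 2:off + 2 + length], off + 2 + length
        if eid == 48:                                  # RSN element: WPA2
            label = "WPA2"
        elif eid == 221 and body[:4] == WPA_VENDOR:    # vendor element: WPA
            label, body = "WPA", body[4:]
        else:
            continue
        try:
            pairwise, nxt = _suites(body, 6, CIPHERS)  # skip version(2) + group cipher(4)
            akms, _ = _suites(body, nxt, AKMS)
        except (struct.error, ValueError):
            continue                                   # malformed element: ignore it
        profiles.append({"label": label, "auth": akms, "pairwise": pairwise})
    return profiles

def strength(profile):
    """Score by what is configured, not by label: (auth, cipher), higher is stronger."""
    auth = 1 if profile["auth"] == ["802.1X"] else 0
    cipher = 1 if profile["pairwise"] == ["CCMP"] else 0   # any TKIP/WEP offered scores 0
    return (auth, cipher)

# Constructed sample elements (not captured traffic).
SSID = bytes.fromhex("00 04 73686f70")
WPA2_PSK_TKIP = bytes.fromhex("30 14 0100 000fac02 0100 000fac02 0100 000fac02 0000")
WPA_EAP_CCMP = bytes.fromhex("dd 16 0050f201 0100 0050f204 0100 0050f204 0100 0050f201")

if __name__ == "__main__":
    for p in parse_security_ies(SSID + WPA2_PSK_TKIP + WPA_EAP_CCMP):
        print(p, strength(p))
```

With these two constructed elements, the network labelled WPA (802.1x with AES) scores higher than the one labelled WPA2 (PSK with TKIP), which is the case described in the article.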

The other issue is that large chain stores often cannot avoid using WPA-PSK mode because of the reliability issues with remote RADIUS servers in 802.1x mode.  These stores often don't have redundant WAN (Wide Area Network) connectivity and they can't afford to have their wireless cash registers go down if the WAN goes down.  One vendor, Ruckus, actually came up with a unique Dynamic PSK scheme that allows you to have unique per-user, per-device WPA-PSK passwords.  Since this solution can survive WAN failures, it may be just the right solution to avoid the shared key problems of WPA-PSK and the reliability problems of remote 802.1x authentication.  For your typical enterprise, however, I still recommend doing it the right way with 802.1x.

So the lesson here is to never make kneejerk assumptions that WPA2 is automatically secure and WPA-PSK is just as bad as WEP.  This isn't to say that WPA2 isn't good because it is, but I'm surprised that AirDefense would lump WPA-PSK in with WEP.

Topics: Wi-Fi, Networking, Security


Talkback

24 comments
  • Whatever you do, don't use WEP!

    Just to re-iterate a point: Don't use WEP. It can be broken in about a minute, so it's basically as secure as having an open connection with no security.
    CobraA1
    • Unless you don't live near other people

      If you live in an apartment, with lots of people in 802.11 range of your network, then, sure, be secure. If you don't live near anyone who is in range of your network... you know... whatever. I mean, be secure there, too, but the world won't actually end if you're not.
      SBArbeit
      • Why even take the chance?

        Unless your data isn't worth protecting, why take the chance? It's not like WPA is any more difficult to set up than WEP, in fact it's easier.
        Michael Kelly
      • "In range" has different meaning to different people

        "In range" has different meaning to different people. A nice directional antenna can pick you off from more than a mile.
        georgeou
    • I use WEP

      I see 3 or 4 open APs when I look at the wireless network list on my laptop. Sure, my WEP can be cracked but for someone looking for connectivity even WEP is a high enough hurdle to get them to glom onto someone else's open network.

      I'm not advocating WEP - I've been using the same AP for a few years now and set it up with WEP from the get go, so I'm reluctant to reconfigure the network now - I'm just saying that if you use WEP it's not the end of the world.

      You can't secure your home with a picket fence but it will keep neighbors off your lawn. I'm just worried about the neighbors on my lawn.

      :)
      none none
  • Verizon uses WEP as Default on their DSL

    Every Verizon wireless router installed with FIOS or DSL comes set up as WEP and is left that way by the installers. When I go out to service clients with internet issues and see they have Verizon I know to look at the side of the router where the ESSID and WEP key are on a preprinted sticker.

    They also have the router username and password there also. I've stopped trying to figure out why.
    k12IT
    • It's a great way to get free Internet if they leave it on

      It's a great way to get free Internet if they leave it on. I don't even know why they provide wireless LAN access with public IP addresses. I recommend people turn it off.
      georgeou
      • Great advice, George...

        You are kidding, right?

        http://www.mostlycreativeworkshop.com/Article312.html

        "Miami, FL - Earlier this week, police in St. Petersburg reported that a man who was arrested for stealing a wireless internet signal faces a pretrial this month..."

        -Mike
        SpikeyMike
        • I think this was a WEP network.

          I think these cases are people who are warchalking the neighborhood to look for unsecured networks to use. These articles don't tell how they got on the wireless network and whether the wireless was even secure in the first place. Even so, most home networks use WEP for security because of Windows and so the owner doesn't have too much hassle with connecting to the wireless network. Most people don't want to hassle with security and they leave it open for simplicity's sake. Like most thieves, they look for simple targets first, like the unlocked car to take stuff, and mostly ignore the secure stuff. I use my wireless sparingly and turn it off when I'm not using it to minimize this exposure. Yes, it is a pain, but I'd rather have this than a serious cracker take my personal information.
          phatkat
  • Create a Closed Network for Added Security

    The name of a "closed network" is hidden. To join the network, a user must know the name of the network.

    This is especially valuable to home users who wish to remain anonymous to "drive by" hackers.
    msackett
    • You mean False Sense of Security.

      Obtaining the SSID of such a network is fairly trivial using Kismet. The moral of the story? If someone wants to infiltrate your network, a hidden SSID is of no real help, unless your attacker is a complete amateur.

      The real answer is to use WPA2 with AES, preferably using RADIUS on the backend.

      Personally, I'm currently using WPA2 with AES, broadcasting my SSID (which doesn't contain any personally identifying info) with a long PSK (30+ characters). I'm working on migrating to WPA2 "Enterprise", using PEAP, but I'm having trouble getting it working with Windows XP. Remarkable, since after all, it IS a Microsoft drafted standard, and it works fine with Mac OS X and Linux.
      woot@...
      • Try out KB893357 (WPA2) for Windows XP.

        http://www.microsoft.com/downloads/details.aspx?familyid=662bb74d-e7c1-48d6-95ee-1459234f4483&displaylang=en
        Grayson Peddie
      • No, I Mean Add One More Step

        NT
        msackett
        • It's not an extra step at all

          The same sniffer that cracks a WEP password searches the area for wireless signals (a part of the first step in the process) and will show the SSID, hidden or not.

          The other problem with hidden SSIDs is that not only is the router broadcasting the SSID, but the computer is too. So if you use a laptop to connect, you're broadcasting that hidden SSID everywhere you take that laptop.
          Michael Kelly
      • Microsoft supported WPA2 long before Mac and Linux

        Microsoft supported WPA2 long before Mac and Linux. As the other gentleman noted, there was a patch for it. FYI, WPA2 based on 802.11i was ratified years ago.
        georgeou
    • SSID suppression and MAC filtering are worthless

      http://blogs.zdnet.com/Ou/?p=454
      georgeou
  • Wireless and Retail don't mix

    "Wireless LAN security survey of New York City retailers where they declared two thirds of retailers insecure according to John Cox's story. According to the AirDefense survey, a third used zero link layer wireless LAN security (explanation of link layer here) and a third used 'weak security'."

    http://www.washingtonpost.com/wp-dyn/content/article/2007/06/27/AR2007062700062.html

    According to a June '07 article in the Washington Post: "Insecure networks and point-of-sale terminals are riskier than online shopping, Gartner charges."


    In my considerable experience servicing the retail sector, retailers want wireless, but don't understand the security implications. I never recommend or support wireless networking for the simple fact that there is credit card information flying around on the LAN. (Visa is nervous enough!)
    http://usa.visa.com/merchants/risk_management/cisp.html

    Sure, *we* could secure it, and monitor it, and react to new threats. A retailer will not.

    Retailers need to quit deploying wireless. Consumers should be wary of doing business (at least WRT electronic payment) with merchants who deploy wireless networks.

    -Mike
    SpikeyMike
    • Don't use a broad paint brush

      There is nothing wrong with using a secured wireless LAN using the methods I mentioned.
      georgeou
      • In the real world

        Whatever George... So much for 'Real World' computing.

        In the real world, wireless and retail don't go together.

        http://www.eweek.com/c/a/Retail/PCI-The-Panacea-For-Everything-Other-Than-Security/

        "The truth is that the next wave of retail applications -- with their heavy emphasis on wireless capabilities of all sorts -- will bring with them an ocean of new security problems. Ostensibly, they'll be addressed by the next wave of PCI requirements, which will free up more dollars for investment."

        Smart money says don't use wireless in a retail environment. What does your money say?

        -Mike
        SpikeyMike
        • I do live in the real world, and they all use wireless

          I do live in the real world, and they all use wireless. I used to design secure wireless networks for national retail chains.
          georgeou