
I have found myself in a situation where I need to set up a somewhat secure Wifi network. I am primarily concerned about these attacks, however I welcome any advice about other attacks that I should be concerned with as well:

  • An unauthorized party gaining access to the network without any prior knowledge (eg. by a neighbor brute-forcing the PSK)
  • A user that is authorized to use the network as a user (eg. no access to the router's admin panel or the RADIUS server) decrypting another user's data to violate their privacy
  • A 3rd party attacker (or an authorized user) that sets up an evil twin attack and is able to get the PSK (or RADIUS credentials) and/or the data itself, thus violating all users' privacy and/or accessing the network without authorization

My research tells me that the normal standard that I have used for years, WPA2 PSK with AES, is vulnerable to all but the first attack. Upon further reading, I have discovered WPA2 enterprise and that it is supposed to be more secure against these types of attacks. It appears to have many different modes, however (eg. What is the difference between EAP, PEAP, and MSCHAP?), and I am finding conflicting and incomplete information about whether or not it is vulnerable to the middle (conflicting information) and last attack (no information).

As such, I ask, what is the best way to set up Wifi to be secure against all three of these attacks? I suspect that some sort of SSH-style key will need to be given to each client, along with an AP/server key that the client can use to defend itself against evil twin attacks, but I can't find anything that precisely describes how to set this up. I am looking for instructions as precise as something like this, for high quality TLS.

john01dav
  • EAP-TLS for example is not vulnerable to the middle attack. However I think waiting for WPA3 would be ideal. – forest Jul 08 '19 at 00:48
  • EAP is a framework to use any other authentication protocol (PEAP, EAP-TTLS, EAP-TLS). PEAPv0 with EAP-MSCHAPv2 is the most popular since it has native support on Windows, but there's also PEAPv1, which is with EAP-GTC, and also PEAP-EAP-TLS, which is supported ONLY by MS. But tbh I don't know how these apply to the scenarios you provided. For all I know, EAP-TLS is the most secure. – Azteca Jul 08 '19 at 03:35
  • What's your budget? Newer, 'enterprise grade' APs and management tend to come with systems that support this kind of set-up - but depending on the manufacturer, may require fairly significant investment (Cisco Meraki) or slightly more reasonable (Ubiquiti) for example. –  Jul 08 '19 at 08:37
  • @Ian I'm trying to use standard issue consumer equipment that I already have. When asking the question, I was hoping to get information on how to configure freeradius on a raspberry pi to use with a consumer router. I could install 3rd party firmware (e.g. dd-wrt) on the router too. – john01dav Jul 08 '19 at 08:41
  • Also, regarding the advice about WPA2 modes, I don't have the context to fully interpret it, nor can I find a website that explains it. In my current mental model, that I want to improve, WPA2 enterprise is something that is better than WPA2-PSK that requires a separate server that is very complex to configure for authentication. I don't know any more details than that, except for some names (EAP, for example) without definitions. – john01dav Jul 08 '19 at 08:45

2 Answers

2

An unauthorized party gaining access to the network without any prior knowledge (eg. by a neighbor brute-forcing the PSK)

If you have a sufficiently strong password, such as }H/,uj^kGbtQ(WtqjdY{KCdQT[_G@[R>Bm+~\Sb[X(3na, then the chances of an attacker recovering this password with brute force are negligibly small. Note that this doesn't prevent an attacker from gaining access to the password in other ways, such as social engineering, but it protects you from an attacker capturing a handshake and cracking it offline.

A user that is authorized to use the network as a user (eg. no access to the router's admin panel or the RADIUS server) decrypting another user's data to violate their privacy.

WPA2-Enterprise with endpoint certificates will solve this.

A 3rd party attacker (or an authorized user) that sets up an evil twin attack and is able to get the PSK (or RADIUS credentials) and/or the data itself, thus violating all users' privacy and/or accessing the network without authorization.

This answer by Matthew Peters excellently describes how an Evil Twin attack can be mitigated. It also includes using WPA2-Enterprise.

But what if my client device does not support WPA2-Enterprise?

Many consumer devices, and even some business devices, are not built to support WPA2-Enterprise, such as some phones, printers, handheld game consoles, various "smart" devices, etc.

In this case, your only option lies in using WPA2-PSK, with all its associated risks. Again, using a long, randomly-generated Pre-Shared Key is the best option you have.

guntbert
  • I won't comment on the other consumer devices mentioned, but higher-end consumer phones specifically do tend to support WPA2-Enterprise. And the rest need not be connected by WiFi; ethernet is still an option, assuming things are physically close enough to the router. – Nic Jul 08 '19 at 19:29
  • @NicHartley It depends entirely on the device. Chromecast, for example, does not support WPA2-Enterprise as far as I know, neither does the Nintendo Switch. Both of them would be nice to have on a network though. The idea that, if it doesn't support the highest security possible, it should not be on the network, is just not practical. In practice, nobody will care about your home network, and having a long PSK is good enough to prevent skiddies from accessing your data. –  Jul 09 '19 at 07:52
  • ...which is why I was talking specifically about high-end consumer phones, not Chromecasts or Switches, yes. – Nic Jul 09 '19 at 14:15
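
The certificate-based WPA2-Enterprise setup recommended in the answer above, written out as configuration for the client (wpa_supplicant) and the AP (hostapd). This is an added example, not part of the question, the answer or the linked post; the SSID "HomeNet", the identity "laptop01", the file paths, the RADIUS hostname "radius.home.lan" and the address 192.0.2.10 are assumptions. The first network block is the weak form, kept disabled for comparison; the second is the form that actually defends against an evil twin.

```ini
# --- wpa_supplicant.conf (client side) ---
# WEAK: EAP-TLS, but no ca_cert and no server-name check. The client
# completes the association with any AP/RADIUS pair advertising this SSID,
# so a rogue AP receives the client's traffic; with a password-based inner
# method (PEAP/MSCHAPv2) it would also receive the credential exchange.
network={
    ssid="HomeNet"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="laptop01"                             # assumed identity
    client_cert="/etc/wpa_supplicant/laptop01.crt"  # assumed path
    private_key="/etc/wpa_supplicant/laptop01.key"  # assumed path
    disabled=1                                      # comparison only
}

# HARDENED: pin the private CA that issued the RADIUS server certificate
# and require the server certificate to name the RADIUS host. A rogue AP
# cannot present a certificate chaining to this CA for that name, so the
# TLS handshake fails before the client sends any traffic over the link.
network={
    ssid="HomeNet"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="laptop01"
    ca_cert="/etc/wpa_supplicant/home-ca.pem"       # your own CA, not a public one
    client_cert="/etc/wpa_supplicant/laptop01.crt"  # per-device certificate
    private_key="/etc/wpa_supplicant/laptop01.key"
    private_key_passwd="PLACEHOLDER_KEY_PASSPHRASE"
    domain_match="radius.home.lan"                  # assumed RADIUS hostname
}

# --- hostapd.conf (AP side) ---
# The AP only relays EAP to RADIUS; per-client session keys are derived
# from each client's own TLS handshake, so one user cannot decrypt another.
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10                         # assumed RADIUS address
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER_LONG_RANDOM_SECRET
```

A client that is missing `ca_cert` or `domain_match` is exactly the one the evil twin scenario in the question relies on; the per-device certificate is what distinguishes this from a PSK, since a compromised laptop can be revoked without re-keying every other device.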
0

Network access control products usually have capabilities to defend against these kinds of threats. Some may have more relevant feature sets than others. At least one that I know of can do evil twin detection, and has some additional actions when that kind of threat is detected. It's also a common feature to be able to quarantine a device on the network if it is a newly detected device (an unknown MAC that was able to brute-force its way to access credentials).

The second situation is a bit trickier, but generally network monitoring and security products will let you set baselines for what kind of traffic is considered suspicious. For example, if an authorized user is running a port scan against another authorized user's device, you could automatically revoke their network access or something like that.