
At home, I have a simple ISP-supplied router where I have set up a WPA2-PSK wireless network for our laptops and other devices. While I played around with Wireshark, I noticed that I could use my laptop to see what my tablet is doing on the internet, without the tablet noticing anything.

[Image: Network Topology]

I think this works because all devices have the same wireless key and there is no way to send packets to only one recipient. The recipients are usually kind enough to ignore all the packets that are not addressed to them.

When people visit, I will give them the key since I do trust them enough to perform illegal activities (at least knowingly) or eavesdrop on my traffic. However, they could technically. I came up with the extreme case where Eve would take an old smartphone, enter the key of Alice's network and charge it behind some furniture. It would record parts of the traffic (like DNS requests and passwords in HTTP) and send it to some server. Alice would not notice this, and even if she finds the phone, Eve could say that she just forgot that she charged the phone there.

Would setting up WPA2-Enterprise mitigate this sniffing problem, at least across the different identities?

Martin Ueding
  • If you're that worried about unauthorized devices on your network, you should be performing periodic reviews of the network configuration and attached devices. With a rogue device under her control on your network, Eve could do a lot worse than just sniff traffic. – Iszi Aug 29 '14 at 19:29

5 Answers


It's not possible to see unicast traffic from other users on your wireless network, unless you happened to capture their initial EAPOL registration which contained their session key. Otherwise, even in monitor mode, you're only going to see their broadcast traffic, which is designed to be received by every other device and shouldn't pose a security risk. I believe you've noticed this broadcast traffic and have assumed that you can see all communication from the other devices on your network.

This is a feature of WPA2, not specifically WPA2-Enterprise. Anything else which happens at a higher level in the stack (such as ARP) has no impact on this situation. You can think of WPA2 as analogous to a wired network switch.

James
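To make the key-derivation point in the answers concrete, here is an added Python example (my own, not code from the page or from any answerer) that computes the WPA2 PMK and PTK as defined in IEEE 802.11i. It shows that under WPA2-PSK every device configured with the passphrase derives the identical PMK, that the per-session PTK is then fixed entirely by the MAC addresses and nonces exchanged during the 4-way handshake (which is why a captured EAPOL exchange matters), and that WPA2-Enterprise differs by producing a fresh PMK per session; the passphrase, SSID, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac
import os


def wpa2_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    Every device configured with the same passphrase and SSID derives this same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_enterprise_pmk() -> bytes:
    """Stand-in for WPA2-Enterprise: there the PMK is produced by the EAP exchange with
    the RADIUS server and is fresh for each client session; modelled as 32 random bytes."""
    return os.urandom(32)


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the 4-way handshake via PRF-384 of IEEE 802.11i:
    HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || B || counter) with
    B = min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce).
    AA/SPA are the AP and station MACs; nonces and MACs are sent unencrypted."""
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for counter in range(3):  # 3 x 20 bytes covers the 48 bytes CCMP needs
        msg = b"Pairwise key expansion" + b"\x00" + b + bytes([counter])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:48]


def split_ptk(ptk: bytes):
    """(KCK, KEK, TK): handshake MIC key, key-wrapping key, CCMP data key."""
    return ptk[:16], ptk[16:32], ptk[32:48]


# Constructed sample values (not from the page): one AP, one station, one passphrase.
AP_MAC = bytes.fromhex("02aabbccdd01")
ALICE_MAC = bytes.fromhex("02aabbccdd02")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = wpa2_psk_pmk("correct horse battery staple", "HomeNet")
    kck, kek, tk = split_ptk(wpa2_ptk(pmk, AP_MAC, ALICE_MAC, ANONCE, SNONCE))
    print("PMK (same on every device with the passphrase):", pmk.hex())
    print("TK for this session:", tk.hex())
```

The PMK derivation can be checked against the IEEE 802.11 test vector (passphrase "password", SSID "IEEE"); the PTK is symmetric in the order of the MACs and nonces, so both ends of the handshake arrive at the same keys.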

Yes, WPA2-Enterprise prevents the sniffing you describe. Since every client gets a new & different PMK for every session, clients can't decrypt the traffic of other clients.

ARP poisoning can be prevented by turning on client separation (that way the clients won't be able to reach each other, only the wired network). Although I think most newer access points won't even allow any ARPs through, but will themselves reply to ARPs to the wired network and wireless clients, stripping what they don't, or may not, see.

Terrence Koeman

If I understand correctly (wireless networking is not one of my areas of expertise), WPA2-Enterprise negotiates a unique encryption key for each client, which should make passively sniffing the WiFi much harder.

On the other hand, if a user is able to join the network, he doesn't need to care about how your computers communicate with the access point. He can always just try using ARP poisoning to route all traffic through his machine.

lzam
  • So, to sum things up, you're saying that a passive attack won't work, but an active one will? Why does routing it through your machine decrypt it? Unless you're saying that, once you're pretending to be the router, you pretend to no longer support that encryption scheme... And that seems a bit far-fetched. – KnightOfNi Aug 29 '14 at 22:47
  • Since the RADIUS server has to have some certificate, it should not be possible to spoof the access point. Or would Eve just authenticate against my RADIUS server? – Martin Ueding Aug 30 '14 at 08:53
  • @KnightOfNi All of the encryption WPA2 (personal or enterprise) provides is between the access point and the clients. _If_ Eve is allowed to join the network (as was implied by the question), she can trick Alice into addressing traffic to her, instead of another machine on the network (say the default gateway). The access point receives this misaddressed frame from Alice, decrypts it, and not knowing any better, forwards it to Eve. – lzam Aug 31 '14 at 14:09
  • Right, but you can't impersonate the AP, right? Because then Alice would encrypt it with her PSK, which Eve doesn't know, before sending it. – KnightOfNi Aug 31 '14 at 19:10
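This answer and its comments identify ARP poisoning as the active attack that per-client keys do not stop, since the access point decrypts and forwards whatever Alice addresses to Eve. The following is an added Python example (mine, not from the page) of the defender's side of that: a small monitor that walks a list of ARP replies and flags an IP address being rebound to a different MAC, a reply that contradicts a pinned gateway binding, or one MAC claiming several IPs. The reply records are constructed sample data.

```python
from collections import defaultdict

# Constructed sample ARP replies ("is-at") as (time, sender IP, sender MAC).
# The last two records show the gateway's IP being answered from the phone's MAC.
SAMPLE_REPLIES = [
    ("12:00:01", "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway
    ("12:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),  # Alice's tablet
    ("12:00:03", "192.168.1.30", "aa:bb:cc:00:00:30"),  # Eve's old phone
    ("12:00:09", "192.168.1.1", "aa:bb:cc:00:00:30"),   # gateway IP claimed by the phone
    ("12:00:10", "192.168.1.1", "aa:bb:cc:00:00:30"),
]


def detect_arp_spoofing(replies, pinned=None):
    """Return alerts as (kind, time, ip, mac) tuples.

    'rebind'   : an IP was answered from a MAC other than the last one seen,
                 or other than the MAC it is pinned to (e.g. the gateway).
    'multi-ip' : one MAC has now claimed more than one IP address.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    bindings = {}                    # ip -> last MAC seen for it
    ips_per_mac = defaultdict(set)   # mac -> IPs it has claimed so far
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        expected = pinned.get(ip, bindings.get(ip))
        if expected is not None and expected != mac:
            alerts.append(("rebind", ts, ip, mac))
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append(("multi-ip", ts, ip, mac))
        bindings[ip] = mac
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, pinned={"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print(*alert)
```

Pinning the gateway's MAC makes every later spoofed reply alert, whereas without pinning only the first change of binding is caught.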

The whole process is called pre-shared key precisely because it is a key that gives access to the group that has it! If you want more control over who can or cannot access the network itself, use control via the hardware address (of each device that may or may not access the network) together with control over the assignment of IP addresses, but this creates a lot of management work, and not all devices allow it; only a few devices allow this kind of control in large networks, and there it gets a little more complicated!

But as I always say to those who come to me for advice: it is always worth more to have a good key, even a shared one, meaning a good and well-designed encryption key of 128 bits or more, than to use just one word or a small group of numbers as a lot of people do!

With a pre-shared key you can (and should) update it periodically, every two or three weeks. It is important that you always keep it updated, so you will not have a problem even if it is pre-shared by a group of users on a network with more than 200 machines. The important thing is to keep it under control and updated.

Joke Sr. OK
  • Changing the PSK periodically means that I have to enter it on three devices, and my girlfriend on one, each time. I think WPA2-Enterprise would allow me to specifically allow friends into the network and cut their access later on. – Martin Ueding Aug 30 '14 at 08:55
  • You can do this without problems, of course, depending on the device you have there (your router), since many allow you to set access rules per device and at what times such a device cannot access. Check whether the device you use has a section to configure this; if not, try looking through the FW section ("firewall" or packet filtering), where you will be able to define these rules. I set rules of this type in my poor router from TP-Link. I know you can do the same there! – Joke Sr. OK Aug 30 '14 at 14:48

I think the easier way to solve this problem is to broadcast multiple SSIDs. Most SOHO routers do have support for multiple SSIDs.

With multiple SSIDs, you could designate one for personal/family usage and one for guest usage. The traffic on each SSID is isolated from the other through VLAN tagging; however, it would be prudent to double check, as I have come across some routers which bridge the networks automatically and have no option of disabling the bridge.

More information here: https://superuser.com/questions/354958/how-do-multiple-ssids-provide-security

With WPA2-Enterprise, you need a router that has a built-in RADIUS server, or you must run your own RADIUS server on a separate machine. A built-in RADIUS server is available on only some business routers.

limbenjamin