
We have a guest wifi network set up on a separate VLAN, using an open connection (e.g. NO WPA/WEP).

A (semi-technical) customer recently complained that he wasn't happy about his traffic not being encrypted. I gave him the usual advice that if security is important he should be using a VPN, even on a WPA network, etc.

But it got me thinking:

Is there any point to setting up WPA2 on a guest network, where we give out the password to anyone that asks anyway (and write it on the walls!)?

I understand it'd limit snooping between connections that are already established, but if you're listening when someone connects isn't it relatively trivial to capture the authentication information / 4-way handshake and then use that to snoop?

Doesn't that defeat the point of having WPA on a guest/"open" network?

  • See also: http://security.stackexchange.com/questions/8591/are-wpa2-connections-with-a-shared-key-secure – Shane Madden Jul 28 '14 at 23:20
  • Thanks @ShaneMadden that matches my understanding. So, is there any advantage to having WPA/2 on a guest network? As I mention below, at least with an 'unsecured' network, most major OS *warn* that the information might not be secure. – Venison's dear isn't it Jul 28 '14 at 23:32
  • It's a trade-off. WPA2 means someone trying to sniff data needs to actually obtain the password, and needs to go through the effort to decrypt the data - these barriers won't stop someone determined, but will stop someone clueless with firesheep. On the other hand, it's an extra barrier to customers to get on the network, and as you pointed out, might be giving a false sense of security. In the end, it depends on what makes the most sense for your business. – Shane Madden Jul 28 '14 at 23:38
  • @ShaneMadden if you're happy to write up your comment as an answer, I'll accept. EEAA's answer below is incorrect and misleading. Don't have the rep to mark it down. – Venison's dear isn't it Jul 29 '14 at 23:18

3 Answers


Depends on the situation. Someone with the WPA2 PSK and the right tools and knowledge can indeed decrypt traffic of the other users on the network (see here).

On the one hand, the barriers of having the key, having the tools, and having the knowledge can be a useful deterrent, and prevent some clueless jerk with a copy of firesheep from casually stealing other people's sessions.

On the other hand, needing to get and enter a key can be a pain for your legit users, and as you pointed out, can provide a false sense of security.

Which way you go depends on which option makes the most sense for your organization.

Shane Madden

First, you should be using WPA2, not WPA. To my knowledge, there is no known, easily-exploitable way to intercept and decrypt a WPA2-protected wifi stream, even if you're snooping the entire conversation.

Your guest is absolutely right, there is no good reason to have open wireless networks. Doing so is just inviting abuse, not to mention looking incompetent in front of your customers.

EEAA
    My understanding was with only the pre-shared key (PSK) you cannot decrypt other users' traffic, but it is fairly simple to collect the additional info needed and then snoop. The PSK is used to generate a Pairwise Master Key (PMK) which in turn generates the Pairwise Transient Key (PTK) used for encrypting packets. Both parties, the station and access point (AP), calculate the PTK using nonces (random numbers), the MAC addresses, and a couple of other pieces of data combined with the PMK. All the data other than the PSK is in the 4-way handshake and is not encrypted. – Venison's dear isn't it Jul 28 '14 at 22:40
  • So knowing the PSK and collecting the 4 frames of the RSN protocol (a.k.a. the 4-way handshake) is enough information to feed into something like Wireshark and decrypt traffic between a station and AP. You can argue that collecting the data from the 4-way handshake is timing sensitive, but several (free) tools exist that allow a third party to forge de-authentication packets, enabling an attacker to better predict when to capture this information. – Venison's dear isn't it Jul 28 '14 at 22:41
  • @Venison'sdearisn'tit Even if there are possible ways to break WPA2, it will deter the casual wardriver, which gets rid of a lot of trouble. – Michael Hampton Jul 28 '14 at 23:13
  • @MichaelHampton hate to sound pedantic, but I'd be tempted to argue that then you're just creating a false sense of security, rather than security per se. – Venison's dear isn't it Jul 28 '14 at 23:16
  • @Venison'sdearisn'tit Not to mention the attack you're referring to does not get you in or let you decrypt others' packets, it only gets you enough information to [run an offline brute force attack on the WPA2 passphrase](http://www.drchaos.com/breaking-wpa2-psk-with-kali/). – Michael Hampton Jul 28 '14 at 23:17
  • @MichaelHampton Sorry to elaborate ... at least with an open network, people are warned about the security issue in most of the major OS in use. Using a WPA2 secured network, but then giving the PSK to all and sundry will fool people into thinking they're on a secure network, when in reality they're not... – Venison's dear isn't it Jul 28 '14 at 23:20
  • @MichaelHampton the link points to an attack that allows you to gain the passphrase as you mentioned. My understanding was if you *already had* the PSK(/passphrase), it's possible to intercept the 4 frames from the RSN protocol, and then with those, to decrypt traffic between the station that authenticated and the AP. As I mentioned, all the data other than the PSK is in the 4-way handshake and is not encrypted. It's very possible that I'm wrong here, and would be happy to be proved so! Not my area of expertise. – Venison's dear isn't it Jul 28 '14 at 23:24
  • Good point. [This apparently is possible.](http://security.stackexchange.com/q/8591/11291) Your options, then, are kind of limited. Still it's better than nothing...or is nothing better? Anyone who's truly concerned should be using a VPN regardless of what security you have, because _your company_ might not be trustworthy. But even WPA2-PSK will protect from people outside the building who don't know the PSK. – Michael Hampton Jul 28 '14 at 23:28
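An added example (not code from the thread) of the key schedule the comments above describe, following the WPA2-PSK derivation from IEEE 802.11i: the PMK comes from the passphrase and SSID, and the PTK comes from the PMK plus the two MAC addresses and two nonces that are sent in the clear in the 4-way handshake. The SSID, passphrase, MAC addresses and nonces below are constructed sample values; the one real value is the published 802.11i test vector ("password"/"IEEE") used to check the PMK step.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) concatenated, then truncated."""
    out = b""
    for i in range((nbytes * 8 + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, ccmp: bool = True) -> dict:
    """PTK from the PMK and the four handshake values (AP MAC, station MAC, ANonce, SNonce).

    Only the PMK is secret. The MACs and nonces travel unencrypted in EAPOL messages 1 and 2,
    so every party holding the same PSK can reproduce this computation for any session it
    observed. min/max ordering makes both sides agree regardless of who is AP and who is STA.
    CCMP uses a 384-bit PTK (KCK 128 | KEK 128 | TK 128); TKIP uses 512 bits.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48 if ccmp else 64)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}


# Constructed sample guest-network values (not captured from any real network).
GUEST_SSID = "CafeGuest"
GUEST_PSK = "welcome-guest"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def session_keys_seen_by(passphrase: str) -> dict:
    """What any party that knows the passphrase and saw one station's handshake can compute."""
    pmk = derive_pmk(passphrase, GUEST_SSID)
    return derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
```

The deterrent the answers discuss is the PSK itself: a fresh SNonce per association gives each guest a distinct TK, but anyone who also has the PSK recovers it, which is why per-user credentials (802.1X) or a VPN are the only way to get confidentiality between guests.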

I realize this isn't much of an "answer", but we have a WPA2 pre-shared key on our guest WiFi network. (For reference, we use Ubiquiti UniFi Access Points and the guest network is locked down for Internet access only.)

We printed tent cards with the guest SSID name and the key and put them on all of the conference tables. To get the key you would have to get past reception or the locked doors.

As an additional layer of security, you can change the key periodically and print new cards.

I can't really think of any reason not to have it encrypted, besides laziness. Cuts down on the possibility of someone randomly attaching to the WiFi from the parking lot.

myron-semack