Wireless security primer for users in 2021
Almost everyone has at least one internet-connected gadget in today's connected society. With the number of devices on the rise, it's critical to have a security plan to reduce the risk of their being exploited.
The number of WLAN-connected devices has risen from 8.36 billion in 2016 to 22.2 billion in 2021!
There are some security issues with the wireless connection. The good news is that these security problems can be addressed quickly, doing wireless networking as secure as conventional connectivity.
Let's look at what those issues are and how to address them!
Table of Contents:
- Concept of wireless security
- Wireless security attacks
- How to prevent wireless network attacks
- Home Wi-Fi security tips for users
- Wireless security protocols for users in 2021
- Differences in WEP, WPA, WPA2, WPA3
Wireless security, which includes Wi-Fi networks, prevents unwanted access to or harm to computers or data over wireless networks. Wireless network security is frequently supplied by wireless equipment (typically a router or switch) that encrypts and protects all wireless traffic by default.
Even if a hacker gains access to your network, the encryption prevents them from seeing any of your data. But that's not all there is to wireless network security.
Without Wi-Fi security, anybody with a computer or mobile device within range of the router's wireless signal may access networking equipment such as a wireless access point or a router.
We can now perform our business activities online, without being tethered by cables and wires, thanks to the widespread usage of the internet. Wireless networks are simple to use, make our business operations more manageable, and allow us to move about more easily.
While on the other hand, they are far more vulnerable to assaults and intrusions than wired networks.
Below are some commonly known wireless network attacks.
The purpose of networks is to make information flow more easily and quickly. The data is delivered in packets over both wired and wireless networks to achieve this aim. These packets are transmitted over the air due to the nature of wireless networks.
As a result, capturing them is pretty simple.
Image source − cyberhoot.com
Any illegal access point (AP) on a network is referred to as a rogue access point. An attacker or even a misguided employee can generate it. Furthermore, rogue APs expose the entire network to DoS attacks, packet grabs, ARP poisoning, and other threats.
Image source − kalitut.com
To safeguard your company, you may employ network access restrictions and protocols, as well as authentication methods.
Creating an evil twin is one of the most common tactics used by wireless network attackers. Put another way, attackers obtain a wireless access point and configure it to function as the current network.
The 'evil' access point can no longer be differentiated from legitimate access points in this manner.
Image source − cybersecurityasean.com
One of the simplest methods to prevent evil twins is to use data encryption, which means that even if an attacker succeeds in creating an evil twin, they will be unable to access your data.
The goal of jamming (interference) is to disturb the network. Interference is almost unavoidable due to the wireless characteristics.
Intruders with malicious intentions frequently combine jamming techniques with additional means such as evil twinning. If you want to safeguard your company, you should get a spectrum analyzer and increase the power of your existing access points or use other frequencies.
- MAC Access Control List
- Virtual Private Networks (VPNs)
- Built-in router Firewall
- Disable SSID broadcast
Changing default passwords for network devices is a fundamental recommended practice for Wi-Fi security.
Changing network device default passwords to more complex passwords—and changing them frequently—are easy but effective methods to increase Wi-Fi security. Other Wi-Fi network security measures are as follows:
Another fundamental method to Wi-Fi security is the MAC access control list, which limits/filters the traffic to your Wi-Fi network based on the MAC addresses list you provided.
MAC address access control list permits or deny access to your Wireless network based on the device MAC address.
While this strategy provides greater security than an open network, it is still vulnerable to assault by adversaries employing "spoofed" or changed addresses. Since it is straightforward to spoof a MAC address, even a noob attacker can do that after some Googling.
One of the most effective methods for defending against wireless network assaults is a VPN, which provides end-to-end encryption for your internet-connected devices. To ensure maximum network-wide safety in the office, you may install a VPN on each device or have one set up on your router.
A virtual private network (VPN) creates a secure connection between you and the internet. All your data traffic is routed over an encrypted virtual tunnel via the VPN. When you access the internet, this masks your IP address, making its location opaque to everyone. It makes it more difficult for third parties to follow your internet activities and steal information.
How to enable and configure router's built-in firewall
A firewall is an effective deterrent to hackers and cybercriminals. Most wireless internet routers have a hardware-based firewall that is inactive unless it is activated.
Firewalls aid in the prevention of port-based assaults that originate on the internet. By blocking harmful traffic from leaving your network, firewalls can also prevent an infected computer inside your network from attacking other computers.
How to enable and configure router's built-in firewall
Although routers differ, the following is an essential procedure for enabling and configuring your built-in firewall:
Consider the case of a thief. When you leave the house, lock the door. It stops the ordinary thief from strolling straight in. On the other hand, a determined thief will either smash down the door, pick the lock, or enter through a window.
Similarly, while keeping your SSID hidden is preferable, it is not a foolproof security precaution. Someone with the appropriate tools and enough time may sniff your network's traffic, identify the SSID, and further breach the network.
However, it's always better to take precautions. Avoid making your SSID public to prevent strangers from readily accessing your network. Users secure their device's SSID on all Wi-Fi routers, making it more difficult for attackers to locate a network.
Change your SSID to something unique at the very least. Leaving it at the manufacturer's default might allow a potential attacker to figure out what kind of router you have and exploit any known flaws.
- Default username and passwords should be changed
- Updating your router's software is essential
- Remote Administration should be disabled
- Be cautious when exchanging files
- When you are not at home, turn off your Wi-Fi network
Many individuals are ignorant of the security hazards that internet-connected devices might provide if not adequately secured by a secure Wi-Fi network. We would never leave our home door unlocked, yet leaving our Wi-Fi networks unlocked exposes us to the same security threats.
Preventing these hazards may be as simple as taking a few measures when configuring and using your devices. Let's look at some of these measures:
Change the default username and password to something safer as the first and most essential step in securing your home Wi-Fi network.
Hackers can readily obtain these default credentials online since Wi-Fi providers automatically provide an username and password to the network. They can change the password to anything they want, lock the owner out, and hijack the network if they can obtain access to it.
By changing the username and password, attackers will have a more challenging time determining whose Wi-Fi it is and gaining access to the network. Select a strong password that contains letters, numbers, and symbols to make it more challenging to break.
To keep your home's network secure, make sure your Wi-Fi software is up to date.
The firmware of the router, like any other form of software, might include flaws that hackers are eager to exploit. Because most routers don't have an auto-update feature, you'll have to update the software to keep your home network safe manually.
The remote administration function on a router is another technique for hackers to access a home network connection
Anyone within a reasonable distance of your home may monitor and alter your Wi-Fi settings via remote administration. It's advisable to disable this function if you don't need to remotely connect to your Wi-Fi router.
It may be done by heading to the Wi-Fi settings administrative area and selecting the deactivate button.
Always enable file sharing only on your home or business networks and never on public networks.
You might want to try establishing a separate file-sharing directory and restricting access to all other folders.
Be careful: never share a whole hard drive's worth of files!
It may appear easy but turning down your home network when you are not at home is one of the simplest methods to safeguard it against assault. Your home Wi-Fi network does not have to be operational 24 hours a day, seven days a week.
When you turn off your Wi-Fi when you leave the house, you minimize the odds of opportunistic hackers attempting to get into your home network while you're not there.
Passwords are only half the fight when it comes to wireless security. Choosing the appropriate degree of encryption is equally important, and the right decision will decide whether your wireless LAN is a straw hut or a resilient castle.
Most wireless access points (APs) support one of four wireless encryption standards:
- Wired Equivalent Privacy (WEP)
- Wi-Fi Protected Access (WPA)
Find out below which is ideal for your wireless security needs
The Wi-Fi Alliance created WEP, the initial encryption algorithm for the 802.11 standards, with one aim in mind: to prevent hackers from eavesdropping on wireless data as it was transferred between clients and access points.
WEP uses RivestCipher4 (RC4) stream cipher to protect wireless networks in secrecy and CRC32 for data integrity.
The standard initially called for a 40-bit pre-shared encryption key; however, a 104-bit key became accessible once the United States government relaxed some federal limitations.
An administrator must manually input and update the key to improve encryption, combined with a 24-bit initialization vector (IV).
The tiny size of the IV, on the other hand, increases the probability that users would recycle keys, making them easier to break.
WEP is a dangerous choice for wireless security because of this feature and numerous other security faults and weaknesses, including faulty authentication techniques.
WPA is an improved form of wireless security released in 2003 by the Wi-Fi Alliance to address the shortcomings of WEP.
The IEEE committee advised users to update to WPA, which uses the Temporal Key Integrity Protocol (TKIP) for encryption and is based on WEP.
WPA uses the same hardware as WEP and needs a firmware upgrade. While RC4 encryption is still utilized, TKIP uses a temporal encryption key that is refreshed regularly, making it more difficult for a key to be stolen and subsequently used to decrypt a valuable quantity of data.
WPA makes effective use of TKIP to increase data encryption. TKIP uses a 128-bit per-packet key and dynamically changes keys for each packet as the system is utilized.
The Michael algorithm is employed to offer a message integrity check and a re-keying method, therefore addressing WEP's shortcomings.
The IEEE 802.11i standard uses Wi-Fi Protected Access 2 (WPA2) to describe wireless technologies. The WPA 2 draft standard was approved on June 24, 2004, and implemented in September. WPA 2 is an improved version of WPA that utilizes AES instead of TKIP to address WPA's weaknesses.
In particular, the Michael Algorithm (MIC) is replaced with a completely secure message authentication code, CCMP and RC4 are replaced by AES.
Additional Authentication Data (AAD) is produced in WPA 2, and the AAD contains field integrity protection provided by the CCM algorithm.
In 2017, Mathy Vanhoef, a Belgian security researcher, found the Key Reinstallation Attack (KRACK) vulnerability in WPA2, which exploits the re installation of wireless encryption keys.
KRACK was widely recognized as a significant WPA2 security issue, prompting technology companies to swiftly roll out software updates to minimize risk until the next generation of wireless security arrived.
The Wi-Fi Alliance began certifying WPA3, the most modern wireless security standard, in 2018. Experts now believe WPA3 to be the most secure. All devices seeking Wi-Fi certification must support WPA3 by July 2020, according to the Wi-Fi Alliance.
Protected Management Frames, which assist prevent eavesdropping and forgery, are mandated by WPA3. It also codifies the 128-bit cryptography suite and prohibits the use of old-fashioned security methods.
WPA3-Enterprise includes a 48-bit IV and optional 192-bit security encryption to protect critical business, financial, and governmental data. CCMP-128 and AES-128 are used in WPA3-Personal.
Simultaneous Authentication of Equals (SAE), a variant of the Internet Engineering Task Force's dragonfly handshake in which either the client or the AP can start communication, solved WPA2's KRACK issue.
SAE restricts users to active, on-site authentication attempts and flags anyone who attempts too many password guesses.
WPA3 is widely regarded as the most secure wireless protocol available today, according to experts.
From WEP through WPA3, every type of security protocol is an upgrade & enhancement over the previous one, as seen in the introduction above. Here is a quick overview of four generations that will answer your basic questions like:
- What is the most secure wireless protocol?
- Should I use WPA3 or WPA2?
- Is WPA2 still secure?
- Which is more secure, WPA3 or WEP?
Let's have a look at salient features of these four security protocols:
First 802.11 security standard. Easily hacked due to its 24-bit initialization vector (IV) and weak authentication
An interim standard to address major WEP flaws. Backward compatible with WEP devices
Upgraded hardware ensured advance encryption did not affect performance
Current standard. New authentication methods help thwart KRACK and offline dictionary attacks
How it works
Uses RC4 stream cipher and 64- or 128-bit keys
Retains use of RC4 but adds longer IVs and 256-bit keys. Each client gets new keys with TKIP. Enterprise mode: Stronger authentication via 802.1x and EAP
Replaces RC4 and TKIP with CCMP and AES algorithm for more robust authentication and encryption
Replaces PSK four-way handshake with SAE. Enterprise model has optional 194-bit encryption and a 48-bit IV
Should you use it?
If WPA3 is not available
As we get closer to a future when everything from our phone to our refrigerator is connected to the internet through a wireless connection, it's becoming increasingly vital to know how to keep our Wi-Fi safe and secure.
The procedures described above are simple enough for even the least tech-savvy individual to follow.
Of course, none of these measures are fail-safe, but they are worth an effort that can significantly reduce danger concerns in your wireless network.