Zero Day in wireless

AirDefense recently did a Wireless LAN security survey of New York City retailers where they declared two thirds of retailers insecure according to John Cox’s story. According to the AirDefense survey, a third used zero link layer wireless LAN security (explanation of link layer here) and a third used “weak security”. AirDefense goes on to say that one third was secure using WPA2 which Cox described as a “quantum improvement” and said that it “brought 802.1x authentication down to every device”.

The first problem with this report is that AirDefense lumped WPA-PSK in with WEP, which is ludicrous since there's no comparison on the level of security. WPA-PSK, if deployed with a reasonably complex password of 10 or more random alphanumeric characters, has never been broken, whereas WEP can be broken in minutes. The second problem is the implication that only WPA2 brings 802.1x authentication, when in fact 802.1x has been used since 2000 with dynamic WEP mode or WPA (AKA 802.11i draft) mode.
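To make the passphrase point concrete, here is an added example (not from the original post) showing how a WPA/WPA2-PSK passphrase is turned into the 256-bit Pairwise Master Key (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, as the standard specifies) and how much entropy a random 10-character alphanumeric passphrase carries; the policy function and the helper names are my own assumptions.

```python
import hashlib
import math
import secrets
import string

# 62-symbol alphabet the post refers to: upper/lower case letters plus digits
ALPHANUMERIC = string.ascii_letters + string.digits


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-PSK Pairwise Master Key from a passphrase.

    The standard defines PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits).
    A passphrase must be 8 to 63 printable ASCII characters; a 64-hex-digit
    string would be the raw PSK itself and is not covered here.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def random_passphrase_bits(length: int, alphabet_size: int = len(ALPHANUMERIC)) -> float:
    """Entropy in bits of a passphrase drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def generate_passphrase(length: int = 10) -> str:
    """Generate a uniformly random alphanumeric passphrase with a CSPRNG."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def meets_policy(passphrase: str, min_length: int = 10) -> bool:
    """Hypothetical deployment check: at least min_length alphanumeric characters."""
    return len(passphrase) >= min_length and all(c in ALPHANUMERIC for c in passphrase)


if __name__ == "__main__":
    # Every client configured with the same passphrase on the same SSID installs
    # the same PMK, which is the shared-key weakness of plain WPA-PSK.
    pmk = derive_pmk("password", "IEEE")
    print(pmk.hex())  # f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    print(f"{random_passphrase_bits(10):.1f} bits")  # 59.5 bits
    candidate = generate_passphrase()
    print(candidate, meets_policy(candidate))
```

The first printed PMK matches the published IEEE 802.11i reference vector for passphrase "password" on SSID "IEEE", which is a quick way to confirm a derivation implementation before trusting it.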

WPA2 can just as easily be used in PSK (pre-shared key) authentication mode along with the weaker TKIP encryption mode. WPA can just as easily be used in 802.1x authentication mode along with the strongest AES encryption mode. So in this particular example, WPA can actually be deployed in a stronger authentication and encryption mode than WPA2.

WPA is an industry standard that is based on the IEEE draft 802.11i security standard, whereas WPA2 is based on the ratified standard, so they're essentially the same thing. Both WPA and WPA2 let you choose your authentication modes, and both let you choose between TKIP and AES encryption mode. A WPA-compliant device, however, can implement AES optionally, whereas WPA2-compliant devices must be capable of both, though you're not required to use AES. The only other thing that WPA2 adds is pre-authentication and PMK (Pairwise Master Key) caching, which improves seamless roaming of clients between access points but has nothing to do with security.

The other issue is that large chain stores often cannot avoid using WPA-PSK mode because of the reliability issues with remote RADIUS servers in 802.1x mode. These stores often don't have redundant WAN (Wide Area Network) connectivity, and they can't afford to have their wireless cash registers go down if the WAN goes down. One vendor, Ruckus, actually came up with a unique Dynamic PSK scheme that allows you to have unique per-user, per-device WPA-PSK passwords. Since this solution can survive WAN failures, it may be just the right solution to avoid the shared key problems of WPA-PSK and the reliability problems of remote 802.1x authentication. For your typical enterprise, however, I still recommend doing it the right way with 802.1x.

So the lesson here is to never make knee-jerk assumptions that WPA2 is automatically secure and WPA-PSK is just as bad as WEP. This isn't to say that WPA2 isn't good, because it is, but I'm surprised that AirDefense would lump WPA-PSK in with WEP.
