Kevin Beaver's Security Blog

Is Your Wireless Encryption Enough?

After reading this piece about the recently released report on the TJX breach from the Office of the Privacy Commissioner of Canada and the office of the Information and Privacy Commissioner of Alberta, I had a thought about the false sense of security that wireless encryption gives us. TJX was apparently using both WPA and WEP for wireless encyrption but it was the WEP that got them into trouble. The thing is, whichever one is used, it’s easy to believe that the airwaves are protected. “Encryption” is being used after all..that’s good enough, right?

Based on my own experience and that I’ve from others, I guarantee you most of the times that aircrack (or any of the other wireless encryption cracking tools) are run against a wireless network, the results come back negative. No weak encryption implementation – no cracked passphrases – nothing. All’s well in 802.11-land. Management sees this and assumes that the business network is safe.

The devil’s in the details though. If you look closer at how most wireless “hacking” or penetration tests are carried out, the techniques are often flawed:

• the timeframe for wireless testing is limited (i.e. you/they need to move on to other stuff since the budget doesn’t allow for days or weeks of analysis)
• many wireless networks don’t generate enough packets needed by the tools to crack the passphrases
• dictionaries used for cracking WPA pre-shared keys are too limited…it’s difficult if not impossible to have a dictionary of all possible passphrase combinations
• it’s assumed that if no signal can be seen outside of the building with a plain old laptops built-in wireless antenna that no one will be able to access the wireless airwaves
• testing is only performed on a limited subset of wireless access points (this is OK if all wireless networks are configured the exact same way but that’s rarely the case)

All of these provide just enough false sense of security to justify leaving things the way they are.

My point is that just because your wireless environment checks out OK, it doesn’t mean it really is secure. With the right tools and enough time and effort, it very well could be cracked. Whether it’s protected by WEP or WPA using pre-shared keys – if it’s implemented incorrectly, wireless encryption can eventually be broken leading to a TJX-like mess.

If you’re using wireless, make sure your testing is done the right way…Spend the time, money, and effort to get a real-world view of how secure or unsecure it really is. There’s no logical excuse for using WEP in a business environment either. Get everything off of it as soon as you can. TJX apparently didn’t do this and they – and a lot of people – are paying the price.