A researcher at the Catholic University of Louvain in Belgium discovered a security breach in WPA2, the protocol used to protect wifi networks (wireless networks), we learn on Monday. Every device that uses wifi is probably vulnerable according to the researcher. All the more reason to secure what can be!
Terminal power
The first thing to do when setting up a wireless network is to intelligently position access points according to the area you want to cover. However, it is not uncommon for the area actually covered to be much larger than desired, in which case it is possible to reduce the power of the access point in order to adapt its range to the area to be covered.
Default values
When first installing an access point, it is configured with default values, including the administrator’s password. Many budding administrators consider that once the network is up and running, there is no need to change the configuration of the access point. However, the default settings are such that security is minimal. It is therefore imperative to connect to the administration interface (usually via a web interface on a specific port of the access point) in order to define an administration password.
On the other hand, in order to connect to an access point it is essential to know the network identifier (SSID). Thus it is strongly recommended to modify the name of the default network and to disable its broadcast on the network. Changing the default network identifier is all the more important because it can give hackers information about the brand or model of the access point used.
MAC address filtering
Each network adapter (generic name for the network card) has its own physical address (called MAC address). This address is represented by 12 hexadecimal digits grouped in pairs and separated by dashes.
Access points generally allow in their configuration interface to manage a list of access rights (called ACL) based on the MAC addresses of devices authorized to connect to the wireless network.
This slightly restrictive precaution makes it possible to limit access to the network to a certain number of machines. On the other hand, this does not solve the problem of confidentiality of exchanges. This filtering is also easily bypassable for an experienced user.
WEP – Wired Equivalent Privacy
To solve the problems of confidentiality of exchanges on wireless networks, the 802.11 standard includes a simple data encryption mechanism, WEP, Wired equivalent privacy.
WEP is a protocol for 802.11 frame encryption using the RC4 symmetric algorithm with 64-bit or 128-bit keys. The WEP principle consists in first defining a secret key of 40 or 128 bits. This secret key must be declared at the access point and client level. The key is used to create a pseudo-random number of a length equal to the length of the frame. Each data transmission is thus encrypted using the pseudo-random number as a mask thanks to an Exclusive OR between the pseudo-random number and the frame.
The session key shared by all stations is static, i.e. to deploy a large number of WiFi stations it is necessary to configure them using the same session key. Thus the knowledge of the key is sufficient to decipher the communications.
In addition, 24 bits of the key are used only for initialization, which means that only 40 bits of the 64-bit key are actually used to encrypt and 104 bits for the 128-bit key.
In the case of the 40-bit key, a brute force attack (i.e. trying all possible keys) can very quickly cause the attacker to find the session key. In addition, a flaw detected by Fluhrer, Mantin and Shamir regarding the generation of the pseudo-random string makes it possible to discover the session key by storing 100 MB to 1 GB of intentionally created traffic.
WEP is therefore not sufficient to guarantee real data confidentiality. However, it is strongly recommended to implement at least 128-bit WEP protection in order to ensure a minimum level of confidentiality and thus avoid 90% of intrusion risks.
WPA / WPA2
To achieve a higher level of security, WPA or WPA2 encryption should be used.
Improve authentication
In order to more effectively manage authentications, authorizations and user account management (AAA) it is possible to use a RADIUS (Remote Authentication Dial-In User Service) server. The RADIUS protocol (defined by RFC 2865 and 2866), is a client/server system for centrally managing user accounts and associated access rights.
Setting up a VPN
For all communications requiring a high level of security, it is preferable to use strong data encryption by setting up a virtual private network (VPN).
