WPA2 Personal is dead. If you want "protection" while you access the net, you should just do it the old-fashioned way... (just kidding)
Copyright 2015 Imperial Network Solutions, LLC
I’ve blogged in the past on Wi-Fi Sense in Windows 10 (http://www.emperorwifi.com/2015/06/wi-fi-sense-how-microsoft-has.html). Now, you can get the same functionality on Google Android devices with a Chinese app called Wi-Fi Master Key: http://www.enterprisetimes.co.uk/2015/10/29/who-needs-wifi-passwords/
Wi-Fi Master Key works ostensibly the same way as Wi-Fi Sense. With both systems, the SSID and passphrase are stored centrally and then the passphrase is shared directly with your device. The focus of these services is on security for the user, not security for the network. Both systems claim security because the user never sees the WPA2 passphrase. This is little comfort to network administrators, because these users get authenticated to the network whether they explicitly know the passphrase or not. The user is also “isolated” from the network. In Wi-Fi Sense, this is really only one-way: the connected network is considered “public” in Windows, and firewall rules are set up so that no one else on the network can access the PC. However, the connected PC can still access anything and everything else on the network. Wi-Fi Master Key claims similar isolation functionality, which appears to use a similar firewall mechanism, because the app can only control its own device, not the network.
In Wi-Fi Sense, the default settings are to share the network with all of your Facebook and Skype friends, though you have to explicitly agree via a popup. With Wi-Fi Master Key, it appears that sharing also needs to be done explicitly, though it is probably fairly easy to do so. There is not even lip service given to controlling who the information is shared with – apparently once a network is available in Wi-Fi Master Key, it is available to anyone else running the app. Once the network is shared, it is shared and difficult to
Such apps are touted for the following types of networks:
- Hotspots: Such networks are usually open (i.e. no encryption key) or have a WPA2 passphrase that is publicly available and thus not a secret (see my blog on this subject: http://www.emperorwifi.com/2015/05/how-operators-can-make-hotspots-and.html)
- Private Homes: Wi-Fi Sense is really touted for someone visiting the home of a friend or family member but too lazy to ask for the Wi-Fi passphrase. These days, most consumer Wi-Fi routers come with a “guest network” feature so you can establish a secondary SSID for visitors that is isolated from your main network, though this assumes the consumer will be able to figure out and properly implement this feature, and not leave their device broadcasting “linksys” on Channel 6.
Large enterprises generally implement WPA2 Enterprise, which uses a back-end database implementing RADIUS to control what devices are on the network, and each user and/or device has its own unique set of credentials (either installed certificates or username/password information). Large enterprises also tend to have mobile device management (MDM) systems to either control what devices are on the network, or at least control what applications are allowed with particular settings or banned. As a result, large corporate and government networks are immune from these types of Wi-Fi password sharing applications.
The challenge with WPA2 Enterprise, however, is that it takes a lot of IT resources to set up and maintain the database. While large corporations have the knowledge, resources, and funds to do this, most small/medium businesses (SMBs) do not. SMBs generally do not have the IT resources (knowledge or funds) to set up WPA2 Enterprise and MDM systems, so they rely upon WPA2 Personal (i.e. a passphrase) for the Wi-Fi security of their business. Most SMBs also have fairly liberal bring-your-own-device (BYOD) policies, and it only takes one user with one device sharing the Wi-Fi credentials to compromise the security of the network. To complicate matters further, most consumer and IoT network devices may not even support WPA2 Enterprise.
So what are SMBs to do? There are limited options:
- VLANs: Segment your business network from your guest network, and only allow BYOD on your guest network (http://www.emperorwifi.com/2015/05/vlans-why-you-always-want-to-use-them.html). This may require some network hardware as well as configuration upgrades, and may not even be practical for some businesses. This also won’t completely protect you if you need some of those BYOD devices on your corporate network for your daily operations.
- PPSK: Implement a Wi-Fi solution with personal pre-shared key (PPSK). Unfortunately, there are only a few enterprise AP vendors (e.g. Cisco, Aerohive, Ruckus) that offer this functionality, and while I’m sure they all want to sell in the SMB space, their pricing and complexity are generally prohibitive for the SMB market. Devin Akin has a good blog on PPSK and its relevance to IoT (http://divdyn.net/iot-fly/).
The reality is that both VLANs and PPSK will ultimately be required. AP vendors who focus on the SMB market generally support VLANs today and will ultimately offer integrated PPSK solutions. Such solutions may be slow to appear, however, so I wouldn't be surprised to see one or more plucky startup firms try to fill this security void. Watch this space.
Given the trends of more Wi-Fi Passphrase sharing applications, we need to accept that passphrase sharing is part of the new world order, and that WPA2 Personal is no longer sufficient for the needs of SMBs or even for consumers who want to keep their network resources private.