It’s no secret that pre-shared keys are insecure, especially compared to digital certificates.
However, with many services being moved to the cloud, fewer and fewer resources are being stored in-network. Shared files aren’t stored on an intranet these days, they’re in the cloud. New software runs on cloud-based servers, not on dusty racks in a basement server room. Even if you’re still using the Microsoft Office Suite, chances are you’re storing the files in Google Drive or Microsoft Onedrive.
Practically nothing is stored on your business’ network. What’s the big deal if a hacker manages to compromise your PSK and gain access? All of the juicy stuff is still behind another layer of protection in the cloud.
It’s true that those resources are better protected, but even if the hacker only manages to breach your network they can inflict a lot of harm in a short amount of time.
Vulnerabilities of a Network Secured with PSKs
Layer 2 Attacks
Layer 2 of the OSI model is the “Data Link Layer”, the layer that transfers data between adjacent nodes on a wide area network. It’s a foundational layer that establishes the protocols and procedures that computers use to communicate.
It’s not typically the first route a hacker would choose to compromise a system due to the limited influence of the layer, and so layer 2 protection is often not prioritized. There are a number of attacks that occur there, however:
- Address Resolution Protocol (ARP) Attacks
- Content Addressable Memory (CAM) Table Overflows
- Spanning Tree Protocol (STP) Attacks
- Media Access Control (MAC) Spoofing
- Switch Spoofing
- Double Tagging
- Cisco Discovery Protocol (CDP) Reconnaissance
- Dynamic Host Configuration Protocol (DHCP) Spoofing
In fact, it’s possible to discover the IP address subnet of a network simply by examining the DHCP to see what IPs are assigned to it. A malicious actor can statically configure a duplicate IP of key devices like routers or printers and gain access to the network that way.
It’s unlikely or impossible that a hacker could access your files or resources with these techniques, but that’s hardly the only damage they can cause. Even simply taking down the network is enough to cause havoc in an office, and lacking internet access for days or weeks can be even more costly than a breach.
Man-in-the-Middle Attacks (MITM)
We have gone in depth before about the specifics of MITM attacks, but it’s a problem shared by all networks that are secured with PSKs.
Even if your employees are smart enough to avoid standard phising attempts, a clever hacker can exploit your “dumb” smart devices to give up important passwords. Your Wi-Fi network is almost certainly detectable by people outside the office, giving them all the information they need to spoof it. Smartphones and laptops will connect to a spoofed network masquerading as the true one if the signal strength is stronger than the original (which might be the case when you leave the building).
Even if you don’t store resources on local drives, it’s probable that those passwords are reused for other applications that do have valuable information attached. Even if you have excellent password protocols and that’s not the case, the hacker can use the network access to distribute any manner of viruses, opening you up to a litany of further attacks.
Replace PSK with Certificate-Based WPA2-Enterprise
The only way to truly be confident in the security of your authentication is to ditch pre-shared keys and use digital certificates.
Certificates offer several key advantages over passwords:
- They tie identity to access so you always know exactly which person or device is using the network
- They are more convenient to users, reducing authentication time and removing the need to remember login information
- They eliminate password-related disconnects caused by 90-day password-reset policies and similar
- The asymmetric cryptography that underpins certificates is vastly more secure than the symmetric cryptography of PSKs and other credentials
The best part? Transitioning to certificates has never been easier.
Migrating Away From PSK
Being faced with the prospect of a large infrastructure overhaul is daunting. Moving from WPA2-PSK to WPA2-Enterprise certificate-based authentication isn’t as difficult as you might think, however. You can migrate from PSK to certs by enabling the EAP-TLS network authentication protocol on your network and configuring devices to enroll for certificates.
If that sounds like a lot of hassle to you – you’re not alone. It’s been known for years that certificates are a much more robust method of authentication, but setting up the infrastructure has always been too burdensome. For small businesses especially, the cost of set up and maintenance was prohibitively expensive.
Fortunately, that’s no longer the case. SecureW2’s turnkey solution can integrate with your existing network infrastructure without any forklift upgrades. You get to keep using the equipment you already have and we’ll fill in the gaps. Our engineers are industry-experts and they’re happy work with you to identify exactly which services are necessary to fit your organization’s need.
We have affordable options for organizations of any size. For more info about our pricing, click here.
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Patrick Grubbs. Read the original post at: https://www.securew2.com/blog/risks-pre-shared-keys-psks/