The Wireless Broadband Alliance (WBA), an industry body, claims wi-fi networking now achieves parity with cellular technologies when it comes to security capability and confidence.
WBA has published a new wi-fi security framework [pdf] that consolidates existing standards and best practices.
The framework covers mutual authentication, encryption, identity privacy, credential storage, physical access point security and roaming hub governance.
To reach security parity with cellular networks, operators and enterprise IT teams need to implement the full stack of WBA’s recommendations, which are not mandatory.
The parity claim itself rests on the combined effect of several already-deployed technologies.
They include WPA3-Enterprise (wi-fi protected access 3) with protected management frames, and the OpenRoaming federation framework built on the Wi-Fi Alliance’s Passpoint specification.
Operators should also adopt RadSec, which carries RADIUS authentication traffic over transport layer security (TLS), to reach security parity between wi-fi and cellular networks.
RADIUS is an acronym for remote authentication dial-in user service, a protocol that dates from the early 1990s era of dial-up modems on phone networks.
While RADIUS still underpins much of the world’s wi-fi infrastructure, the authentication protocol transmits much of its traffic in plaintext and relies on the weak Message Digest 5 (MD5) hash to protect some attribute values.
RadSec encapsulates authentication traffic within an encrypted TLS connection, which provides far greater security.
WBA’s guidelines warn about the widespread risk of using “transition mode”, in which access points are set to accept both the older WPA2 and the newer WPA3 standard at the same time in order to support legacy devices.
An attacker’s device could negotiate the connection security down to WPA2, which lacks WPA3’s protected management frames and stronger authentication requirements.
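As an added illustration (not part of the WBA guidelines or this article), the following Python audits a hostapd-style configuration for the transition-mode and optional-PMF settings described above, placing a weak configuration beside a hardened one. Both configurations are constructed for this example, and the grouping of key-management suites into legacy and WPA3-era sets is this example's own simplification.

```python
"""Flag WPA2/WPA3 transition mode and optional PMF in a hostapd-style config."""

# hostapd's ieee80211w setting: 0 = PMF disabled, 1 = optional, 2 = required.
PMF_REQUIRED = "2"

# Simplified grouping for this example: WPA2-era suites that do not mandate PMF
# versus WPA3-era suites (SAE for Personal, Suite B 192 for Enterprise).
LEGACY_AKMS = {"WPA-PSK", "WPA-EAP", "FT-PSK", "FT-EAP"}
WPA3_AKMS = {"SAE", "FT-SAE", "WPA-EAP-SUITE-B-192"}

# Constructed sample: accepts WPA2-PSK and SAE at once, and only offers PMF.
WEAK_CONF = """
interface=wlan0
ssid=example-net
wpa=2
wpa_key_mgmt=WPA-PSK SAE
wpa_passphrase=example-passphrase
sae_password=example-passphrase
rsn_pairwise=CCMP
ieee80211w=1
"""

# Constructed sample: SAE only, PMF required, so no downgrade to WPA2 is offered.
HARDENED_CONF = """
interface=wlan0
ssid=example-net
wpa=2
wpa_key_mgmt=SAE
sae_password=example-passphrase
rsn_pairwise=CCMP
ieee80211w=2
"""


def parse_hostapd(text):
    """Parse key=value lines, skipping blanks and comments; the last value wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means no transition-mode issues."""
    findings = []
    akms = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())  # hostapd default is WPA-PSK
    legacy, modern = akms & LEGACY_AKMS, akms & WPA3_AKMS
    if legacy and modern:
        findings.append("transition mode: accepts %s alongside %s" % (sorted(legacy), sorted(modern)))
    elif legacy:
        findings.append("WPA2-only key management: %s" % sorted(legacy))
    if conf.get("ieee80211w", "0") != PMF_REQUIRED:
        findings.append("PMF not required (ieee80211w=%s)" % conf.get("ieee80211w", "0"))
    if "TKIP" in conf.get("wpa_pairwise", "") + conf.get("rsn_pairwise", ""):
        findings.append("TKIP cipher enabled")
    return findings
```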
Separately, the guidelines also advise against using the broadly deployed extensible authentication protocol tunnelled transport layer security (EAP-TTLS) method for corporate networks, with Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) for inner authentication.
MSCHAPv2 requires that the authentication server store passwords as MD4-based NT hashes, a very early standard that security researcher Moxie Marlinspike and hardware researcher David Hulton demonstrated in 2012 could be cracked within 24 hours, regardless of password strength.
“These guidelines show how proven standards and best practices can be applied consistently to deliver secure, privacy-preserving, and interoperable wi-fi experiences,” WBA chief executive Tiago Rodrigues said.
“By aligning security across devices and networks, wi-fi achieves parity with cellular in security capability and confidence,” he added.
Well-known wireless security researcher professor Mathy Vanhoef agreed with Rodrigues and told iTnews that a properly configured wi-fi network can indeed be just as secure as its cellular counterparts.
“Cellular can have quite some issues and flaws – it just requires more specialised equipment to attack,” Vanhoef said.