WPA2-PSK is not good enough for use in your company
In this day and age, employees are accessing their corporate resources wherever they can get a strong wireless signal, whether it be a public hotspot, an airport, or a friend’s apartment. Methods of authentication based on a pre-shared key (PSK) are most often found in these types of environments because they are simple to implement and only involve remembering a single password.
However, most people are unaware of how dangerous PSK networks can be. We often hear from network managers who feel WPA2-PSK network security is sufficient because they are able to move their sensitive data to the cloud. What many fail to realize is that just because your data is in the cloud does not mean it is inaccessible to outside actors.
Attack possibilities when the PSK is known
When your WPA2-PSK is compromised, hackers can easily access your network’s Layer 2 (the OSI layer that is used to transfer data between adjacent nodes). Below are just some of the actions a hacker is capable of with Layer 2 access:
- Address Resolution Protocol (ARP) Attacks
- Spanning Tree Protocol (STP) Attacks
- Media Access Control (MAC) Spoofing
- Content Addressable Memory (CAM) Table Overflows
- Switch Spoofing
- Double Tagging
- Dynamic Host Configuration Protocol (DHCP) Spoofing
PSKs are incredibly easy to steal and someone can wreak havoc on a network if they obtain access. Not only that, millions of "private" WiFi passwords are shared via apps, social media and forums. Distributing a single password for network access in a WPA2-Personal environment requires putting a lot of good faith in each user that they will keep the password confidential. A single credential is quickly shared with outsiders when a dedicated guest network isn’t available. The more a credential is shared and distributed to unapproved network users, the greater the chance of it falling into nefarious hands.
Even organizations that utilize unique credentials for every user run into similar credential-based issues. While this does increase the difficulty for an outsider to obtain a password, it falls prey to many of the same issues and attacks.
Since the network relies on the user to uphold high security standards, it has many of the same risks as WPA2-Personal. Users can still share passwords with outsiders, risk losing their credential from writing it down, or fall victim to the inefficiencies of password expiration policies.
Dictionary attacks and over-the-air attacks can be performed and are made only slightly harder with multiple unique credentials in use. If a malicious intruder obtains the PSK and captures the key handshake when a device joins the network, that individual can decrypt ALL of that particular device’s traffic.