Wireless security has two components: authentication and secrecy. And, in theory, responsibility for network security lies with both operators and users.
- Operators of Wi-Fi (or WLAN) access points should make sure that only those authorized can access the network and consume its resources. In more specific cases, an operator might want to know what each user does on the network and limit the number of devices each user may connect.
- Users of Wi-Fi networks should also have the ability to authenticate the network themselves, although they rarely do. When connecting to a network, you mostly have no guarantee you are connecting to the entity you think you are connecting to.
- It’s important for both users and operators to have the ability to secure communications while they are traversing the air. Otherwise, anyone within reach of the signal would be able to eavesdrop on the connections and possibly inject data.
Ideally, all communications should at all times be encrypted. Due to what we consider a pretty serious design flaw, however, data sent between the router and your device is only encrypted if there is a password set. It’s important to note, though, that the password is not the key used to encrypt the data. Instead, a new key is negotiated for each user and session.
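To make the last point concrete, here is an added example (not code from the original article) of how WPA2-PSK turns a shared passphrase into per-session keys: the passphrase and SSID are stretched into a Pairwise Master Key (PMK), and the 4-way handshake then mixes that PMK with both MAC addresses and two fresh random nonces to derive the Pairwise Transient Key (PTK) that actually encrypts traffic. The MAC addresses and nonces below are constructed sample values; the passphrase/SSID pair "password"/"IEEE" is the well-known test vector from the 802.11i specification.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The passphrase itself never crosses the air; only keys derived from it do."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until `length` bytes are available."""
    out = b""
    for i in range((length + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:length]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """PTK from the 4-way handshake inputs. 48 bytes for CCMP (WPA2-AES):
    KCK (16) | KEK (16) | TK (16). Sorting the MACs and nonces (min || max)
    lets the router and the client reach the same key independently."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, length)


def split_ptk(ptk: bytes) -> dict:
    """Split a CCMP PTK into its three components."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# Constructed sample handshake values (not captured from any real network).
SAMPLE_AP = bytes.fromhex("020000000001")
SAMPLE_STA = bytes.fromhex("020000000002")
SAMPLE_ANONCE = bytes(range(32))
SAMPLE_SNONCE_1 = bytes(range(32, 64))   # first session
SAMPLE_SNONCE_2 = bytes(range(64, 96))   # second session, same password


def demo() -> tuple:
    """Same password and SSID, two sessions: the PMK is identical but the
    traffic keys differ because each handshake uses fresh nonces."""
    pmk = derive_pmk("password", "IEEE")
    ptk1 = derive_ptk(pmk, SAMPLE_AP, SAMPLE_STA, SAMPLE_ANONCE, SAMPLE_SNONCE_1)
    ptk2 = derive_ptk(pmk, SAMPLE_AP, SAMPLE_STA, SAMPLE_ANONCE, SAMPLE_SNONCE_2)
    return pmk, split_ptk(ptk1)["TK"], split_ptk(ptk2)["TK"]
```

The flip side for defenders: anyone who knows the passphrase and records a handshake can derive the same session keys, which is why the article recommends per-user credentials rather than one shared password.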
Authenticating Wi-Fi networks
It is theoretically possible to encrypt all data even without setting a password, but current Wi-Fi standards don’t have this ability (the newly released WPA3 standard does). As such, you should always set a password on your network, even if you later print the password on signs for everyone in the building to see.
Primarily, passwords are used for authentication (only users that know a password can log into the network). But, as everybody uses the same password there is little to prevent people from sharing it with outsiders and (non-authorized) friends. Some apps even make password sharing possible between a large number of strangers.
While far more complicated from an administration perspective, it is possible to create individual accounts with unique passwords for each authorized user or device. This setup also makes it possible to track individual users around the building or network and eject them from the system.
It is also possible to use certificates to authenticate your connection to the correct router. These certificates, however, have to be verified through another secure channel and this feature is rarely used.
Wi-Fi standards and security
The standard known as Wi-Fi is defined under IEEE 802.11. It has been amended frequently to account for new bands, frequencies, and changes in technology (such as authentication and encryption).
Currently, there are two primary standards to secure Wi-Fi and encrypt connections: WEP and WPA.
WEP (Wired Equivalent Privacy, often also wrongly called Wireless Encryption Protocol), released in 1997, was, for a time, the only standard available. And, due to U.S. export controls, it was intentionally weak and insecure. As soon as the U.S. removed these restrictions, WEP was superseded by WPA and WPA2 (Wi-Fi Protected Access) in 2004.
WPA and WPA2 were released together, with WPA as an intermediate solution for hardware that couldn’t support WPA2. Since 2012, WPA is considered broken and defunct.
WPA3 is here, but it’s not ready
Specifications for WPA3 were announced in early 2018, but the standard is still not commonly available in software packages and hardware. WPA3 increases security and privacy, for example by encrypting all connections by default, and offers perfect forward secrecy.
WPA2 is increasingly considered broken, as demonstrated by the KRACK attacks or other techniques that allow anyone to obtain Wi-Fi passwords easily.
How to protect your Wi-Fi network
- As the operator of a Wi-Fi access point, you should always use WPA2 as it is still the most robust standard.
- Enable encryption on your network to make sure all your guests and users benefit from encrypted data while in transit between your router and their device.
- Change the passwords to your router’s admin interface to make it difficult for anybody to mess with your network and install spyware and malware on it.
- If you are worried about unauthorized access to your network, change passwords frequently and consider creating unique usernames and passwords for each user.
- If you are worried about your guests doing nefarious things through your internet connection, consider installing a VPN on your router to avoid being blamed for the actions of your guests.
- As the user of a Wi-Fi network, you should prefer encrypted connections over unencrypted ones. Use a browser extension such as HTTPS Everywhere to get end-to-end encryption on every site that supports it.
- Use a VPN for your phone or laptop to fully encrypt your data as it passes the airwaves, the Wi-Fi router, and the ISP.