Network World recently published an article stating that a researcher from Air Tight Security found a vulnerability in WPA2 enterprise encryption. They call it "Hole 196" because the weakness was found on page 196 of the IEEE 802.11 standard. Remember that WPA2 is considered the strongest wireless encryption method currently available, so this is big, big news. Right? Well, maybe not.
Reading the details of the exploit, you realize that the villain must first be authenticated and authorized on the WPA2 network for it to work at all. Once authorized, that user can decrypt and/or inject malicious packets into other users' "secure" wireless traffic. So the attacker has to be an authenticated user first, which means you already trust them at least a little bit. The other thing is that WPA2 was never meant to be the be-all and end-all of encryption. People lose sight of why it's there.
These types of wireless security exploits are "good news" in that they make business leaders panic, because they don't understand what WPA2 and other wireless encryption methods are for. Wireless encryption exists so that the wireless hop from your device (laptop, iPad, etc.) is as secure as a wired connection. Until now, the wireless portion of a WPA2 connection has actually been far MORE secure than the wired portion. Keep in mind that most of the time, once the data has been handed off to the wired network, that traffic is not encrypted at the network level unless you tunnel it with something like IPsec or GRE. With this new vulnerability, your internal users may be able to snoop on and manipulate wireless traffic... just as they already can on your wired network. Is this new vulnerability a problem? Well, it's not good, but it's not the end of the world either, whatever some will tell you.
This is something that often happens with network engineers. When I'm in design meetings, the topic of end-to-end encryption for an application that runs in the clear over the network often comes up. Everyone wants crazy-complex point-to-point encryption solutions built into the network for their applications. My answer has always been, "If you want securely encrypted applications, why not look into securing the applications themselves? Have your application developers ever heard of SSH or SSL?" The point is, don't rely on link-layer encryption methods like WPA2 to "secure" your data. Secure the data at the application level first, then we'll talk more.