Pass or Fail? Aruba’s WIPS Gets Tested by Independent Lab

As the second largest access point (AP) supplier by market share, Aruba Networks, an HPE company, has worked hard to provide worldwide businesses with enterprise-grade Wi-Fi connectivity. You’ll see the company’s APs in many schools, retail locations and airports, among other places. Want a fun scavenger hunt idea? Look up at the ceiling next time you’re in a building and try to identify the AP brand. Be forewarned, this activity is addicting.

Without a doubt, Aruba is an expert in Wi-Fi connectivity. But is the company also an expert in cyber security? Do Aruba APs effectively protect businesses from the six known Wi-Fi threat categories? These six threats operate at Layer 2 of the OSI model and are the entry point of all Wi-Fi attacks. If a business is effectively protected from these six low-layer Wi-Fi threats, then the organization is safe from countless Wi-Fi hacks (even the ones that novice techies can learn to perform in minutes on YouTube). These hacks have been around for more than twenty years and expose a flaw in the foundational invention of Wi-Fi: client devices (phones, laptops) have no way to determine whether a Wi-Fi SSID is being broadcast from a legitimate AP (for example an Aruba AP) or from a hacker’s device such as the totally legal Wi-Fi Pineapple penetration testing tool.

Wi-Fi professionals at Miercom recently took on the challenge of testing whether or not Aruba’s AP-303 AP is capable of automatically detecting and preventing the six known Wi-Fi threats. The test report shows that the AP-303 was able to automatically detect two of the six threats (Evil Twin AP and Ad-Hoc). However, the APs failed to automatically detect the other four. The AP-303 also failed to automatically prevent all six threats. To prevent a Wi-Fi threat means that the Aruba AP would send a combination of wireless frames and wired frames out to render the threat useless while the threat is within range.

Results are seen in the table below and full test details can be downloaded here. Note the first two columns show the Aruba AP-303 operating alone, and the green columns show it when a WatchGuard AP125 is added to the network to protect the AP-303 from Wi-Fi hacks. Did you know that there is no vendor-neutral standard that defines exactly what features and capabilities an AP must have to claim it has a Wireless Intrusion Prevention System (WIPS)? As a result, the WIPS offering from Aruba and the WIPS offering from WatchGuard end up being totally different in their level of comprehensiveness and protection. This is one of the main reasons why the Trusted Wireless Environment framework was created: to bring transparency to the industry and raise awareness of the seriously overlooked problem of Wi-Fi hacking.

As with the Ubiquiti UniFi WIPS test results, you’d have to dig a bit deeper into Aruba’s website to see what Wi-Fi security features are advertised (and keep an eye out for asterisk footnotes indicating a claimed feature could actually still be under development). At first glance, the advertised RFProtect (unique brand name for WIPS) features sound solid:

RFProtect™ software prevents denial-of-service and man-in-the-middle attacks and mitigates over-the-air security threats. You’ll never need to purchase and install separate RF sensors or security appliances if you have an Aruba wireless LAN.

No obvious asterisk footnote there. But wait! A rather ominous-sounding warning is located deep on page 35 of the Aruba Central User Guide:

The Federal Communications Commission (FCC) and some third parties have alleged that under certain circumstances, the use of containment functionality violates 47 U.S.C. §333. Before using any containment functionality, ensure that your intended use is allowed under the applicable rules, regulations, and policies. Aruba is not liable for any claims, sanctions, or other direct, indirect, special, consequential or incidental damages related to your use of containment functionality.

That might not exactly embolden an organization to turn on the WIPS settings in Aruba. It is true that interfering with your neighbor’s legitimate Wi-Fi signal is illegal in most countries. However, you have every right to neutralize a Wi-Fi attack against you. Likely part of the reason why vendors such as Aruba and Cisco Meraki list these kinds of warnings is that certain variations of WIPS can suffer from false positives and false negatives. A false positive, for example, could be a WIPS feature accidentally flagging a neighbor’s legitimate AP as a Rogue AP and preventing connections to it. One such implementation of WIPS that suffers from this false positive/negative situation is wired/wireless MAC address correlation. In their report, Miercom describes this and explains why an Apple AirPort AP can bypass nearly every vendor’s Rogue AP detection WIPS feature:

Many Wi-Fi security solutions utilize MAC address correlation to identify devices on the same network. The Apple AirPort AP used as the Rogue AP in this test has a differential of more than 5 bits between the wired and wireless interfaces. This variance could potentially cause correlation algorithm to fail, making the AP undetectable on the wire and therefore undetectable as a rogue AP. Products unable to detect that the AP is connected to the same network as the DUT will result in a “Fail” outcome and imply susceptibility to attackers utilizing products similar to the Apple AirPort or who have altered their MAC address with a customized tool. WatchGuard has overcome this issue with its patented “Marker Packets” technology which identifies same network devices with a more reliable detection method.
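The correlation weakness Miercom describes can be reproduced with a few lines of detection logic. The sketch below is an added example, not code from Miercom, Aruba or WatchGuard; it assumes "differential" means the number of differing bits between the wired MAC and the BSSID, and every MAC address in it is constructed.

```python
"""Wired/wireless MAC correlation as a rogue-AP check (added illustration)."""

def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (or dash-separated) into a 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)

def bit_differential(mac_a: str, mac_b: str) -> int:
    """Number of bit positions in which the two MAC addresses differ."""
    return bin(mac_to_int(mac_a) ^ mac_to_int(mac_b)).count("1")

def correlate(bssid, wired_macs, max_bits=5):
    """Return the wired MAC closest to the BSSID if it is within max_bits.

    Assumption: a match is declared at <= 5 differing bits, mirroring the
    "more than 5 bits" figure quoted from the report.
    """
    best = min(wired_macs, key=lambda m: bit_differential(bssid, m), default=None)
    if best is not None and bit_differential(bssid, best) <= max_bits:
        return best
    return None

def classify(observed_bssids, authorized_bssids, wired_macs, max_bits=5):
    """Label each over-the-air BSSID as authorized, rogue or external."""
    verdicts = {}
    for bssid in observed_bssids:
        if bssid in authorized_bssids:
            verdicts[bssid] = "authorized"
        elif correlate(bssid, wired_macs, max_bits) is not None:
            verdicts[bssid] = "rogue"      # believed to be on our wire
        else:
            verdicts[bssid] = "external"   # treated as a neighbor AP
    return verdicts

def misclassified(verdicts, truth):
    """Return {bssid: (verdict, truth)} for every wrong verdict."""
    return {b: (v, truth[b]) for b, v in verdicts.items() if v != truth[b]}

# Constructed sample data (locally administered MACs, not real devices).
# Wired MACs as they would be learned from the switch forwarding table.
WIRED_MACS = {
    "02:00:00:00:10:00": "authorized AP uplink",
    "02:00:00:00:20:00": "consumer AP plugged into a wall port",
    "02:00:00:5e:10:0f": "AirPort-like AP plugged into a wall port",
    "02:00:00:00:30:55": "office printer",
}
AUTHORIZED_BSSIDS = {"02:00:00:00:10:01"}
OBSERVED_BSSIDS = [
    "02:00:00:00:10:01",  # our own AP
    "02:00:00:00:20:01",  # consumer rogue: BSSID is wired MAC + 1
    "02:00:00:5e:37:f0",  # AirPort-like rogue: 12 bits away from its wired MAC
    "02:00:00:00:30:54",  # neighbor AP, 1 bit away from our printer's MAC
]
GROUND_TRUTH = {
    "02:00:00:00:10:01": "authorized",
    "02:00:00:00:20:01": "rogue",
    "02:00:00:5e:37:f0": "rogue",
    "02:00:00:00:30:54": "external",
}

if __name__ == "__main__":
    verdicts = classify(OBSERVED_BSSIDS, AUTHORIZED_BSSIDS, WIRED_MACS)
    for bssid, verdict in verdicts.items():
        print(f"{bssid}  verdict={verdict:<10}  truth={GROUND_TRUTH[bssid]}")
    for bssid, (got, want) in misclassified(verdicts, GROUND_TRUTH).items():
        kind = "false negative" if want == "rogue" else "false positive"
        print(f"{kind}: {bssid} classified {got}, actually {want}")
```

The false positive is the case that makes containment legally risky: the neighbor's AP would be contained because its BSSID happens to sit close to an unrelated wired MAC.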

If You Use or Deploy Aruba APs: Protect Them From Hacking with WatchGuard

Miercom test professionals recognized that WatchGuard has been gearing its Cloud-managed AP roadmap with unique security feature sets. To determine how existing Aruba Wi-Fi networks can become Trusted Wireless Environment compliant, Miercom configured a WatchGuard AP125 AP as a security sensor dedicated to protecting the AP-303 from the six known Wi-Fi threats. The results show that Aruba was 100% protected once a WatchGuard AP125 AP was added. From a deployment perspective, network and security administrators will find a simple solution where the Aruba APs continue to connect Wi-Fi users as usual and the WatchGuard APs act as a sort of WIPS sentry, constantly monitoring the air space and wired network for the presence of any of the six threats.

If you have an Aruba Wi-Fi network and are wondering how many WatchGuard APs you need to add to your existing Aruba network to protect it, any WatchGuard reseller has access to a professional service from WatchGuard that will provide you with a predictive simulation survey that determines the recommended number of WatchGuard APs, installation locations, and WIPS/Wi-Fi coverage range.

Testing Your Own Wi-Fi Network for Wi-Fi Hacking Vulnerability

Those interested in testing their own Aruba Wi-Fi networks for Trusted Wireless Environment compliance can follow the Trusted Wireless Environment test guide, and contact Miercom via their website for a more thorough test involving live client workloads.  The Evil Twin Test procedure is provided below and the five other tests are included in the test guide:

Evil Twin Access Point

An Evil Twin is a type of AP where a malicious user duplicates and broadcasts the same SSID name of a legitimate AP within the range of the network. The Evil Twin can also spoof the MAC address of the legitimate AP. Wi-Fi clients connect to the Evil Twin AP unaware that this is not a legitimate AP. When the unsuspecting Wi-Fi client is connected to an Evil Twin AP, the malicious user can execute various man-in-the-middle attacks to intercept the client’s communications and data.

Requirements:

  • An AP to operate as the Evil Twin AP
    • This can be a WiFi Pineapple device, or any hardware or software-based access point or mobile hotspot with MAC spoofing capabilities.
      Note: The WiFi Pineapple Nano only operates on 2.4 GHz. For best results, consider the WiFi Pineapple Tetra for 2.4 and 5 GHz operation.
  • Authorized AP
    • An AP connected to your wired network that is known and trusted by your Wi-Fi security system as a legitimate AP.
  • One authorized wireless client.
  • A host connected to your wired network that can accept a ping request.

Test Steps:

  1. Configure an SSID on the Authorized AP. This SSID will act as the legitimate SSID. Note the subnet of your authorized network (for example: 192.168.x.x).
  2. Verify this legitimate SSID is detected as an authorized AP by your Wi-Fi security system.
  3. Enable the prevention (containment) measures of your Wi-Fi security system.
  4. On the AP that will operate as the Evil Twin AP, configure the Evil Twin AP to spoof and broadcast the same SSID as the Authorized AP (case sensitive). Configure the subnet of the Evil Twin AP to be different than your authorized network (for example: 172.16.42.x).
  5. Configure the Evil Twin AP to only allow associations from your own wireless client (MAC filtering). This is important to avoid disruption to the legitimate Wi-Fi network you are testing.
  6. Use the NetSpot or inSSIDer software to make sure you can see the Evil Twin AP’s SSID on the network.
  7. Start a timer so that you can see how long it takes for your Wi-Fi security system to detect the presence of the Evil Twin AP.
  8. Periodically refresh the management user interface of your Wi-Fi security system and note the approximate time it takes for the system to detect the Evil Twin AP.
  9. From the authorized wireless client, connect and associate to the Evil Twin AP’s SSID. Note the subnet of the DHCP assigned IP address that the client has received from the Evil Twin AP (for example: 172.16.42.50).
  10. Note the approximate time it takes for the authorized wireless client to have its IP address subnet changed from the Evil Twin subnet (172.16.42.x) back to the legitimate authorized AP’s subnet (192.168.x.x). This indicates when your Wi-Fi security features have detected and automatically prevented the authorized client from associating to the Evil Twin’s spoofed SSID, and forced the client to re-associate to the legitimate authorized AP.

Evil Twin AP Test Pass/Fail Summary:

  • Detection: If the Evil Twin AP is detected in step 7, the Wi-Fi security system has passed the test.
  • Prevention: If the authorized client’s IP subnet automatically changes from the Evil Twin subnet to the authorized AP subnet, the Wi-Fi security system has passed the test.
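The timing notes from steps 7 to 10 and the pass/fail summary can be scored from a simple timeline. The sketch below is an added example, not part of the Trusted Wireless Environment test guide; the subnets follow the examples in the steps, while the prefix lengths, timestamps and the 192.168.1.23 address are constructed assumptions.

```python
"""Score an Evil Twin test run from timer notes and client IP samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

AUTHORIZED_NET = ip_network("192.168.0.0/16")  # step 1 example: 192.168.x.x
EVIL_TWIN_NET = ip_network("172.16.42.0/24")   # step 4 example: 172.16.42.x

@dataclass
class Result:
    detection_pass: bool
    seconds_to_detect: Optional[float]
    # None means the client never held an Evil Twin address, so the
    # prevention criterion could not be observed (an assumption of this
    # example; the test guide does not define that outcome).
    prevention_pass: Optional[bool]
    seconds_to_prevent: Optional[float]

def locate(ip: Optional[str]) -> str:
    """Map a sampled client IP to 'evil', 'authorized', 'other' or 'none'."""
    if ip is None:
        return "none"  # client had no lease at that moment
    addr = ip_address(ip)
    if addr in EVIL_TWIN_NET:
        return "evil"
    if addr in AUTHORIZED_NET:
        return "authorized"
    return "other"

def score(timer_start: float,
          detected_at: Optional[float],
          samples: Sequence[Tuple[float, Optional[str]]]) -> Result:
    """timer_start: step 7; detected_at: step 8 (None if never shown in the
    management UI); samples: (time, client IP) pairs noted in steps 9-10."""
    detection_pass = detected_at is not None
    to_detect = detected_at - timer_start if detection_pass else None

    joined = recovered = None
    for t, ip in sorted(samples, key=lambda s: s[0]):
        where = locate(ip)
        if joined is None:
            if where == "evil":
                joined = t       # step 9: client leased an Evil Twin address
        elif where == "authorized":
            recovered = t        # step 10: client is back on the real subnet
            break

    if joined is None:
        return Result(detection_pass, to_detect, None, None)
    if recovered is None:
        return Result(detection_pass, to_detect, False, None)
    return Result(detection_pass, to_detect, True, recovered - joined)

# Constructed timelines, in seconds since the timer was started.
RUN_WITH_PREVENTION = [
    (50.0, "192.168.1.23"),   # before the test association
    (60.0, "172.16.42.50"),   # associated to the Evil Twin
    (65.0, "172.16.42.50"),
    (70.0, None),             # disconnected, no lease
    (75.0, "192.168.1.23"),   # re-associated to the authorized AP
]
RUN_DETECT_ONLY = [
    (60.0, "172.16.42.50"),
    (120.0, "172.16.42.50"),
    (300.0, "172.16.42.50"),  # still on the Evil Twin when the test ended
]

if __name__ == "__main__":
    print(score(0.0, 42.0, RUN_WITH_PREVENTION))
    print(score(0.0, 42.0, RUN_DETECT_ONLY))
    print(score(0.0, None, RUN_DETECT_ONLY))
```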

To learn more about protecting your AP installations from Wi-Fi hacks visit https://www.watchguard.com/wifi-wips-report

Meraki’s Air Marshal Gets Help from a New WIPS Sheriff

Wi-Fi hacking is a hot topic, but one that’s plagued by ambiguous and often contradictory technical terminology. Luckily, the lack of common definitions for Wi-Fi threat vectors has actually produced a solution to the problem: the Trusted Wireless Environment. The Trusted Wireless Environment framework succinctly defines the six Layer 2 Wi-Fi hacks that affect nearly every business today and provides a simple test criterion to determine if a Wi-Fi network is protected from each type of attack.

Wi-Fi professionals at Miercom, a global, independent security and performance testing laboratory, recently tested Cisco Meraki’s MR33 access point (AP) to determine if it could automatically detect and prevent the six known Wi-Fi threats. The MR33 was only able to automatically detect one of the six threats – the Evil Twin AP – and failed to automatically detect the other five. The MR33 also failed to automatically prevent all six threats. These results are likely not surprising to Wi-Fi security researchers and enthusiasts who have witnessed the Wi-Fi industry consistently deprioritize security protection in Wi-Fi products in favor of improving speed, capacity, and network efficiency.

Having been exposed to the Trusted Wireless Environment in the past, Miercom test professionals recognized that WatchGuard has been gearing its cloud-managed AP roadmap with unique security feature sets. To determine how existing Cisco Meraki networks can become Trusted Wireless Environment compliant, Miercom configured a WatchGuard AP125 AP as a security sensor dedicated to protecting the Meraki MR33 from the six known Wi-Fi threats. The results show that Meraki Wi-Fi networks that would’ve been vulnerable to the six Wi-Fi threats are 100% protected once a WatchGuard AP125 AP was added. From a deployment perspective, network and security administrators will find a simple solution where the Meraki APs continue to connect Wi-Fi users as usual and the WatchGuard APs act as a sort of Wireless Intrusion Prevention System (WIPS) sentry, constantly monitoring the air space and wired network for the presence of any of the six threats.

If they’re as curious as I am, Meraki Wi-Fi network administrators have probably been banging their heads against their desks trying to understand how Air Marshal (the WIPS solution included with most Meraki APs) functions in a live network. For many of us, we tend to feel nervous about enabling the Air Marshal containment feature and often disable it completely after reading the warning message from Cisco:

Rest assured Meraki administrators! You can disable Air Marshal completely and safely offload WIPS to WatchGuard APs, which are designed specifically to plug the serious security gaps in the Wi-Fi attack surface.

Those interested in testing their own Meraki Wi-Fi networks for Trusted Wireless Environment compliance can follow the Trusted Wireless Environment test guide, and contact Miercom via their website for a more thorough test involving live client workloads. Lastly, if you’re wondering how many WatchGuard APs you need to add to your existing Meraki Wi-Fi network to protect it, any WatchGuard reseller near you has access to a professional service from WatchGuard that will provide you with a predictive simulation survey that determines the recommended number of WatchGuard APs, installation locations, and WIPS/Wi-Fi coverage range.

How MSPs Can Get a Leg Up on Their Competition with Wi-Fi Security

I’m a little embarrassed to admit this, but I think about Wi-Fi ALL THE TIME. Not just because Wi-Fi has become a necessity that I can’t live without, but also because I work for a company whose mission is to not only offer Wi-Fi to our partners and customers, but offer them secure Wi-Fi, so that they don’t ever have to worry about their data being compromised by hackers.

When I think about the Wi-Fi market today, it consists of Wi-Fi offerings that are all relatively the same, making it extremely difficult for MSPs to differentiate themselves. When choosing a Wi-Fi solution, simply offering consumer-grade Wi-Fi fails to provide the performance, security, or even scalability that today’s organizations require, while traditional enterprise-grade Wi-Fi comes at high costs with added overhead. This leaves SMBs in search of a middle ground.

So what is an MSP like yourself left to do? Offering a Trusted Wireless Environment that is fast, easy to manage, and most importantly, secure is the way to go. When MSPs offer a Trusted Wireless Environment, they deliver on the three core pillars of market-leading performance, scalable management, and verified comprehensive security, defending their customers against the six known Wi-Fi threat categories:

1.     Rogue Access Point

You own a retail store that has customers coming in and out all day. When it’s busy, it’s impossible to keep an eye on everyone there every second of the day. It’s easy for someone to jump into the wire closet and plug in the cheapest access point they could get and they’re now able to gain access to the company’s private secure network and can hijack POS systems to reveal credit card numbers and more.

2.     “Evil Twin” Access Point

On your lunch break you decide it’s finally time to update your wardrobe – nothing wrong with that! But a hacker is using an evil twin access point and you’ve now unsuspectingly connected to their copy of your Wi-Fi SSID. Once you go to check out and enter your credit card information to order that new dress, the hacker has your information and is ready to go sell it on the dark web.

3.     Rogue Client

You stop by the same café on the way to work every day. Since you’ve connected to their Wi-Fi network before, your phone automatically connects as soon as you set foot in the door. Unfortunately, that day, someone had set up an evil twin access point, tricked your phone, and infected your phone while you’re in range of your private WLAN with ransomware for you to take back to the office. As soon as you’re back at your desk, your phone connects to your corporate Wi-Fi and the ransomware is off and running!

4.     Neighbor Access Point

Susan in marketing cannot get through the morning without listening to her favorite new soundtrack. Her phone is almost dead, so she wants to use her company-issued computer to connect to a streaming site. Her company’s firewall restricts access to streaming music, but that’s no worry for Susan – she’ll just connect to the downstairs coffee shop’s unsecure Wi-Fi and start listening away. Unfortunately for you, a hacker is sipping his first cup of coffee, just waiting for her to connect and get to work on accessing your network.

5.     Ad-hoc Network

As a meeting is getting ready to start, Carl’s boss is STILL waiting for that file he promised would be there this morning. It would take him too long to use the corporate-approved secure network file sharing, so he decides to set up an ad-hoc network to send it directly from laptop to laptop. Sending files via AirDrop or AirDroid creates security and legal implications that could affect your organization.

6.     Misconfigured Access Point

An access point gets shipped from corporate to your new office and Charlie, the receptionist, volunteers to set it up! He follows the instructions and installs the access point that’s now broadcasting an open SSID, which is leaking private data like a sieve. You can’t blame him, because he’s not an IT pro, but you’re still left with a misconfigured AP that could be a serious risk to your organization.

All these threats are not new and have been around since Wi-Fi went mainstream 20 years ago. But one thing has remained the same, and it is shocking to me: there are no security standards around Layer 2 Wi-Fi to keep Wi-Fi users like you and me safe. This is why I’m advocating for change. We all deserve to connect to Wi-Fi we can trust. I want to be able to connect to Wi-Fi at my favorite coffee shop and not have to look around wondering if the person sitting next to me on their laptop is a hacker. Hackers prefer to go after Wi-Fi because it’s the weak link in the security chain and it doesn’t take much to hack into a Wi-Fi network. There are thousands of how-to videos on YouTube and a $99 pen testing tool like the WiFi Pineapple to make any Wi-Fi hack seamless.

We must put a stop to this! Join me and let’s end Wi-Fi hacks together by signing this petition: www.TrustedWirelessEnvironment.com. Every signature we collect will help us partner with organizations such as Congressional Wi-Fi Caucus, WiFiForward, PCI Security Standards Council, Wi-FiNOW, IEEE, and Wi-Fi Alliance to name a few. These organizations help build security standards for businesses around the world and we want to join forces by collaborating with them to make this world a safer place.

Establishing a Global Standard for Wi-Fi Security

When was the last time you thought about the security of your wireless communications? We’re constantly leveraging Wi-Fi networks during business meetings, and at coffee shops, restaurants, airports and more. It’s almost second nature to tap into the local Wi-Fi network wherever we go. And while wireless security and privacy standards have been around for quite some time, none are completely immune to the six known Wi-Fi threat categories. This leaves businesses, employees and everyday users open to data theft and other major security issues.

In his latest Forbes Technology Council column, WatchGuard CTO Corey Nachreiner highlights the shortcomings of existing wireless standards and protocols, and calls for the industry to rally together to establish a global standard for Wi-Fi security that truly protects organizations and their users from every class of Wi-Fi attack. Here’s a brief excerpt from the piece:

The problem is that there are Wi-Fi threats that work regardless of these encryption and authentication protocols. The Evil Twin attack is one such example, where an attacker simply copies the wireless network name (something called an SSID) of a Wi-Fi network you have joined before, such as your official corporate Wi-Fi network. Unfortunately, Wi-Fi clients happily connect to any network with the name they are looking for. Which version of that network they join depends more on the range and signal strength of the network than any other factor.

Even if your real wireless network uses strong WPA3 encryption to make sure only authenticated clients join it, your phone or laptop will connect to a fake version of that network, even without any wireless security enabled at all. While Wi-Fi security standards have protocols that can protect you when you join the right network, they don’t have industry-wide security technologies that keep your devices from unknowingly connecting to evil fake networks (the Mystique version).

Beyond the Evil Twin attack, other examples of Wi-Fi threats today include ad-hoc or peer-to-peer wireless networks, rogue access points, rogue clients and more. For more information on all six of the known Wi-Fi threat categories, check out the Trusted Wireless Environment (TWE) movement. This movement outlines the threats that WPA3 and other Wi-Fi security standards don’t currently detect and prevent and is gathering support for the development of a better worldwide Wi-Fi security standard.

It’s clear that we need to standardize new wireless security technologies that not only encrypt users’ wireless communications but ensure wireless devices aren’t tricked into joining networks without any security. The good news is that there are methods organizations can use to defend against each Wi-Fi attack category. Generically, solutions that provide Wireless Intrusion Prevention System (WIPS) provide extra layers of security that not only discover bad actors on your wireless network or within your wireless proximity but can actively prevent your devices from connecting to evil networks or block attackers from completing their attacks.

Read the full article on Forbes for more information on the weaknesses of today’s wireless security standards. And to help advocate for a new worldwide Wi-Fi security standard, sign the Trusted Wireless Environment movement petition today.

How MSPs Can Differentiate with Secure Wi-Fi


The Wi-Fi market is one of the most established and mature in the broader IT landscape. Wi-Fi vendors produce highly similar product offerings with highly similar capabilities, making it increasingly challenging for managed service providers (MSPs) to differentiate themselves in a crowded field of wireless service competitors.

Fortunately, there’s a clear answer to this problem, which WatchGuard’s resident Wi-Fi expert, Ryan Orsi, covers directly in his recent guest blog post and podcast segment with Auvik, a leading provider of network management software for MSPs. Ryan explains that offering Trusted Wireless Environments is the most effective way for IT solution providers to stand out and differentiate their wireless services. Here’s a brief excerpt from the blog post:

“The Trusted Wireless Environment framework is a guide to building Wi-Fi networks that are fast, easy to manage, and most importantly, secure. The framework helps you defend clients from the six known Wi-Fi threat categories.

I challenge you to find a business of any size that doesn’t have Wi-Fi. Businesses spanning every vertical, and crowded public places like coffee shops, conferences, and train stations, are perfect places for a hacker to take advantage of the six attack vectors.”

To learn about each of the six known Wi-Fi threat categories and how the Trusted Wireless Environment framework can help you defend against them and differentiate from the competition, check out the complete blog post and podcast at Auvik.com. Sign the Trusted Wireless Environment movement petition today to help us make the world a safer, more secure place by advocating to establish a global standard for Wi-Fi security.

How to Enhance Wi-Fi Security Controls for PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted and mature information security standard designed to secure credit/debit card transactions and protect cardholders against misuse of their personal information. But, more could be done to help protect against Wi-Fi Layer 2 attacks such as flooding an access point (AP) with de-authentication frames, cracking WPA2/WPA3, and connecting a Rogue AP onto the network that allows attackers to siphon cardholder data over Wi-Fi.

To help educate readers on these major security challenges, WatchGuard recently worked with Wayne Murphy, a passionate Senior Security Consultant at Sec-1 Ltd, on a blog post that addresses today’s growing Wi-Fi security vulnerabilities and threats. What Wi-Fi threats should you be worried about? Wayne outlines each of the six known threat categories, as defined by the Trusted Wireless Environment framework, in this new PCI Ramblings blog post. Here’s a sample of the first two:

“Rogue Access Point: Rogue access points are physically connected to an organisation’s IT infrastructure without their knowledge. These APs will then provide the threat actor with connectivity into the organisation’s networks and IT systems. From here, the threat actor will attempt to compromise the system components being used by the organisation. Think of a Rogue AP like a long invisible ethernet cable that attackers can use to connect to a company’s Local Area Network (LAN) and comfortably work their way into the rest of the network over a Wi-Fi connection.

Rogue Client: A rogue client is a client that is authorized on the wireless network but has been compromised by malware. This can occur if the client has been involved in an “Evil Twin” attack, which has resulted in malware being installed. The risk is that the malware that the client has been infected with could spread through the organisation’s environment.”

Read the entire post to learn more about these Wi-Fi threats, along with neighbor APs, ad-hoc networks, evil twins, and misconfigured APs. To join the Trusted Wireless Environment Movement, click here. For more information on WatchGuard Secure Wi-Fi solutions, click here.

Coffee and Wi-Fi with Ryan Orsi

On May 14-16 Washington D.C. hosted Wi-Fi NOW 2019 USA ‘Celebrating 20 Years of Wi-Fi’ conference and expo. Surrounded by all the Wi-Fi industry players who gathered together to present and discuss future opportunities and challenges – it was the place to be! For three days, the conference agenda was packed with inspirational keynote speakers, innovators, and experts. At the expo, you experienced live demos and had the opportunity to connect with companies representing every aspect of the Wi-Fi industry.

While at the event, I took the opportunity to connect with Ryan Orsi, director of product management, at a nearby coffee shop. As we sat down, it felt appropriate to ‘cheers’ with our coffee mugs and offer congratulations, since shortly before Ryan delivered the message about just how vulnerable Wi-Fi users are, that there is not enough education about the very real threats they’re up against when using Wi-Fi every day, and the need for new Wi-Fi security standards. Here’s a recap of our Q&A:

MB: We are celebrating the 20th anniversary of Wi-Fi. Where do you think Wi-Fi will be 20 years from now?

RO: To try to think about where Wi-Fi will go in the next twenty years is a tall order. If I forget, for a moment, what APs and client devices look like today as well as their limitations like battery life, security of the connection, and just think about what kinds of problems the world twenty years from now will need to solve, I see everything getting faster, smaller, and more secure. We all love the convenience of staying connected wherever we go and we like information coming to us in more visual and interactive ways. We also hate carrying bulky electronics around or slapping big honking devices around our homes and offices that ruin the Feng Shui going on. This means that twenty years from now versions of us are going to want everything, literally everything connected and it better be fast, inexpensive, tiny (not implying Zoolander size mobile phones) and not leak personal or business information. I’ve seen brilliant advancements in antenna technologies that could allow Wi-Fi devices to be made much smaller and other technologies like energy harvesting that could power Wi-Fi devices with no batteries. I also think the average person is going to hear the message about Wi-Fi security and the pressure to design better security into Wi-Fi devices will be very high. Over time, I think these kinds of advancements, and more I’m not even thinking of now, will become cost-effective and we’ll all be enjoying secure Wi-Fi connectivity in whole new ways twenty years from now.

MB: Over 90% of people find Wi-Fi the most important amenity when they travel. Why do you think the general public is not as cautious about connecting to public Wi-Fi as they should be?

RO: Have you ever seen those caution signs on the jetway when you board a plane that warn people that there are chemicals nearby that are known to cause cancer, birth defects and other medical problems? Rhetorical question there. I travel a lot – like, a lot – and have never seen a single person read the sign and do a one-eighty. So these warning signs are there to educate us, raise awareness of a serious issue that affects our health and still most everyone ignores them. When’s the last time you saw a warning message on a public hotspot saying “use the Wi-Fi at your own risk, everything you’re doing could be stolen by someone nearby”? We have a long way to go in just raising the general public’s awareness to the seriousness of the dangers of using Wi-Fi that’s not properly protected from well-known hacks. That’s one of the reasons we brought the Trusted Wireless Environment Framework into the industry. For the first time, people can have their Wi-Fi tested to see if it’s safe from the six attacks that have literally been around for twenty years. I think it should empower hotspot network operators to test their Wi-Fi security and if it passes the test, advertise it to let people know “this Wi-Fi can be trusted, and you won’t be hacked”.

MB: Every presenter at the Wi-Fi NOW 2019 touched on Wi-Fi 6. Is it really that much faster?

RO: Faster is just one benefit and I should say faster in a real-world dense environment. Those of us who have been around wireless for a while don’t get too excited about cabled laboratory speed tests. Wi-Fi 6 brings OFDMA among other features that will really make users in the real world feel Wi-Fi work better, more reliably, and yes faster. I’m excited about where Wi-Fi will go with this sixth generation. If you think about areas you tend to turn Wi-Fi off on your phone because it just “doesn’t work” and go try cellular, many of those use cases could now be addressed much better with Wi-Fi 6. Large indoor public areas come to mind, for example. The future is bright for Wi-Fi thanks to the folks that have put together this sixth generation; can’t wait to see where we go from here.

MB: And does Wi-Fi 6 mean better security?

RO: Some people mix in WPA3 into the discussion about Wi-Fi 6 and that’s fair because most vendors are going to support WPA3 with their Wi-Fi 6 products. So yes, WPA3 is better than WPA2, which was completely cracked in 2017 and shocked many of us; that in fact WPA2 had been broken for ten years before the whistle was blown. Without going too deep, one of the security improvements of WPA3 is that people shouldn’t be able to passively sniff traffic as easily anymore as is common with malicious and even bored people at hotels, airports, and so on. Also, it’s a bit of a sore subject but WPA3 should eliminate the easy-to-do “handshake” Wi-Fi password cracking techniques that WPA2 suffered from. Sore subject because the Dragonblood vulnerabilities, now patched, showed that WPA3 could still be vulnerable.

MB: Since we’re talking about Wi-Fi security, why do you think the Wi-Fi industry has not adopted any standards around Layer 2 security?

RO: Most all the demand over the last twenty years has been for connectivity and performance. The industry isn’t going to build something if they don’t think their market wants it. I definitely want this to change and I think vendors that normally compete need to come together and design new security into the Wi-Fi standard that solves these hacking problems for the average person without them having to take additional steps beyond what they do today: tap or click to connect.

MB: I’ve been following #TrustYourWiFi hashtag on social media and see that you’ve been traveling the world advocating for safe Wi-Fi for everyone. Where are you off to next?

RO: What a first half of 2019 it’s been! Spain, Germany, Chile, Italy, The Netherlands, Denmark, Sweden, Puerto Rico, Washington DC, Croatia and I’m probably forgetting some stops. I go where people want to learn what they’re up against with Wi-Fi security. One of my next stops is going to be in Utah where members of the AIM (an Association for Information Management – security) group want to learn.

With just minutes left of our meeting, I couldn’t resist and snuck in a few non-Wi-Fi-related questions (you’re welcome!):

MB: How do you spend your free time?

RO: Anytime there’s not a laptop, camera, or AirPod around, I’m spending time with my wife and two young boys in San Diego. Everything we do, we do as a team like day hiking 14-mile trails, camping, crawling the zoo, or living it up on the Coronado Island beaches. Let’s say Team Orsi works hard and plays hard, too.

MB: What’s one food item you can’t live without?

RO: Avocado. I’m unapologetically Californian and we put that amazing fruit on many things.

MB: What are you reading right now?

RO: Astrophysics for People in a Hurry by Neil deGrasse Tyson. Nerd alert, I love space, string theory, dark matter and energy.

MB: Favorite place you’ve ever visited?

RO: That’s a hard one but Tarragona on the Mediterranean coast of Spain is near the top of the list. My wife and I took the boys there last summer and the place was amazing.

MB: If you weren’t a director of product management, who would you be and why?

RO: Product management is pretty fulfilling, especially at WatchGuard where I get to make an impact and that’s really what drives me is to be able to impact the world nudging it to a better future. If I was in one of Neil’s parallel universes, I suppose I’d be your Californian tech startup entrepreneur. I’ve done several startups and highly recommend everyone get that experience at least once in life!

And it’s a wrap, folks!

At the end of the day, it’s critical every organization understands that most Wi-Fi products available today simply aren’t enough when it comes to the level of security they can provide, and for users to remain educated about the very real threats they’re up against when using Wi-Fi every day.

To join the Trusted Wireless Environment Movement and advocate for a global security standard for Wi-Fi, visit TrustedWirelessEnvironment.com.

Until next time!

Great Wi-Fi Security Comes in a Small & Affordable Package

Where other enterprise-grade Multi-User MIMO (MU-MIMO) access points (APs) focus only on serving up Wi-Fi to users, the new AP125 model does this and also blocks hackers from stealing passwords, credit cards, and other valuable data from you. More and more devices are leveraging Wi-Fi connectivity. This trend isn’t expected to slow down anytime soon, and while your customers and employees demand access to fast Wi-Fi, you might not know the huge gap it’s leaving in your security.

Wi-Fi served by WatchGuard’s AP125 is built using the Trusted Wireless Environment framework. When deployed, companies can rest assured that they are protected by verified, comprehensive security that automatically detects and prevents the six known Wi-Fi threat categories, while enjoying the benefits of Wi-Fi networks with market-leading performance and scalable management.

What’s more, WatchGuard’s secure Wi-Fi products are compatible with most other Wi-Fi solutions, so companies can leverage them to deploy a WIPS overlay without ripping out and replacing every existing AP in their network (Meraki, Ubiquiti, Ruckus, etc.). For more information about managing the AP125 as a dedicated WIPS sensor, click here.

“When customers ask for Wi-Fi, they want to make an investment into a future-proof infrastructure with the best technology available to date,” said Jean-Pierre Schwickerath, head of IT, HILOTEC AG. “With the 2×2 Wave 2 AP125 we found the perfect match for these SMB requirements: it has a low footprint, a most attractive price, and easy installation, configuration and management of the whole network out of WatchGuard’s Wi-Fi Cloud. With this powerful little beast, we can deliver and guarantee a high-quality Wi-Fi network, protected by WIPS, which will make the customer happy for many years to come.”

The AP125 can be managed with either a Firebox, via the Gateway Wireless Controller, or with WatchGuard’s Wi-Fi Cloud. When managed by the Wi-Fi Cloud, you get strong set-up, management and reporting features including:

  • Patented Wireless Intrusion Prevention System (WIPS) protection against the six known Wi-Fi threat categories
  • Intelligent Network Visibility & Troubleshooting
  • Engaging Guest Portal Experiences
  • Powerful Location-Based Analytics
  • Scalable Management

Take our Wi-Fi Cloud for a test drive: www.watchguard.com/wifi

To join the Trusted Wireless Environment movement and advocate for a global security standard for Wi-Fi, click here.

To learn more about WatchGuard’s Secure, Cloud-Managed Wi-Fi visit: www.watchguard.com/wifi

Why WPA3 Is Not a Cure-all for Wi-Fi Hacking

Do you remember the Key Re-installation Attack or “KRACK attack” news from 2017? Most of us will never forget. When one researcher uncovered a number of vulnerabilities present in WPA2’s 4-way handshake, the world was shocked to realize that such a trusted standard’s encryption could be defeated so easily. In response, the Wi-Fi industry rallied together to develop an improved standard with better security – WPA3.

Although WPA3 is leaps and bounds better than its predecessor, we need to be wary of the Wi-Fi security threats that persist in spite of it. That’s why Ryan Orsi, director of product management for Wi-Fi at WatchGuard, just published a guest article on RCR Wireless that outlines the top Wi-Fi attacks we all face today and how building a Trusted Wireless Environment can protect against them. Here’s Ryan’s take on WPA3:

These enhancements in WPA3 have been warmly received within the industry, but despite its security improvements, at least one of the six Wi-Fi threat categories – Rogue AP, Rogue Client, Evil Twin AP, Neighbor AP, Ad-Hoc Networks, and Misconfigured APs – can still be used to compromise WPA3 networks. Each of these types of threats represents a unique method attackers can use to either position themselves as a MitM or eavesdrop on network traffic silently.

The Evil Twin AP attack, for example, is very likely to be used in Enhanced Open Wi-Fi networks, since OWE can still take place between a victim client and an attacker’s Evil Twin AP that is broadcasting the same SSID, and possibly the same BSSID as a legitimate AP nearby.  Although OWE would keep the session safe from eavesdropping, the victim’s Wi-Fi traffic would flow through the Evil Twin AP and into the hands of an MitM, who can intercept credentials, plant malware, and install remote backdoors.

Although passive eavesdropping on open Wi-Fi networks will likely become a thing of the past, one very critical missing piece to WPA3 is that humans and client devices connecting to an SSID still have no way to confidently know that the SSID is being broadcasted from a legitimate access point or router. The SSID can still be broadcasted, with WPA3 enabled, from a malicious Evil Twin AP, for example. To help combat these types of widespread Wi-Fi vulnerabilities, more and more IT departments are creating Trusted Wireless Environments that are capable of automatically detecting and preventing Wi-Fi threats.

For more information on today’s most prevalent Wi-Fi threats and why WPA3 alone isn’t enough to protect against them, read the full article on RCR Wireless. At the end of the day, it’s critical every organization understands that most Wi-Fi products available today simply aren’t enough when it comes to the level of security they can provide, and for users to remain educated about the very real threats they’re up against when using Wi-Fi every day.

The 6 Threats Every Wi-Fi System Should Be Able to Prevent

Wi-Fi has become an integral part of everyday business and life in general, yet Wi-Fi security still doesn’t receive as much attention or investment as it should. According to Wi-Fi NOW, nearly 75 percent of US smartphone traffic runs over Wi-Fi, as of Q4 2018. This spells a significant amount of opportunity for bad guys looking to attack unsuspecting users over under-secured or unprotected Wi-Fi connections. Due to the overall rise of smart devices and their reliance on Wi-Fi networks, we can’t afford to wait any longer to get serious about redefining Wi-Fi with security in mind.

What types of security threats target Wi-Fi specifically? In his latest guest article for Network Computing, Ryan Orsi, director of product management at WatchGuard, details the six known Wi-Fi threat categories your network must be able to block, and why more IT departments are developing Trusted Wireless Environments capable of automatically detecting and preventing them. Here’s a quick look at the first threat:

Rogue APs: A rogue AP is an AP that has been physically connected to a network without explicit authorization from an administrator. It’s an instant PCI-DSS violation. Rogue APs are connected to the authorized network, allowing the attackers to bypass perimeter security. Wi-Fi systems need to detect if a signal in the air is being broadcast from an AP physically connected to the authorized network. If so, it needs to be able to prevent the Rogue AP from gaining access to the LAN, which is typically done via ARP poisoning. It should also be able to prevent Wi-Fi clients from associating to it, usually via a surgical flood of deauthentication frames.
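The detection half of that requirement, deciding whether a signal in the air comes from an AP on the authorized wire, can be sketched as follows; this is an added example, not WatchGuard's WIPS code, and it also sorts beacons into the Evil Twin, Neighbor and Misconfigured categories named earlier on the page. The inventory, the wired MAC list, the sample beacons and the MAC-adjacency heuristic are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed inventory: authorized BSSID -> (SSID, security) the admin expects.
AUTHORIZED = {
    "aa:bb:cc:00:00:10": ("CorpNet", "WPA2-Enterprise"),
    "aa:bb:cc:00:00:20": ("CorpNet", "WPA2-Enterprise"),
}
# Constructed list of MACs learned on the wired LAN (e.g. from switch tables).
WIRED_MACS = {"aa:bb:cc:00:00:10", "aa:bb:cc:00:00:20", "de:ad:be:00:01:0f"}


@dataclass
class Beacon:
    bssid: str
    ssid: str
    security: str


def mac_int(mac):
    """Convert aa:bb:cc:dd:ee:ff to an integer for distance comparison."""
    return int(mac.replace(":", ""), 16)


def on_wire(bssid, wired=WIRED_MACS, window=1):
    """Assumed heuristic: an AP's radio MAC often sits within a few
    addresses of its Ethernet MAC, so adjacency suggests a LAN connection."""
    b = mac_int(bssid)
    return any(abs(b - mac_int(w)) <= window for w in wired)


def classify(beacon):
    """Map one observed beacon to a threat category from the page."""
    expected = AUTHORIZED.get(beacon.bssid)
    if expected:
        # Known BSSID advertising unexpected settings. A spoofed BSSID looks
        # identical from beacon data alone and needs a follow-up check.
        if (beacon.ssid, beacon.security) != expected:
            return "misconfigured-ap"
        return "authorized"
    if on_wire(beacon.bssid):
        return "rogue-ap"        # unauthorized, but plugged into our LAN
    if beacon.ssid in {ssid for ssid, _ in AUTHORIZED.values()}:
        return "evil-twin"       # our SSID from hardware we do not own
    return "neighbor-ap"         # someone else's network within range
```

The order of the checks matters: the on-wire test runs before the SSID comparison, so an unauthorized AP plugged into the LAN is reported as a rogue AP even when it copies the corporate SSID.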

Read the full story on Network Computing to learn about the other five Wi-Fi threat categories you need to be aware of today. For more information about the Trusted Wireless Environment movement and how to build one, visit here. And be sure to sign up for the Secplicity Email Newsletter for more Wi-Fi security news and best practices!