WPA2 | Jason Palmer, CPA, CITP

Almost every modern day Wi-Fi® Router and Access Point supports Wi-Fi® Protected Setup™ which is an optional hardware method for quickly enabling security on a Wi-Fi® network. As you may recall, you have the option of manually naming your network with an SSID (Service Set Identifier) and specifying the specific password to be used by devices to connect. (See my article on “Securing the Home Network – Wi-Fi® Security.”)

Using the hardware based Wi-Fi® Protected Setup™ can be much faster than going in to the setup pages of the Router or Access Point. It is far simpler and easier to “press a button” than to have to navigate through the configuration screens or even use a vendor provided setup program. This does assume that all of the Internet enabled devices that you want to connect to your Wi-Fi® network support the Wi-Fi® Protected Setup™ feature.

To create a secure connection using Wi-Fi® Protected Setup™, you press a button (appropriately marked on the Router or Access Point), it usually flashes for a short period of time and then you press the equivalent Wi-Fi® Protected Setup™ button on your Internet enabled device or click on a soft button in the configuration screen of your Internet enabled device. Either way, in a matter of minutes, you have created a random SSID (network name) and random passphrase using WPA2 secure encryption to create a connection between your Router or Access Point and your Internet enabled device.

An alternative implementation of the Wi-Fi® Protected Setup™ is a predetermined “Personal Identification Number” (PIN) code that is usually printed on a sticker on the Router or Access Point. If the Internet enabled device you want to connect does not have a Wi-Fi® Protected Setup™, you can enter in the PIN code from the sticker on the Router or Access Point in to the appropriate setup screen and accomplish the same automated setup.

In some cases, especially with Verizon FiOS Wi-Fi® Routers, both the SSID (network name) and Password (Passphrase) are written on a sticker attached to the Router. No additional configuration of the Router is necessary. You simply enter in the predefined SSID and Password to your Internet enabled device (Home Computers, Printers; Cell Phones, Tablets, Gaming Computers and other Internet enabled devices like Blu-Ray Players and Internet enable Flat Panel TV Sets), and you will be securely connected to your new Wi-Fi® network.

Security Note: Unfortunately, in December 2011 a gentleman named Stefan Viehböck determined that the Wi-Fi® Protected Setup™ PIN could be guessed in a brute force attack of a Wi-Fi® Protected Setup™ Router or Access Point in an average of four hours. This is due to a design flaw that enables an attacker to know when the first half of the eight digit PIN is correct. Since there is no lockout after failed attempts at guessing the PIN, the attacker can more easily determine that the first half of the eight digit PIN is correct. In addition, the fact that the last digit is checksum for the other seven digits, it takes only approximately 11,000 attempts to crack the PIN code completely. For more details, read the United States Computer Emergency Response Team (CERT) Vulnerability Note: VU#72355 and Alert (TA12-006A) “Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack”

It is for this reason that CERT recommends that Wi-Fi® Protected Setup™ NOT be used and that it be specifically “disabled” in the affected Routers and Access Points. A few manufactures have corrected the design flaw and updated the firmware (programming) in their Routers and Access Points but many have not.

Keep in mind that your Wi-Fi® Router or Access Point would have to be the target of a specific attack for this to be an issue. More likely, you would be the target of someone randomly testing their hacking skills than of someone specifically trying to gain access to your home Wi-Fi® network. The risk of your Wi-Fi® Protected Setup™ is minimal. To be absolutely safe, turn off the “Wi-Fi® Protected Setup™” completely and manually configure your Wi-Fi® Network Security. (See my article on “Securing the Home Network – Wi-Fi® Security.”)

Most Cable and Phone Company Internet providers are installing Routers with Wi-Fi® capability. Unfortunately, not all Carriers take Wireless Security seriously. Many early Carrier Wi-Fi® Router installations did not set any network security at all. To be fair, many early Wi-Fi® enabled Computers did not properly support the newly defined security methods so it was easier to just leave the Security Features off. Modern day Internet Enabled devices no longer have these issues so you should make sure that your Wi-Fi® Router has its’ Security Features enabled.

Public Wi-Fi® HotSpots are great and extremely convenient. Your Home or Office should not be one as this could allow anyone who connects to your Wi-Fi® network to potentially access your computers and their files without your knowledge or permission.

The best and easiest way to secure your Wireless Router’s Wi-Fi® network capability is to set strong and complex password [See my article on “A Complex Password may not be a Strong Password”] and to select the highest grade of encryption supported. For most modern day Wi-Fi® Routers, that is WPA2 or WPA encryption. Older Wi-Fi® Routers may only support WEP Encryption, which is sub-optimal as any determined hacker can break the encryption fairly quickly using readily available tools found on the Internet.

An important security tip is to make sure that the SSID, (the name of your Wi-Fi® network), does not personally identify your home or small office. Try to select a name that completely not associated with your family, likes, favorite vacation spots or anything else that might identify your Wi-Fi® network to someone who might be trying to locate and access your network without authorization.

The logic is simple: If the hacker cannot see or find you, it makes it that much more difficult to compromise your network. Instead of selecting an SSID name like “Palmer-Home” select something for like “Butterfly.” Someone passing by and scanning for Wi-Fi® Routers broadcasting SSID’s would have no reason to believe that the Wi-Fi® network named, “Butterfly” is associated with me. (And neither does anyone reading this article at that is not an SSID that I use.)

An even more secure option is to turn off the broadcasting of the SSID completely. To a user “Scanning for Wi-Fi® Networks”, your network will be invisible. Anyone who wants to connect to your Wi-Fi® network will need to explicitly enter the SSID Network Name and Security Key provided by you.