Wifi security

  • 1
  • Question
  • Updated 2 years ago
If our wifi has wpa2 encryption and our users are only required to connect to our wifi with a common pass key is each user's data secured from other users on the network if wifi isolation is turned on? I was told recently that by having just one common pass key for all our users then each user's data transaction can be seen by other users since the encryption uses the same pass key (wifi is wpa2 with open authentication)
Photo of Robert Wrenn

Robert Wrenn

  • 5 Posts
  • 0 Reply Likes

Posted 2 years ago

  • 1
Photo of John D

John D, AlphaDog

  • 497 Posts
  • 136 Reply Likes
The person who told you that is 95% correct. WPA2-PSK (e.g. if you just use a passphrase that you hand out to everyone) is not intended to offer security between users, client isolation or not. Every client has a different "pairwise" key in WPA2, but it is derived from the PSK during the 4-way handshaking process. If you witness the handshake, you know the other guy's key. So technically if the attacker just walks into a room, he can only get the keys of new associations (except that's not entirely true either -- if an existing client hops off and back on the network for whatever reason, they'll probably re-handshake).

Client isolation is mostly to prevent the annoying chatter from peer-to-peer discovery traffic between users, and to give them the illusion of being alone on the network. An attacker can still use MAC spoofing and other techniques to impersonate another client or attempt to talk to another client on the network. I would not rely on that for security.

The takeaway points I think are,

(1) Use another authentication technique (DPSK, RADIUS, etc) if it is truly important that users cannot sniff each others' traffic.
(2) Don't expect privacy for cleartext communication. Your clients' devices, if they are mobile, are probably constantly going to places with completely open networks where their data is even more easily seen by onlookers. Clients should be using a secure protocol wherever possible, and maybe even mobile VPN on demand if there's services that cannot be secured the standard way (yuck!)
Photo of Sean

Sean

  • 342 Posts
  • 87 Reply Likes
Just to highlight how easy it is to hack WPA2 traffic. Once you have the key and captured the client association process, all you need to do is follow the below guide:

https://wiki.wireshark.org/HowToDecrypt802.11

Note: I do not in any way condone the hacking of a secured network :)
(Edited)