WiFi & Security: Why RADIUS Is Required

By Kayla Coco-Stotts Posted November 4, 2019

Modern WiFi networks come with built-in security protocols, but what if those protocols cannot combat the rising tide of hackers and phishing? Cybersecurity has become essential to organizational success, and RADIUS authentication offers a significant step up in security for wireless networks.

Is Your WiFi Secure?

Though WiFi is protected by built-in encryption protocols, this security has historically proven ineffective against hackers, whose attacks are reported to surpass $2 trillion in damages this year and are expected to hit $6 trillion by 2021.

Thorough WiFi hackers can generally find information on finances, client databases, and emails from clients or employees, regardless of the security protocols established on a given network. 

Cyber attacks emerged as the third largest global threat in 2018; the future of cybertechnology shows it’s more important than ever to understand whether the steps you’re taking to secure your network are enough. 

A Brief History of WiFi Security Protocols

In 1999 the Wi-Fi Alliance formed as a non-profit trade association to hold the Wi-Fi® trademark and promote WiFi technology and certificates. This alliance has been responsible for the promotion and release of various WiFi protocols, most notably the security measures taken to keep information transmitted through organizations’ wireless networks safe.

Since its creation, the Wi-Fi Alliance has worked to update the protocols installed on wireless networks in response to the adaptive techniques of hackers. Although newer protocols offer increased protection, sensitive information can still be readily available for hackers to procure.

WEP: The Wired Equivalent Privacy

The original WEP was introduced in 1997 and required users to input a 10- or 26-digit hexadecimal pre-shared key. This protocol, introduced in conjunction with the adoption of wireless networks, is best remembered as being flawed, and most IT professionals ended up turning it off rather than using it. 

IT admins avoided WEP because it was difficult to use. One wrong keystroke produced an error message, and the user would have to start all over. In the early stages of the WiFi era, this security practice was seen as unnecessary.

WEP was incredibly easy to crack because it used unencrypted, low-frequency radio waves to transmit network data, making it one of the earliest weaknesses for organizations looking to move away from wired Internet access.

WPA: WiFi Protected Access

WPA™ was designed to make WiFi security more user-friendly and could be implemented through upgrades on wireless network interface cards originally designed for WEP. 

Meant as an intermediate step, WPA introduced the Temporal Key Integrity Protocol (TKIP) that prevented replay attacks and encrypted data, making it possible to join a network without exposing your traffic to all other users on that network. Because this was meant to be temporary, WPA introduced a more user-friendly interface, but did not make vast improvements on its efforts to make WiFi more secure.

In 2008, Toshihiro Ohigashi and Masakatu Morii introduced the Beck-Tews attack, highlighting the weaknesses of TKIP and proving that networks could be hacked in 12-15 minutes on average. Although the WPA standard increased the confidentiality of wireless networks, it was still easy to hack and could be infiltrated in as little as one minute.  

WPA2: WiFi Protected Access II 

In 2006, WPA2™ was introduced to improve upon WPA’s security and to facilitate user authentication. WPA2 came with stronger encryption, called Advanced Encryption Standard (AES), and no longer allowed the use of TKIP. WPA2 also required users to generate a longer, more complex shared password that was meant to increase security while being practical in its implementation for users and admins.

The problem with WPA2 was that AES transmits a scrambled version of a Wi-Fi network’s password that is highly susceptible to password cracking attacks. Mathy Vanhoef, a security expert at KU Leuven in Belgium, found in 2017 that an attacker can use key reinstallation attacks (KRACKs) to read encrypted information like credit card numbers, passwords, messages, emails, photos, and more. 

WPA3: Wi-Fi Protected Access III

WPA3™ was announced in January 2018 and upgraded WPA2’s AES encryption and pre-shared key exchange to a 128-bit encryption and a system called Simultaneous Authentication of Equals (SAE).

Unfortunately, even with WPA3, a hacker within range of a targeted victim can still recover the shared password of a WiFi network and read encrypted, personal information. 

Because WPA3 is compatible with WPA2, users can switch between the two protocols and cause a device to unintentionally leak password data. Researchers Mathy Vanhoef, now of New York University Abu Dhabi, and Eyal Ronen, of Tel Aviv University, called this a downgrade attack, and they found WPA3 could be hacked five different ways, with relative ease.

Even with modern modifications, WiFi protocols continue to offer weak protection over sensitive information, forcing IT admins to seek other ways to keep networks safe.

Why RADIUS?

RADIUS is used to authenticate and authorize users to WiFi networks, ultimately making wireless connections more secure. RADIUS requires users to input unique credentials, ensuring that another authentication process prevents bad actors from gaining access to your network, even when they procure your SSID and passphrase. 

Users need the SSID and WPA2 passphrase to join a network, then they have to get permission to do anything on the network with their unique credentials. Unlike legacy security protocols, RADIUS authentication provides a significant step up in protection against compromised SSIDs and passphrases.

RADIUS enables IT admins to pick and choose the security protocols that are best suited for their individual needs. For example, IT professionals can employ EAP-TTLS and EAP-PEAP protocols to verify that client desktops, laptops, and mobile devices are communicating with the correct WiFi infrastructure. These protocols verify that a user isn’t connecting to a bad actor, ensuring that there is no unauthorized access within an environment and that data remains protected.
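
The server check described above only takes effect when each client is configured to validate the RADIUS server's certificate and name. The following is an added example, not from the original article or from JumpCloud: it audits a wpa_supplicant configuration for PEAP/TTLS networks that skip that validation. It assumes Linux clients using wpa_supplicant; the SSIDs, CA path and domain in the sample are constructed.

```python
import re
# Constructed wpa_supplicant.conf sample: SSIDs, CA path and domain are made up.
SAMPLE_CONF = '''
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="corp-hardened"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
network={
    ssid="guest-psk"
    key_mgmt=WPA-PSK
}
'''
TUNNELED = {"PEAP", "TTLS"}
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(conf):
    """Return one {key: value} dict per network={...} block (comments are skipped)."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\}", conf, flags=re.S):
        pairs = re.findall(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', body, flags=re.M)
        nets.append(dict(pairs))
    return nets

def audit(conf):
    """Map SSID -> findings for every WPA-EAP network using PEAP or TTLS."""
    report = {}
    for net in parse_networks(conf):
        methods = set(net.get("eap", "").upper().split())
        if "WPA-EAP" not in net.get("key_mgmt", "") or not methods & TUNNELED:
            continue  # PSK or non-tunneled EAP: outside this check
        findings = []
        if "ca_cert" not in net:
            findings.append("no ca_cert: RADIUS server certificate is not validated")
        if not any(k in net for k in NAME_CHECKS):
            findings.append("no name match: any server certificate from the CA is accepted")
        report[net.get("ssid", "?")] = findings
    return report

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "->", findings or "server validation configured")
```

A network with an empty findings list pins both the issuing CA and the expected server name, which is what lets the client refuse an access point that presents a different certificate.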

It should be noted that having a built-in security protocol isn’t enough to keep a network (and the information stored on it) safe. There are dozens of attacks that hackers can leverage against a “secure” network, many of which are caused by weak WiFi defenses. 

RADIUS-as-a-Service

RADIUS provides a simple way for IT admins to secure WiFi networks whose security protocols are ineffective at blocking potential hacks. Interested in protecting wireless networks with RADIUS? Check out our blog on how you can leverage RADIUS from the cloud for a simple, fast admin and user experience.

Kayla Coco-Stotts

Kayla is a content writer at JumpCloud with a B.A. in Print Journalism from the University of Kentucky. She hails from St. Louis, Missouri, and loves to eat good food and hike Boulder's beautiful trails when she is not writing.
