Are WiFi repeaters safe?

WiFi security

In wired networks, eavesdropping on the communication requires physically tapping the line. Since network cables usually run concealed inside secured buildings, eavesdropping is difficult from the start.
In a wireless network things look very different. Here the free space serves as the transmission medium for the radio signals, and the reach of the data transmission is limited only by the strength of those signals. As soon as a wireless device sends its data, an attacker needs nothing more than a receiver within range of the radio signals to pick that data up.
At the same time, there is a risk that unauthorized persons use the WLAN infrastructure or gain access to a network.
Security precautions are therefore necessary, specifically the encryption of the data packets and the authentication of users and WLAN clients.

At the beginning of WLAN development, the IEEE 802.11 standard was one big security risk. Access to the WLAN was open, i.e. without authentication of the user, and the data transfer was unencrypted and therefore readable by everyone. Both are completely unacceptable for security reasons.

In order to operate a WLAN securely, the user must be authenticated and the data transmission must be encrypted. German case law requires the authentication and encryption of a WLAN. If the law is interpreted strictly, the operator of an inadequately secured WLAN is considered an interferer and is therefore held liable for violations of the law committed via his Internet connection.
Anyone who operates a WLAN router or access point should make sure that authentication and encryption are always switched on.

Overview: WLAN security

Because encryption and authentication were urgently needed in WLANs, WEP was developed in a hurry. It quickly turned out that it can be cracked with simple means. Its weak points were largely eliminated by its successor WPA. At the same time, the IEEE developed the IEEE 802.11i standard with a secure encryption method based on AES. WPA2 emerged from IEEE 802.11i. WPA2 is considered sufficiently secure and is preferable to WEP and WPA.
WPS is meant to simplify authentication using a PIN or a button in order to register a WLAN client with a WLAN secured by WPA or WPA2. Unfortunately, this simplification makes authentication less secure for as long as WPS is enabled.

  • WEP (insecure and out of date)
  • WPA (obsolete)
  • WPA2 (obsolete)
  • WPS (insecure and current)
  • WPA3 (secure and up-to-date)

WLAN authentication

With WLAN authentication, the user must authenticate himself to the wireless access point (WAP), thereby establishing that he is allowed to use the WLAN. There are essentially two methods. One is a password, the so-called pre-shared key: a secret character string that serves as an access key or password and is usually referred to as the WLAN password. The wireless access point grants the WLAN client access to the WLAN only when this password is entered.
The other possibility is to check the user's user name and password centrally, typically via IEEE 802.1X. This has the advantage that each user has their own access data, which can be activated and deactivated centrally.

WLAN encryption

Encryption refers to processes and algorithms that convert data into an unreadable form using digital or electronic codes or keys, while ensuring that the secret data can only be decrypted again with knowledge of a key.

Weak points in a WLAN infrastructure

  • Default users and passwords in access points and WLAN routers
  • Insecure basic configuration of access points and WLAN routers
  • Outdated security standards
  • Incorrect implementations of WPA2 and WPS
  • Vulnerability through Denial-of-Service (DoS)
  • Evil Twin and MAC spoofing
  • Insecure user access points in enterprise networks

Outdated security standards

Outdated security standards that WiFi devices still support are a major problem. Some WLAN operators have activated outdated standards accidentally, or have left them active for compatibility reasons so that old devices can still access the WLAN, for example WEP, or WPA with TKIP. This of course makes it easy for an attacker to gain access despite authentication and encryption.
According to security experts, anyone who still uses WEP is acting with gross negligence. WLAN components with WPA2 are so cheap that there is no excuse for not replacing outdated WEP or WPA devices with new ones that support WPA2 encryption.

Since 2011, new wireless access points (WAP) have no longer been allowed to support TKIP. Since 2012 this has applied to all WLAN devices (clients and WAP). Since 2014, new wireless access points have only been allowed to offer WPA2-AES. In practice, unfortunately, it looks different.

Sniffing and war driving

Sniffing and war driving are common names for spying out WLANs. Special WLAN adapters are used whose driver supports channel hopping, so that the frequency spectrum can be searched for WLANs. The WLAN adapters listen passively in monitor mode and do not establish a connection.
In the simplest case, war driving means driving around in a car with a laptop that has a built-in WLAN adapter and an external antenna. In combination with a GPS receiver, the location of a WLAN can be logged so that it can be found on a map later. Special software, a sniffer, detects and logs all WLANs: whether they are open or encrypted, which access point hardware is used (known security gaps?) and what network speed is available. Open WLANs without encryption then literally invite intrusion into the network.
War driving was a popular sport in the early days of WLANs because many WLANs were not encrypted. Today, war driving is of little interest because private WLANs are also encrypted by default, which makes access with simple means difficult.

Use of third-party WLANs

For everyone who wants to top up on a little paranoia: using third-party WLANs is risky. You don't know who is running the WLAN or who else is using it at the same time, so third-party WLANs have a completely unknown security status. This is not about refusing the WiFi of friends or acquaintances. The problem is that your own WLAN client may connect to WLANs that only pretend to be a known WLAN: one you have already registered with, whose access data also happen to work for the unknown WLAN. As a rule, the same access data should not appear in another WLAN, unless that is intentional because you operate several access points for greater wireless coverage whose WLAN names and passwords are conveniently identical. The situation is different when an attacker duplicates a WLAN and uses it to capture login data for websites or other unencrypted data.

For security reasons, you should use only your WLAN at home and, on the go, the cellular network. If you don't want to do without third-party WLANs while on the move, use them only with an additional VPN connection. This ensures that unencrypted data traffic is also transmitted over a secure connection.

WPS - Wi-Fi Protected Setup

WPS is a specification of the industry consortium Wi-Fi Alliance (WFA) that describes an automatic configuration method. WPS simplifies the WLAN configuration of WLAN clients. The configuration is done either by pushing a button (WPS-PBC) or by entering a PIN (WPS-PIN).
The main difficulty when configuring a WLAN client is entering the WLAN password (pre-shared key) that is stored in the access point. WPS simplifies and automates this inconvenience.

Unfortunately, enabled WPS creates a vulnerability, which is why WPS routers are a worthwhile target for attackers. The weak point results from weak random number generation and from the possibility of recovering the WPS PIN by brute force within a few hours or even minutes. This vulnerability is so large that an attack on a WLAN secured with WPS almost always succeeds (depending on the implementation).

WDS - Wireless Distribution System

The Wireless Distribution System (WDS) allows WLAN base stations to exchange data traffic directly with one another without going over a LAN. Many manufacturers use WDS for a simple implementation of WLAN repeaters. A WLAN repeater receives WLAN signals and forwards them, thereby extending the radio path and increasing the range of a WLAN.
Unfortunately, WDS is not specified precisely enough. As a result, WDS together with WPA2 does not always work across manufacturers, and there is a risk that users forego authentication and encryption for functional reasons.

How secure is WiFi security?

Almost all WLAN security methods have weaknesses of some kind. If the procedures are implemented correctly, their security is sufficient for private use. Here the danger usually comes only from an attacker who records a successful connection setup and guesses the password with a dictionary attack. For just a few dollars you can rent the computing power to calculate the password from a WLAN recording in a relatively short time.

In commercial or large-scale use, a WLAN should always be secured in enterprise mode with IEEE 802.1X. Only the enterprise mode of WPA2 offers the most secure protection, because here the WLAN key is linked to individual access data. However, this shifts the attack vector to these access data, which can only be fully secured with certificates.
Eavesdropping on and decrypting the data transmission in the WLAN is then possible only with a disproportionate amount of effort. If you want to be on the safe side, you can keep your hands off WLAN entirely and transmit your data only over cable connections.

Open WLANs (without authentication and encryption) should not be operated and really should not be used, even if that is very convenient. You should be aware that any other WLAN user can eavesdrop on the unencrypted data traffic. If the use of an unencrypted WLAN cannot be avoided, the data transmission should be protected with additional measures. Communication between applications can be made more secure with SSL, SSH and IPsec.

6 simple measures for basic WiFi security

  1. Assign your own admin password for the access point (router, etc.). Writing it down and keeping it in a safe place is allowed.
  2. Assign your own WLAN password with at least 16 characters for the access point. Writing it down and keeping it in a safe place is allowed.
  3. Turn on the guest WiFi, or change your WiFi password if you have given it to guests.
  4. Activate only WPA2 encryption, not "WPA / WPA2" or "mixed".
  5. Always turn off WPS when you don't need it.
  6. Turn on the auto-update function of your router if it has one.

6 further measures for strong WLAN security (optional)

  • Use enterprise mode.
  • Assign a nondescript WLAN name (SSID) that cannot be traced back to you. Avoid names and terms that have to do with you personally or with your location.
  • Separate WLANs from other network segments (guest WLAN).
  • Install a firewall between WLAN and LAN.
  • Set up an IDS in the WLAN.
  • Perform regular audits with the latest hacking tools.

2 measures that you can do without

  • Use a MAC address filter at device level.
  • Prevent the SSID from being announced by broadcast (Hidden SSID).
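The measures above (WPA2 only, no TKIP, a WLAN password of at least 16 characters, WPS off) and the two you can do without (MAC filter, hidden SSID) can be checked mechanically on an access point that runs hostapd. The following audit script is an added example, not from the original article; the hostapd.conf keys are real hostapd options, while the sample configuration it examines is constructed.

```python
"""Audit a hostapd.conf against the basic measures above (added example,
not from the article; the hostapd.conf keys are real hostapd options,
the sample configuration is constructed)."""

# Constructed sample: a typical "works with every old device" configuration.
WEAK_CONF = """
ssid=Mueller-Home-Floor3
wpa=3
wpa_passphrase=summer2012
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wps_state=2
ignore_broadcast_ssid=1
macaddr_acl=1
"""

def parse_conf(text):
    """Return hostapd key=value pairs, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    c = parse_conf(text)
    findings = []
    # Measure 4: WPA2 only. wpa=1 is WPA, wpa=3 is the "WPA/WPA2 mixed" mode.
    if c.get("wpa", "0") != "2":
        findings.append("wpa=%s: enable WPA2 only (wpa=2)" % c.get("wpa", "0"))
    # TKIP is the WPA-era cipher that may no longer be offered (CCMP = AES).
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in c.get(key, "").split():
            findings.append("%s offers TKIP: use CCMP only" % key)
    # Measure 2: a WLAN password of at least 16 characters.
    pw = c.get("wpa_passphrase", "")
    if len(pw) < 16:
        findings.append("wpa_passphrase has %d characters: use at least 16" % len(pw))
    # Measure 5: WPS off (wps_state=0) unless it is actually needed.
    if c.get("wps_state", "0") != "0":
        findings.append("wps_state=%s: switch WPS off (wps_state=0)" % c["wps_state"])
    # Hidden SSID and MAC filter add no security, only trouble.
    if c.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("ignore_broadcast_ssid set: a hidden SSID adds no security")
    if c.get("macaddr_acl", "0") != "0":
        findings.append("macaddr_acl set: a MAC filter is easily bypassed")
    return findings
```

Run `audit(WEAK_CONF)` to list the seven findings for the sample; a configuration with `wpa=2`, `rsn_pairwise=CCMP`, `wps_state=0` and a long passphrase returns an empty list.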

Why a MAC filter does not provide more security

A MAC filter is a conceivable measure to increase the security of a WLAN, but a rather dubious one. The increased security is an illusion and does not outweigh the loss of convenience it entails.
A MAC filter basically prevents someone from connecting to a WLAN if the hardware address of their WLAN adapter has not been registered in the wireless access point beforehand. The access point then rejects any connection attempt, even if the client in question has the correct WLAN password.

In practice, however, if an attacker is able to find out the correct password, the MAC filter is no real hurdle for him. In other words, an attacker who has obtained the password will not let a MAC filter stop him.
He simply sets his wireless adapter to the MAC address of an authorized wireless adapter, and the MAC filter is bypassed. You can therefore do without a MAC filter.
In principle, a MAC filter only costs convenience and is an additional source of errors in WLAN use.

Why hiding the WLAN name (Hidden SSID) does not bring more security

Hiding the WLAN name, offered as "Activate Hidden SSID" or "Deactivate Broadcast SSID", is a conceivable measure to increase the security of a WLAN: the attacker then needs not only the WLAN password but also the WLAN name in order to authenticate to the WLAN. However, "Hidden SSID" as a security measure is rather dubious and also does not conform to the standard. The apparent gain in security does not outweigh the loss of convenience.

  1. As a user, you have to create the connection manually when connecting to the hidden WLAN for the first time.
  2. Some WLAN clients that cannot see the access point cannot log in there either.
  3. Because some WLAN adapters and clients cannot cope with hidden SSIDs, the error rate and the troubleshooting effort increase.

The argument that hidden WLANs cannot be found by war drivers and WLAN hackers is also wrong. A WLAN with "Hidden SSID" is of course visible, just without a name. An attacker who is genuinely interested will not be deterred by a hidden SSID; he sees the WLAN without a name, and as soon as a client logs on to a WLAN with a hidden SSID, the SSID is transmitted.

For a WiFi hacker, the WiFi name is actually irrelevant. For most attacks the attacker does not even need the WLAN name. And if he does, he can use a de-authentication attack to force the connected WLAN clients to log in again; as part of the re-authentication of a WLAN client, the attacker can determine the SSID. For an attacker who is actually willing and able to find out the WiFi password, this is no obstacle but an easy finger exercise.

Anyone who still believes that hiding the SSID is a sensible measure should be aware that it can actually open a security hole. Normally the WLAN access point regularly announces its WLAN. If it does not, a WLAN client that was once connected to it must actively search for this WLAN, so the client itself regularly broadcasts the SSID. It is practically constantly calling for the hidden WLAN, even when that WLAN is nowhere nearby.
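To make this concrete, the following added example (not from the original article) constructs a beacon from a hidden WLAN and a probe request from a client that knows it, and parses the SSID element from each: the beacon shows only an empty SSID, while the client's probe request names the network. The MAC addresses and the network name are constructed.

```python
"""Why a hidden SSID does not stay hidden: a beacon from a hidden network
carries an empty SSID element, but a client probing for that network names
it. Added example, not from the article; both frames are constructed here
following the IEEE 802.11 management frame layout."""
import struct

BROADCAST = b"\xff" * 6
CLIENT_MAC = bytes.fromhex("02aabbccddee")   # constructed, locally administered
AP_MAC = bytes.fromhex("020102030405")       # constructed, locally administered

def build_mgmt_frame(subtype, sa, ssid, fixed=b""):
    """Build a minimal 802.11 management frame: 24-byte header, optional
    fixed fields, then the SSID and supported-rates elements."""
    frame_control = struct.pack("<H", subtype << 4)      # type 0 = management
    header = frame_control + b"\x00\x00" + BROADCAST + sa + BROADCAST + b"\x00\x00"
    ssid_ie = bytes([0, len(ssid)]) + ssid                # element ID 0 = SSID
    rates_ie = bytes([1, 2, 0x82, 0x84])                  # element ID 1 = rates
    return header + fixed + ssid_ie + rates_ie

def ssid_from_frame(frame):
    """Return (subtype, ssid) for a management frame with an SSID element,
    or None. A hidden SSID comes back as an empty string."""
    (frame_control,) = struct.unpack_from("<H", frame, 0)
    if frame_control & 0x0C:                 # type bits set: not a management frame
        return None
    subtype = (frame_control >> 4) & 0x0F
    # Beacons (8) and probe responses (5) carry 12 fixed bytes (timestamp,
    # beacon interval, capabilities) before the elements; probe requests (4) none.
    offset = 24 + (12 if subtype in (5, 8) else 0)
    while offset + 2 <= len(frame):
        eid, length = frame[offset], frame[offset + 1]
        body = frame[offset + 2:offset + 2 + length]
        if eid == 0:
            # hidden SSID: zero length, or the real length filled with NUL bytes
            ssid = b"" if not body.strip(b"\x00") else body
            return subtype, ssid.decode("utf-8", "replace")
        offset += 2 + length
    return None

# Beacon of a hidden WLAN: 8-byte timestamp, interval 100 TU, capability bits (privacy set).
HIDDEN_BEACON = build_mgmt_frame(8, AP_MAC, b"", fixed=b"\x00" * 8 + b"\x64\x00" + b"\x11\x04")
# A client that once joined the hidden WLAN asks for it by name, wherever it is.
CLIENT_PROBE = build_mgmt_frame(4, CLIENT_MAC, b"Mueller-Home")
```

`ssid_from_frame(HIDDEN_BEACON)` yields `(8, "")`, `ssid_from_frame(CLIENT_PROBE)` yields `(4, "Mueller-Home")`: the access point keeps quiet, the client does not.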

If a WLAN hacker wants to break into a WLAN with a hidden SSID, he first finds out the SSID. That is no problem, because the clients are very talkative. The attacker then sets up his own access point with the same SSID, and any WLAN client will connect to this supposedly known WLAN. During the login attempt the attacker can pick up the WPA handshake and find out the password by trying candidates. And all of this without having to be anywhere near the WLAN.

Vulnerability: rogue access point

A "rogue access point" is an access point set up by a user that operates without authentication (Open Authentication) and without encryption (No Encryption) and lets WLAN clients connect to a network that actually requires authentication.
"Rogue access points" are often operated by technically experienced users who do not comply with the security measures in a network and who are not very aware of security requirements and critical weak points. They operate the open WLAN for more convenience and accept that they circumvent sensible and necessary security measures.
"Rogue access points" cannot be prevented completely and can only be identified as part of a pentest. Since their exact location is not known, you usually have to go looking for them.

Legal meaning of an unencrypted WLAN

An open WLAN is like an open barn door. When someone surfs via the open WLAN, the IP address of the WLAN operator leaves a trace on the network. This IP address can later be assigned to the subscriber, who is therefore identified as the first suspect in the event of an infringement. It can quickly happen that a criminal offense is attributed to you even though strangers misused the unencrypted WLAN access. It doesn't help to explain that you only let your neighbor into the network or that you accidentally switched off the encryption. Anyone who operates a WLAN router or wireless access point should make sure that encryption is always switched on.
