Tuesday, February 2, 2010

WPA vs WPA2 - Worth the upgrade?

BLUF: WPA (Wi-Fi Protected Access) only supports TKIP (Temporal Key Integrity Protocol), which has been weakened a couple of times. It is expected that, since it was built on the old WPA technology, more weaknesses will be found.

WPA2 uses AES (Advanced Encryption Standard) and is considered unbreakable (for now).

However, is it worth the cost and trouble to upgrade?

When prioritizing what fires to fight within my organization, I break it down to:

How much does the safeguard cost? What is the likelihood that the exploit will be realized? And finally, how much would the exploit cost if realized?

That's usually the order I look at things. How much is this going to run me? Is it really that likely? Only then do I look at the value proposition of the solution against the exploit cost so I can push it up to the bean counters.

Also, if we have a number of WAPs (Wireless Access Points) deployed that can run WPA but not WPA2, then migrating to WPA2 will affect my budget beyond man hours.

Why do so many legacy WAPs run WPA and not WPA2? Because WPA was an excellent solution made to exist on wimpy WEP hardware. WPA uses TKIP, which is not very resource intensive. WPA2, on the other hand, uses AES, which is incredibly robust but at a price. Hardware that could handle the processing needs of TKIP just doesn't have the oomph to crunch AES.

This means that if your legacy hardware falls into this category, then migrating to WPA2 is not quite as trivial a task.

So let's get back to our decision...

First you must look at the weaknesses of WPA. In order to exploit WPA, someone would need to be incredibly motivated to try and break TKIP. If someone wants in THAT bad, they’ll probably find another way to get what they want. Plus, the exploits of TKIP that have been reported are limited and more complex than the vast majority of bad guys out there are capable of. That doesn't mean that someone won't leverage TKIP's weaknesses to hax0r your intertubz but it does make it significantly less likely.

I believe in the "electric hacker" theory when it comes to threat agents. The vast majority of the time, someone trying to access your assets is going to take whichever path provides the least amount of resistance. Just like electricity. Least effort will usually be the motivating factor in what exploits will be attempted. It doesn't mean that there aren't some overachieving miscreants out there, just means that there are not a lot of them and they are probably focused on more rewarding booty than what you can provide.

If you are looking at upgrading 10 WAPs at $700 each, you will spend seven grand plus the man hours to deploy these new devices. If you have the budget and the time, then you might as well. However, most organizations I know are not blessed in that way. Time and money are tight and you have to fight the fires with what limited resources you have.

My pragmatic opinion is: The threat is not likely enough to spend the money and time to mitigate the risk. Most infosec teams have more pressing issues to address.

Your thoughts?

Michael Mongold
