Enterprise Wi-Fi: We Need Devices That Are Secure by Default

Would you trust security technology that makes it possible (that is, quite likely) to steal the single sign-on enterprise credentials of any specific person in your enterprise by merely walking within 30 meters from that person? The attacker does not need to do any visible activity that might raise suspicions: a 50-euros device in a bag and a few seconds of physical proximity is all that is needed. Active cooperation of the target is not required and Internet connectivity is not required either. Thus, the attack may occur anywhere and the target would not notice anything. The attacker could steal the single sign-on credentials of a large fraction of people of your enterprise that happen to pass within 30 meters from the attacker. Perhaps at the office lunchroom, near a mass-transportation hub, or anywhere outside of the enterprise.

Of course, you would not trust such a security technology. Interestingly, though, a technology of this kind is nearly ubiquitous and implicitly trusted by a lot of people and enterprises: it is WPA2 Enterprise—the suite of protocols for secure communication in enterprise wireless networks. It is necessary to emphasize the relevance of this important and pervasive yet largely underestimated risk. We need to raise the awareness on a fundamental security technology that is very often deployed by violating its requirements, which creates important risks to users.