Related papers: False Sense of Security on Protected Wi-Fi Networks

False Sense of Security on Protected Wi-Fi Networks

URL: http://arxiv.org/abs/2501.13363v1
Date: Thu, 23 Jan 2025 04:04:22 GMT
Title: False Sense of Security on Protected Wi-Fi Networks
Authors: Yong Zhi Lim, Hazmei Bin Abdul Rahman, Biplab Sikdar,
Abstract summary: This paper empirically evaluate password choices in the wild and evaluate weakness in current common practices.<n>We collected a total of 3,352 password hashes from Wi-Fi access points and determine the passphrases that were protecting them.<n>We characterized the predictability of passphrases that use the minimum required length of 8 numeric or alphanumeric characters, and/or symbols stipulated in wireless security standards.
Score: 9.895667144311412
License: http://creativecommons.org/licenses/by/4.0/
Abstract: The Wi-Fi technology (IEEE 802.11) was introduced in 1997. With the increasing use and deployment of such networks, their security has also attracted considerable attention. Current Wi-Fi networks use WPA2 (Wi-Fi Protected Access 2) for security (authentication and encryption) between access points and clients. According to the IEEE 802.11i-2004 standard, wireless networks secured with WPA2-PSK (Pre-Shared Key) are required to be protected with a passphrase between 8 to 63 ASCII characters. However, a poorly chosen passphrase significantly reduces the effectiveness of both WPA2 and WPA3-Personal Transition Mode. The objective of this paper is to empirically evaluate password choices in the wild and evaluate weakness in current common practices. We collected a total of 3,352 password hashes from Wi-Fi access points and determine the passphrases that were protecting them. We then analyze these passwords to investigate the impact of user's behavior and preference for convenience on passphrase strength in secured private Wi-Fi networks in Singapore. We characterized the predictability of passphrases that use the minimum required length of 8 numeric or alphanumeric characters, and/or symbols stipulated in wireless security standards, and the usage of default passwords, and found that 16 percent of the passwords show such behavior. Our results also indicate the prevalence of the use of default passwords by hardware manufacturers. We correlate our results with our findings and recommend methods that will improve the overall security and future of our Wi-Fi networks.

Related papers

Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication [0.0]
With passkeys, the FIDO Alliance introduces the ability to sync FIDO2 credentials across a user's devices through passkey providers. This aims to mitigate user concerns about losing their devices and promotes the shift toward password-less authentication. We show how credential syncing has also created a debate among experts about their security guarantees.
arXiv Detail & Related papers (2025-01-13T15:00:18Z)
Recovering WPA-3 Network Password by Bypassing the Simultaneous Authentication of Equals Handshake using Social Engineering Captive Portal [1.2494184403263338]
Breaching the WPA3 network can be possible by building on various security flaws that was disclosed on WPA3 in 2021.<n>A Man in the Middle attack proposed set up is carried out by using race conditions to deauthentication WPA3 network and then using a Raspberry Pi to spawn a rouge WPA3 network.<n>This research identified that the Password was able to be recovered from Social Engineering Captive Portal when Protected Management Frames are not implemented.
arXiv Detail & Related papers (2024-12-19T20:19:34Z)
EAP-FIDO: A Novel EAP Method for Using FIDO2 Credentials for Network Authentication [43.91777308855348]
EAP-FIDO allows organisations with WPA2/3-Enterprise wireless networks or MACSec-enabled wired networks to leverage FIDO2's passwordless authentication.<n>We provide a comprehensive security and performance analysis to support the feasibility of this approach.
arXiv Detail & Related papers (2024-12-04T12:35:30Z)
Diffie-Hellman Picture Show: Key Exchange Stories from Commercial VoWiFi Deployments [2.1257201926337665]
We analyze the phase 1 settings and implementations as they are found in phones and in commercially deployed networks worldwide. On the UE side, we identified a recent 5G baseband chipset that allows for fallback to weak, unannounced modes. On the MNO side, we identified 13 operators on three continents that all use the same globally static set of ten private keys.
arXiv Detail & Related papers (2024-07-28T18:44:41Z)
Never Gonna Give You Up: Exploring Deprecated NULL Ciphers in Commercial VoWiFi Deployments [0.0]
Many operators use Voice over Wi-Fi (VoWiFi) allowing customers to dial into their core network over the public Internet. To protect against malicious actors on the WiFi or Internet domain, the traffic is sent over a series of IPsec tunnels. We want to analyze security configurations within commercial VoWiFi deployments, both on the client and server side.
arXiv Detail & Related papers (2024-06-18T07:32:38Z)
Nudging Users to Change Breached Passwords Using the Protection Motivation Theory [58.87688846800743]
We draw on the Protection Motivation Theory (PMT) to design nudges that encourage users to change breached passwords. Our study contributes to PMT's application in security research and provides concrete design implications for improving compromised credential notifications.
arXiv Detail & Related papers (2024-05-24T07:51:15Z)
Off-Path TCP Hijacking in Wi-Fi Networks: A Packet-Size Side Channel Attack [33.68960337314623]
We unveil a fundamental side channel in Wi-Fi networks, specifically the observable frame size, which can be exploited by attackers to conduct TCP hijacking attacks. We validate the effectiveness of this side channel attack through two case studies. We implement our attack in 80 real-world Wi-Fi networks and successfully hijack the victim's TCP connections in 75 (93.75%) evaluated Wi-Fi networks.
arXiv Detail & Related papers (2024-02-20T04:56:48Z)
Tamper-Evident Pairing [55.2480439325792]
Tamper-Evident Pairing (TEP) is an improvement of the Push-Button configuration (PBC) standard. TEP relies on the Tamper-Evident Announcement (TEA), which guarantees that an adversary can neither tamper a transmitted message without being detected, nor hide the fact that the message has been sent. This paper provides a comprehensive overview of the TEP protocol, including all information needed to understand how it works.
arXiv Detail & Related papers (2023-11-24T18:54:00Z)
PassGPT: Password Modeling and (Guided) Generation with Large Language Models [59.11160990637616]
We present PassGPT, a large language model trained on password leaks for password generation. We also introduce the concept of guided password generation, where we leverage PassGPT sampling procedure to generate passwords matching arbitrary constraints.
arXiv Detail & Related papers (2023-06-02T13:49:53Z)
Skeptic: Automatic, Justified and Privacy-Preserving Password Composition Policy Selection [44.040106718326605]
The choice of password composition policy to enforce on a password-protected system represents a critical security decision. In practice, this choice is not usually rigorous or justifiable, with a tendency for system administrators to choose password composition policies based on intuition alone. We propose a novel methodology that draws on password probability distributions constructed from large sets of real-world password data.
arXiv Detail & Related papers (2020-07-07T22:12:13Z)
Smart Home, security concerns of IoT [91.3755431537592]
The IoT (Internet of Things) has become widely popular in the domestic environments. People are renewing their homes into smart homes; however, the privacy concerns of owning many Internet connected devices with always-on environmental sensors remain insufficiently addressed. Default and weak passwords, cheap materials and hardware, and unencrypted communication are identified as the principal threats and vulnerabilities of IoT devices.
arXiv Detail & Related papers (2020-07-06T10:36:11Z)

This list is automatically generated from the titles and abstracts of the papers in this site.