Over-the-Air Credential Theft is the act of stealing credentials “over-the-air”, often during Wi-Fi or VPN authentication. This is often accomplished using a Man-in-the-Middle (MITM) or Evil Twin attack: spoofing an SSID within the physical vicinity of devices that are configured to connect to that SSID, causing devices to send their credentials to the spoofed SSID instead of the legitimate one. This can occur on campus or at a nearby, frequently visited facility such as a cafe or store. According to the 2018 Credential Spill Report, an average of 1 million credentials were exposed daily in 2017, with no indication that this number will decrease.
An area of vulnerability for over-the-air credential theft is when users manually configure their devices for WPA2-Enterprise. When users omit a few difficult-to-configure settings, such as RADIUS certificate installation, they lose all the security benefits of WPA2-Enterprise and are susceptible to over-the-air credential theft. Providing onboarding/configuration technology to network users not only creates a better user experience, but it also significantly reduces the risk of over-the-air credential theft.
While onboarding/configuration technology can minimize the risk of over-the-air credential theft, it is not foolproof, since users can choose not to use it. Using certificate-driven security guarantees that users go through an enrollment process that ensures their devices are properly configured, and organizations can rest assured that privacy is protected.
Server certificate validation prevents over-the-air credential theft by configuring devices to validate the identity of the SSID’s server before sending credentials. This security measure is often overlooked for two primary reasons: the organization does not know about it, and it’s difficult for end users to configure. Misconfiguring server certificate validation is easy, especially since devices can be misconfigured and still connect to the network, which negates the security benefits of WPA2-Enterprise. Manually configuring it on Windows devices, shown in the video, takes 14 steps.
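Because a misconfigured device still connects, the gap only shows up when the saved profile is inspected. The following is an added example, not SecureW2 code: it assumes Linux clients using wpa_supplicant (a client the page does not mention) and audits each 802.1X network block for the settings that pin the RADIUS server's CA and name. The sample configuration and all names in it are constructed.

```python
import re

# Constructed sample wpa_supplicant.conf (all values are made up): the first
# profile skips server validation, the second pins the CA and the server name.
SAMPLE_CONF = '''
network={
    ssid="CampusWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CampusWiFi-Secure"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.edu"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
'''

def parse_networks(conf_text):
    """Return one dict of key/value settings per network={...} block."""
    networks = []
    for body in re.findall(r'network=\{(.*?)\n\}', conf_text, re.S):
        settings = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith('#') and '=' in line:
                key, value = line.split('=', 1)
                settings[key.strip()] = value.strip().strip('"')
        networks.append(settings)
    return networks

def audit(conf_text):
    """Map each 802.1X SSID to the server-validation settings it lacks."""
    findings = {}
    for net in parse_networks(conf_text):
        if 'WPA-EAP' not in net.get('key_mgmt', ''):
            continue  # not an 802.1X (WPA2-Enterprise) profile
        missing = [key for key in ('ca_cert', 'domain_suffix_match') if not net.get(key)]
        if net.get('domain_match'):  # exact-name pinning also satisfies the name check
            missing = [k for k in missing if k != 'domain_suffix_match']
        findings[net.get('ssid', '<no ssid>')] = missing
    return findings

if __name__ == '__main__':
    print(audit(SAMPLE_CONF))
```

A profile with an empty list validates the server before credentials are sent; any profile that lists `ca_cert` will accept whatever certificate the access point's RADIUS server presents.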
We provide everything an organization needs to deploy EAP-TLS, certificate-based 802.1X for Wi-Fi security. The #1 rated onboarding client to enroll certificates, certificate management tools, managed device auto-enrollment gateways, a RADIUS server and much more are included in the SecureW2 solution. Plus, we’re vendor neutral. You can plug and play any part of our solution, so there’s no need to forklift your existing network infrastructure.
Starting with a great end user experience, the JoinNow Suite provides customizable and adaptable onboarding clients that set up devices for Wi-Fi, VPN, Web and SSL Inspection security. JoinNow takes the frustration out of delivering secure networks by delivering all turnkey backend services for device enrollment, authentication and management. In an age where BYOD, IoT, and managed devices reign, our technology provides the answers by leveraging the components you currently own.
SecureW2 software allows you to troubleshoot errors in real time with individual devices and monitor network connections. View and fingerprint which devices are connecting to the network while they are being onboarded, and simultaneously monitor any connection messages users may encounter. Detailed information about individual devices, such as network adapters, MAC addresses, driver versions, and manufacturer and driver dates, helps network admins begin the troubleshooting process and gather analytics from the cloud. End-user data including device type, operating system/build version, and application version is securely reported back to the cloud and made available to network admins for use in assessing connection patterns and creating network visibility.
Server certificate validation is one of the most important ways of preventing over-the-air credential theft. Manually configuring server certificate validation isn’t supported by Apple devices, and is very difficult to do on Android and Windows devices. SecureW2’s onboarding client ensures that devices of all operating systems are configured for server certificate validation when they are set up for network access.
SecureW2 makes it easy to track and manage certificates. Certificate policies allow the administrator to determine the lifecycle and permissions of client certificates, as well as automated notifications to users, administrators, and external systems regarding the issuance, revocation, and expiration of certificates. For example, you could create a policy that gives students certificates with a 4-year expiration, and staff an 8-year expiration.
SecureW2 comes with a built-in CRL (Certificate Revocation List) and provides mechanisms to validate current user status in the organization. Network administrators can also manually delete certificates from the management portal at any time. You can rest easy knowing that only current members of the organization have access to the network.