BACHELOR DEGREE PROJECT CHALLENGES OF WIRELESS SECURITY IN THE HEALTHCARE FIELD - A STUDY ON THE WPA3 STANDARD - DIVA PORTAL
Bachelor Degree Project
Challenges of Wireless Security in the Healthcare Field
A study on the WPA3 standard
Author: Georgiana Mironov
Supervisor: Diego Perez
Semester: VT 2020
Subject: Network Security
Abstract

The healthcare environment is a complex one, saturated by wireless medical devices and sensitive patient data flowing through the network traffic. With the increased popularity of wireless medical devices in the healthcare domain together with the announcement of the new wireless security standard WPA3 comes a need to prepare for a new generation shift in wireless security. The goal of this study is therefore to investigate what challenges the healthcare sector can encounter when faced with the inevitable transition to WPA3. By performing a literature review on the security state of WPA3 compared to its predecessor and performing qualitative interviews with network technicians working in the healthcare sector, three major challenges were identified. IT professionals in the healthcare domain struggle with integrating legacy software systems, keeping middleware software solutions secure, and with handling hardware medical devices that come with outdated wireless standards. By analysing existing literature, several mitigating actions to battle these challenges were presented in this study.

Keywords: WPA3, Wi-Fi Protected Access 3, WPA2, Wi-Fi Protected Access 2, wireless security standard, healthcare, wireless medical devices
Acknowledgements Studying at Linnaeus University in Växjö has been a wonderful journey. I was able to grow as a person, build friendships I can cherish for the rest of my life and discover the field of cybersecurity that I want to dedicate my future career to. This would not have been possible, however, without the help of the wonderful people I met along the way. I want to thank my programme director, Ola Flygt, for all the guidance offered in my three years of university and for helping me discover my interest in digital forensics. I also want to express my gratitude to my supervisor, Diego Perez, for the invaluable support and feedback throughout the thesis project. I would also like to thank my respondents who allowed me their time and attention during the interviews. I am deeply grateful to my family for all their unconditional love and care, and I want to thank my boyfriend, Johan, for always being there and always believing in me. Last, but not least, a big thank you to my friends for keeping me sane during this thesis project.
Contents

1 Introduction 1
1.1 Background 1
1.2 Cybersecurity in Healthcare 2
1.3 Related work 3
1.4 Problem formulation 5
1.5 Motivation 6
1.6 Objectives 7
1.7 Expected Results 7
1.8 Limitations 7
1.9 Target group 8
1.10 Outline 8
2 Method 9
2.1 Literature Review 10
2.2 Qualitative Interview 11
2.2.1 Interview Guide 11
2.2.2 Resulting Interview 12
2.2.3 Sampling 13
2.2.4 Data Interpretation 14
2.3 Reliability and Validity 15
2.4 Ethical considerations 16
3 Current State of Wireless Security 17
3.1 Wi-Fi Protected Access 2 17
3.1.1 WPA2 Authentication 17
3.1.2 WPA2 Vulnerabilities 18
3.2 Wi-Fi Protected Access 3 18
3.2.1 Dragonfly Key Exchange Protocol 19
3.2.2 WPA3 vulnerabilities 19
4 Results 21
5 Analysis 32
5.1 Strong Security Awareness 32
5.2 Objective view on WPA3 32
5.3 Problematic Medical Devices 33
5.4 Complex Attack Ecosystem 35
6 Discussion 37
6.1 Proposed Mitigating Actions 38
6.2 Contributions 39
7 Conclusions and future work 40
References 42
A Appendix 1 A
B Appendix 2 D
1 Introduction

Wireless networks are continuously expanding. Whether for personal use at home, or for public use offered at an enterprise level, Wi-Fi has become a normal part of our daily lives. We are connected at home, we are connected at school, at work and at the doctor. It comes as no surprise then that in 2019 there were an estimated number of 15 billion Wireless Local Area Network (WLAN) connected devices worldwide. Within the upcoming year, in 2021, this number is forecasted to grow up to 22 billion [1]. That means 22 billion devices that at some point wirelessly carry sensitive personal data. With this increasing popularity of Wi-Fi enabled devices, one could say that Wi-Fi technology is the pulsating heart of our current society.

By sensitive personal data, we refer to data concerning the racial origin, political opinions, religious beliefs, health, or genetic data, among other things [2]. When it comes to the case of health data we can notice a trend in the recent years where the healthcare sector has shown to be especially popular as a target for data breaches, ransomware, and phishing, to name a few. One reason for this is that the value of medical records on the black market highly exceeds the value of credit card information [3]. Another aspect to consider is that in 2019 there were an estimated 3.2 billion smartphone users worldwide [4], which shows the existence of a wide wireless audience in the general public. Moreover, research shows there is a trend of continuously increasing the number of wireless medical devices in the health industry [5]. Combining these factors together shows that there is a need for ensuring the security of personal healthcare data, now more than ever due to its transmission over the wireless spectrum.

To ensure the security of wireless connections, different wireless security protocols have been defined throughout the years. The first known protocol came out in 1997 and was called Wired Equivalent Privacy (WEP).
16 years ago, in 2004, WEP became deprecated. That same year another protocol was ratified, the Wi-Fi Protected Access 2 (WPA2), which is currently the go-to security standard for both home users and enterprise users alike. Early 2018 the Wi-Fi Alliance announced the coming of a new wireless security protocol: the Wi-Fi Protected Access 3 (WPA3). The new protocol is said to successfully tackle the shortcomings of its predecessor, increasing the security and usability within the new standard.

The goal of this work is to provide information about the perception of the new wireless security protocol WPA3 in the public healthcare sector. The reason I have specifically chosen the healthcare sector is that, as will be further elaborated later on in this paper, this sector handles remarkably sensitive data. Therefore, security and privacy are of uttermost importance in this area. The study of this topic will first begin with a literature study of the WPA3 protocol, focusing on gathering relevant information about the details of WPA3, how it compares to its predecessor and what its caveats are. Afterwards, the study continues with a series of interviews with network professionals from the healthcare field and their perspective on the challenges of implementing WPA3 in a healthcare environment. The concluding findings of the study are anticipated to be used as a guideline for future researchers when studying the security of WPA3, as well as network professionals that wish to implement the WPA3 wireless security protocol within the healthcare domain.

1.1 Background

When discussing wireless technologies the terms Wi-Fi and WLAN are oftentimes used interchangeably. It is important, however, to make a distinction between the two. Wireless Local Area Networks, also known as WLANs, are types of networks where data is exchanged wirelessly typically using spread-spectrum or orthogonal frequency-division multiplexing radio through an environment where an access point is used to connect wireless clients or nodes with a router or switch that are afterwards connected to the Internet [6]. Wi-Fi, on the other hand, denotes the family of wireless network protocols, commonly known as IEEE 802.11, that can be used to build WLANs. Wi-Fi is the most popular and highly trusted type of WLAN.

Previous research on wireless security states that the current encryption algorithms used in wireless technologies have weaknesses that enable cybercriminals to engage in illegal activities such as eavesdropping, data destruction, gaining unauthorized access controls as well as compromising data integrity [7]. An encryption algorithm is defined as the set of rules used to encode a message so that its meaning is not obvious [8]. The encryption algorithm that WPA3 uses is the Advanced Encryption Standard (AES), also known as Rijndael.

Furthermore, both the Wi-Fi Protected Access 2 & 3 protocols are designed to implement the IEEE 802.11 standards by specifically indicating security mechanisms for wireless networks [9]. IEEE 802.11ac is the current generation of Wi-Fi, more recently known as Wi-Fi 5. The latest emerging Wi-Fi standard is the 802.11ax, which is also known as Wi-Fi 6. To achieve Wi-Fi 6 certification, WPA3 security is a requirement.

The National Institute of Standards and Technology (NIST) Standards for Security Categorization of Federal Information and Information Systems (FIPS 199) lists confidentiality, integrity, and availability as the three security objectives for information and for information systems [10]. These three concepts form what is known as the CIA triad (see Figure 1.1), where C refers to Confidentiality, I to Integrity, and A to Availability.
Since these terms will be used throughout this research paper, it is important to define them. In the context of this study, confidentiality ensures that only authorized parties have access to private information. Integrity ensures that private information is only modified by authorized parties, and lastly, availability ensures that services or information are not denied to authorized users.

Figure 1.1: Illustration of the CIA Triad

1.2 Cybersecurity in Healthcare

Cybersecurity in the healthcare field is unique due to the type of information that could be put at risk and due to the level of impact attacks in this field could have for patient safety. Compared to the financial sector where stolen credit cards are easily replaceable, albeit at a monetary cost, an individual’s health information that is stolen cannot be replaced. A patient will continue to have the same birth-date and genetic information regardless of
how many data breaches their patient information is exposed to. Furthermore, the financial sector has been facing cybersecurity threats for a much longer period of time than the healthcare domain. This has led to the financial sector establishing policies and allocating dedicated investments towards cybersecurity measures, areas where the healthcare domain still struggles [11].

The current cybersecurity state of the healthcare industry is crippled by several competing pressures that weigh on IT, such as outdated systems, skyrocketing costs, patient consumerisation and the explosion of data [12]. Healthcare is also the only industry on a global level where the biggest threat to data security breaches originates internally from negligent employee behaviour [13], such as clicking on phishing links or abusing access to data. Furthermore, with the increased interest in leveraging Internet of Things (IoT) and big data technologies in the healthcare industry comes another challenge. The sensors used by many medical IoT devices communicate with a server using their own unique proprietary protocol that is manufacturer-specific. This creates a fragmented software environment where sensors from different manufacturers can simply not communicate with each other, causing privacy concerns and isolating data, undermining the whole concept of connected healthcare [14].

Different measures are being implemented in order to improve the strength of healthcare security, from general awareness training in order to prevent human error, to blockchain technology that helps securely manage electronic patient records [13], to new standards and models being created, that can aid IoT interoperability in healthcare [15].
But challenges remain: clinicians and administrative staff must undergo more training, decision-makers must enforce proper policies and invest in cybersecurity tools, and manufacturers must in their turn equip their products with appropriate cybersecurity measures [11]. All in all, this shows that only with a shared responsibility between both clinicians, administration staff and manufacturers can many of the remaining challenges of the healthcare domain be mitigated.

1.3 Related work

When investigating related work on WPA3 in a healthcare environment the results show an abundance of research on the medical effects of wireless technology on patients, as well as research on Real Time Location Systems (RTLS) [16] using Wi-Fi in a healthcare environment. However, these studies focus on the medical aspects and not on the type of wireless standard used or the effects on patient data. At the time of this study, no research on the security of WPA3 in the context of the healthcare field was found, or any studies that touched the topic of wireless standards that did not have a purely medical focus.

Nonetheless, being a relatively new topic, the author performed new searches on the topic of WPA3 in healthcare even towards the end of the study which led to finding the work of a researcher called Giovanni Ordonez. In his paper entitled Cyber Security in the Healthcare Industry [17] published in 2020, Ordonez brings light into some of the attacks intruders could perform on medical devices as well as attacks existing in the context of medicine. The author discusses security aspects using a Five Layer IoT Device Architecture, which is illustrated in Figure 1.2, describing the vulnerabilities and possible attacks existing on each layer. While Ordonez discusses the Network Layer as a part of the bigger picture, this study focuses entirely on the Network Layer. Furthermore, Ordonez examines the ethical aspects of cybersecurity in healthcare as a central part of his
work, whereas the aim of this study is about exposing the general challenges of wireless security, specifically WPA3, in a healthcare context.

Figure 1.2: Five Layer IoT Device Architecture [18]

Although Ordonez takes a different approach in discussing WPA3, he does present a practical example of medical devices that use wireless technology and whose vulnerabilities could in the worst case lead to human death. In fact, the motivation for his research comes from his personal experience. He found that the pacemaker that his grandmother — who was admitted to the hospital — was wearing could be hacked. An attacker could transmit a signal to the pacemaker that would have induced her death. The person who discovered the hack against the pacemaker was a security expert named Barnaby Jack who unfortunately died before he could present his findings at a hacking conference. The risks that Ordonez highlights in his research help reinforce the need for studies in the wireless healthcare field. There is a clear research gap, where studies need to be performed not only on the effect wireless technologies and standards have on the health of individuals but also what effect they have on the integrity of their data. Ordonez gets closer to this topic by discussing the ethics related to cybersecurity in healthcare.

Looking at the studies performed on the security of the WPA3 standard alone, there are several that are relevant to this study. To begin with, one such study is the work of Mathy Vanhoef and Eyal Ronen, Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-PWD [19], where the authors discovered several different types of attacks against WPA3 and proposed design fixes which were later on adopted by the Wi-Fi Alliance. Furthermore, the authors state that despite WPA3 not meeting the standards of a modern security protocol, it is an improvement over the WPA2 standard. The earliest security analysis of WPA3 after its announcement is that of Christopher P.
Kohlios and Thaier Hayajneh, who present in their paper, A Comprehensive Attack Flow Model and Security Analysis for Wi-Fi and WPA3 [20], that WPA3 has resolved many of the issues present in WPA2, such as de-authentication, off-line dictionary attacks and the
KRACK vulnerability. However, since the authors focus on the overall picture of Wi-Fi security instead of strictly comparing it to its predecessor, they also find that WPA3 falls short of solving some of the major vulnerabilities existing in Wi-Fi networks, such as rogue access points, evil twins and ARP spoofing, to name a few.

After the Wi-Fi Alliance had presented their recommendations in response to the vulnerabilities found by M. Vanhoef et al. in their study, another group of researchers dissected the WPA3 standard now in line with the new security improvements. Songhui Kwon and Hyoung-Kee Choi further reinforce in Evolution of Wi-Fi Protected Access: Security Challenges [21] how WPA3 addresses the shortcomings of WPA2, but still lacks in attending to DoS attacks, validation of Wi-Fi security implementations as well as consistency in security configurations.

1.4 Problem formulation

With wireless networks becoming more and more popular in the healthcare domain, whether used to track assets or people [22], to increase usability for personnel, or used to access medical devices physically connected to patients, there comes a need to ensure the security of the wireless networks used in the medical field together with the data they carry. What makes wireless networks so popular in the healthcare domain is the need to manage Medical Internet of Things (IoT) devices. These IoT devices are known to produce large volumes of highly sensitive patient information [23]. For example, modern implantable medical devices with wireless connections, such as cardiac implants, insulin pumps, and neurological implantable pulse generators, contain personal information stored in their memory [24]. These devices can contain data such as contact details of physicians, date of birth, and name of the patients, which could be misused by cybercriminals who intend to illegally gain access to the data and perform social engineering attacks and identity theft.
Currently, in the healthcare domain, the WPA2 standard is used to protect the security of wireless networks and therefore help ensure the confidentiality, integrity, and availability of the previously mentioned sensitive healthcare data. However, in 2018 a new wireless security standard with improved security features was announced known as WPA3. This announcement means it is only a matter of time until the healthcare domain must upgrade their wireless security standard and replace WPA2 with WPA3.

The problem that arises, in this case, is that the last time the healthcare domain had to consider updating the wireless security standard was 16 years ago and the considerations that had to be made at the time were suited to a different threat landscape than the one existing today. Furthermore, since WPA3 is still so new the effect of WPA3 in the healthcare domain is not sufficiently known yet. This is a problem because attacks against the healthcare institutions have become more sophisticated with time and the healthcare domain has gradually become a more common target for cybercriminals. In late 2019, the number of ransomware attacks on healthcare providers increased by 350%, with 764 healthcare providers being affected in the United States alone that year [25]. Moreover, in 2019 there was a 196% increase in healthcare data breaches compared to the previous year [26], showing that the healthcare domain is not only a popular target for cybercriminals but a rapidly increasing one as well.

In order to solve the problem of the little known effect of the challenges of upgrading to WPA3 in the healthcare domain the following research question was composed for this study:
What are the perceived challenges when upgrading to the WPA3 wireless security standard in the healthcare sector?

To answer this question existing literature on WPA3 will be examined and the perspective of network technicians working in the healthcare field will be investigated in order to find what challenges come with the task of upgrading the wireless security standard in a healthcare environment and how these can be overcome. The goal of this research is to assess the challenges found and build a list of considerations that should be followed before upgrading the security standard of the wireless networks in the healthcare domain.

1.5 Motivation

Although standards such as the Health Insurance Portability and Accountability Act (HIPAA) from 1996 that protects the privacy and security of health data [27], have been around for a long time, only in recent years has the importance and value of personal data truly been put into the spotlight and assessed at a wider scale. Regulations that focus on the integrity, confidentiality and availability of personal data such as the General Data Protection Regulation (GDPR) or the Directive on Security of Network and Information Systems (the NIS Directive) only came out in 2016, the date of their enforcement being placed two years later, in 2018. Also, another historical event that further reinforced the importance of user data, was the Facebook–Cambridge Analytica data breach in 2018 [28] where personal data was harvested without consent and used for political advertising. Altogether these events show that there is a strong need to protect sensitive personal user data. In a healthcare context, sensitive personal user data can be described as personally identifiable information and protected health information that is handled by medical personnel such as physicians, nurses or pharmacists, that use electronic health records (EHR), e-Prescribing software, remote patient monitoring, and laboratory information systems [11].
Although standards such as HIPAA offer guidelines as to which wireless security standard should be used, no standard discusses the challenges of upgrading from WPA2 to WPA3 in the healthcare domain.

What makes the healthcare environment so interesting to study are the high-density medical-grade WLANs. What is meant by high-density is the high amount of different services and medical devices that use the same electromagnetic spectrum. Examples of services characteristic to healthcare WLANs are RTLS, Voice over Wi-Fi, Electronic Health Records (EHR) and guest internet, whereas among medical devices we can find pacemakers, insulin pumps, gastric stimulators, cochlear implants or deep brain neurostimulators, to name a few. Having so many services and devices saturates the wireless environment with countless clients, each carrying a certain amount of data. On one hand, this implies that some devices might interfere with each other because they are using the same radio frequency, such as Bluetooth and Wi-Fi using the 2.4 GHz band. On the other hand, having a saturated environment also increases the threat landscape, since more devices become possible attack points.

Taking into consideration the value of sensitive patient data as highlighted previously, together with the scale of the wireless threat landscape in the healthcare domain, it becomes evident that this is a necessary topic to research. For this reason, this study aims to bring perspective into the WPA3 standard within the context of the healthcare domain and the challenges that arise when having to shift to a new generation of wireless security standards.
Introducing new technology is inherently challenging: it comes with the need to integrate the new technology with existing ones, it is a process that may take more time than anticipated depending on the scale, and lastly, it comes with the need to train existing staff how to use the new technology. This research could help provide knowledge that could be used by healthcare IT-personnel when adjusting to the new wireless security standard WPA3. Furthermore, from a business perspective, this study could be used to motivate financial investments in WPA3-enabled devices in the healthcare domain by presenting an objective view of the security of WPA3 as a wireless standard.

When it comes to wireless technology in general, there are two dominant technologies in the field known as Wi-Fi 6 and 5G. Wi-Fi 6 is the next generation standard in Wi-Fi technology, whereas 5G is the fifth and most recent generation standard for broadband cellular networks [29]. These technologies can be seen as complementary in a healthcare environment, where Wi-Fi 6 could be used in a hospital by doctors managing IoT devices, while 5G could be used by clinicians using blood donation busses that must travel to remote locations where Wi-Fi connectivity is not possible. When it comes to security, Wi-Fi 6 uses WPA3, whereas 5G provides end-to-end security and global identity management. The research on WPA3 in this study could be used to help businesses make a decision regarding their choice of wireless technology by indirectly offering insights on some of the challenges Wi-Fi 6 faces with using WPA3 security.

1.6 Objectives

The problem to be investigated in this study has been divided into several objectives that must be achieved in order for the study to be successful. These objectives involve conducting literature reviews on WPA2 and WPA3, respectively, as well as constructing interviews, conducting the interviews and analyzing the final results.
The objectives are presented in the table below:

O1 Literature review of WPA2 security & vulnerabilities on Google Scholar, DiVA, OneSearch
O2 Literature review of WPA3 security & vulnerabilities on Google Scholar, DiVA, and OneSearch
O3 Construct interviews based on known qualitative research methods
O4 Interview network professionals that have experience in the healthcare sector
O5 Analyze interview results based on qualitative methods

1.7 Expected Results

The expected result of this study is a list of challenges that come with upgrading the wireless security standard in the healthcare domain. These challenges should provide enough knowledge that, once assessed, could be used in future research to build a model for network technicians to use when upgrading from WPA2 to WPA3 in the healthcare field.

1.8 Limitations

The research revolves around network security standards but focuses only on the most recent two: WPA2 and WPA3. Although previous standards exist, discussing them
would not bring any valuable insights into the study since they are obsolete. Furthermore, the scope of the research on WPA3 is limited to the available official documentation from the Wi-Fi Alliance as well as a few academic papers on the subject. The limited academic research on the WPA3 topic in the context of healthcare will further limit the results of the literature review.

On the other hand, the qualitative research that will be performed through interviews is strictly dependent on the number of professionals in the healthcare field willing to participate in the interviews. This is the greatest limitation of this study, and as an effect of this one may argue that the interviews could turn out biased. In order to prevent any possible bias, however, the measure taken will be to compare the statements of the interviews to existing research data from other studies.

1.9 Target group

By discussing wireless security in a healthcare setting this study becomes relevant for medical professionals working with IT in the healthcare field who wish to gather insight into some of the challenges in their environment, but also for network professionals seeking an understanding of WPA3 in a healthcare context. This study could also be used by network researchers as an outline of areas related to WPA3 security that require further investigation.

1.10 Outline

This paper is divided into different sections and subsections as follows. The following section 2, called Method, contains a description of the scientific research methods used during this study, the section being divided according to the two methods used, namely, Literature Review and Interview. The Interview section is further divided into its own steps, starting with building the Interview Guide, then presenting the layout of the Resulting Interview, continuing with arguing about how the Sampling process took place and finishing with discussing which Data Interpretation methodology was chosen and why.
The Method section then continues with the sections that ensure the Reliability and Validity of the study as well as its Ethical Considerations. Then follows section 3, Results, where the results of the Literature Study are presented along with the Interview Results in the form of transcriptions. Further, in section 4, Analysis, the results of the literature review will be dissected following a thematic analysis of the interviews. The results are then discussed in section 5, Discussion, in relation to the related research presented at the beginning of the study to assess whether the research question has been answered. The report ends with section 6, Conclusion, where an overall summary of the study is presented together with relevant Future Work.
2 Method

In this section, the methodology of the study will be presented together with the different considerations behind the choices of scientific methods. The chapter is divided into a section called 2.1 Literature Review and another section called 2.2 Qualitative Interview, each describing how the specific method was employed in the study and to what purpose. The methodology is based on the research question presented in the 1.3 Problem Formulation section and the exact scientific methods used in the study were selected depending on the objective to be fulfilled as listed in the 1.5 Objectives section. The four objectives are directly tied to the research question in the sense that only after fulfilling each objective can the research question be answered.

To fulfil objectives O1 and O2 the literature review was chosen as the scientific method. The reason behind this is to gain a better understanding of the WPA3 standard without threatening the reliability of the study. Different methods could be chosen to investigate the WPA2 standard, such as a controlled experiment where the standard could be implemented. However, since WPA3 is so new the same method could not be employed due to the lack of WPA3-enabled devices, meaning that the comparison between the two standards would not be fair.

Next, to fulfil objectives O3 and O4 a qualitative interview was chosen as the scientific method. The motivation, in this case, is because a qualitative interview allows us to get a snapshot of what network professionals in the healthcare domain experience as challenges. To fulfil objective O5, a thematic analysis was chosen as a scientific method to extract relevant information from the interviews. This is due to the fact that thematic analysis produces themes as results which can further be developed into challenges or requirements that can answer the research question posed in this study.
By employing these methods for the aforementioned objectives, this research can be used as groundwork for further studies in which the design science method is used to build an artefact, more specifically a model containing guidelines for network professionals to follow in order to mitigate the challenges that could otherwise be encountered when upgrading the wireless security standard.

To gain a deeper understanding of why literature reviews and interviews were chosen as scientific methods in this study, we can dissect the research question with the help of two keywords present in it, namely "challenges" and "WPA3". The "WPA3" keyword can be understood as a theoretical aspect that relates to technical details of the WPA3 protocol itself, whereas the "challenges" keyword can be translated into a human aspect that takes into account the consequences of implementing the WPA3 protocol and how it can affect users.

Starting with the technical aspect, since the study is about a wireless security protocol, the first option was to implement the protocol and perform controlled experiments on it to collect data. However, due to the lack of appropriate hardware supporting the protocol, this option was discarded, since the protocol would not be implemented as intended and would thus give a false image of it. To prevent the collection of inaccurate results, another method was chosen to fulfil the same need: a literature study of the existing flaws of WPA3.

When collecting data on the human aspect, a quantitative method was first considered, namely questionnaire surveys. This method requires finding a large number of people willing to participate in the survey who have been in contact with the standard and have professional knowledge of the wireless field. However, such an audience
does not exist at the current time because the WPA3 protocol has not yet been widely implemented. The method chosen instead was to perform qualitative interviews with network professionals who work in the healthcare field. This increases the quality of each response compared to the survey method, but it reduces the target population of respondents, making the method more feasible to implement.

2.1 Literature Review

The Wi-Fi Alliance announced WPA3 in early 2018, making the protocol around two years old. While this explains the limited academic work available, it also increases the difficulty of studying the protocol. Although limited, the existing research on the WPA3 protocol provides valuable insights into its inner workings. The first step in the literature review is to focus on available academic research on WPA3, but in order to compensate for the limited results, the approach taken is to shift focus to WPA2, since both protocols are built on the same foundation. The goal is to reveal flaws in WPA3 that have been inherited from WPA2. The second step is therefore to perform a literature review of WPA2.

The following platforms were used to find relevant research papers when performing the literature review on both protocols:
• Google Scholar
• DiVA platform
• OneSearch platform

Firstly, research papers were selected by checking whether the title contained specific keywords or a combination of them. In the case of the WPA3 protocol, these exact keywords were: "WPA3", "Wireless Protected Access 3", "standard", "security", "vulnerabilities", "WLAN", "wireless protocol", "wireless", "Wi-Fi", and "WIFI". No paper was required to contain all keywords in the title, but each had to contain at least the keyword "WPA3". Afterwards, for each paper with a relevant title, the abstract was reviewed to see whether the content of the paper was relevant to the study.
If the paper only mentioned the existence of WPA3 but did not discuss it in more detail, the paper was discarded. Lastly, matching research papers were reviewed in detail and data about the security of WPA3 was extracted. When narrowing the search to suit the healthcare field, the following keywords were added: "healthcare", "hospital", "medical". To date, no results were found that contained both the "WPA3" and "healthcare" keywords in the same research paper title.

A similar approach was taken when performing the literature review on the WPA2 protocol. However, since WPA2 was released in 2004, 16 years ago, the research on the protocol is comprehensive and thus fewer keywords are needed in order to find relevant results. Starting with the title, the keywords used in this case were: "WPA2", "vulnerabilities", and "security". After selecting research papers with a relevant title, the abstract was checked. If the paper did not discuss vulnerabilities or the security of the WPA2 protocol, it was discarded. After this process, the entire paper was reviewed and a list of flaws in the WPA2 protocol was extracted from it.

During the development of this study, a new vulnerability related to WPA2 was discovered that was not known during the initial literature review. The vulnerability in question is called Kr00k and is formally known as CVE-2019-15126. The flaw is not present in the standard itself but is a hardware-specific vulnerability found in Broadcom and Cypress Wi-Fi chips that permits unauthorized decryption of some WPA2-encrypted traffic [30].
2.2 Qualitative Interview

Qualitative interviews were chosen in order to collect secondary data for the study. Compared to quantitative interviewing, which focuses on the standardization of the interview process, qualitative interviewing is more flexible and emphasises the interviewees' own perspectives [31]. Quantitative interviews are also known as structured interviews because of their fixed nature, where the goal is to generate answers that can quickly and easily be coded and then processed. Qualitative interviews, on the other hand, are more relaxed in character and can be categorized into unstructured and semi-structured interviews. In the unstructured interview, the researcher may ask as little as one question and let the interviewee speak freely, intervening only when deemed necessary. This type of interview can be compared to a conversation [32]. In a semi-structured interview, however, the researcher has an interview guide containing a list of topics or questions to be covered during the interview. Wording may differ from interviewee to interviewee and new questions may arise as the interview progresses. In both cases, the process is flexible, the most important aspect being to extract what the interviewee considers important for the understanding of the topic.

This study used the semi-structured type of interview for data collection. The flexibility offered by this type of interview allowed both building a template for the interview and at the same time letting the interviewee talk about what they consider relevant. Thus, the interviewees themselves could delve into an aspect which could otherwise have been missed, while the author could address more specific issues related to the research question.

2.2.1 Interview Guide

Building the qualitative interview guide was done by following a series of steps depicted in Figure 2.3.
The first step starts with defining the general research area, which in the case of this study is the WPA3 standard and its vulnerabilities. The next step is defining specific research questions. In the case of this study, there is one primary research question: What are the perceived challenges when upgrading to the WPA3 wireless security standard in the healthcare sector?

As suggested by Lofland [33], in preparing for qualitative interviews the researcher should ask themselves exactly what about the topic is puzzling them. Furthermore, the questioning must cover the necessary topics, but from the perspective of the interviewees. As such, building the interview guide was based first on using creative thinking to understand the research question, and secondly on formulating questions that do not aim at a straightforward answer but let interviewees describe their own view on a topic.

These steps led to the identification of interview topics and thus to concrete interview questions. The process proceeded with the continuous refinement of the questions, drafting an initial interview guide and afterwards testing the guide with a volunteer interviewee. After the test, a final revision was made before finalizing the guide.
Figure 2.3: Formulating questions for an interview guide [31]

2.2.2 Resulting Interview

The interview guide was originally written in English, but in a later revision most questions were translated to Swedish to suit other interviewees. To see the guide in its entirety along with the Swedish translation, see section A Appendix 1. The interview questions were readjusted for each interviewee depending on their knowledge and personality, thus the exact wording or the order of some interview questions changed from interview to interview. However, each interview was based on the same topics, which are described as follows:
• Verbal consent — Acquire verbal consent on the fact that the interview is recorded for research purposes.
• Interviewee — Collect data on the name, role, age and experience of the interviewee.
• Qualitative interview introduction — Present to the interviewee that the interview should be around 30 to 40 minutes long and that the goal is to have a relaxed conversation.
• Background information — See how the interviewee comes into contact with wireless technologies in their work.
• Details about Wi-Fi security — Follow-up questions designed to see the interviewees' general knowledge of wireless security.
• Details about WPA3 — Here, the chosen strategy was to first present a list of found WPA3 flaws as general vulnerabilities with no connection to a specific standard, as depicted in section B Appendix 2 [34], and then see what the interviewees' perspective on them is.
• WPA3 and its effect on patient data integrity — Reveal that the vulnerabilities belong to the WPA3 standard and assess the interviewees' perspective again. Follow up with their perspective on sensitive data and what the interviewee's opinion is on implementing the standard in a healthcare environment.
• Closure — Allow the interviewee to speak up about aspects they consider relevant but which were not mentioned so far.

During the construction of the interview guide, Kvale's [35] nine types of questions were used as guidelines, as follows. Introducing Questions were used to begin the interview, for example by asking the interviewee about their background. Follow-up Questions and Probing Questions were used to delve deeper into a subject, such as an interviewee's knowledge about sensitive data in a healthcare environment. Specifying Questions were used to get more precise descriptions of certain topics, such as asking for more concrete examples of sensitive traffic that can be seen in a healthcare environment. Other types of questions such as Direct Questions were used to assess the interviewees' level of trust in the new WPA3 standard. Indirect Questions were used sparingly in order to avoid biased answers. Structuring Questions were used to introduce or change topics throughout the interview, for example moving from talking about the interviewee's background to talking about WPA2. Silence was sometimes used at the end of an interviewee's answer in order to leave space for any thoughts the participant might have come up with during their own answer. Lastly, Interpreting Questions were often used to confirm whether the interviewer and the interviewee saw a topic the same way, for example checking whether the assumption that the interviewee knew about WPA2 was correct.
2.2.3 Sampling

To begin with, choosing an appropriate sample can be complex, since it requires one to take into consideration several different aspects — the research question, the research objectives and the understanding of the study based on the literature review. Additionally, practical constraints could also limit the sampling process. According to Palys & Atchinson [36], the constraints of this study suggest using non-probabilistic sampling methods, since these methods are more suited to qualitative research. The alternative, probabilistic sampling, is more suited to quantitative research, where a statistically representative sample is desired.

The qualitative research in this study is based on two different non-probabilistic sampling methods. The first method used is called purposive sampling, where the subjects were selected based on the study purpose, with a relevant background that would provide unique and valuable information to the study. Since the research question in this paper focuses on getting a perspective on the challenges of implementing WPA3 in the public healthcare sector, candidates had specific criteria to meet. Firstly, an appropriate candidate would need more than general knowledge about wireless networks, and would also need to have worked or be working in the public healthcare field at the time of the interview.

The second non-probabilistic sampling method used in the study is the snowball method, where a subject who had been interviewed recommended a new candidate they deemed suitable for the interview. This added great value to the sampling process, since candidates were difficult to find. Having a target group working within the public healthcare field was a practical constraint in itself, since finding suitable subjects for the interview was made difficult not only because such positions are not publicly advertised but also because of the development of the COVID-19 pandemic in the country. The majority of the subjects were either not found, responded negatively to the interview request or did not respond at all.

2.2.4 Data Interpretation

When it comes to analysing the results of qualitative interviews, there are several approaches available that can aid in identifying essential meanings and deeper implications. Among these methods we find thematic analysis, also known as content analysis, narrative analysis, and grounded theory. Thematic analysis is defined as a data analysis method for identifying themes and patterns of meaning within a dataset in relation to a certain research question [35]. The narrative analysis method, on the other hand, focuses on the stories told by respondents during an interview and helps in working out their plots and structures, an approach well suited to studies based on identity and subjectivity [35]. Since narrative analysis may lead to a highly subjective view of key issues in the interviews and thus to a false generalisation of the results, this method was not considered appropriate for this study.

Furthermore, grounded theory is an inductive methodology where systematically collected and comparatively analysed data is used to construct a theory about a certain topic when significant research in that topic is insufficient [37]. In order for a researcher to create new theories, they cannot base their results on previous research, which can lead to the generated theory being contaminated by the researcher's bias, a limitation which led to this analysis method being discarded as an alternative for this study.
Thematic analysis is not dependent on a specific theoretical framework, making it flexible and easy to use. Moreover, thematic analysis is useful not only in highlighting similarities and differences between interviews, but also in generating unanticipated insights, making it a suitable method for this study where there is little previous research available. After examining the aforementioned scientific data analysis methods, it was concluded that thematic analysis was most appropriate for interpreting the interviews performed during this study. Thematic analysis can be divided into several steps as described below [38]:
1. Familiarising oneself with the data is done by transcribing the recorded interviews.
2. Generating initial codes is done by systematically identifying items of interest in the transcriptions.
3. Searching for the themes is performed by collecting the identified codes into potential themes.
4. Reviewing the themes involves checking how the themes work in relation to the coded extracts.
5. Defining and naming themes is a step where the identified themes are refined and, if necessary, renamed.
6. Producing the report is the final step, where a discussion of the results of the thematic analysis is performed while relating back to the initial research question and related work.

The thematic analysis process performed in this study is illustrated in the flowchart in Figure 2.4. The process started with the transcription of the recorded interviews. The next step was reading the transcripts and identifying items of interest, which were afterwards matched to codes. These two steps were repeated until all codes were identified. Afterwards, the codes were sorted into relevant themes and the occurrence of each theme was examined by re-reading the transcripts. The last step involved defining and illustrating each theme found.

Figure 2.4: Step-by-step illustration of the thematic analysis process

2.3 Reliability and Validity

In order to ensure the reliability of the study, well-known research methods were used that are peer-reviewed and documented, namely literature reviews and qualitative interviews. Details are provided about which sources were used to collect data for the literature reviews, as well as which keywords were used when searching for research material. This helps other researchers replicate the literature study performed in this research and therefore ensures reliability.

Furthermore, all interviews performed during this study were recorded on a smartphone with the consent of the participants and digitally transcribed afterwards. By doing so, the reliability of data collection is ensured, since other researchers can get access to and analyse the same recordings. The interviews were scheduled prior to execution and in two of the cases a quiet room was used for the interviews so as to prevent any distractions that could affect the quality of the interview. The third interview was performed digitally due to the geographical distance between the interviewee and the interviewer.
When performing the literature study, only academic research and officially verified documentation, such as that from the Wi-Fi Alliance, was taken into consideration, so that valid results could be obtained. The validity of the interviews was ensured by constructing the interview guide based on Bryman's [31] and Kvale's [35] methodology for qualitative interviews. Furthermore, since the expected results of this study are a set or list of challenges and how these can be solved, the construct validity of the results is ensured by explaining each resulting challenge in detail and avoiding ambiguous definitions. Although the results are based on the context of the healthcare domain, they could be modified to suit other fields as well, therefore increasing their reliability.

One may argue that the sample size is too small, which could make generalization of the findings hard to achieve and therefore threaten the reliability of the study. However, the sample size is not regulated by statistical power analysis but by data saturation [39]. The concept of saturation can be described as follows. The sample size of a qualitative study is deemed sufficient when enough data has been obtained to address the research questions of the study. Saturation is then achieved when expanding the number of participants in the study does not lead to any significant changes in the research findings [40]. In the context of this study, saturation was achieved after three interviews, each approximately 30 minutes long, amounting to over 9800 words of transcribed text.

Moreover, the interview participants were chosen from different backgrounds and different institutions so as to avoid bias. As a further precaution against subjectivity, no questions about the institutions themselves were asked, and the focus of the interviews was aimed at getting the perspective of a network professional rather than the perspective of an institution.
Statements of the interviewees were also verified against academic sources before being analysed in the context of this study, in order to filter out statements that are purely subjective.

2.4 Ethical considerations

Since the results of this study are constructed in the context of the healthcare field, ethical considerations must be made before the results are applied. Given that results from this study might be used as deciding factors in changes within a healthcare organisation, the well-being of the patients must always be prioritized. The ethical question arises where measures necessary to improve the wireless security of networks in a hospital can negatively impact the treatment quality of a patient. In other words, if upgrading the wireless security of a medical device means a patient has to experience suffering while waiting for the upgrade, then other solutions should be considered.

During the qualitative interviews, data about the participants was collected in order to ensure the validity of the interviews. This data includes the names, age, work role and recordings of the voices of the participants. In order to ensure the integrity and anonymity of the interviewees, all names have been removed from the gathered data. Furthermore, in order to prevent any violation of the privacy of the interview participants, all recordings were transferred to a computer after being recorded on a mobile phone. Afterwards, each file was digitally signed with OpenPGP and encrypted using AES-256, in this way ensuring both the integrity and confidentiality of the gathered data.
3 Current State of Wireless Security

In this chapter, a description of the WPA2 standard is presented, including details about the authentication process and vulnerabilities. The chapter continues with an overview of the WPA3 standard and the types of attacks the standard is vulnerable to.

Currently, the Wi-Fi Protected Access 2 (WPA2) wireless security standard is considered the most secure [41] when aiming to protect both personal and enterprise wireless networks. Soon, however, WPA2 will be replaced by a new wireless security standard called Wi-Fi Protected Access 3 (WPA3). Since the two wireless security standards are built on the same foundation, it is important to review both standards in order to assess the current state of wireless security.

3.1 Wi-Fi Protected Access 2

The WPA2 standard has two different modes of operation: Pre-Shared Key (PSK) mode for personal networks and enterprise mode for larger corporate networks. In WPA2-PSK an access point authenticates a client based on a password that is shared in advance, whereas authentication in enterprise mode is performed via the Extensible Authentication Protocol (EAP) in an 802.1X architecture [42]. IEEE 802.1X is the standard that defines port-based access control. In the case of large enterprise networks, there is a dedicated server that manages the authentication of users as well as the handling of key agreements. Such a dedicated server is a Remote Authentication Dial-In User Service (RADIUS) server, which provides users and devices with unique credentials. RADIUS is used to query an external user database, such as an Active Directory (AD).

3.1.1 WPA2 Authentication

Both WPA2-PSK and WPA2 Enterprise begin the authentication process in a similar fashion [21]. In the first stage, the discovery phase, the client associates with the access point by advertising its security capabilities and negotiating its cipher suites.
In the next phase, both the client and the access point agree on a Master Key (MK). This MK is based on the pre-shared key in WPA2-PSK, whereas in WPA2 Enterprise the MK is generated by an authentication server that sends the MK to both the access point and the client using the RADIUS server and 802.1X. The MK is afterwards used to generate the Pairwise Master Key (PMK). The PMK is then shared between the client and the access point, advancing to phase three, the Key Management Phase. Here, the client and the access point individually derive their own Pairwise Temporal Keys (PTK) using the PMK and two random numbers at each new association. Lastly, both parties confirm possession of the same PTK by using the 4-way handshake.

Currently, the highest wireless security level in a network is achieved by using WPA2 Enterprise in combination with digital security certificates together with the EAP-TLS or the EAP-TTLS protocol. The EAP-TLS/TTLS protocols use a Public Key Infrastructure (PKI) to exchange data between a client and a RADIUS server [43].
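The PSK-mode key hierarchy described above, worked through as an added example that is not part of the thesis: the PMK is derived from the passphrase and SSID (IEEE 802.11 specifies PBKDF2-HMAC-SHA1 for this, a detail the text leaves out), the PTK is derived from the PMK, both MAC addresses and both nonces, and the 4-way handshake is confirmed by verifying message MICs under the key confirmation part of the PTK. The MAC addresses, nonces, passphrases and EAPOL frame bodies are constructed placeholders.

```python
"""WPA2-PSK key hierarchy and 4-way handshake check (added example, not thesis code).

Derivations follow IEEE 802.11 for PSK mode: PMK = PBKDF2-HMAC-SHA1(passphrase,
SSID, 4096 iterations, 32 bytes); PTK = PRF-384(PMK, "Pairwise key expansion",
min(AA,SPA) | max(AA,SPA) | min(ANonce,SNonce) | max(ANonce,SNonce)); EAPOL-Key
MIC = HMAC-SHA1 truncated to 16 bytes under the KCK. MACs, nonces and passphrases
below are constructed sample values; the EAPOL frame bodies are placeholders.
"""
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # PSK mode: the PMK comes straight from the passphrase and SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    # IEEE 802.11 PRF-n: HMAC-SHA1(key, label | 0x00 | data | counter) blocks, truncated.
    out = b""
    for i in range((length + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:length]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    # Both sides sort the MACs and nonces, so each computes the same PTK independently.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def key_mic(kck: bytes, eapol: bytes) -> bytes:
    # Key MIC for the AES-CCMP descriptor version: HMAC-SHA1-128.
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_pmk, sta_pmk, ap_mac, sta_mac, anonce=None, snonce=None):
    """Simulate the exchange between an AP holding ap_pmk and a client holding sta_pmk.

    Returns (success, ap_tk, sta_tk). Success means every MIC verified, i.e. both
    sides proved possession of the same PTK without ever transmitting it.
    """
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    # Message 1 (AP -> STA): ANonce. The client can now derive its PTK.
    sta = derive_ptk(sta_pmk, ap_mac, sta_mac, anonce, snonce)
    # Message 2 (STA -> AP): SNonce plus a MIC under the client's KCK.
    msg2 = b"EAPOL-Key msg2 " + snonce
    msg2_mic = key_mic(sta["kck"], msg2)
    ap = derive_ptk(ap_pmk, ap_mac, sta_mac, anonce, snonce)
    if not hmac.compare_digest(msg2_mic, key_mic(ap["kck"], msg2)):
        return False, None, None        # client does not hold the expected PMK
    # Message 3 (AP -> STA): install instruction with MIC; message 4 acknowledges it.
    msg3 = b"EAPOL-Key msg3 install"
    if not hmac.compare_digest(key_mic(ap["kck"], msg3), key_mic(sta["kck"], msg3)):
        return False, None, None
    msg4 = b"EAPOL-Key msg4 ack"
    if not hmac.compare_digest(key_mic(sta["kck"], msg4), key_mic(ap["kck"], msg4)):
        return False, None, None
    return True, ap["tk"], sta["tk"]
```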
3.1.2 WPA2 Vulnerabilities

Some research papers take a more general approach to presenting the vulnerabilities, stating that the security issues in WPA2 make it prone to Denial of Service (DoS) attacks, brute-force attacks, dictionary attacks or man-in-the-middle attacks [7]. Three specific attacks that WPA2 was found vulnerable to stood out during the literature review:
• Hole 196 [7] - This vulnerability enables an attack where an insider can rewrite non-public information of other users and inject malicious network traffic into the compromised wireless network. This vulnerability was discovered by a wireless security company named AirTight in 2010.
• Key Reinstallation AttaCK (KRACK) [42] - This attack exploits a vulnerability in the 4-way handshake of the WPA2 standard, enabling attackers to replay a previously captured wireless encryption key. During the authentication process in WPA2, new Pairwise Keys are generated using random incremental packet transmission numbers known as Nonces. The access point generates the ANonce while the client generates the SNonce. During the first and second message of the handshake, Nonces are encrypted with the Pairwise Master Key while they are being exchanged between the access point and the client. Next, during the third handshake message, both parties use their Pairwise Temporal Key to encrypt data frames using AES or a different data confidentiality protocol. What attackers take advantage of in this case is the fact that access points are designed to retransmit the third message in case of packet loss, so intruders can collect and retransmit the encrypted third message of the handshake, causing the client to reinstall the same session key, resetting the Nonce values as well as the receive replay counters.
• Kr00k [30] - This vulnerability was found in 2019 by a company called ESET, who discovered that certain devices, including clients, access points or routers, contain a vulnerability in their Wi-Fi chips that causes these devices to use an all-zero encryption key to encrypt sequences of a user's communication. This allows malicious intruders to decrypt some wireless network packets that are transmitted by a device affected by this vulnerability.

3.2 Wi-Fi Protected Access 3

Similarly to its predecessor, WPA3 also comes in two modes, WPA3-Personal and WPA3-Enterprise. The new personal version of the Wi-Fi security standard now uses Simultaneous Authentication of Equals (SAE), a secure key exchange protocol between peers designed to replace WPA2-PSK based authentication. According to the Wi-Fi Alliance, the SAE protocol uses a Dragonfly handshake [44], although the terminology is described differently in different research papers. Certain researchers state that Dragonfly is synonymous with SAE, meaning that both terms refer to the same concept [21], whereas others state that Dragonfly is just one component of many in the SAE protocol [45]. The IEEE 802.11 standard from 2016 [46], however, defines SAE as a variant of Dragonfly, a password-authenticated key exchange based on a zero-knowledge proof. This paper uses the terms SAE and Dragonfly interchangeably.
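Returning to the KRACK entry in section 3.1.2 above, the following added simulation (not code from the thesis or from any Wi-Fi driver) shows why reinstalling the same key is dangerous: a client that reinstalls the key and resets its packet number on a retransmitted message 3 produces the same keystream twice, so the XOR of two ciphertexts equals the XOR of the plaintexts, and a receiver that resets its replay counter accepts an old frame again. Beside each sits the hardened behaviour, which is the direction the post-KRACK fixes took: a key that is already installed is not installed again and counters are kept. The CCMP AES-CTR keystream is replaced by a hash-based stand-in so the script needs no extra packages; keys and frames are constructed.

```python
"""Key reinstallation and nonce reuse in a simulated WPA2 client (added example).

Constructed simulation, not code from the thesis or any Wi-Fi stack. CCMP's
AES-CTR keystream is replaced by a hash-based stand-in that runs offline; the
property shown is the same: under one key the keystream depends only on the
packet number (nonce), so resetting it repeats the keystream. Frames, keys and
packet numbers below are constructed sample values.
"""
import hashlib
import hmac
import os


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    # Stand-in for the per-packet keystream CCMP derives from TK and the 48-bit PN.
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(tk, pn.to_bytes(6, "big") + bytes([block]), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class VulnerableClient:
    """Installs whatever key message 3 carries and resets the nonce, as before the fix."""

    def __init__(self):
        self.tk = None
        self.pn = 0

    def handle_msg3(self, tk: bytes):
        # A retransmitted message 3 carries the same TK; the client reinstalls it and
        # restarts the packet number, so the next frames reuse nonces already sent.
        self.tk = tk
        self.pn = 0

    def encrypt(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))


class HardenedClient(VulnerableClient):
    """Refuses to reinstall a key that is already in use; the nonce counter keeps running."""

    def handle_msg3(self, tk: bytes):
        if self.tk == tk:
            return          # already installed: acknowledge message 3 but change nothing
        super().handle_msg3(tk)


def nonce_reuse_observed(client, frame1: bytes, frame2: bytes) -> bool:
    """Handshake, one frame, a retransmitted message 3, another frame.

    Returns True when both ciphertexts used the same nonce, i.e. ct1 XOR ct2
    equals pt1 XOR pt2, which a passive observer on the air could check.
    """
    tk = os.urandom(16)
    client.handle_msg3(tk)
    pn1, ct1 = client.encrypt(frame1)
    client.handle_msg3(tk)              # retransmitted message 3 arrives
    pn2, ct2 = client.encrypt(frame2)
    return pn1 == pn2 and xor(ct1, ct2) == xor(frame1, frame2)


class Receiver:
    """Replay counter on the receiving side: frames must arrive with increasing PN."""

    def __init__(self, reset_on_reinstall: bool):
        self.reset_on_reinstall = reset_on_reinstall
        self.last_pn = 0

    def reinstall(self):
        if self.reset_on_reinstall:
            self.last_pn = 0            # vulnerable: old frames become acceptable again

    def accept(self, pn: int) -> bool:
        if pn <= self.last_pn:
            return False
        self.last_pn = pn
        return True


def replay_accepted(receiver: Receiver) -> bool:
    """Deliver frames 1..3, reinstall the key, then redeliver frame 2."""
    for pn in (1, 2, 3):
        receiver.accept(pn)
    receiver.reinstall()
    return receiver.accept(2)
```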
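To show what "password-authenticated key exchange" means for SAE in practice, here is an added toy Dragonfly exchange (not the thesis's code, nor the Wi-Fi Alliance's or any Wi-Fi stack's): each side maps the password to a group element, sends only a blinded scalar and element, both arrive at the same PMK, and a peer holding the wrong password fails the confirm step, all without the password itself crossing the air. Assumptions: a deterministic 63-bit toy MODP group instead of SAE's real 2048-bit or elliptic-curve groups, a simplified hash-to-element loop, and SHA-256/HMAC-SHA256 as hash, KDF and confirm function.

```python
"""Toy Dragonfly (SAE-style) password-authenticated key exchange (added example).

Constructed illustration, not code from the thesis, the Wi-Fi Alliance or any
Wi-Fi stack. It keeps Dragonfly's commit/confirm structure (RFC 7664) but uses a
deterministic ~63-bit MODP toy group, a simplified hash-to-element loop and
SHA-256/HMAC-SHA256 in place of the real groups and KDF.
"""
import hashlib
import hmac
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    # Deterministic Miller-Rabin; these bases are exact for n < 3.3e24.
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_from(start: int) -> int:
    # First p = 2q + 1 with both q and p prime at or above start (same on every run).
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = safe_prime_from(1 << 62)   # toy modulus; real SAE uses 2048-bit MODP or elliptic-curve groups
Q = (P - 1) // 2               # prime order of the subgroup that holds the password element

def password_element(password: str, mac_a: bytes, mac_b: bytes) -> int:
    """Simplified hunting-and-pecking: hash password and ordered MACs into the order-q subgroup."""
    base = max(mac_a, mac_b) + min(mac_a, mac_b)     # both peers order the MACs alike
    for counter in range(1, 256):
        seed = hmac.new(base, password.encode() + bytes([counter]), hashlib.sha256).digest()
        pe = pow(int.from_bytes(seed, "big") % P, 2, P)   # squaring lands in the order-q subgroup
        if pe > 1:
            return pe
    raise ValueError("no password element found")

def commit(pe: int):
    """Commit phase: pick private rand and mask; publish scalar and element, keep rand."""
    while True:
        rand = secrets.randbelow(Q - 2) + 2
        mask = secrets.randbelow(Q - 2) + 2
        scalar = (rand + mask) % Q
        if scalar > 1:
            return rand, scalar, pow(pe, Q - mask, P)   # element = pe^(-mask)

def shared_secret(pe: int, rand: int, peer_scalar: int, peer_element: int) -> int:
    # pe^peer_scalar * peer_element = pe^peer_rand, so both sides reach pe^(rand * peer_rand).
    return pow(pow(pe, peer_scalar, P) * peer_element % P, rand, P)

def derive_keys(ss: int, scalar_a: int, scalar_b: int):
    # keyseed = H(ss); KCK and PMK from keyseed and the scalar sum, as SAE does (KDF simplified).
    keyseed = hashlib.sha256(ss.to_bytes(8, "big")).digest()
    ctx = ((scalar_a + scalar_b) % Q).to_bytes(8, "big")
    kck = hmac.new(keyseed, b"SAE KCK" + ctx, hashlib.sha256).digest()
    pmk = hmac.new(keyseed, b"SAE PMK" + ctx, hashlib.sha256).digest()
    return kck, pmk

def confirm_token(kck: bytes, own: tuple, peer: tuple) -> bytes:
    # Confirm phase: an HMAC over both commits under the KCK proves knowledge of the secret.
    return hmac.new(kck, b"".join(v.to_bytes(8, "big") for v in own + peer), hashlib.sha256).digest()

def sae_exchange(pw_sta: str, pw_ap: str, sta_mac: bytes, ap_mac: bytes):
    """Run both peers; returns (authenticated, pmk_sta, pmk_ap)."""
    pe_sta = password_element(pw_sta, sta_mac, ap_mac)
    pe_ap = password_element(pw_ap, ap_mac, sta_mac)
    r_sta, s_sta, e_sta = commit(pe_sta)
    r_ap, s_ap, e_ap = commit(pe_ap)
    kck_sta, pmk_sta = derive_keys(shared_secret(pe_sta, r_sta, s_ap, e_ap), s_sta, s_ap)
    kck_ap, pmk_ap = derive_keys(shared_secret(pe_ap, r_ap, s_sta, e_sta), s_sta, s_ap)
    # The AP checks the client's confirm token against the one it expects under its own KCK.
    sta_token = confirm_token(kck_sta, (s_sta, e_sta), (s_ap, e_ap))
    expected = confirm_token(kck_ap, (s_sta, e_sta), (s_ap, e_ap))
    return hmac.compare_digest(sta_token, expected), pmk_sta, pmk_ap
```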