The danger of network threats emanating from behind the firewall is hardly a new topic to TechRepublic members. With the increasing popularity of wireless networks, however, I believe that this threat vector is one that certainly deserves more attention.
With this in mind, I posed some questions to Thomas Wilhelm, who demonstrated hacking a wireless network using the Apple iPod Touch at the Defcon17 conference earlier this month. My questions and Wilhelm's answers appear below along with my additional comments.
Feel free to post your comments and thoughts in the discussion area below.
Q: The mainstream news reports of your demonstration do not elaborate on the steps to break in to a wireless network using the iPod Touch. What are they, and what applications did you use to achieve it?
Wilhelm: Unfortunately, the iPod Touch wireless chip cannot be put into promiscuous mode yet, so attacks against WEP and WPA are not possible with the Touch, unless you simply try to brute force the password during the initial connection request. However, if the Touch can connect to a network that requires the user to sign up for connectivity to the Internet, such as those found in coffee shops, airports, or hotels, the Touch can spoof its Media Access Control (MAC) address to be the same as a valid user on the network or worse -- the network gateway.
If the Touch is used to spoof the network gateway, all network traffic can be collected with a program called pirni and analyzed later for sensitive data, such as usernames and passwords, using a program such as Wireshark. For real-time collection, the iPod Touch can be installed with the dsniff application, which allows the attacker to respond to findings more quickly.
Mah: The danger of an iPod Touch against a properly secured enterprise wireless network is still limited. However, the danger from the use of wireless access points from outside the company, which might be used by executives to connect to the corporate network, is real. As such, an encrypted VPN connection should be considered as the bare minimum, and executives must be made aware of this.
Q: Why use the iPod Touch?
Wilhelm: From a technical point, the iPod Touch is an inexpensive device that can be deployed covertly, such as in a drawer, behind a coffeemaker, or under a table. In addition, it uses a Unix-compatible operating system, meaning I can compile and install network and system penetration tools directly on the device. Hard drive size was also another consideration; for its size and capability, the iPod Touch provides a very solid platform for conducting both local and remote attacks.
From a social engineering perspective, the iPod Touch looks just like the iPhone; if I walk into a building and start conducting an attack, people [will] simply assume I am texting, listening to music, or something just as innocent. Public opinions surrounding a laptop may not always be as positive, depending on the location.
Mah: One thing is for sure: the increasing capabilities of smartphones and hand-held gadgets are changing the parameters of what constitutes a threat and what devices to watch out for. Network administrators need to be aware and keep up-to-date with the latest attack vectors on the network.
Q: Would you consider it even possible to adequately secure a wireless network?
Wilhelm: We have all heard the mantra that given enough time, resources, and motivation, any system or network can be broken in to. So from that perspective, it is not possible to secure a network to prevent an intrusion. From a practical perspective, the more advanced security protocols can provide adequate defenses against attack, as long as they are properly deployed ... however, most people deploying security devices never get past the configuration GUI, leaving their defenses susceptible to attack.
Mah: While there are measures and security protocols that are considered "adequate" against various wireless attacks, the weakness here is that administrators often do not go past the basic options available on the GUI. When it comes to wireless networks, though, administrators need to be intimately aware of the weaknesses and considerations of the various configuration options in order to put up a robust defense.
Thomas Wilhelm is an associate professor at Colorado Technical University, teaching at both the graduate and undergraduate levels. Wilhelm is also employed at a Fortune 20 company, performing penetration testing and risk assessments, and has spent over 15 years in the Information Systems field.
Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.