Jason Hiner, executive editor of TechRepublic, recently wrote a well-timed and well-received post titled, “Study shows viral SSIDs could be creating a massive wireless botnet.” In a nutshell, it is about potentially malicious ad hoc networks and how easy it is for unsuspecting mobile notebook users to accidentally associate with them. This easily overlooked yet potentially serious security issue happens because the malicious ad hoc networks are broadcasting what most would consider a safe and friendly SSID.

Why even use ad hoc networks?
Ad hoc mode allows computers to communicate in a peer-to-peer fashion. An example would be two people wanting to share a file who cannot come up with a USB flash drive or writable CD between them. So they just set up their computers to use ad hoc networking and move the file from one computer to a shared folder on the other computer. The availability of USB flash drives these days usually trumps this process, as setting up an ad hoc network can be an involved and time-consuming process. This is a good thing, as can be seen in Mr. Hiner’s post. Still, even just having ad hoc association enabled on a computer is inviting any computer similarly configured and within range to associate, including computers belonging to people who wish to do harm.
It becomes pretty obvious that there is very little need to have ad hoc association enabled and there are some very viable reasons not to have it enabled. So why not just turn it off? Mr. Hiner asked me to write a post on how to do just that and I think it’s a great idea. Especially since disabling and enabling the ability to associate with ad hoc networks is a very simple process.
One last important topic is Microsoft Windows Zero Configuration (WZC), which is the wireless client application that is integrated with Microsoft operating systems. WZC is set up to make it very simple for the user to associate with a wireless network. That simplicity also creates problems, like WZC easily attaching to malicious infrastructure or ad hoc networks without any user intervention. I typically recommend using the wireless client application that was specifically developed for the hardware. In most cases it works better and is configured to avoid this issue. In some situations that is not possible, particularly in the corporate world where Microsoft Active Directory (AD) networks are used. There are indications that not using WZC on AD networks leads to some rather unusual complications. Using WZC is not a problem in that case though, as system administrators are able to push group policies out to the notebook that mimic the same configuration that I am going to describe next.

Simple solution
To start, the WZC wireless network connection window needs to be open. The following figure depicts a portion of this window and the next step would be to click on Change Advanced Settings.
That will open a window similar to the one seen below after clicking on the Wireless Networks tab. The next step would be to click on the Advanced button that I have pointed out in the figure below.
Finally, that opens a small pop-up window where three choices are displayed. The first choice allows WZC to try to connect to both ad hoc networks and infrastructure networks, with preference given to networks using access points. The second choice allows WZC to connect only to access point controlled networks. The third choice is used to initiate an ad hoc network. I once again have circled the choice of Access Point (infrastructure) Networks Only. By selecting this button, the ability to connect to an ad hoc network is removed, which eliminates the chance of associating with a malicious ad hoc network.
Also I recommend that the Automatically Connect To Non-Preferred Networks box be unchecked. I personally do not see any advantage to allowing this, and it introduces many complications. This is especially relevant when the computer is in a location that has multiple wireless networks of equal strength. In those circumstances, WZC kind of wigs out trying to decide which network to associate with.
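For anyone applying the same setting on Windows Vista and later, where the WLAN AutoConfig service replaced WZC and the dialog above no longer exists, here is an added PowerShell example (not from the original post) that expresses the “infrastructure only” choice as a netsh network-type filter. The netsh commands and the group policy setting named in the comments are Windows’ own; the script structure and messages are mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. On Windows Vista and later the
# WLAN AutoConfig service replaces WZC, and "connect to infrastructure networks
# only" is expressed as a deny-all filter for the ad hoc network type.
# Domain administrators get the same effect from the group policy setting
# "Prevent connections to ad-hoc networks" under Computer Configuration >
# Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies.

function Get-WlanFilters {
    # Returns the current allow/block lists so they can be reviewed before
    # and after the change (the listing's wording varies by Windows build,
    # so it is shown to the administrator rather than parsed).
    netsh wlan show filters
}

function Block-AdhocNetworks {
    # Adds a system-wide deny-all filter for ad hoc networks. netsh reports
    # failure (for example, a non-elevated prompt) through its exit code.
    netsh wlan add filter permission=denyall networktype=adhoc | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "netsh failed with exit code $LASTEXITCODE; run from an elevated prompt."
        return $false
    }
    Write-Host "Ad hoc networks are now blocked; only infrastructure networks can be joined."
    return $true
}

function Unblock-AdhocNetworks {
    # Reverses the change, for the rare case where an ad hoc link is needed.
    netsh wlan delete filter permission=denyall networktype=adhoc | Out-Null
    return ($LASTEXITCODE -eq 0)
}

Write-Host "WLAN filters before:"
Get-WlanFilters
if (Block-AdhocNetworks) {
    Write-Host "WLAN filters after:"
    Get-WlanFilters
}
```

The change is persistent and applies to every user of the machine; run Unblock-AdhocNetworks only when an ad hoc connection is genuinely required.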
Just making this simple change eliminates several attack avenues. Besides, most users will not notice the difference and in reality may not have even known that this was an option for them. I also wanted to give credit to “Simple Nomad,” who first detailed this anomaly, so aptly named “Microsoft Windows Silent Ad hoc Network Advertisement.”
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.