Maintaining security is the irresolvable angst that all network—wired and wireless—administrators feel. So why focus on Wi-Fi security? To explain, I wanted to highlight a very interesting chat transcript about wireless security on NetworkWorld. The chat features an electronic hero/mentor of mine and renowned wireless security expert, Joshua Wright. The fact that he authored a SANS course “Assessing and Securing Wireless Networks” provides insight into his abilities. I would like to think that I share his unique sense of humor and fondness for sushi as professed in the name of his website: “willhackforsushi.com”.
The chat entertained many great questions and the NetworkWorld moderators; in particular Julie Bort did an admirable job fielding the questions and presenting them to Joshua. Since the session was quite long I thought I might highlight several of the questions that hopefully will be of particular interest to the members.
Question: How secure is WPA-PSK or WPA2-PSK? Joshua Wright: PSK-based authentication mechanisms are notoriously vulnerable to offline dictionary attacks. I wrote one of the first WPA/WPA2-PSK attack tools "coWPAtty." (Get it? "coW-PAtty" -- like the cow … excrement). Newer tools such as Aircrack-ng are even faster. The main problem with PSK mechanisms is that the same shared secret is stored on all devices. I was talking to a customer who was doing handheld credit card transactions with a wireless device using WPA2-PSK. They were PCI compliant (since PCI requires WPA or all kinds of hoops with WEP), but they were vulnerable in that as devices were lost, stolen or turned in for service, the PSK was disclosed and available to anyone who could get their hands on the device. Enterprises should use 802.1X instead of PSK based authentication strategies for stronger authentication and unique, per-user keys.
Question: How should organizations address the threat of driver vulnerabilities? Joshua Wright: Since a driver vulnerability can expose a workstation to a remote compromise, and since the vulnerability is exploited in kernel space which bypasses local security mechanisms (such as privilege separation, intrusion prevention mechanisms, spyware and anti-virus tools, etc), it's a serious threat. Organizations should start by compiling a list of all the wireless drivers they have installed in their organization, and regularly check the vendor's websites for driver updates.
I've also written a tool to assist in enumerating installed drivers on Windows hosts that includes a vulnerability assessment component. The tool is called WiFiDEnum. A free tool available at http://labs.arubanetworks.com/wifidenum, WiFiDEnum scans hosts over your wired (or wireless) network and enumerates all the wireless drivers that are installed, using a local database of known vulnerabilities to let you know when you are exposed to driver threats.
I would like to add that WiFiDEnum is a very useful tool and does exactly as advertised.
Question: Is WPA2 now considered very secure and we should feel fine using it? Or are there still attacks/vulnerabilities that it's susceptible to? Joshua Wright: WPA2 provides strong encryption, and specifies strong authentication mechanisms such as PEAP, TTLS and EAP/TLS as well, so it is a strong strategy for organizations. The common problem with these implementations is when people misconfigure client settings for PEAP and TTLS, like I discussed with Brad Antoniewicz from Foundstone at Shmoocon a few weeks ago (slides at www.willhackforsushi.com, the video will be up at shmoocon.org shortly). If PEAP and TTLS aren't configured properly, an attacker can impersonate your RADIUS server and get access to the victim's inner authentication credentials, possibly disclosing the user's password, or giving the attacker access to the user's MS-CHAP challenge response, which is almost as good.
Question: Joshua, please let me know your thoughts on disabling broadcasting your router's SSID. Joshua Wright: It's a bad idea. I know the PCI specification requires you to do this, and I've told them they need to remove this requirement from the specification. Imagine you are a government base and you don't tell your agents where you are located. They have to walk around and keep asking "Are you the government base?" to everyone the meet. Eventually, some wily hacker or bad guy will say "Heck YEAH I'm your base, come on in and share your secrets with me." This is essentially what happens with SSID cloaking, where you have to ask every AP you meet if their desired SSID is available, allowing an attacker to impersonate your SSID at the airport, coffee shop, in the airplane, etc. In short, don't cloak your SSID, but don't make your SSID something like "sexyhackertargethere" either.
I especially wanted to highlight this question and answer after having several rather lengthy discussions on the forum about this very subject. In addition to the increased management overhead and control problems that “not advertising the SSID” causes, the additional vulnerability mentioned by Joshua is a new twist that adds even more ammunition to my debate arsenal.
Question: What new risks do you see regarding Bluetooth access points? Joshua Wright: Bluetooth APs are problematic for organizations because they can offer the same range of 802.11b/g APs, but cannot be detected by 802.11 WIDS systems. This allows an attacker to introduce a rogue to your network, and escape detection by the WIDS system. This is something I used at a hospital a while back, where I faked "stomach pain" and plugged a Bluetooth AP into the waiting room electrical and RF45 LAN jack. I used it to hack the hospital for a few weeks from the parking lot across the street until my connection disappeared. At the penetration test wrap-up, I asked for my Bluetooth AP back, and I got blank stares from the security team. Them: "What AP?" Me: "The AP I hid in the waiting room." Them: "We never found an AP." Yeah, SOMEONE STOLE MY AP!
I can personally attest to the effectiveness of this attack venue and how far “under the radar” this pen method is.
Question: Can you explain some of the exploits available that can attack wireless mice and keyboards? Joshua Wright: At the Blackhat Federal conference last week, Max Moser demonstrated attacks against 27 MHz keyboards and mice, where he is able to remotely capture and "decrypt" keystrokes and mouse positions. I use the phrase "decrypt" lightly, since as Max discovered, these devices often use only an XOR mechanism to protect data with a 16-bit "key." With this capability, it is possible to create a remote, undetectable keystroke logger, which can record every keystroke entered by the user. Further, it appears possible to inject arbitrary keystrokes as well. Max points out that WinKey + R (opening the Run dialog box) could be particularly useful for an attacker trying to compromise a system.
This shows once again how “thinking outside of the box” is able to create a new attack avenue.
Question: If KARMA was the scariest wireless attack of 2006/2007, what's scariest for 2008 and beyond? Joshua Wright: Well, I think attacking PEAP networks is pretty scary, but I'm a little biased. I am nervous about wireless driver attacks, and I think we're only starting to see the beginning of this attack trend (best noted by commercial vendors selling products for LOTS of money to test your drivers for you).
Question: What makes attacking PEAP networks so scary? Joshua Wright: If I compromise your authentication credentials from PEAP, then I have your username and password, likely, your MS Windows domain username and password. That also gives me access to your domain servers, Outlook, file servers, MS SQL, Sharepoint, etc. I think that's kinda scary, don't you?Final thoughts
I hopefully pointed out some of the more interesting comments. If at all predisposed, please read the entire transcript. It is well worth the time required.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.