Over the past several months there have been a host of articles written about an issue with the Windows XP’s default wireless settings. The issue discussed is the automatic search for, and connection to, computer-to-computer wireless networks without user intervention.
In this post, I take a quick look at why this happens, the potential risks, and the Microsoft patch that can fix the problem.
How it works
Windows XP wireless is configured to connect to either an infrastructure wireless node or an ad hoc node. An infrastructure node is an access point (AP) connected to a wired network. Ad hoc nodes are computers with wireless capabilities to which other computers can connect.
When a laptop with wireless auto configuration enabled is powered up, it first looks for the presence of an infrastructure network in its preferred wireless network list. If it fails to locate one, it attempts to connect to the first ad hoc connection in the list. Failing to locate a known ad hoc network, XP begins sending probe packets looking for available wireless networks. Anyone observing packets flowing through RF in a coffee shop, airplane, or lounge can establish a connection with the probing computer.
When a laptop establishes an ad hoc network with an unknown device, it typically enters the network into its list as “Free Public Wi-Fi”. Once on the list, it becomes one of the networks on the laptop’s preferred list. These ad hoc network entries have spread across enough laptops that it isn’t uncommon to connect to an ad hoc network in a public place that includes several devices—whether or not the connection is known to the computers’ owners.
Laptops connected to ad hoc networks can potentially communicate with systems that are infected by malware. This can allow the spread of a worm, for example, across most or all laptops in the local café.
Another vulnerability is created when a malicious user of an ad hoc network node uses the available connections to crack into member systems. This can result in data leakage or data destruction.
Another challenge is related to how an XP-based laptop “flips” between wireless connections. With wireless auto configuration enabled, XP may drop a connection to one access point to move to another with a stronger signal. This may be a serious problem if the second AP is not part of the user’s network.
The best solution is a patch for Windows XP SP2 that helps secure wireless auto configuration, including turning off the probe packets. It also forces a user to select a wireless network from a list via a dialog box. This patch is not included in SP2 or in any auto-updates. You have to manually download it from the Microsoft site. This Wireless Client Update can be downloaded here.
Regardless of whether you install this patch, you need to ensure your wireless laptops are configured to attach to infrastructure networks only. Instructions to set this configuration with Windows XP are available at GRC.COM. These instructions at Steve Gibson’s web site also include turning off broadcasting for wireless networks in the preferred list, as discussed in a Security Now podcast episode. And as always, laptops should run updated anti-malware and personal firewall software.
Windows Vista reportedly does not have this problem.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.