The State of WiFi security
One of the fundamental rules, which you wont read about in any security book and you can learn only through experience is that everything is in symbiosis. This means that the security models of the individual components in a system are co-dependent. For example, the security of a server is dependent on the security of the individual clients connected to it and the the security of the clients depend on the security of the servers they are interacting with. If you know how to take advantage of this rule you can hack/break into anything. Let’s see how this rule applies to WiFi networks and especially those found in London as I find the situation rather concerning.
When we talk about WiFi security we usually stumble across things such as encryption, WPA and WPA2, 802.11 authentication, client-side certificates, network segmentation, vlanning, captive portals, etc, etc, etc. Yet, none of these technologies provide security but rather things such as privacy and identity verification and authorization. These are the basic components of a secure WiFi network but by no means a one-stop solution to all problems. Even when properly deployed/configured, problems in WiFi networks occur in much deeper or higher level and it requires a bit more creativity, intelligence and strategy to identify them. So here, I would like to briefly outline a couple of scenarios, some of which you might be familiar with, that led to full compromise of the organizations we were asked to legally break into. All these scenarios are possible due to the
symbiosis paradigm, which I discussed at the begging of this post.
Physical breakins and WiFi security
This is one of the oldest tricks available to the mankind. It is like the Trojan Horse in ancient Greece. The strategy is very simple. If one finds a way to get a physical access to the building he/she can deploy an wireless access point which later will be used to break into that organization. Now, how hard is to obtain that access? Easier then you think! Keep in mind that companies do business. Their buildings are not impenetrable fortresses. If you show your stuff they are willing to show theirs. Many times a physical breakin is almost as simple as walking into the lobby and finding an unprotected network adapter to put your access point there. Sometimes it requires things such as walking through the backdoor into the common/dinning area. Even knowing an insider’s smoking pattern proves to be very, very helpful.
Once inside, hardly anyone asks you what you are doing there. Not to mention that people are not used to question your authority if you politely explain to them that you are performing a security penetration test which aims to break into their networks. The truth is that humans can detect suspicious activities by following your body language. The more you lie the the more negative messages you are sending to the people around you and of course the higher is the chance to get caught. So, being honest is actually a plus rather then a minus.
Even having access to a conference area is quite easy as you can arrange supposedly important meeting with someone from inside. Usually you find the network jacks underneath the table where you can connect whatever needs to be connected.
Now, if you’ve been in the wireless security business long enough you will probably argue that you can detect rogue access points and that you can turn on or off ports of the switch in order to guarantee some kind of security. However, only a few will admit that this system hardly works as they are often hundreds of neighboring wireless networks around the premises and often ports are left on due to the fact that it is extremely hard to keep track of what people do. Your best friend is probably your network architecture. The more segmented network you have the lower the chances for the attacker to obtain further access. Security in depth does work but keep in mind that you have to take into consideration the
symbiosis paradigm and this is hard and it works against the security in depth practices.
Stepping stone attacks/hacks
Hacking/breaking into a network is often easily done through already trusted clients. Evil Tween attacks work 100%. Ok, ok, nothing new here but it is time for people to take a sip from the kool-aid called reality. Breaking into a client first and then breaking into the target network is what we call stepping stone attacks. Even if the WiFi network employs the most strict security policies clients are meant to work. John Johnson from 3rd flour needs to access information from that database or save/read files from that and that location. Breaking into John’s laptop is easier.
Stupid tricks work the best. When someone needs to get the job done they often forget about security and take all sorts of risks.
Oh, wifi network is not working, right, let’s check my list. Here it is. This is my network! Connect However, the victim fails to comprehend that that that network is not his/her network as it is
open. The only similarity between the two networks is that they have the same name. However, most users are not technically savvy to understand that and this of course works against the organizations who employ them.
Again, everyone who has been in the WiFi security business for long enough will argue that everybody should have a good client-side security policies. That the firewall needs to be always on and that each system needs to be patched with the latest fixes. Rules should be applied to guarantee that when wired ports are on, wifi is off and vice versa. End-point security must be enforced and users should run from unprivileged accounts. However, only those that have hands-on experience will say that this is hardly enough. The client’s firewall is a minor issue. If the attacker controls the network they control the underlaying clients – a classic example of the
symbiosis thing we’ve talked about. Your best strategy is be prepared for eventual breakins. This is where we get out of the geek/tech side of the problem and we dive into much more important things such as what will be the impact if data is stolen. You need crisis management plans, combined with BPR (Black Public Relations) counter plans. A fellow and much wiser college of mine once said that only fools thing that they can solve security problems by employing security solutions. Think about Visa Net. They have a rough estimate how much money will be stolen per month but this number has been already covered so that the loss is so small that it is almost insignificant.
Guest WiFi networks and the
thinking in 3rd person strategy
We promote tiger teams operations rather then standard tests most, if not all, companies in the security market provide. Having a test with not clear objectives is almost like spending your money for nothing. Don’t think tech. Think impact! Think about objectives. What your business depends on? Do not ask anyone to identify vulnerabilities. Ask them to do something specific like:
I want you to find ways to steal money., or
I want you to find ways get to that type of data.. This is much more valuable then a report full of useless bugs you know that you cannot fix in the next year. Where is the value?
This is something to think about as I will show you that your wireless security is dependent on the security of every single sub-system you are interacting with. Here is how it goes. Your WiFi network is probably secure but what’s the security of your business partners’ WiFi networks? Typically, and by saying
typically I really mean all the time, companies have unprotected WiFi networks that are specifically designed for guests only. These networks are entirely open and have something like BlueSocket or something else that acts as a captive portal. The guest enters their password of the day and they are in. Unfortunately their entire traffic travels clean an clear in the air as well as their POP3 credentials and their HTTP sessions.
When we were once asked to break into some organizations, which names we cannot disclose, we went exactly the opposite way of the expected. We researched the company and found all other companies they work with. Then we went onsite and discovered that some of these companies run open wifi networks for guests. It did not take us long to obtain access to sensitive mail, through leaked POP3 credentials which also got us a VPN access and other goodies.
The next time someone starts bragging about how 1337 memory corruption bugs exploits are and how with their invisible linux rootkit they can hide their activities, shut them up but showing them this article. Hacking is a survival trick and the act to outsmart others. There are no rules. Use your head not your ego and be creative as much as you can. I would suggest to develop creativity rather then technical knowledge as the second can be obtained very rapidly. The first one requires a life style not many can keep up with.
By no means these are all tricks/realizations of the trade but we keep the best ones for ourselves.