The State Of WiFi Security

Fri, 21 Mar 2008 07:10:23 GMT

One of the fundamental rules, which you wont read about in any security book and you can learn only through experience is that everything is in symbiosis. This means that the security models of the individual components in a system are co-dependent. For example, the security of a server is dependent on the security of the individual clients connected to it and the the security of the clients depend on the security of the servers they are interacting with. If you know how to take advantage of this rule you can hack/break into anything. Let's see how this rule applies to WiFi networks and especially those found in London as I find the situation rather concerning.

When we talk about WiFi security we usually stumble across things such as encryption, WPA and WPA2, 802.11 authentication, client-side certificates, network segmentation, vlanning, captive portals, etc, etc, etc. Yet, none of these technologies provide security but rather things such as privacy and identity verification and authorization. These are the basic components of a secure WiFi network but by no means a one-stop solution to all problems. Even when properly deployed/configured, problems in WiFi networks occur in much deeper or higher level and it requires a bit more creativity, intelligence and strategy to identify them. So here, I would like to briefly outline a couple of scenarios, some of which you might be familiar with, that led to full compromise of the organizations we were asked to legally break into. All these scenarios are possible due to the "symbiosis paradigm", which I discussed at the begging of this post.

Physical Breakins And WiFi Security

This is one of the oldest tricks available to the mankind. It is like the Trojan Horse in ancient Greece. The strategy is very simple. If one finds a way to get a physical access to the building he/she can deploy an wireless access point which later will be used to break into that organization. Now, how hard is to obtain that access? Easier then you think! Keep in mind that companies do business. Their buildings are not impenetrable fortresses. If you show your stuff they are willing to show theirs. Many times a physical breakin is almost as simple as walking into the lobby and finding an unprotected network adapter to put your access point there. Sometimes it requires things such as walking through the backdoor into the common/dinning area. Even knowing an insider's smoking pattern proves to be very, very helpful.

Once inside, hardly anyone asks you what you are doing there. Not to mention that people are not used to question your authority if you politely explain to them that you are performing a security penetration test which aims to break into their networks. The truth is that humans can detect suspicious activities by following your body language. The more you lie the the more negative messages you are sending to the people around you and of course the higher is the chance to get caught. So, being honest is actually a plus rather then a minus.

Even having access to a conference area is quite easy as you can arrange supposedly important meeting with someone from inside. Usually you find the network jacks underneath the table where you can connect whatever needs to be connected.

Now, if you've been in the wireless security business long enough you will probably argue that you can detect rogue access points and that you can turn on or off ports of the switch in order to guarantee some kind of security. However, only a few will admit that this system hardly works as they are often hundreds of neighboring wireless networks around the premises and often ports are left on due to the fact that it is extremely hard to keep track of what people do. Your best friend is probably your network architecture. The more segmented network you have the lower the chances for the attacker to obtain further access. Security in depth does work but keep in mind that you have to take into consideration the "symbiosis paradigm" and this is hard and it works against the security in depth practices.

Stepping Stone Attacks/Hacks

Hacking/breaking into a network is often easily done through already trusted clients. Evil Tween attacks work 100%. Ok, ok, nothing new here but it is time for people to take a sip from the kool-aid called reality. Breaking into a client first and then breaking into the target network is what we call stepping stone attacks. Even if the WiFi network employs the most strict security policies clients are meant to work. John Johnson from 3rd flour needs to access information from that database or save/read files from that and that location. Breaking into John's laptop is easier.

Stupid tricks work the best. When someone needs to get the job done they often forget about security and take all sorts of risks. "Oh, wifi network is not working, right, let's check my list. Here it is. This is my network! Connect" However, the victim fails to comprehend that that that network is not his/her network as it is "open". The only similarity between the two networks is that they have the same name. However, most users are not technically savvy to understand that and this of course works against the organizations who employ them.

Again, everyone who has been in the WiFi security business for long enough will argue that everybody should have a good client-side security policies. That the firewall needs to be always on and that each system needs to be patched with the latest fixes. Rules should be applied to guarantee that when wired ports are on, wifi is off and vice versa. End-point security must be enforced and users should run from unprivileged accounts. However, only those that have hands-on experience will say that this is hardly enough. The client's firewall is a minor issue. If the attacker controls the network they control the underlaying clients - a classic example of the "symbiosis" thing we've talked about. Your best strategy is be prepared for eventual breakins. This is where we get out of the geek/tech side of the problem and we dive into much more important things such as what will be the impact if data is stolen. You need crisis management plans, combined with BPR (Black Public Relations) counter plans. A fellow and much wiser college of mine once said that only fools thing that they can solve security problems by employing security solutions. Think about Visa Net. They have a rough estimate how much money will be stolen per month but this number has been already covered so that the loss is so small that it is almost insignificant.

Guest WiFi Networks And The "thinking in 3rd person" Strategy

We promote tiger teams operations rather then standard tests most, if not all, companies in the security market provide. Having a test with not clear objectives is almost like spending your money for nothing. Don't think tech. Think impact! Think about objectives. What your business depends on? Do not ask anyone to identify vulnerabilities. Ask them to do something specific like: "I want you to find ways to steal money.", or "I want you to find ways get to that type of data.". This is much more valuable then a report full of useless bugs you know that you cannot fix in the next year. Where is the value?

This is something to think about as I will show you that your wireless security is dependent on the security of every single sub-system you are interacting with. Here is how it goes. Your WiFi network is probably secure but what's the security of your business partners' WiFi networks? Typically, and by saying "typically" I really mean all the time, companies have unprotected WiFi networks that are specifically designed for guests only. These networks are entirely open and have something like BlueSocket or something else that acts as a captive portal. The guest enters their password of the day and they are in. Unfortunately their entire traffic travels clean an clear in the air as well as their POP3 credentials and their HTTP sessions.

When we were once asked to break into some organizations, which names we cannot disclose, we went exactly the opposite way of the expected. We researched the company and found all other companies they work with. Then we went onsite and discovered that some of these companies run open wifi networks for guests. It did not take us long to obtain access to sensitive mail, through leaked POP3 credentials which also got us a VPN access and other goodies.

The next time someone starts bragging about how 1337 memory corruption bugs exploits are and how with their invisible linux rootkit they can hide their activities, shut them up but showing them this article. Hacking is a survival trick and the act to outsmart others. There are no rules. Use your head not your ego and be creative as much as you can. I would suggest to develop creativity rather then technical knowledge as the second can be obtained very rapidly. The first one requires a life style not many can keep up with.

By no means these are all tricks/realizations of the trade but we keep the best ones for ourselves.

red teams/tiger teams should be the standard, as should be the threat modeling based on objective/assets. but we have a big problem here. users (so clients) where educated technology centric, and are vastly unaware of real world attackers practice. why would i spend time on exploiting your network when i can get the password i need to access your assets with a drunk manager at a local bar ? or in the trash ? i hope that by offering this kind of services to my clients, some of them will become aware of how easily vital IP can be stolen/destroyed, but the contacts i had proves me wrong for the moment, people still wants NAC, automated nessus scan, and many other pretty useless energy consumption.
well, that business model will change soon.
Thanks :)
Well, Wi-Fi security might be after all just a bad answer in a flawed security model. Instead of trying at all cost to prevent people from entering the network by securing layer 2, maybe we should think more of securing layer 3. And bye bye 802.1x, WPA, NAC and similar expensive stuff... In the end, an open Wi-Fi network with an IPSEC gateway might be easier to deploy.
Geoffrey LeeGeoffrey Lee
I think another way to say it is that your security is only as strong as the weakest link, and human behavior is part of that link.
Geoffrey, exactly :)
"...but we keep the best ones for ourselves"...
Many enterprise start discussing training, training, training, but I'm pretty sure you are all aware of how well that is going. If human behavior is part of that link (and will probably be the weakest part the majority of the time), how do we cope with human error?
mike, easy. we promote brain augmentation via nano robots which are connected to a security management console :)
But what if the attackers deploy nanopirates against your nanorobots...
To increase security for user log in, increase the required authorization factors. For our secure internal network, you must use a smartcard (PKI of course) along with a pass-phrase (something you have and something you know). You can always add fingerprint scan to give you, "something you are". Although nothing is fool proof, a hacker will most likely move on to an easier target. With WiFi, there are plenty of them. -Aod-
Aod, I agree although I could add that attackers will move to an easier target but probably still within the scope of their goals. Probably, hacking into a network where employs are connecting to, hoping to get control over their computers and use them as a stepping stone to access the secure network, as I explained in the post. But as you said, nothing is fool proof. thanks
sebastian nielsensebastian nielsen
Client side security is inneccesary, and can always be bypassed. For example using a linux cd to boot up the computer and access every file on the computer. Its always good to adhere to the following rule: "If you have physical access to a computer, nothing prevents you to read or access the data stored on it". read or access means in some way downloading or reading data. The data may be unreadable (encrypted) but then you take the data with you and do a offline attack. So the best is to place all security as centrally as possible. A good idea is to never store anything on the laptop. But instead store everything on central servers. These servers can then verify user in some way. But keep in mind that user can still copy data that he gets from the server to a USB memory, or just take photos of screen and then OCR them. So use a VERY strict need-to-know policy, and make sure that if the system is in doubt of if a people is really needing a specific information, make it go through approval by manager before allowing the employer access. So this means a worker who is working on a software part is only need access to that part of software. This means that EVEN if a attacker gets physical posession of his laptop, or gets hold of a employer's authorization card or gets access to a logged-in computer, the attacker cannot access more than the employer is able to access.. Let the users be administrators on their clients, and control access to documents, files and data by storing them at a central server.
frank kernfrank kern
Now I get cleared my doubts in WiFi security,thank you very much.