Security Laboratory: Wireless Security

This series covers wireless security. We will post papers on the latest threats as well as fundamental tutorial information you need to design and pen test a wireless network.


Five Wireless Threats You May Not Know

September 5th, 2007
By Joshua Wright


Over the past several years, the wireless security market has matured significantly. However, many organizations remain vulnerable in their wireless network deployments, sometimes exposing sensitive information that is valuable to criminals.

Consider the case of the TJX company: In December 2006, TJX notified law enforcement officials that attackers had had access to more than 46 million customer records, complete with payment card data, for a period of not less than 18 months [1]. In May 2007, the Wall Street Journal disclosed that anonymous sources fingered the wireless point-of-sale systems, protected solely by the widely flawed WEP protocol, as the security weakness that enabled thieves to compromise the retailer at a department store in St. Paul, Minnesota [2]. In May 2007, TJX disclosed in its quarterly earnings report that the compromise had cost the company over 17 million dollars in investigation and legal fees, with a group of banks filing suit against TJX for the replacement cost of compromised payment cards, as much as $25 per replacement card.

Fortunately, organizations have alternatives for securing their wireless networks, with improved encryption and authentication mechanisms that defeat the attacks used against TJX. Encryption mechanisms defined in the IEEE 802.11i specification and authentication protocols such as PEAP and EAP/TLS significantly improve the security of wireless technology.

Not to be dissuaded, however, attackers have found new avenues to take advantage of weaknesses in wireless networks that, in most cases, have yet to be addressed by organizations. This short whitepaper examines five significant threats that represent the changing attack landscape for wireless networks.

Hidden Rogue APs

The threat of a rogue AP is significant for any network, effectively offering an attacker the equivalent of an RJ45 jack in the parking lot (or across the street, or in the high-rise building next door). Standards such as the Payment Card Industry Data Security Standard (PCI DSS) require that organizations regularly assess their networks for rogue APs, and many vendors have implemented products designed to address this threat. Despite the attention to this threat, many organizations remain vulnerable, and many analysis mechanisms provide an inadequate defense against rogue AP devices:
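A rogue AP check that matches only on the broadcast SSID misses the two cases that matter most: an AP that does not broadcast its SSID at all, and an AP on an unknown BSSID that clones the corporate SSID. The following triage script is an added example, not code from the paper or from the author; it assumes a site survey delivered as (BSSID, SSID, channel, RSSI) records, as most wireless scanners report them, and an authorized inventory keyed by BSSID. The inventory, the survey rows and the RSSI floor are constructed sample values.

```python
"""Rogue AP triage over a constructed site survey (added example, not from the paper).

Assumptions (not from the original text): the survey is a list of
(bssid, ssid, channel, rssi) observations as a scanner might report them,
and the authorized inventory maps each sanctioned BSSID to the SSID it
should advertise. Matching on BSSID rather than SSID is what lets the
check catch hidden-SSID APs and SSID clones.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str      # "" for an AP that does not broadcast its SSID
    channel: int
    rssi: int      # dBm, as reported by the scanner


# Constructed inventory: BSSID -> SSID the corporate AP should advertise.
AUTHORIZED = {
    "00:11:22:aa:bb:01": "corp-wlan",
    "00:11:22:aa:bb:02": "corp-wlan",
}

# Constructed survey: two sanctioned APs, a hidden AP on an unknown BSSID,
# an AP cloning the corporate SSID, and a weak neighbouring network.
SURVEY = [
    Observation("00:11:22:aa:bb:01", "corp-wlan", 1, -45),
    Observation("00:11:22:aa:bb:02", "corp-wlan", 6, -50),
    Observation("00:11:22:aa:bb:ff", "", 11, -70),           # hidden SSID, not in inventory
    Observation("de:ad:be:ef:00:01", "corp-wlan", 6, -38),   # SSID clone on unknown BSSID
    Observation("66:77:88:99:aa:bb", "neighbour-guest", 11, -82),
]


def normalize(mac: str) -> str:
    """Canonical lower-case, colon-separated MAC so inventory lookups are exact."""
    return mac.lower().replace("-", ":")


def classify(obs: Observation, authorized: dict) -> str:
    """Return a triage label for one observation."""
    expected = authorized.get(normalize(obs.bssid))
    if expected is not None:
        if obs.ssid == expected:
            return "authorized"
        # Known radio advertising the wrong name: inventory drift or a
        # reconfigured AP; worth a look, but not an unknown device.
        return "authorized-bssid-unexpected-ssid"
    if obs.ssid in set(authorized.values()):
        return "ssid-clone"          # impersonates the corporate network
    if obs.ssid == "":
        return "hidden-unknown"      # invisible to an SSID-only check
    return "foreign"                 # some other network, possibly a neighbour


def triage(survey, authorized):
    """Map every observed BSSID to its label."""
    return {normalize(o.bssid): classify(o, authorized) for o in survey}


def needs_investigation(survey, authorized, rssi_floor=-75):
    """Unauthorized BSSIDs worth walking down on site.

    Foreign networks below the RSSI floor are assumed to be off-premises;
    hidden APs and SSID clones are always returned regardless of signal.
    """
    out = []
    for o in survey:
        label = classify(o, authorized)
        if label == "authorized":
            continue
        if label in ("ssid-clone", "hidden-unknown") or o.rssi >= rssi_floor:
            out.append((normalize(o.bssid), label))
    return out


if __name__ == "__main__":
    for bssid, label in needs_investigation(SURVEY, AUTHORIZED):
        print(f"{bssid}  {label}")
```

The RSSI floor is a coarse site-boundary heuristic and nothing more; a foreign AP across the street can still be a rogue bridged into the wired network, which is why the definitive check remains correlating the wireless side with the switch's MAC tables rather than signal strength.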

Bluetooth Attacks

Bluetooth technology is growing and being adopted at an amazing rate, surpassing one billion Bluetooth devices shipped in 2006! With increased prevalence in adoption and use comes increased scrutiny from attackers, who have uncovered significant security vulnerabilities in Bluetooth technology. Attacks including unauthorized access, information disclosure, remote eavesdropping, device manipulation and full host compromise are all possible against Bluetooth technology in use today. Due to the ad-hoc and decentralized nature of Bluetooth technology, administrators are often unaware of the amount of Bluetooth technology in use, and their exposure to Bluetooth attacks. While many organizations disregard Bluetooth threats, thinking the technology is limited to short-range communication, the reality is that tests have shown it is possible for an attacker to communicate to a short-range Bluetooth device from over a mile away!

Recently, a colleague was working on a wireless assessment that included a Bluetooth analysis. Below is an extract from a discussion we had following his tests:
Joshua Wright: What did you turn up in the BT audit?
Colleague: Besides walking into the CEO's N95?
Joshua Wright: Sweet! How did you get into it?
Colleague: Btscanner -> got the BT MAC plus the device ID; connected to it using the standard OBEX transfer; it was wide open; sent a few .sisx files; you can imagine the rest
Joshua Wright: :)
Colleague: I just used iSync; after OBEXing over the Apple "high-speed iSync app"

In this example, a recent Nokia Communicator phone was vulnerable to unauthorized access, allowing the attacker to upload arbitrary malware to the phone, and to retrieve potentially sensitive information including contacts, calendar information and notes files.

PEAP and TTLS Configuration Weaknesses

Many organizations have turned to stronger authentication protocols such as PEAP and TTLS to authenticate wireless users and protect access to the wireless network. When deploying PEAP and TTLS networks, the configuration of client systems is a critical component of the overall security of the wireless network. Often, PEAP and TTLS networks are poorly configured on client systems, exposing them to network impersonation attacks.

In a network impersonation attack, the adversary adopts the enterprise SSID, and provides enough of a realistic network environment to simulate the legitimate network while attempting to steal network credentials, or to attack client systems directly.



Figure 1: Attacker impersonates a legitimate AP and RADIUS Server
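What makes the impersonation in Figure 1 succeed is usually the client side: a supplicant that does not pin the RADIUS server's CA, or pins the CA but accepts any certificate it issued, will build its TLS tunnel to whichever server answers on the enterprise SSID. The audit below is an added example, not code from the paper or from the author; it assumes wpa_supplicant-style network blocks and checks the settings that distinguish a weak PEAP/TTLS profile from a hardened one. Both sample profiles, the username, the password and the CA path are constructed placeholders.

```python
"""Audit PEAP/TTLS client profiles for impersonation exposure (added example).

Assumptions (not from the original text): profiles are wpa_supplicant-style
network={...} blocks. The keys checked (ca_cert, subject_match,
altsubject_match, domain_suffix_match, anonymous_identity) are real
wpa_supplicant options; the profile contents are constructed samples.
"""
import re

# Constructed weak profile: trusts whatever certificate the server presents.
WEAK = """
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed hardened profile: pins the issuing CA and the server's name.
HARDENED = """
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

TUNNELED = {"PEAP", "TTLS"}
SERVER_IDENTITY_KEYS = ("domain_suffix_match", "subject_match", "altsubject_match")


def parse_network_blocks(text):
    """Return one dict of key -> value per network={...} block."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        params = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)      # split once: values may contain '='
            params[key.strip()] = value.strip().strip('"')
        blocks.append(params)
    return blocks


def audit_block(params):
    """List the findings for one profile; empty list means no issue found."""
    findings = []
    if params.get("eap", "").upper() not in TUNNELED:
        return findings   # only tunneled methods are in scope here
    if "ca_cert" not in params:
        findings.append("no ca_cert: the server certificate is not verified, "
                        "so a rogue RADIUS server can terminate the TLS tunnel")
    if not any(k in params for k in SERVER_IDENTITY_KEYS):
        findings.append("no server identity match: any certificate issued by "
                        "the trusted CA is accepted, not just the RADIUS server's")
    if "anonymous_identity" not in params:
        findings.append("no anonymous_identity: the real username is sent in "
                        "the clear in the outer EAP-Identity exchange")
    return findings


def audit(text):
    """SSID -> findings for every tunneled-EAP profile in the text."""
    return {b.get("ssid", "?"): audit_block(b) for b in parse_network_blocks(text)}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        for ssid, findings in audit(cfg).items():
            print(f"[{name}] {ssid}: {findings or 'no findings'}")
```

The two certificate checks are the ones that defeat the attack in Figure 1: without a pinned CA the supplicant accepts any chain, and without a name match it accepts any certificate the CA ever issued, including one for an unrelated host. The anonymous identity finding addresses the separate leak of usernames in the unprotected outer identity.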


Mobile Device Weaknesses

Mobile devices such as PDAs, smart-phones, communicators such as the Nokia 800 and even point-of-sale devices all require wireless connectivity to be effective. Often, these embedded device platforms are well behind what is generally considered to be modern security options for wireless networks, with operating systems that do not receive regular patch updates for application flaws. In many cases, organizations cannot upgrade the operating system or applications on mobile devices until the patches are certified by application vendors, leaving the device vulnerable to attack for an extended period of time.

Wireless Driver Attacks

The next generation of attacks against wireless networks aren't targeting the wireless network itself; rather, these attacks target client vulnerabilities directly. Exploitable vulnerabilities have been discovered in the wireless drivers of all major wireless card manufacturers, with working exploits readily available through tools such as the Metasploit Framework.



Figure 2: Sample Metasploit attack targeting a flaw in Broadcom wireless drivers


Targeting wireless driver vulnerabilities, an attacker can exploit vulnerable systems even if the user isn't connected to a wireless network! It's trivial for an attacker to exploit vulnerable systems on an airplane, for example, even when there is no wireless network available. Further, since these attacks exploit deficiencies at layer 2, traditional firewall, HIPS and NAC systems provide little to no defense against them.

The wireless security market has matured significantly in the past several years, but many organizations still remain vulnerable to attack, either through legacy protocols with well-published deficiencies, or through new threats that are not adequately addressed. In the SANS Institute Assessing and Securing Wireless Networks course [7], we examine the threats discussed in this whitepaper and the countermeasures and defenses that can be applied to mitigate well-known and emerging wireless attacks.

===
About the Author
Joshua Wright is the author of the SANS Institute Assessing and Securing Wireless Networks course and the author of several open-source tools designed to assess and demonstrate the flaws in common wireless networks. He can be reached via email at jwright@hasborg.com

===
1. The TJX Effect, http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201400171
2. How Credit-Card Data Went Out Wireless Door, http://online.wsj.com/article_email/article_print/SB117824446226991797-lMyQjAxMDE3NzA4NDIwNDQ0Wj.html
3. http://www.rstack.org/oudot/wknock/
4. http://www.broadcom.com/docs/WLAN/802_11n-WP100-R.pdf
5. http://en.wikipedia.org/wiki/Greenfield_project
6. http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-beetle/bh-fed-03-beetle-up.pdf
7. http://www.sans.org/training/description.php?mid=3&