Security Laboratory

Security Laboratory: Wireless Security

This series covers wireless security. We will post papers on the latest threats as well as fundamental tutorial information you need to design and pen test a wireless network.

Five Wireless Threats You May Not Know

Joshua Wright
Over the past several years, the wireless security market has matured significantly. However, many organizations remain vulnerable in their wireless network deployments, sometimes exposing sensitive information that is valuable to criminals.

Consider the case of the TJX company: In December 2006, TJX notified law enforcement officials that attackers had access to more than 46 million customer records complete with payment card data, for a period of not less than 18 months [1]. In May 2007, the Wall Street Journal disclosed that anonymous sources fingered the wireless point-of-sale systems, protected solely by the widely flawed WEP protocol, as the security weakness that enabled thieves to compromise the retailer at a department store in St. Paul, Minnesota [2]. In May 2007, TJX disclosed in quarterly earnings reports that the compromise had cost the company over 17 million dollars in investigation and legal fees, with a group of banks filing suit against TJX for the replacement cost of compromised payment cards, as much as $25 per replacement card.

Fortunately, organizations have alternatives for securing their wireless networks, with improved encryption and authentication mechanisms that defeat the attacks used against TJX. Encryption mechanisms defined in the IEEE 802.11i specification and authentication protocols such as PEAP and EAP/TLS significantly improve the security of wireless technology.

Not to be dissuaded, however, attackers have found new avenues to take advantage of weaknesses in wireless networks that, in most cases, have yet to be addressed by organizations. This short whitepaper will examine five significant threats affecting wireless networks that represent the changing attack landscape for wireless networks.

Hidden Rogue APs
The threat of a rogue AP is significant for any network, effectively offering an attacker the equivalent of an RJ45 jack in the parking lot (or across the street, or in the high-rise building next door). Standards such as the Payment Card Industry Data Security Standard (PCI DSS) require that organizations regularly assess their networks for these rogue AP threats, and many vendors have implemented products designed to address this threat. Despite the attention to this threat, many organizations remain vulnerable, and many analysis mechanisms provide an inadequate defense against rogue AP devices:

  • WKnock: WKnock is a software package for common access points such as the Linksys WRT. Using WKnock, an attacker or an insider can plug in a rogue access point which will lie dormant, silent to analysis systems. This often defeats quarterly or monthly monitoring systems, since the device is silent until it is used by an attacker, after which it returns to its dormant state. [3]
  • IEEE 802.11n GreenField Mode: Many organizations are planning to deploy IEEE 802.11n technology, but even without the adoption of this new platform, organizations are exposed to 802.11n rogue APs operating in GreenField mode. GreenField mode is an operating mechanism to maximize the speed of 802.11n technology by using a new technology that effectively renders these networks invisible to existing 802.11a/b/g wireless cards. As a result, rogue AP analysis systems are unable to identify these GreenField APs, including all commercially sold wireless IDS products today. [4,5]
  • Bluetooth Rogue AP: Bluetooth technology is making its way into all kinds of devices, and is especially attractive due to its low cost and minimal resource requirements. Devices such as Bluetooth APs are available that provide similar connectivity and range as their 802.11 counterparts, but escape analysis mechanisms since Bluetooth operates using Frequency Hopping Spread Spectrum instead of traditional 802.11 transmission mechanisms. [6]
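The WKnock item above is a detection problem as much as a hardware problem: a quarterly scan only sees what is transmitting during the scan window. The following is an added example (not code from the whitepaper or from any product it names) of the bookkeeping a continuous monitor needs. It keeps first-seen/last-seen state for every BSSID heard across many short scan cycles and reports anything not in the authorised inventory even if it was heard in a single cycle, and separately flags unknown BSSIDs that advertise the corporate SSID. The scan-line format `bssid,ssid,channel`, the inventory and the ten-cycle scenario are constructed for the example. It only covers what the scanning card can decode; GreenField-only 802.11n APs and Bluetooth APs, as the text notes, need other sensors.

```python
"""Rogue AP bookkeeping across many scan cycles (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed authorised inventory: BSSID -> SSID it is allowed to advertise.
AUTHORISED: Dict[str, str] = {
    "00:1a:2b:3c:4d:01": "corp-wlan",
    "00:1a:2b:3c:4d:02": "corp-wlan",
}


@dataclass
class Sighting:
    ssid: str
    channel: int
    first_seen: int   # scan cycle in which the BSSID was first heard
    last_seen: int
    count: int = 1    # number of cycles in which it was heard


def parse_scan(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Parse constructed 'bssid,ssid,channel' lines; blanks and '#' comments are skipped."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel = (p.strip() for p in line.split(",", 2))
        out.append((bssid.lower(), ssid, int(channel)))
    return out


class RogueTracker:
    def __init__(self, authorised: Dict[str, str]):
        self.authorised = {b.lower(): s for b, s in authorised.items()}
        self.seen: Dict[str, Sighting] = {}

    def ingest(self, lines: List[str], cycle: int) -> None:
        """Merge one scan cycle into the history."""
        for bssid, ssid, channel in parse_scan(lines):
            s = self.seen.get(bssid)
            if s is None:
                self.seen[bssid] = Sighting(ssid, channel, cycle, cycle)
            else:
                s.last_seen, s.count = cycle, s.count + 1

    def rogues(self) -> Dict[str, Sighting]:
        """Every BSSID ever heard that is not in the inventory, however briefly it appeared."""
        return {b: s for b, s in self.seen.items() if b not in self.authorised}

    def ssid_impersonators(self) -> Dict[str, Sighting]:
        """Unknown BSSIDs advertising an authorised SSID."""
        legit = set(self.authorised.values())
        return {b: s for b, s in self.rogues().items() if s.ssid in legit}


def run_demo() -> RogueTracker:
    """Ten constructed scan cycles: a dormant AP wakes in cycle 4 only, and an
    unregistered consumer AP shows up in cycles 7 and 8."""
    tracker = RogueTracker(AUTHORISED)
    for cycle in range(1, 11):
        scan = [
            "00:1A:2B:3C:4D:01,corp-wlan,1",
            "00:1A:2B:3C:4D:02,corp-wlan,11",
        ]
        if cycle == 4:
            scan.append("00:de:ad:be:ef:01,corp-wlan,6")   # dormant AP, advertising the corp SSID
        if cycle in (7, 8):
            scan.append("00:c0:ff:ee:00:01,linksys,11")    # unregistered consumer AP
        tracker.ingest(scan, cycle)
    return tracker


if __name__ == "__main__":
    t = run_demo()
    for bssid, s in sorted(t.rogues().items()):
        flag = " (advertises corp SSID)" if bssid in t.ssid_impersonators() else ""
        print(f"{bssid} ssid={s.ssid!r} ch={s.channel} cycles {s.first_seen}-{s.last_seen} "
              f"heard {s.count}x{flag}")
```

The point of the history is the `count == 1` case: a snapshot taken in any cycle other than 4 would never show the dormant device, while the accumulated record still does.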

Bluetooth Attacks
Bluetooth technology is growing and being adopted at an amazing rate, surpassing one billion Bluetooth devices shipped in 2006! With increased prevalence in adoption and use comes increased scrutiny from attackers, who have uncovered significant security vulnerabilities in Bluetooth technology. Attacks including unauthorized access, information disclosure, remote eavesdropping, device manipulation and full host compromise are all possible against Bluetooth technology in use today. Due to the ad-hoc and decentralized nature of Bluetooth technology, administrators are often unaware of the amount of Bluetooth technology in use, and of their exposure to Bluetooth attacks. While many organizations disregard Bluetooth threats, thinking the technology is limited to short-range communication, the reality is that tests have shown it is possible for an attacker to communicate with a short-range Bluetooth device from over a mile away!

Recently, a colleague was working on a wireless assessment that included a Bluetooth analysis. Below is an extract from a discussion we had following his tests:
Joshua Wright: What did you turn up in the BT audit?
Colleague: Besides walking into the CEO's N95?
Joshua Wright: Sweet! How did you get into it?
Colleague: Btscanner -> got the BT MAC plus the device ID; connected to it using the standard OBEX transfer; it was wide open; sent a few .sisx files; you can imagine the rest
Joshua Wright: :)
Colleague: I just used iSync; after OBEXing over the Apple "high-speed iSync app"

In this example, a recent Nokia Communicator phone was vulnerable to unauthorized access, allowing the attacker to upload arbitrary malware to the phone, and to retrieve potentially sensitive information including contacts, calendar information and notes files.
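The first defensive step against both the phone exposure in the exchange above and the Bluetooth rogue AP item in the previous section is knowing what Bluetooth devices are discoverable on site. The following is an added example, not code from the whitepaper or from btscanner, that turns inquiry results into an inventory by decoding the 24-bit Bluetooth Class of Device (CoD): bits 8-12 give the major device class (2 is a phone, 3 is a LAN/Network Access Point, i.e. a Bluetooth AP), bits 2-7 the minor class, and bits 13-23 the advertised service classes, of which bit 20 is Object Transfer (the OBEX service used above). The input lines are constructed to mirror the `hcitool inq` output format; the addresses and classes are made up.

```python
"""Bluetooth inventory from inquiry results, decoded by Class of Device (added example)."""
import re
from typing import Dict, List

# Major device classes (bits 8-12 of the CoD), per the Bluetooth assigned numbers.
MAJOR_CLASSES = {
    0: "miscellaneous", 1: "computer", 2: "phone", 3: "LAN/network access point",
    4: "audio/video", 5: "peripheral", 6: "imaging", 7: "wearable", 8: "toy",
    9: "health", 31: "uncategorised",
}
# Service classes (bits 13-23 of the CoD).
SERVICE_BITS = {
    13: "limited discoverable", 16: "positioning", 17: "networking", 18: "rendering",
    19: "capturing", 20: "object transfer", 21: "audio", 22: "telephony", 23: "information",
}

# Constructed sample mirroring `hcitool inq` output; addresses and classes are made up.
SAMPLE_INQUIRY = """\
Inquiring ...
\t00:1B:33:AA:BB:CC\tclock offset: 0x6b3a\tclass: 0x5a020c
\t00:0C:E7:11:22:33\tclock offset: 0x1f40\tclass: 0x020300
\t00:1E:37:44:55:66\tclock offset: 0x2c11\tclass: 0x10010c
\t00:07:A4:77:88:99\tclock offset: 0x0a0a\tclass: 0x200404
"""

INQ_LINE = re.compile(
    r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+clock offset:\s*0x[0-9A-Fa-f]+"
    r"\s+class:\s*0x([0-9A-Fa-f]{6})"
)


def decode_cod(cod: int) -> Dict[str, object]:
    """Split a 24-bit Class of Device into major class, minor class and service flags."""
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    services = [name for bit, name in SERVICE_BITS.items() if cod & (1 << bit)]
    return {
        "major_code": major,
        "major": MAJOR_CLASSES.get(major, f"reserved({major})"),
        "minor_code": minor,
        "services": services,
    }


def parse_inquiry(text: str) -> Dict[str, Dict[str, object]]:
    """Map each address in inquiry output to its decoded CoD; non-matching lines are ignored."""
    devices = {}
    for line in text.splitlines():
        m = INQ_LINE.match(line)
        if m:
            devices[m.group(1).upper()] = decode_cod(int(m.group(2), 16))
    return devices


def findings(devices: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Devices a wireless assessment should follow up on, with the reason."""
    out: Dict[str, List[str]] = {}
    for addr, d in devices.items():
        notes = []
        if d["major_code"] == 3:
            notes.append("Bluetooth network access point: check against the authorised AP inventory")
        if d["major_code"] in (1, 2) and "object transfer" in d["services"]:
            notes.append("discoverable with Object Transfer (OBEX): verify pairing and "
                         "authorisation are required before a transfer is accepted")
        if notes:
            out[addr] = notes
    return out


if __name__ == "__main__":
    inventory = parse_inquiry(SAMPLE_INQUIRY)
    for addr, d in inventory.items():
        print(f"{addr} {d['major']} (minor {d['minor_code']}) services={d['services']}")
    for addr, notes in findings(inventory).items():
        print(f"FOLLOW UP {addr}: " + "; ".join(notes))
```

The headset in the sample advertises only the audio service and is left out of the follow-up list; the phone, the laptop and the access point are flagged, which is the list a defender would then reconcile against asset records and Bluetooth usage policy.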

PEAP and TTLS Configuration Weaknesses

Many organizations have turned to stronger authentication protocols such as PEAP and TTLS to authenticate wireless users and protect access to the wireless network. When deploying PEAP and TTLS networks, the configuration of client systems is a critical component of the overall security of the wireless network. Often, PEAP and TTLS networks are poorly configured on client systems, exposing them to network impersonation attacks.

In a network impersonation attack, the adversary adopts the enterprise SSID, and provides enough of a realistic network environment to simulate the legitimate network while attempting to steal network credentials, or to attack client systems directly.

Figure 1: Attacker impersonates a legitimate AP and RADIUS server
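The client-side configuration that decides whether the impersonation in Figure 1 succeeds comes down to server certificate validation: a supplicant that does not pin the RADIUS server's CA, or pins a CA but accepts any server name under it, will run its inner authentication against whoever answers to the enterprise SSID. The following is an added example, not code from the whitepaper, that audits wpa_supplicant `network={...}` blocks for exactly those two omissions, with a weak block beside a hardened one. The two configurations, the CA file path and the RADIUS host name are constructed placeholders; the option names (`eap`, `ca_cert`, `domain_suffix_match`, `domain_match`, `subject_match`, `altsubject_match`, `anonymous_identity`, `phase2`) are real wpa_supplicant options.

```python
"""Audit wpa_supplicant network blocks for PEAP/TTLS server validation (added example)."""
import re
from typing import Dict, List

# Any one of these constrains which server certificate under the trusted CA is accepted.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

# Constructed weak block: no ca_cert, no server name constraint.
WEAK_CONFIG = """\
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed hardened block; the CA path and RADIUS host name are placeholders.
HARDENED_CONFIG = """\
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous"
    password="s3cret"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)


def parse_networks(text: str) -> List[Dict[str, str]]:
    """Return each network={...} block as a dict of option -> unquoted value."""
    blocks = []
    for body in BLOCK_RE.findall(text):
        params: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip().strip('"')
        blocks.append(params)
    return blocks


def audit_network(params: Dict[str, str]) -> List[str]:
    """Findings for one block; empty for a block that passes or that is not PEAP/TTLS."""
    findings: List[str] = []
    if params.get("eap", "").upper() not in ("PEAP", "TTLS"):
        return findings
    if "ca_cert" not in params:
        findings.append("no ca_cert: any server certificate is accepted, so an "
                        "impersonating AP/RADIUS server can collect the inner credentials")
    if not any(k in params for k in NAME_CHECKS):
        findings.append("no server name check (" + "/".join(NAME_CHECKS) + "): any "
                        "certificate issued by the trusted CA is accepted")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Map each network's SSID to its findings."""
    return {p.get("ssid", "?"): audit_network(p) for p in parse_networks(text)}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for ssid, notes in audit_config(cfg).items():
            print(f"[{label}] {ssid}: " + ("; ".join(notes) if notes else "ok"))
```

The same three controls exist in the Windows PEAP properties dialog (Validate server certificate, Connect to these servers, and the selected trusted root CA); a client audit there checks for the same two omissions.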

Mobile Device Weaknesses
Mobile devices such as PDAs, smart-phones, communicators such as the Nokia 800 and even point-of-sale devices all require wireless connectivity to be effective. Often, these embedded device platforms are well behind what is generally considered to be modern security options for wireless networks, with operating systems that do not receive regular patch updates for application flaws. In many cases, organizations cannot upgrade the operating system or applications on mobile devices until the patches are certified by application vendors, leaving the device vulnerable to attacks for an extended period of time.

Wireless Driver Attacks
The next generation of attacks against wireless networks isn't targeting the wireless network itself; rather, these attacks are targeting client vulnerabilities directly. Exploitable vulnerabilities in wireless drivers have been discovered in all major wireless card manufacturers' products, with working exploits readily available through tools such as the Metasploit Framework.

Figure 2: Sample Metasploit attack targeting a flaw in Broadcom wireless drivers

Targeting wireless driver vulnerabilities, an attacker can exploit vulnerable systems even if the user isn't connected to a wireless network! It's trivial for an attacker to exploit vulnerable systems on an airplane, for example, even when there is no wireless network available. Further, since these attacks exploit deficiencies at layer 2, traditional firewall, HIPS and NAC systems provide little to no defense against these attacks.

The wireless security market has matured significantly in the past several years, but still many organizations remain vulnerable to attacks, either through legacy protocols with well-published deficiencies, or through new threats that are not adequately addressed. In the SANS Institute Assessing and Securing Wireless Networks course [7], we examine the threats discussed in this whitepaper and the countermeasures and defenses that can be applied to mitigate well-known and emerging wireless attacks.

About the Author
Joshua Wright is the author of the SANS Institute Assessing and Securing Wireless Networks course and the author of several open-source tools designed to assess and demonstrate the flaws in common wireless networks. He can be reached via email at

1. The TJX Effect,
2. How Credit-Card Data Went Out Wireless Door,