Beware the rogue Wi-Fi access point in Windows 7

* SoftAP feature in the new OS could threaten enterprise security

The consumerization of IT is alive, well and causing all sorts of enterprise security challenges in the mobile arena. But highly visible issues, such as the consumer-centric Apple iPhone, represent only the tip of the vulnerability iceberg. Microsoft Windows 7, for example, contains software that allows a user's laptop to do double-duty as a rogue Wi-Fi access point that masks the entry of unauthorized users onto the corporate network.


So far, it looks like the Windows 7 OS is a winner. As of January -- barely three months after its late-October 2009 release -- NetMarketShare pegged it as already having garnered between 7% and 8% of the OS market. Many enterprises that skipped the much-maligned Vista version of Windows are likely to upgrade to Windows 7.

Windows 7, though, contains a "SoftAP" feature, also called "virtual Wi-Fi," that allows a single PC to function simultaneously as a Wi-Fi client and as an AP to which other Wi-Fi-capable devices can connect. The capability is handy when users are wearing their consumer hats and want to share music and play interactive games during their off hours. But it also can allow on-site visitors and parking-lot hackers to piggyback onto the user's laptop and "ghost ride" into the corporate network unnoticed.

So says Gopinath KN, director of engineering at AirTight Networks, a wireless intrusion-prevention system (WIPS) and service company that has analyzed the SoftAP capability. He says a Windows 7 device performs Port Address Translation, allowing a single public IP address to be used by many LAN devices (and exposing only certain Layer 4 port numbers). So devices that associate with the Windows 7 device's virtual AP will be bridged into the wired network unseen because they will be hidden behind the "master" IP address.

The issue is more dangerous than Wi-Fi's peer-to-peer, or ad hoc, mode, says AirTight Vice President of Product Management Sri Sundarilingam. In peer-to-peer mode, the only data exposed are the local files and applications on participating users' laptops -- not the whole corporate network.

AirTight, of course, has a vested interest in discussing the SoftAP vulnerability. WIPS products such as AirTight's and those from competitors such as AirMagnet and Motorola AirDefense scan the airwaves for unauthorized devices in the airspace -- such as a Windows 7 SoftAP -- and flag them as rogues that clients are not permitted to associate with.

So using WIPS is one protective option. Another is to provision the laptop with the SoftAP capability turned off and deny all Windows 7 users system administration rights so that they can't turn it back on.

Still another is to install mobile device management and/or security agent software on the laptop that enforces centralized policies such as disabling soft APs and ad-hoc Wi-Fi modes. Such software is available from a quickly growing number of companies in the mobile device management space. And AirTight, in addition to offering WIPS, also has such a client agent it calls SpectraGuard SAFE, which the company says can be used on any Wi-Fi, Bluetooth, 3G, infrared or WiMAX network.
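The provisioning option described above can be checked and enforced with the built-in `netsh wlan` hosted-network commands. The script below is an added example, not code from the article or from AirTight; the function names and the sample output are constructed for illustration, and it assumes English-language `netsh` output and an elevated prompt for the enforcement step.

```powershell
# Added example: audit the Windows 7 hosted network (SoftAP) and disallow it.
# Function names are hypothetical; parsing assumes English netsh output.

function Get-HostedNetworkState {
    param([string[]]$NetshOutput)
    # Extract Mode, Status and client count from `netsh wlan show hostednetwork`.
    $state = @{ Mode = 'Unknown'; Status = 'Unknown'; Clients = 0 }
    foreach ($line in $NetshOutput) {
        if     ($line -match '^\s*Mode\s*:\s*(.+?)\s*$')          { $state.Mode    = $Matches[1] }
        elseif ($line -match '^\s*Status\s*:\s*(.+?)\s*$')        { $state.Status  = $Matches[1] }
        elseif ($line -match '^\s*Number of clients\s*:\s*(\d+)') { $state.Clients = [int]$Matches[1] }
    }
    New-Object PSObject -Property $state   # PSObject keeps this PowerShell 2.0 compatible
}

function Disable-HostedNetwork {
    # Stop a running SoftAP first, then disallow the feature (needs elevation).
    netsh wlan stop hostednetwork | Out-Null
    netsh wlan set hostednetwork mode=disallow | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Invoke-SoftApAudit {
    param([switch]$Enforce)
    $state = Get-HostedNetworkState (netsh wlan show hostednetwork)
    if ($state.Status -eq 'Started') {
        Write-Warning "SoftAP is running with $($state.Clients) client(s) attached."
    }
    if ($Enforce -and $state.Mode -ne 'Disallowed') {
        if (-not (Disable-HostedNetwork)) { Write-Warning 'Disable failed; run elevated.' }
        $state = Get-HostedNetworkState (netsh wlan show hostednetwork)
    }
    $state
}

# Constructed sample output, so the parser can be tried without a Wi-Fi adapter.
$sample = @'
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "example-softap"
    Max number of clients  : 100

Hosted network status
---------------------
    Status                 : Started
    Number of clients      : 1
'@ -split "`r?`n"

Get-HostedNetworkState $sample   # parses to Mode=Allowed, Status=Started, Clients=1
```

Running `Invoke-SoftApAudit -Enforce` from a provisioning or login script applies the setting on a live machine.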
