Wireless LAN attacks grow in sophistication

It was a chilling moment: Jim Bowen, a security expert with Internet Security Systems of Atlanta, had tracked down an unidentified radio signal outside the building of a client.

Someone had set up an 802.11b access point close enough to the building to receive transmissions from wireless clients inside. Posing as a legitimate access point on the corporate wireless LAN, the decoy could accept associations and capture traffic revealing key data, network names and media access control (MAC) addresses: a wealth of corporate information that, loaded onto a wireless laptop with a set of freeware tools, could let an outsider reach resources on the wired LAN.

"This shows an increased level of sophistication in wireless threats," says Patrick Wheeler, an ISS product manager, who oversees software called Wireless Scanner, which can detect such decoys. "You have to work hard to set up something like this that close to the corporate environment."
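The check a decoy detector performs is, at its core, an inventory comparison: which MAC addresses (BSSIDs) are beaconing the corporate network name, and are they radios the company owns? The following is an added example written for this article, not code from ISS, AirDefense or any product named here. It classifies constructed beacon observations against an assumed inventory of sanctioned access points; the SSIDs, MAC addresses and signal readings are made up.

```python
"""Inventory-based detection of decoy and rogue 802.11 access points.

Added example (not from the article, ISS or AirDefense). A scanning
adapter in monitor mode sees beacon and probe-response frames; each
carries the network name (SSID) and the access point's MAC address
(BSSID). Comparing those pairs against an inventory of sanctioned
access points separates three cases:

  DECOY         - our SSID beaconed by a MAC we do not own
  ROGUE         - an SSID we never deployed (e.g. an employee's own AP)
  MISCONFIGURED - one of our radios beaconing the wrong SSID
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str     # MAC address of the transmitting AP, as seen in the frame
    channel: int
    rssi: int      # received signal strength in dBm


# Assumed inventory of sanctioned access points: BSSID -> SSID it should beacon.
AUTHORIZED: Dict[str, str] = {
    "00:40:96:a1:b2:c3": "CORPNET",
    "00:40:96:a1:b2:d4": "CORPNET",
}

# Constructed observations from one scan pass (not a real capture).
OBSERVED: List[Beacon] = [
    Beacon("CORPNET", "00:40:96:A1:B2:C3", 1, -48),
    Beacon("CORPNET", "00:40:96:a1:b2:d4", 6, -55),
    Beacon("CORPNET", "00:02:2d:11:22:33", 6, -40),   # our SSID, foreign MAC: decoy
    Beacon("linksys", "00:06:25:44:55:66", 11, -70),  # unsanctioned network: rogue
    Beacon("CORPNET", "00:40:96:a1:b2:c3", 1, -49),   # repeat of the first radio
]


def classify(observed: Iterable[Beacon], authorized: Dict[str, str]) -> List[Tuple[str, Beacon]]:
    """Return one (verdict, beacon) pair per distinct BSSID, in order first seen."""
    inventory = {mac.lower(): ssid for mac, ssid in authorized.items()}
    our_ssids = set(inventory.values())
    seen = set()
    findings = []
    for b in observed:
        mac = b.bssid.lower()          # MAC text differs in case between tools
        if mac in seen:
            continue                   # the same radio beacons many times per second
        seen.add(mac)
        expected = inventory.get(mac)
        if expected is None:
            verdict = "DECOY" if b.ssid in our_ssids else "ROGUE"
        elif expected != b.ssid:
            verdict = "MISCONFIGURED"
        else:
            verdict = "OK"
        findings.append((verdict, b))
    return findings


def summarize(findings: List[Tuple[str, Beacon]]) -> Dict[str, int]:
    """Count verdicts, e.g. {'OK': 2, 'DECOY': 1, 'ROGUE': 1}."""
    return dict(Counter(v for v, _ in findings))


if __name__ == "__main__":
    for verdict, b in classify(OBSERVED, AUTHORIZED):
        if verdict != "OK":
            print(f"{verdict:<14} ssid={b.ssid!r} bssid={b.bssid} ch={b.channel} rssi={b.rssi} dBm")
```

Two caveats a practitioner should keep in mind. First, a decoy that clones an authorized BSSID as well as the SSID passes this check unnoticed, which is why the countermeasure listed later in this article for decoy access points is mutual authentication rather than detection alone. Second, the check is only as good as its timing: run as an occasional walk-around sweep it can be evaded by unplugging the offending radio, so it belongs in a sensor that listens continuously.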

During the past year, wireless LAN security threats have multiplied, according to users, vendors and consultants. There are more attack applications available, the applications are more sophisticated and highly automated and the weaknesses of various wireless hardware and software products are documented more extensively and precisely.

Attackers continually update freeware utilities and other programs for tasks such as automatically recovering Wired Equivalent Privacy (WEP) keys; WEP is the basic, and flawed, 802.11b security layer. These programs include WEPCrack and AirSnort. Others, such as Kismet, pick up an access point's Service Set Identifier (SSID). Clients must present the SSID to join the wireless LAN, but it is transmitted over the air in the clear, so it offers no real protection.

"It's definitely getting to the point where we need to move to [a VPN] for our wireless LAN," says Dennis Moul, director of IS for CoManage, a Wexford, Pa., carrier software vendor. A VPN would require each wireless user to authenticate, for example against a Remote Authentication Dial-In User Service (RADIUS) server, and would then encrypt the data between the wireless client and the VPN gateway, so that traffic passing through the access point is unreadable to anyone sniffing the air.

But even a VPN can be exploited in the wireless world. The decoy described earlier is a variant of the so-called "man in the middle" attack: the intruder gleans network information about access points or client adapters, such as MAC addresses, and uses it to impersonate wireless LAN devices that have already authenticated. The network manager at one southeastern university recently invited an intrusion-detection vendor to demonstrate its product on campus. Within minutes, the manager witnessed two attempts at identity theft, that is, attempts to use someone else's authenticated identity.

During the past year there has been an upsurge in Web sites such as www.wigle.net (the Wireless Geographic Logging Engine), where anyone can upload readings from wireless detection programs such as NetStumbler, along with coordinates from a Global Positioning System (GPS) receiver.

"You can find the exact longitude and latitude of an access point," says Fred Tanzella, chief security officer for AirDefense, which makes handheld software for detecting and finding wireless intrusions. "You can then map directions to the site through MapQuest and even get an aerial photo of the location."

Such sites have made last year's phenomenon of "war driving", cruising around in a car with a laptop fitted with a wireless adapter card and a sensitive, or high-gain, antenna to find unprotected corporate access points, already passé.

"The real hackers today don't even have to do any driving," he says.

War spamming

Another recently developed threat is war spamming. Spammers use the same tools and lists to enter a corporate network through an unsecured access point, then hack to the corporate e-mail or Simple Mail Transfer Protocol server. Once there, they use the corporate facilities to send out a blizzard of e-mails promoting services, political beliefs or general chaos. "For the company that's hacked, their ISP may suddenly block their site to shut down the spammer," Wheeler says. "And it's often hard to get unblocked. That means no one can get to your corporate e-mail [from outside]."

Sometimes the growing sophistication of your own employees creates the problem, according to Jay Chaudhry, CEO of AirDefense. Chaudhry recently met with a large systems integrator where network executives, concerned about wireless security, had banned wireless LANs. To enforce the ban, IT staff routinely made the rounds of the site with NetStumbler loaded on wireless laptops, searching for any "rogue" access points. They didn't find any.

Chaudhry found out why. "Whenever the 'IP police' go around with NetStumbler, the users simply unplug their access points, hide them in a drawer or cupboard, and set them up again after the sweep is over," he says.

Hacking is in large part a repetitive, trial-and-error process. Like all such processes, it lends itself well to software automation.

"What I have seen [in the past year] is how automated and easy it is for even low-level attacks to be carried out," says Al Lang, COO for Fidelis Security, a vendor of intrusion-detection systems based on a modified version of the open source program Snort. The software scans network packets, searching for patterns, which it compares with a database to detect surreptitious attacks. "Hackers automate their attacks on a range of TCP/IP addresses," Lang says. "You can find thousands and thousands of such attempts in the space of a week."

Hackers can find Web sites that have file after file of sample attacks. "These can be downloaded, automated, and they just sit there [on the attacker's computer] and run and run and run," Lang says. "There are a lot of people who've automated the process of continually attacking [the network]."

Countermeasures

In wireless LANs, as in wired networks, security is a multilayered task. Increased wireless LAN use and the growing skill of attackers underline the urgency of developing countermeasures.

Some of these countermeasures can be found in new software and hardware tools, including security servers such as those offered by Bluesocket, Cranite and Vernier. The newest entries are intrusion-detection products from companies such as AirDefense and Fidelis, which is doing initial testing of its pattern-matching software with select customers.

But many countermeasures are basic, proven network security architectures, policies and procedures that need to be fine-tuned for wireless networks. That work starts with recognizing that the wired-network assumption, that no outsider can physically reach the network, does not hold when the medium is a radio wave.

CancerCare of Manitoba, which does cancer screening and treatment for the entire province, is installing Cranite Systems' security controllers to protect wireless LANs at three main sites in Winnipeg and at 17 other rural sites. At the same time, network administrators constantly monitor the firewall and wireless LANs for any attacks, and regularly run internal security audits, says Mark Kuchnicki, CancerCare's director of IS.

CoManage's Moul continually evaluates the wireless risk to his company's data. He weighs not only the expertise level of potential attackers, but also what could be called the information status of CoManage. "What is the perceived risk to this company at this time?" he asks. "Right now, we're not a publicly traded company. If we were, or were a household name, that risk would be different." 

Wireless threats

Attacks against wireless LANs are evolving: They are becoming more automated, more sophisticated and target more weak points. Here are a few:
Threat: Decoy access points
What it does: Wireless LAN clients assume the decoy is a valid access point and connect.
Countermeasures: Mutual authentication.

Threat: Access point maps
What it does: Web sites record the precise location of any unsecured access point and directions to it.
Countermeasures: Security architecture; smart deployment; authentication; encryption.

Threat: Invisible access points
What it does: Radios embedded in shipping, receiving and other systems create an open back door.
Countermeasures: Security policies; intrusion detection.

Threat: Automated low-level attacks on WEP keys, passwords, addresses
What it does: Programs run repeatedly to ferret out and crack an array of weaknesses.
Countermeasures: Intrusion detection; security architecture; access point configuration management.