
Network World chats

Wireless security foiled by new exploits

Watch out for scary new hacker tools like KARMA, plus exploits in Bluetooth and 802.11n, says Joshua Wright in this recent Network World chat.

By , Network World
February 26, 2008 03:14 PM ET
Joshua Wright

Network World - Just when you thought your wireless network was locked down, a whole new set of exploits and hacker tools hits. WPA2 with a strong EAP type (PEAP, TTLS or EAP/TLS) can shore up your network, if configured properly. Securing clients is a lot more difficult. These topics and more were addressed by Joshua Wright in this recent Network World chat.

Wright is famous for his irreverent security blog. He is also the author of the six-day SANS Institute course, Assessing and Securing Wireless Networks. Plus, he's a popular speaker at a long list of security conferences.

Moderator-Julie: Welcome and thank you for coming. Our guest today is Joshua Wright -- famous for his irreverent security blog (although, he says, he'd really rather hack for the challenge, not for raw fish). He is also the author of the six-day SANS Institute course, Assessing and Securing Wireless Networks. Plus he's a popular speaker at a long list of security conferences.

Josh_Wright: Welcome everyone, and thanks for coming. Hopefully you have some killer questions for me about wireless security, hacking, sushi or 1975 AMC Gremlin restoration (my first car). So, hit me up and I'll do my best to answer as many questions as we have time for.

Josh_Wright: Her name was Phoebe, by the way (the Gremlin).

Moderator-Keith: While we await the onslaught of questions for Josh, we will provide a pre-submitted question that Josh has already answered. Q: In general, how well are enterprises securing their wireless network?

Josh_Wright: Enterprises are doing ... better. We are seeing fewer open networks and more organizations moving to WPA/WPA2 from WEP. There is still more than a fair share of WEP networks, sometimes motivated by the need to support legacy wireless clients (such as VoIP phones, or Symbol scanners). A lot of the enterprises I talk to feel comfortable with the security of their WPA/WPA2 networks, but they often fail to realize that this is only one piece of a wireless security strategy. Failure to address client configuration and security issues, rogue detection and home/mobile users leaves organizations exposed to attack.

Atome: What is your point of view on overlay vs. integrated wireless IDS/IPS solutions?

Josh_Wright: Overlay vendors often have a strong product, since overlay vendors ONLY make wireless intrusion detection system (WIDS) products. Vendors that have to do WIDS and wireless transport and hardware and all the QA and testing that goes along with it have more to worry about, and may not have as sophisticated a product. That said, overlay products are vulnerable in that they don't have knowledge of the encryption keys used on the network - they can only look at Layer 1 and Layer 2. Integrated vendors have the advantage there, where they can look at all the traffic on the network, analyzing not only Layer 1 and 2 but all the way up to Layer 7 as well (but not Layer 8 and 9, which are money and politics, as we all know ;) [Note, for more information on WIDS, check out Josh's whitepaper on the topic.]

Mw: How secure is WPA-PSK or WPA2-PSK?

Josh_Wright: PSK-based authentication mechanisms are notoriously vulnerable to offline dictionary attacks. I wrote one of the first WPA/WPA2-PSK attack tools, "coWPAtty." (Get it? "coW-PAtty" -- like the cow … excrement). Newer tools such as Aircrack-ng are even faster. The main problem with PSK mechanisms is that the same shared secret is stored on all devices. I was talking to a customer who was doing handheld credit card transactions with a wireless device using WPA2-PSK. They were PCI compliant (since PCI requires WPA or all kinds of hoops with WEP), but they were vulnerable in that as devices were lost, stolen or turned in for service, the PSK was disclosed and available to anyone who could get their hands on the device. Enterprises should use 802.1X instead of PSK-based authentication strategies for stronger authentication and unique, per-user keys.

PeterDiamond: Does disabling file and print sharing on your computer prevent other users on the same wireless network from accessing your computer files?

Josh_Wright: To some extent yes, but not 100%. Other services such as the remote desktop protocol are still exposed. Also remember that any user can install VNC on their workstation, which is a gold mine for an attacker. When I'm doing penetration tests, and I find machines running VNC, I break out the champagne, because I know the network is pwned.

WireGuy: Are you saying that you can pwn a network with ANY version of VNC installed on the systems?

Josh_Wright: Not any, but I haven't failed yet. You could do a secure install, I'm sure, but in my experience, VNC installs are almost always done by end-users, with no account lockout, no login monitoring and weak passwords.

Moderator-Keith: Pre-submitted question: Q: How should organizations address the threat of driver vulnerabilities?

Josh_Wright: Since a driver vulnerability can expose a workstation to a remote compromise, and since the vulnerability is exploited in kernel space which bypasses local security mechanisms (such as privilege separation, intrusion prevention mechanisms, spyware and anti-virus tools, etc), it's a serious threat. Organizations should start by compiling a list of all the wireless drivers they have installed in their organization, and regularly check the vendor's websites for driver updates.

I've also written a tool to assist in enumerating installed drivers on Windows hosts that includes a vulnerability assessment component. The tool is called WiFiDEnum. A free tool available at, WiFiDEnum scans hosts over your wired (or wireless) network and enumerates all the wireless drivers that are installed, using a local database of known vulnerabilities to let you know when you are exposed to driver threats.

Alanm: Is WPA2 now considered very secure and we should feel fine using it? Or are there still attacks/vulnerabilities that it's susceptible to?

Josh_Wright: WPA2 provides strong encryption, and specifies strong authentication mechanisms such as PEAP, TTLS and EAP/TLS as well, so it is a strong strategy for organizations. The common problem with these implementations is when people misconfigure client settings for PEAP and TTLS, like I discussed with Brad Antoniewicz from Foundstone at Shmoocon a few weeks ago (slides at, the video will be up at shortly). If PEAP and TTLS aren't configured properly, an attacker can impersonate your RADIUS server and get access to the victim's inner authentication credentials, possibly disclosing the user's password, or giving the attacker access to the user's MS-CHAP challenge response, which is almost as good.

McQ: To your earlier point -- to what degree are WPA2 scanners available today, if enterprises were willing to replace their WEP-only devices? Are there abundant choices?

Josh_Wright: Newer handheld devices for manufacturers, retailers and the food/hospitality industry are available, but only within the past year or so. This is a problem for many organizations, since the amortization schedule on these devices is usually very long (7-10 years), which makes it difficult to upgrade. I would not say there are abundant choices available, but customers need to tell these vendors that they require WPA2 and to stop buying anything that doesn't support WPA2 and strong EAP types such as TTLS and PEAP or EAP/TLS.
