The Hacker's Wireless Toolbox Part 1

July 14, 2003 12:00 PM ET

Computerworld - As 802.11 wireless LANs are becoming the next generation of IT networking, they are also the new playgrounds for hackers. While industry struggles with ways to provide effective encryption and authentication security measures for WLANs, hackers already possess easy-to-use tools that can launch increasingly sophisticated attacks that put your information assets at risk. Although my intent isn't to scare enterprises away from deploying WLANs, I do believe it's important to know what's in the hacker's toolbox, so you can better protect yourself and your assets. All the information contained in this piece is already readily available on the Web to anyone who wants to read it, so I'm not providing hackers with information they don't already have.

What's at Risk?


WLANs not only face all of the security challenges of any wired network, but also have the new risks introduced by the wireless medium that connects stations and access points. Any wireless access point attached to a wired network essentially broadcasts an Ethernet connection and an on-ramp to the entire enterprise network. In a traditional wired network, Layers 1 and 2 are typically protected by the Category 5 wire within a building, but in a WLAN they are exposed.


The satellite photograph on this page shows how radio signals from a single access point can travel several city blocks outside of a building. Without proper security measures for authentication and encryption, any laptop with a wireless card can connect with the network or eavesdrop on all network traffic across that access point from any area within the colored areas on the map.



Some enterprises make the mistake of believing that they don't have to worry about wireless security if they are running non-mission-critical systems with nonsensitive information across their WLANs. However, few networks operate as islands of automation. Most connect with the enterprise backbone at some point, and hackers can use the WLAN as a launching pad to the entire network. Thus, every entry point to that network should be secured.


In the summer of 2002, a retail chain was reported to be running its WLAN without any form of encryption. The retailer responded by saying that its WLAN handled only its inventory application, so encryption wasn't needed. However, an open connection invites hackers to snoop around on the network to possibly get into confidential customer records or sensitive corporate information.


Internal Vulnerabilities


Because security risks for WLANs can come from both hackers and employees with the best of intentions, threats to WLAN security can be broken into internal vulnerabilities and external threats.


Internal vulnerabilities consist of rogue deployments, insecure configurations and accidental associations to neighboring WLANs.


  • Rogue WLANs: Rogue access points are a well-documented problem. In September 2002, Gartner Inc. projected that "through year-end 2004, employees' ability to install unmanaged access points will result in more than 50% of enterprises exposing sensitive information through WLANs." Employees can easily hide their rogue access points from wired-side sniffers by simply setting the access point to duplicate the Media Access Control (MAC) address of the laptop, an easy and often mandatory configuration for a consumer-grade access point when installed to a home cable or digital subscriber line modem. Other rogue deployments or unauthorized uses of WLANs can include ad hoc networks. These peer-to-peer connections among devices with WLAN cards don't require an access point or any form of authentication from other stations they're connected to. Ad hoc networks can be a convenient way for users to transfer files between stations or connect to shared network printers, but they present an inherent security risk: a station in ad hoc mode opens itself to a direct attack from a hacker who can download files from the victim's station or use the authorized station as a conduit to the entire network.


  • Insecure Network Configurations: Many organizations secure their WLANs with virtual private networks (VPN) and then mistakenly believe that the networks are bulletproof. Although it takes a highly sophisticated hacker to break a VPN, such a network can be like an iron door on a grass hut if the network isn't properly configured. Why would a thief try to pick the lock of the iron door if he could easily break through the thin walls of the hut? All security holes, big and small, can be exploited. Insecure configurations represent a significant concern. Default settings that include default passwords, open broadcasts of Service Set Identifiers (SSIDs), weak or no encryption, and lack of authentication can turn an access point into a gateway to the greater network. Even properly configured access points can be reconfigured by employees seeking greater operability, and they are often reset to default settings after a power surge or system failure.


  • Accidental Associations: Accidental associations between a station and a neighboring WLAN are just now being recognized as a security concern as enterprises confront the issue of overlapping networks. Accidental associations are created when a neighboring company across the street or on adjacent floors of the building operates a WLAN that emanates a strong radio-frequency signal that bleeds over into your building space. The WLAN-friendly Windows XP operating system enables your wireless users to automatically associate and connect to the neighbor's network without their knowledge. A station connecting to a neighboring WLAN can divulge passwords or sensitive documents to anyone on the neighboring network. Accidental associations can even link the two companies' networks together through this end user station, because it bypasses all internal security and controls.
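The three internal vulnerabilities above can be checked against an over-the-air survey, which still sees an access point whose cloned MAC address hides it from wired-side tools. The sketch below is an added example, not code from the article or from any product. The observation format, the inventories and every address and SSID in it are constructed for illustration.

```python
from dataclasses import dataclass

# All addresses, SSIDs and survey rows below are constructed sample data.
AUTHORIZED_APS = {"00:11:22:33:44:01": "corp-wlan",   # BSSID -> expected SSID
                  "00:11:22:33:44:02": "corp-wlan"}
MANAGED_STATIONS = {"00:aa:bb:cc:dd:10", "00:aa:bb:cc:dd:11"}
DEFAULT_SSIDS = {"default", "linksys", "netgear"}     # sample factory names
WEAK_ENCRYPTION = {"none", "wep"}

@dataclass
class Observation:
    kind: str                 # "ap", "adhoc" or "assoc"
    bssid: str                # access point or ad hoc cell address
    ssid: str = ""
    encryption: str = "none"  # "none", "wep" or "wpa"
    broadcast: bool = True    # SSID sent in beacons
    station: str = ""         # client MAC, for "assoc" rows

def audit(observations):
    """Return (address, finding) pairs for the internal vulnerabilities."""
    findings = []
    for o in observations:
        known = o.bssid in AUTHORIZED_APS
        if o.kind == "adhoc":
            findings.append((o.bssid, "ad hoc network"))
        elif o.kind == "assoc":
            # A managed laptop talking to an AP we do not own.
            if o.station in MANAGED_STATIONS and not known:
                findings.append((o.station, "association to unknown WLAN"))
        elif not known:
            # The air alone cannot tell a rogue from a neighbor's AP.
            findings.append((o.bssid, "unknown AP: rogue or neighbor"))
        else:
            if o.ssid != AUTHORIZED_APS[o.bssid] or o.ssid.lower() in DEFAULT_SSIDS:
                findings.append((o.bssid, "SSID changed or reset to default"))
            if o.encryption in WEAK_ENCRYPTION:
                findings.append((o.bssid, "weak or no encryption"))
            if o.broadcast:
                findings.append((o.bssid, "open SSID broadcast"))
    return findings

SURVEY = [
    Observation("ap", "00:11:22:33:44:01", "corp-wlan", "wpa", broadcast=False),
    Observation("ap", "00:11:22:33:44:02", "linksys", "none"),
    Observation("ap", "00:de:ad:00:00:99", "coffee", "none"),
    Observation("adhoc", "02:00:00:00:00:07", "printer-share"),
    Observation("assoc", "00:de:ad:00:00:99", station="00:aa:bb:cc:dd:10"),
]

if __name__ == "__main__":
    for address, finding in audit(SURVEY):
        print(address, finding)
```

An unknown access point seen on the air still has to be traced on the wired side before it can be called rogue rather than a neighbor's.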

External Threats

The internal vulnerabilities previously described open the door for intruders and hackers to pose more serious threats. However, the most secure WLANs aren't 100% safe from the continuously evolving external threats that include espionage, identity theft and other attacks, such as denial-of-service and man-in-the-middle attacks.



  • Eavesdropping and Espionage: Because wireless communications are broadcast over radio waves, eavesdroppers who merely listen to the airwaves can easily pick up unencrypted messages. Additionally, messages encrypted with the Wired Equivalent Privacy security protocol can be decrypted with a little time and easily available hacking tools. These intruders put businesses at risk of exposing sensitive information to corporate espionage.


  • Identity Theft: The theft of an authorized user's identity poses a serious threat. SSIDs that act as crude passwords and MAC addresses that act as personal identification numbers are often used to verify that clients are authorized to connect with an access point. Because existing encryption standards aren't foolproof, knowledgeable intruders can pick off authorized SSIDs and MAC addresses to connect to a WLAN as an authorized user with the ability to steal bandwidth, corrupt or download files and wreak havoc on the entire network.


  • Evolving Attacks: More sophisticated attacks, such as denial-of-service and man-in-the-middle attacks, can shut down networks and compromise the security of VPNs. Part 2 of this series, next week, will describe in greater detail how these attacks occur, in the section "Emerging Attacks on WLANs."

Brian Moran is marketing manager at Alpharetta, Ga.-based AirDefense Inc.
