Wi-fi Security Crisis By Marty R. Milette - There's a storm brewing, and although we have only seen the first signs, she's gonna be a whopper! I'm talking about what I call the "Wi-Fi Security Crisis", and if you don't know what it is, better read on...
Q: Would you let a terrorist walk in off the street and call their buddies in Iran or Afganistan using your phone?
Q: Would you allow a pervert to use your Internet connection to download child pornography?
Q: If you are a hotel General Manager, would you knowingly allow a thief to steal the data from a guest's computer?
EVERY DAY, this and much more happens at Wi-Fi hotspots around the world, but nobody seems too concerned about it -- WHY?
Some recent examples:
1. A US Military wardriving team finds an access point installed on the base granting open, unencrypted, unrestricted access to the internal US Military unclassified network. The access point is accessible from a K-Mart parking lot outside the military base.
2. A six-page, full-color article in Russia's "Hacker Magazine" describes in complete, step-by-step detail how to attack hotspots of three Moscow Marriott Hotels operated by MoscomNET.
3. Recent prosecution of a man for posession of child pornography. His defense that "he had an open access point so it must have been someone else" failed, and he's now looking at doing some hard time playing drop-the-soap with the other inmates.
Open, insecure access points aren't the only threat, but they make a great entry point. Just drive around with NetStumbler and see how many access points still have the default D-Link or Linksys SSID and even the default username and password for administrative access and you can have a small sample of the scope of just one of the problems.
Even if the hotspot has reasonable measures to protect unauthorized users from accessing the Internet, few operators bother protecting legitimate users from intra-site attacks. Once the attacker can associate with an access point -- any access point -- they can begin port-scanning and attacking any users associated with the same access point, and most often, users associated with any access point in the entire hotspot -- all without needing any connectivity through the gateway.
Insecure, unpatched client computers are juicy targets for data thieves, or anyone wishing to implant key loggers, root kits or any other malware. Such computers are all too easily found with simple, freely downloadable scanning and analysis tools. On the Internet, stolen identities are bought and sold like so much coffee.
Interestingly enough, when interviewing one of the major European authentication providers in preparation for writing another article, when asked what his company was doing about security, his response was, "We don't worry much about it, the only hackers are in Russia..."
For operators with these attitudes, the wake-up call may be coming sooner than they think. Just go to Google Video and search for Wi-Fi, war driving or wireless hacking and you will find videos with step-by-step demonstrations on exactly how to do it and what tools to use.
Hotels represent a unique problem. Most hotel IT Managers are ill equipped to understand let alone respond to the dangers wireless networks present. If the hotel is relying on a third-party operator to run their hotspot, the hotel IT Manager won't have access or control of that network and couldn't apply additional security even if they wanted to.
This is the case in Moscow where the three Marriott hotels rely on third-party operator MoscomNET to operate their hotspots. What baffles me is why virtually nothing has been done to secure the network since August 2006, when the Hacker Magazine article was published? To this very day, from the hacker's perspective, nothing has changed and the same vulnerabilities are still wide open.
One major flaw in the Marriott/MoscomNET Wi-Fi system is that they are still using MAC-address-based authentication. Such systems are wonderful for 'ease-of-use' but a total
disaster
with regards to security. (MAC addresses are the simplest thing in
the world to harvest and spoof.)
For example, at the Moscow
Marriott Aurora hotel, I borrowed a Wi-Fi adapter for my notebook computer,
plugged it in and had instant, free access to the WiFi network. How did that happen? Very simple, the guest who borrowed the
adapter before me returned it while time still remained on his account. The MAC
address from the adapter automatically authenticated me to the system -- no other
credentials required.
And what if I did something evil, such as setting
up a P2P server pirating music? As I had never puchased an account, the previous
user of the account would receive the blame. As for attackers just capturing
MAC addresses out of the air and spoofed them -- they are completely untracable
and can do whatever they want with complete impunity.
Who can be held
responsible and accountable? Hotel General Managers? Hotspot operators? IT Managers?
Authentication and roaming partners? There is plenty of blame to go around, but
nobody wants to take responsibility or action.
As another example, I recently
offered to give a free hotspot security analysis, seminar and consultation to
six of the five-star hotels in the city of St. Petersburg Russia. I contacted
the General Managers directly, and got not a single reply to take me up on the
offer. This tells me loud and clear that hotel GMs either don't understand that
there is a problem or will not admit it. It seems the safety and security of
the guest's computer or any other security matters are of no concern.
Is
the problem a technical one? Not at all! Every commercial-grade access point
is easily secured with WPA or WPA-2. (Forget about WEP.) Newer commercial access
points allow simultaneous dual-mode operation -- where the user can choose to
associate insecurely or securely. This simple measure could reduce the risk of
wireless eavesdropping to near zero. Only clients whose computers were incapable
of operating in the secure mode would remain vulnerable.
So why don't
hotspot operators implement even minimal security precautions? I suspect it could
be:
1. Many WiFi operators simply lack the knowledge, skills and experience to properly
secure and monitor their networks.
Let's face it, setting up a couple
of access points to share an Internet connection isn't rocket science -- but
properly securing and managing even a small system does require knowledge, skills
and experience well beyond the capability of the local 'computer guy'.
2.
Wi-Fi hotspot operators who are more concerned about profit than security.
Secure
systems ARE harder to manage and harder to use -- which is another reason commercial
operators are less likely to implement even the most basic of security measures.
Real security would mean implementing encryption all the way from the client
to the Gateway, and secure authentication -- likely implemented through a Public
Key Infrastructure and digital certificates.
Of course I realize that
some client systems can not support certain security mechanisms, but at least
give the client the option of borrowing supporting equipment and/or notifying
them of the potential hazards they could be exposed to.
The next article
in this series will focus on specific forms of attack on Wi-Fi networks in more
detail. For a copy, simply send an email to the author (marty .at. milette.com)
with your request and you will be sent the article the moment it becomes available. |