Wi-Fi Security Crisis

By Marty R. Milette
There's a storm brewing, and although we have only seen the first signs, she's gonna be a whopper! I'm talking about what I call the "Wi-Fi Security Crisis", and if you don't know what it is, better read on...
            
Q: Would you let a terrorist walk in off the street and call their buddies in Iran or Afghanistan using your phone?
            
Q: Would you allow a pervert to use your Internet connection to download child pornography?
            
Q: If you are a hotel General Manager, would you knowingly allow a thief to steal the data from a guest's computer?
            
EVERY DAY, this and much more happens at Wi-Fi hotspots around the world, but nobody seems too concerned about it -- WHY?
            
           Some recent examples:  
            
1. A US Military wardriving team finds an access point installed on the base granting open, unencrypted, unrestricted access to the internal US Military unclassified network. The access point is accessible from a K-Mart parking lot outside the military base.
            
           2. A six-page, full-color article in Russia's "Hacker Magazine" describes in complete, step-by-step detail how to attack hotspots of three Moscow Marriott Hotels operated by MoscomNET. 
            
3. Recent prosecution of a man for possession of child pornography. His defense that "he had an open access point so it must have been someone else" failed, and he's now looking at doing some hard time playing drop-the-soap with the other inmates.
            
Open, insecure access points aren't the only threat, but they make a great entry point. Just drive around with NetStumbler and see how many access points still have the default D-Link or Linksys SSID and even the default username and password for administrative access, and you will have a small sample of the scope of just one of the problems.
            
Even if the hotspot has reasonable measures to keep unauthorized users from accessing the Internet, few operators bother protecting legitimate users from intra-site attacks. Once the attacker can associate with an access point -- any access point -- they can begin port-scanning and attacking any users associated with the same access point and, most often, users associated with any access point in the entire hotspot -- all without needing any connectivity through the gateway.
            
Insecure, unpatched client computers are juicy targets for data thieves, or anyone wishing to implant key loggers, root kits or any other malware. Such computers are all too easily found with simple, freely downloadable scanning and analysis tools. On the Internet, stolen identities are bought and sold like so much coffee.
            
Interestingly enough, when I interviewed one of the major European authentication providers in preparation for writing another article and asked what his company was doing about security, his response was, "We don't worry much about it, the only hackers are in Russia..."
            
For operators with these attitudes, the wake-up call may be coming sooner than they think. Just go to Google Video and search for Wi-Fi, war driving or wireless hacking and you will find videos with step-by-step demonstrations on exactly how to do it and what tools to use.
            
Hotels represent a unique problem. Most hotel IT Managers are ill-equipped to understand, let alone respond to, the dangers wireless networks present. If the hotel is relying on a third-party operator to run their hotspot, the hotel IT Manager won't have access to or control of that network and couldn't apply additional security even if they wanted to.
            
This is the case in Moscow, where the three Marriott hotels rely on third-party operator MoscomNET to operate their hotspots. What baffles me is why virtually nothing has been done to secure the network since August 2006, when the Hacker Magazine article was published. To this very day, from the hacker's perspective, nothing has changed and the same vulnerabilities are still wide open.
            
One major flaw in the Marriott/MoscomNET Wi-Fi system is that they are still using MAC-address-based authentication. Such systems are wonderful for 'ease-of-use' but a total disaster with regards to security. (MAC addresses are the simplest thing in the world to harvest and spoof.)

For example, at the Moscow Marriott Aurora hotel, I borrowed a Wi-Fi adapter for my notebook computer, plugged it in and had instant, free access to the Wi-Fi network. How did that happen? Very simple: the guest who borrowed the adapter before me returned it while time still remained on his account. The MAC address of the adapter automatically authenticated me to the system -- no other credentials required.

And what if I did something evil, such as setting up a P2P server pirating music? As I had never purchased an account, the previous user of the account would receive the blame. As for attackers who simply capture MAC addresses out of the air and spoof them -- they are completely untraceable and can do whatever they want with complete impunity.
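As an added illustration (not code from the article or from any hotspot operator), here is a small Python model of two gateway session tables: one that authorises on the MAC address alone, as described above, and one that binds each session to a per-login secret the client must present. The class names, MAC addresses, account names and timings are constructed for the example.

```python
# Added example (not from the article): toy hotspot gateway session tables showing
# why authorising on the MAC address alone fails. All MACs, accounts and times are constructed.
import secrets

class MacOnlyGateway:
    """The flawed design: the client's MAC address is the only credential."""
    def __init__(self):
        self.sessions = {}        # mac -> (account, expiry)

    def purchase(self, mac, account, seconds, now):
        self.sessions[mac] = (account, now + seconds)

    def check(self, mac, now):
        """Account the traffic is billed to, or None if blocked. The paying guest,
        the adapter's next borrower and a MAC spoofer all look identical here."""
        entry = self.sessions.get(mac)
        if entry is None or now >= entry[1]: return None
        return entry[0]

class CredentialGateway:
    """Hardened: a per-login secret bound to the MAC must accompany every request
    (in practice inside an encrypted, authenticated link such as WPA2 with
    certificate-based authentication, as the article suggests)."""
    def __init__(self):
        self.sessions = {}        # token -> (account, mac, expiry)

    def login(self, mac, account, seconds, now):
        token = secrets.token_hex(16)     # unguessable, never observable on the air
        self.sessions[token] = (account, mac, now + seconds)
        return token

    def check(self, mac, token, now):
        entry = self.sessions.get(token)
        if entry is None or now >= entry[2]: return None
        account, bound_mac, _ = entry
        return account if mac == bound_mac else None   # a leaked token alone fails too

def demo():
    now, mac, hour = 1_000_000, "00:11:22:33:44:55", 3600   # constructed sample values
    flawed, hardened = MacOnlyGateway(), CredentialGateway()
    flawed.purchase(mac, "guest_a", hour, now)
    token = hardened.login(mac, "guest_a", hour, now)
    later = now + 600                  # guest A returns the adapter with 50 minutes left
    return {
        "borrowed_adapter_mac_only": flawed.check(mac, later),                        # 'guest_a'
        "borrowed_adapter_hardened": hardened.check(mac, None, later),                # None
        "leaked_token_other_mac": hardened.check("66:77:88:99:aa:bb", token, later),  # None
        "after_expiry_mac_only": flawed.check(mac, now + hour),                       # None
    }
```

In the MAC-only table the borrower is billed to, and blamed on, guest A's account, which is exactly the attribution problem described above; in the credential-bound table the borrowed adapter gets nothing without the secret, and a leaked secret is useless from another MAC.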
Who can be held responsible and accountable? Hotel General Managers? Hotspot operators? IT Managers? Authentication and roaming partners? There is plenty of blame to go around, but nobody wants to take responsibility or action.
As another example, I recently offered to give a free hotspot security analysis, seminar and consultation to six of the five-star hotels in the city of St. Petersburg, Russia. I contacted the General Managers directly, and got not a single reply to take me up on the offer. This tells me loud and clear that hotel GMs either don't understand that there is a problem or will not admit it. It seems the safety and security of the guest's computer or any other security matters are of no concern.
Is the problem a technical one? Not at all! Every commercial-grade access point is easily secured with WPA or WPA2. (Forget about WEP.) Newer commercial access points allow simultaneous dual-mode operation -- where the user can choose to associate insecurely or securely. This simple measure could reduce the risk of wireless eavesdropping to near zero. Only clients whose computers were incapable of operating in the secure mode would remain vulnerable.
So why don't hotspot operators implement even minimal security precautions? I suspect it could be:
1. Many Wi-Fi operators simply lack the knowledge, skills and experience to properly secure and monitor their networks.
Let's face it, setting up a couple of access points to share an Internet connection isn't rocket science -- but properly securing and managing even a small system does require knowledge, skills and experience well beyond the capability of the local 'computer guy'.
  2. Wi-Fi hotspot operators who are more concerned about profit than security. 
Secure systems ARE harder to manage and harder to use -- which is another reason commercial operators are less likely to implement even the most basic of security measures. Real security would mean implementing encryption all the way from the client to the gateway, and secure authentication -- likely implemented through a Public Key Infrastructure and digital certificates.
Of course I realize that some client systems cannot support certain security mechanisms, but at least give the client the option of borrowing supporting equipment and/or notify them of the potential hazards they could be exposed to.
The next article in this series will focus on specific forms of attack on Wi-Fi networks in more detail. For a copy, simply send an email to the author (marty .at. milette.com) with your request and you will be sent the article the moment it becomes available.