
Wireless vulnerability assessment

Bruce Potter, Network Security, June 2005

Only a few years ago, wireless networking was still a magical art. Special wireless cards had to be bought and plugged into existing computers. Drivers had to be downloaded from vendors regularly because they were buggy and under constant development. Home use access points cost more than $300 and enterprise access points did not really exist.

Fast-forward a few years. 802.11 networking is nearly ubiquitous at home and the office. The major operating systems have native support for 802.11 networking. Wireless LAN radios are integrated into most modern laptops and are even popping up in entertainment devices like Sony’s PSP portable game platform. And access points can be purchased for a tenth of the cost three years ago.

From an enterprise security perspective, this trend paints a bleak picture. Even though the wireless security standards have improved dramatically - from primitive WEP-based security to 802.11i with bi-directional certificate authentication and AES encryption - there are now more wireless devices to contend with than ever. Wireless entry points can be anywhere on your network and may be a gateway for attackers into the ‘soft middle’ of your enterprise. So, discovering unauthorized wireless devices and shutting them down is a top priority for many IT shops.

Tools of the trade

The act of auditing for wireless devices can take many forms. Some organizations choose to run spot audits examining their spaces for unauthorized wireless devices. These spot audits basically boil down to war-driving your own facilities. The tools used in this type of activity are nearly indistinguishable from a standard war-driving toolkit: a piece of software like the open source Kismet [1], a low-gain omnidirectional antenna, a wireless card with an external antenna connector, a GPS, and the proper cables to hook it all together.

Tools like Kismet are very effective at finding 802.11 devices. Both access points and wireless clients can be found by Kismet, though active scanners such as NetStumbler will miss some of the more stealthy devices. There are commercially available 802.11 auditing tools like Network General’s Sniffer Portable. These commercial tools are basically functionally equivalent to Kismet; however, they tend to have a friendlier graphical interface and actual vendor support.

Periodic audits are only as good as their frequency. If a facility is audited every three months, there is potential for a rogue wireless device to be connected to the network for quite a while before it is discovered and shut down. To combat that, some organizations are developing sensor networks that monitor facilities constantly for wireless devices.

Kismet has the ability to be deployed in a sensor/server architecture, with many sensors constantly reporting on devices near them. However, the Kismet interface is not designed for ongoing operations, as it is difficult to whitelist, blacklist, or otherwise maintain state on discovered devices. Tools like AirDefense [2], a wireless IDS solution, actually make a great tool for keeping tabs on what wireless devices are near your enterprise. While it is overtly an intrusion detection tool, its UI allows for rapid analysis of discovered wireless devices and provides long-term persistence of information.

Tools for auditing
• Kismet.
• NetStumbler.
• Network General’s Sniffer Portable.
• AirDefense.

The vulnerabilities

There are three major types of vulnerabilities to be aware of:

• Unauthorized access points.
• Poorly configured access points.
• Rogue clients.

Unauthorized access points (one type of “rogue” access point) are access points plugged directly into the internal network and not allowed to be there. These types of access points are often installed by non-IT employees to add their own personal wireless access to a building. Before wireless security was really well-publicized, this was a common problem. Unauthorized access points provide a gateway to the internal network and are outside of an enterprise IT staff’s control. But as the dangers of wireless networking have gained more and more press coverage, many employees have had the ‘fear of God’ put in them about using wireless, and fewer of them are willing to bring their own access point (and security vulnerability) to work.

When looking for wireless devices, an auditor may find legitimate access points that are poorly configured. Default SSIDs, no WEP or 802.11i security, and default management passwords are common problems. These poorly configured access points are as inviting to an attacker as an unauthorized access point and should be found and fixed immediately. Hopefully, in most organizations, there are standard best practices that keep misconfigured access points from actually being deployed.

Most modern enterprises are plagued by rogue wireless clients. As more and more laptops are being built with integrated wireless, more users are taking their laptops to places such as their homes, Starbucks, and even conferences. When on the road, users may tell their laptops to automatically attempt to associate to any of their known networks.

In most modern operating systems, including Windows XP and OS X, this causes a security vulnerability. When the host first turns on or can’t find a wireless network, it sends probes looking for any previously known wireless network. For instance, if a user normally uses networks named “Starbucks”, “HomeNet”, and “Work”, their laptop will send probes for each of those network names over and over again until it finds one of them.

This is dangerous because attackers only need to stand up their own attack access point with the name of one of these trusted networks in order to establish a connection with the laptop. Once that connection has been created, the attacker can attempt to subvert the host via the normal attack mechanisms (trying guest users, exploiting known vulnerabilities, etc.). In a recent penetration class I taught, each of the 24 class members brought their own laptop to use in the class and most of them had integrated wireless. When I fired up Kismet, I found the laptops probing for more than 120 different networks.

Even though we did not have a legitimate wireless network, I was able to compromise several hosts by pretending to be a trusted wireless network.
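As an added example (not from the article, nor from Kismet or AirDefense), the following Python audits constructed 802.11 management frames the way a sensor would: it classifies each beaconing access point as open, WEP or 802.11i and flags default SSIDs (the poorly configured access points above), and it collects the SSIDs each client probes for, so laptops leaking a list of trusted network names, as in the class described above, stand out. The frame builders, MAC addresses, SSIDs, threshold and default-SSID list are all assumptions made for the example.

```python
import struct

SUBTYPE_PROBE_REQ, SUBTYPE_BEACON = 0x4, 0x8   # 802.11 management frame subtypes
IE_SSID, IE_RSN = 0, 48                       # element IDs: SSID, RSN (802.11i)
CAP_PRIVACY = 0x0010                          # capability bit set when WEP or RSN is in use
DEFAULT_SSIDS = {"linksys", "default", "NETGEAR", "dlink"}  # assumed vendor defaults

def parse_ies(body):                          # information elements -> {element id: data}
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies[eid] = bytes(body[i + 2:i + 2 + ln])
        i += 2 + ln
    return ies

def parse_mgmt(frame):                        # -> (subtype, transmitter MAC, capability, IEs)
    if (frame[0] >> 2) & 0x3 != 0:            # frame control type bits: 0 = management
        return None
    subtype, src = frame[0] >> 4, ":".join(f"{b:02x}" for b in frame[10:16])  # addr2
    body, cap = frame[24:], 0                 # body follows the 24-byte management header
    if subtype == SUBTYPE_BEACON:             # timestamp(8) + interval(2) + capability(2)
        cap, body = struct.unpack_from("<H", body, 10)[0], body[12:]
    return subtype, src, cap, parse_ies(body)

def audit(frames, probe_threshold=3):
    """Classify each beaconing AP's security; flag clients probing for many known SSIDs."""
    aps, probes = {}, {}
    for subtype, src, cap, ies in filter(None, map(parse_mgmt, frames)):
        ssid = ies.get(IE_SSID, b"").decode("utf-8", "replace")
        if subtype == SUBTYPE_BEACON:
            sec = "802.11i" if IE_RSN in ies else "WEP" if cap & CAP_PRIVACY else "open"
            aps[src] = {"ssid": ssid, "security": sec, "default_ssid": ssid in DEFAULT_SSIDS}
        elif subtype == SUBTYPE_PROBE_REQ and ssid:   # skip broadcast (empty-SSID) probes
            probes.setdefault(src, set()).add(ssid)
    return aps, {m: sorted(s) for m, s in probes.items() if len(s) >= probe_threshold}

# Constructed sample frames (not captured data): 24-byte header + body, no FCS.
def mgmt_frame(subtype, src, body):
    return bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00" + body
def beacon(src, ssid, cap, rsn=False):
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    ies += bytes([IE_RSN, 2, 1, 0]) if rsn else b""   # truncated RSN element (version only)
    return mgmt_frame(SUBTYPE_BEACON, src, b"\x00" * 8 + b"\x64\x00" + struct.pack("<H", cap) + ies)
def probe_req(src, ssid):
    return mgmt_frame(SUBTYPE_PROBE_REQ, src, bytes([IE_SSID, len(ssid)]) + ssid.encode())
SAMPLE = [beacon(b"\x00\x11\x22\x33\x44\x01", "linksys", 0x0001),             # open, default SSID
          beacon(b"\x00\x11\x22\x33\x44\x02", "corp-wlan", 0x0011, rsn=True), # 802.11i
          beacon(b"\x00\x11\x22\x33\x44\x03", "legacy", 0x0011)]              # WEP only
SAMPLE += [probe_req(b"\x00\xaa\xbb\xcc\xdd\x01", s) for s in ("Starbucks", "HomeNet", "Work")]
SAMPLE += [probe_req(b"\x00\xaa\xbb\xcc\xdd\x02", "Work")]                    # below threshold
```

Running `audit(SAMPLE)` reports the open default-SSID access point and the WEP-only one as findings, and lists the client probing for three remembered networks; on real traffic the frames would come from a monitor-mode capture rather than the constructed builders.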

Finding the devices

So once a device is found with a piece of scanning software, it must be physically found, examined, and shut off. This is sometimes easier said than done. The initial reaction to this problem may be to break out a directional antenna and slowly spin in a circle until you find the direction the strongest signal is coming from. The idea would then be to follow that signal in that direction until the device in question is found.

The problem with this approach is it generally doesn’t work when there are many buildings or inside a building. Signal reflections and attenuation from things like trees can lead you on wild goose chases. Oftentimes you will find yourself chasing a reflected signal and actually moving away from the device in question.

GPS mapping software (like GPSmap that comes with Kismet) is a much better starting point. Using the output from a GPS and maps of your area, you can narrow down which access points are within your physical boundaries and which belong to your neighbours. Furthermore, you will be able to at least get a feel for what section of a building the device is in.

Once inside a building, the job gets a bit more difficult. One of the best methods for finding devices inside is using a very low-gain antenna with a variable attenuator. The variable attenuator basically works to reduce the gain of the external antenna. As you get closer to the device, you will get a stronger and stronger signal. By increasing the attenuation, you can reduce the signal again, allowing you to better home in on the device. Eventually, with some patience, you will be able to find the device in question and potentially remove it from service.

Specialized software like AirDefense Mobile has built-in direction finding capability. However, tools like AirDefense Mobile rely on their stationary sensors to triangulate the location of rogue devices and relay that information to the mobile station. This method is good for a practical resolution of about 12 feet indoors. However, in a cubicle farm, a 12-foot radius circle may still be very difficult to check.

Parting shot

Wireless auditing and vulnerability assessment has become a critical task for an IT security organization. The continued integration of 802.11 with laptops, game consoles, and entertainment devices is making a once simple job more complicated. It is now no longer good enough to look periodically for rogue access points connected to a network. A wireless audit must analyze hundreds of devices on or near the physical boundaries of an enterprise in near real-time to counter the risks created by rogue devices. Furthermore, these devices must be physically located and dealt with on a case-by-case basis. Thankfully the tools at our disposal have become more robust and user friendly. So while wireless auditing is still not a simple task, at least it is an achievable one.

References
[1] www.kismetwireless.net
[2] www.airdefense.net

About the author
Bruce Potter is currently a senior security consultant at Booz Allen Hamilton.
