Motorola AirDefense performed wireless monitoring at the RSA conference. The monitoring was conducted from Day 1 through Day 2 of the conference (April 21-22, 2009). The following is a summary of the findings from the two days.
During the monitoring sessions, a total of 203 Access Points were discovered; 24 (10%) were Ad-hoc (peer-to-peer) networks. A total of 36 (18%) were open with no encryption; the rest were as follows:
- WEP: 18 (9%)
- WPA-PSK: 94 (46%)
- WPA2 Enterprise (AES-CCMP): 31 (15%)
This means that 85% of the APs present at the conference are vulnerable to attack, including encryption and password dictionary attacks.
A significant amount of co-channel interference was present due to the huge quantity of access points in close proximity: 21 APs were on Channel 6 and 26 were on Channel 11.
AirDefense detected 1023 total stations (laptops, PDAs, phones and vendor PCs):
- 85 (8.3%) devices were participating in Ad-Hoc networks using common SSIDs (Service Set Identifiers) such as “Free Public WiFi”, “Free Internet Access”, “Linksys”, “NETGEAR”, “attwifi”, “hhonors”, and “LAS Free Airport Access”. This is typically the result of an unpatched laptop or default laptop settings allowing users to associate to Ad-Hoc networks.
- Of all the laptops and other devices on the airwaves, AirDefense discovered that 23 had altered their MAC addresses. This is done either to blend into the environment or to hide the true identity of the device.
- 14 contained an unknown OUI (manufacturer/company ID) in the MAC address, one not registered with IEEE, a further indication of a user-defined MAC and malicious intent.
- 645 stations were found to be probing for multiple SSIDs.
- 21 stations were vulnerable to hotspotter attacks.
The security performance of the exposition floor was extremely poor, as one out of three (37%) packets had to be retransmitted due to congestion in the airwaves.
The spectrum analysis revealed almost full saturation on the 2.4GHz band, averaging 85% saturation, and points during the day at which the 5GHz band was 75% saturated.
Detected vulnerabilities and attacks
Identity theft by MAC spoofing (duplicate MAC addresses) was observed from stations such as laptops, PDAs, phones and vendor PCs. This can sometimes be an indication of malicious users impersonating other users in order to perform MITM (Man in the Middle) attacks or bypass Access Point security mechanisms.
In addition, Access Points and Stations were also found with duplicate MAC addresses. Many of these were determined to be Ad-hoc networks and SoftAP imposters, transmitting SSIDs found at the conference. These impersonation attacks lead users to unknowingly connect to malicious access points such as SoftAPs.
Wired traffic leaking from wireless – A variety of wired traffic was found to be leaking from the wireless networks, including NetBIOS, IPX, STP, and IGMP. This is a clear indication that firewall or filtering mechanisms are inappropriately configured and are allowing undesirable traffic to leak from the wired networks. This information could be used by a hacker to enumerate the wired network and read information in clear text.
Additional attacks were observed, including CTS (Clear to Send) flooding and deauthentication attacks. The intent of these types of attacks is to disrupt the network through DoS (Denial of Service).
Finally, a Honeypot AP (sometimes called a Honeyspot) was detected advertising 7 SSIDs, probably created by a tool like Karma or hotspotter. Some of the SSIDs observed were “hhonors”, “EMC”, and “Linksys”. These tools respond to any SSID a station probes for, answering as if they were the Access Point.
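One way a monitoring sensor can flag the honeypot AP and the AP/station duplicate MAC addresses described above, shown as an added example that is not AirDefense's code. The frame tuples, MAC addresses and the 3-SSID threshold are constructed assumptions, and the locally-administered-bit test is an extra heuristic alongside the unregistered-OUI check the report mentions.

```python
from collections import defaultdict

# Constructed sample observations (frame subtype, transmitter MAC, SSID);
# these are made-up values for illustration, not captured data.
FRAMES = [
    ("beacon",         "00:11:22:aa:bb:01", "ConferenceWiFi"),
    ("probe_response", "00:11:22:aa:bb:01", "ConferenceWiFi"),
    ("probe_request",  "00:11:22:cc:dd:10", "hhonors"),
    ("probe_response", "02:de:ad:be:ef:01", "hhonors"),
    ("probe_request",  "00:11:22:cc:dd:11", "EMC"),
    ("probe_response", "02:de:ad:be:ef:01", "EMC"),
    ("probe_request",  "00:11:22:cc:dd:12", "Linksys"),
    ("probe_response", "02:de:ad:be:ef:01", "Linksys"),
    ("probe_request",  "00:11:22:aa:bb:01", "attwifi"),
]

AP_SUBTYPES = {"beacon", "probe_response"}  # frames only an AP should send

def ssids_per_bssid(frames):
    """Map each transmitter acting as an AP to the set of SSIDs it claimed."""
    seen = defaultdict(set)
    for subtype, mac, ssid in frames:
        if subtype in AP_SUBTYPES:
            seen[mac.lower()].add(ssid)
    return seen

def honeypot_candidates(frames, threshold=3):
    """BSSIDs answering as the AP for at least `threshold` distinct SSIDs.
    The threshold is an assumed tuning value, not one from the report."""
    return sorted(m for m, s in ssids_per_bssid(frames).items() if len(s) >= threshold)

def dual_role_macs(frames):
    """MACs seen both as an AP and as a probing station (duplicate-MAC signal)."""
    aps = set(ssids_per_bssid(frames))
    stations = {mac.lower() for subtype, mac, _ in frames if subtype == "probe_request"}
    return sorted(aps & stations)

def is_locally_administered(mac):
    """True when the locally-administered bit (0x02 of the first octet) is set,
    meaning the address was not assigned from an IEEE-registered OUI."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

if __name__ == "__main__":
    for bssid in honeypot_candidates(FRAMES):
        print("possible honeypot AP:", bssid,
              "| user-defined MAC:", is_locally_administered(bssid))
    print("MAC seen as both AP and station:", dual_role_macs(FRAMES))
```

Client devices that randomize their MAC address also set the locally-administered bit, so treat that result as a signal to correlate with the other two checks rather than as proof on its own.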