RSA 2010 – Wireless security monitoring results
Motorola AirDefense performed its traditional wireless security monitoring at the RSA 2010 conference. The monitoring was conducted from Day 1 through Day 2 of the conference (March 2-3, 2010), and what follows is a summary of the findings:
Total of wireless clients detected: 2444.
293 Access Points were discovered, the majority of which (86%) were using some form of encryption (WEP, TKIP, AES/CCMP, etc.). Unfortunately, the majority (62%) of encrypted APs used encryption types known to be vulnerable to attack – WEP has been cracked for years, and TKIP is becoming increasingly vulnerable due to ongoing proof of concept research over the last 2 years – The recommended encryption is AES/CCMP.
An alarming number of ad-hoc (peer-to-peer) networks (315) were also discovered, which allow an attacker to impersonate a common SSID and potentially gain connectivity to the wireless station.
116 wireless clients were found to be associated to these ad-hoc networks using common Service Set Identifiers such as “Free Public WiFi,” “Free Internet Access”, “UCSB wireless web”, “Hotel WIFI”, and “lounge”.
A good percentage (55%) of the wireless networks were using WPA-PSK (pre-shared key) authentication. WPA-PSK is known to be vulnerable to dictionary attacks. Use of 802.11n enabled access points still appears to be low, but 802.11a appears to be more common this year, perhaps due to wider availability.
Wireless Client Activity and Maliciousness
More than half of the 2,444 wireless clients were found to be probing for multiple Service Set Identifiers (SSIDs), or the name of the wireless LAN. This makes these stations vulnerable to evil twin, hotspotter, and Man in the Middle attacks. These included laptops, PDAs, and phones with WiFi support. In fact, 1034 of the devices were Apple, and 206 were RIMM devices.
For those devices using Microsoft Windows, it’s recommended that administrators push out policies to desktop/laptops that disable Ad-Hoc support and disable “Automatically connect to non-preferred networks”. Similar settings can be found in other operating systems.
On the open networks, web-based email conversations were discovered, amongst other infrastructure data. Many web-based email sites provide for a secure login, but once logged in the email application is clear text. Numerous web-based emails from hotmail, gmail, and Yahoo! were discovered. These vulnerabilities expose web applications, web-based email, and critical infrastructure devices. Encryption should be used whenever possible.
Identity theft by Media Access Control (MAC) spoofing was observed from some wireless clients. This can sometimes be an indication of malicious users impersonating a legitimate access point or station with the goal of performing Man in the Middle attacks or bypassing access point security mechanisms. This was evidenced by the number of Ad-Hoc networks and Soft APs discovered at the show.
One of the more recent wireless attack vectors was also discovered. SSID SQL Injection attacks were identified coming from 4 different sources at the show. By injecting this into the SSID portion of a frame, one can potentially exploit vulnerable Access Points. This can then allow a backdoor into the Access Point and allow the attacker to change the Access Point configuration, thus allowing them open access to the network.
A variety of wired traffic was found to be leaking from the wireless networks as well, including: NetBIOS, STP, IPX, and IGMP. The unencrypted routing protocols reveal the inner workings of the network and are visible to anyone sniffing the traffic, also known as a form of Extrusion. This is a clear indication that firewall or filtering mechanisms are inappropriately configured and allowing undesirable traffic to leak from the wired networks. This information could be used by a hacker to enumerate the wired network and read information clear-text. Numerous Windows system names and usernames were enumerated during the analysis. All of this traffic should be properly blocked by a firewall by blocking not only incoming traffic (wireless to wired), but also outgoing traffic (wired to wireless).