Wireless security considerations

Brad Haines is chief researcher of Renderlab.net and a noted expert in the field of wireless security. Brad has spoken at many international conferences and taught several classes on free wireless assessment tools. He is also author of Seven Deadliest Wireless Technologies Attacks and a contributor to RFID Security and Kismet Hacking. In this interview he discusses wardriving, client attacks, WPA encryption, RFID technology and his latest book.

Given your experience as a wardriver, can you tell us what is the most common mistake those who set up wireless networks make?
After wardriving for 8 years and close to a quarter million access points with GPS locations added to wigle.net, I’ve seen a lot. Originally the common mistake was that people would not enable security at all.

The original ratio was 70/30 with 70% open, and 30% secured. That ratio has now flipped to 30/70 with 70% using some level of encryption, and 30% open and of those, many may be using 3rd party tools or security techniques not apparent froma passive scan.

Today the most common error seems to be with legacy devices and WEP. Game consoles and other technology that do not support WPA forcing the network to the lowest common denominator. This combined with a percentage of users still not doing anything to secure their networks means that there is always going to be a soft underbelly on every block.

What are the wireless client attacks favored lately by hackers?
Client man-in-the-middle attacks like Karma are a great deal of fun. Karma essentially turns your laptop into an access point that responds to any network probed by nearby clients. “I’m looking for XYZ network”, “Yup thats me”. “I’m looking for network FOO”, “Yup, that’s me too”. Combined with Metasploit to become Karmetasploit and you now have a to capture, exploit and generally control everything going into and out of the client. Apply this to target rich areas like airports and hotels and one can imagine the sort of chaos that can be created.

More advanced stuff that is getting to be fun is what Dragorn (of Kismet fame) and I have been playing with for a while. Using Airpwn to inject, not just images, but malicious Javascript. By injecting on open networks and setting up the script to cache forever, we can inject and replace common website scripts that execute our own content whenever the target pages are accessed again. This means that even back in the secure network of the office, our script is running.

The common logic is that to be exploited with your web browser, you have to visit some evil site. With this attack, we can inject the JavaScript exploit onto any site visited, meaning the most innocent site is an exploit vector.

Do you think that the pros of using RFID technology outweigh the cons?
Most of the cons of RFID are overblown by people who have little understanding of the technology or subscribe to conspiracy theories about its capabilities. The most common is that they can be read from space or other great distances. There are implementations that work over a few feet, but most are only a few inches.

At it’s heart, it’s all about an identification token and little more. Most tags, when queried, just spit out a number. This number then corresponds to a record in a database somewhere. The contents of the record are not stored on the chip. In the instance of he Verichip and it’s use as an identifier for medical records, it is just a simple ID number on the tag, not the whole records. The pro of being able to quickly identify the identity medical history of vulnerable people (i.e. the elderly, dementia patients, etc), easily outweigh any real risks associated with a simple ID number being able to be queried at a few inches.

Expanded further, there are many instances of schools embedding RFID tags into school uniforms for waypoint logging (I.e. getting off the bus) and attendance. Using a simple ID number which only means something to the backend database (and ignoring the potential for cloning or falsifying attendance). The argument against this is often that child predators will use these tags to identify targets. Well unless the system is bulky, expensive and high powered, the tags will only work from a few inches to a few feet, which by the time the predator is already close enough to tell everything they need to know about the child anyways. As long as the identifier is random and only correlates to a record on a secured backend, it’s not bad technology.

The biggest risk in RFID is people not understanding it’s capabilities and proper applications and implementing them incorrectly or unnecessarily creating false a false sense of features that will come back to haunt them.

Do you think it is time to think of an alternative to WPA encryption?
WPA2 is a pretty decent system. WPA v1 was an interim solution that could utilize the limited capability of WEP devices without causing a mass obsolescence. WPA2 was more thought out and takes advantage of modern algorithms and processing power. However, that is not to say it is without it’s issues.

The biggest issue is that no matter how great the security system, it’s hard to engineer away stupidity. People are predictable and often will choose simple, easy to guess passwords. The 802.11i specification mentions that with WPA2-PSK, anything less than 20 characters should not be considered a strong passphrase. How many people want or can remember a 20 character, pseudo-random alphanumeric passphrase with symbols? It usually ends up being the minimum length allowed in the standard; 8 characters, and is often their dogs name or something silly. This is not to say that there are not those who do it right, but there are still a vast majority of networks with passphrases like ‘fuzzyboots’.

I think that the only improvement I would make to WPA is to make it easier for small businesses and home users to utilize WPA2-Radius instead of WPA-PSK in addition to network segmentation. Why we do not see manufacturers stepping up and integrating radius servers on SOHO AP’s or even providing a small server program one could load on a spare PC is a great surprise to me. Yes, you could roll your own FreeRadius server and such, but it’s a fairly painful process and for a small company. Large enterprise solutions rarely scale down to very small companies who could benefit the most.

In terms of network segmentation, my Xbox does not need local LAN access, neither do my guests with their iPhones or other gadgets. Why not just have a separate network for it and any guests to my home? Apple and others are starting to do this with some of their late model routers, but why we are not seeing it go further, with separate networks for guests, gaming, the kids and the home office and appropriate QoS for each. There is something to the argument that most consumers would not use such a thing, but have we given them the choice before? Not really, so we don’t know if they’d use it.

What tips can you offer to security officers in an enterprise whose employees increasingly use wireless devices to do their job?
If your employees use wireless outside of the office, such as hotels or conferences, VPNs are a must. Force everything through the corporate network over a secure connection, don’t even let them use the local hotel network for a quick Google search.

While this may seem rather harsh, it extends the amount of control you have over content and allows you to utilize investments like Anti-Virus and NAC solutions even outside the office.

There are other solutions too. Wireless companies like Aruba networks offer the option of remote APs that the user can plug into the connection at the hotel and it will automatically create a tunnel back to the office, extending the corporate wireless network to their hotel room including their corporate authentication and the previously mentioned NAC and AV solutions, as well as any web filters and rules you specify for company assets.

At the very least, explaining to users that the wireless at a hotel is like a creepy van with ‘Free Candy’ painted on the side. You may think it’s safe, but you don’t know what’s inside. That access point available at the hotel may look tempting, but you never know whats actually going on inside until it’s too late.

Tell us about your book – Seven Deadliest Wireless Technologies Attacks. How long did the writing process take, any major difficulties?
The book was written for the user who needs to know where the sharp corners are, and how to avoid common security mistakes. The book is not just on wireless networks either, I made sure to cover things like Bluetooth, RFID and other technologies we use every day. It’s very much the “what do I need to know now?” kind of book. I answered a lot of the questions I get asked fairly frequently.

The writing went fairly fast, it’s a topic I work with day in and day out, so it was already on the tip of the tongue. In all I was started in October and finished before the end of December. I found myself doing a lot of the writing of chapters 4 and 5 over the North Atlantic on my way to Poland for a conference. Timezones and local connectivity issues made it difficult to get timely work done with my editor. I also found myself fighting deadlines because some content was developing as I wrote about it, and just not developing fast enough to meet the deadline. I pushed hard to get extensions so that the book had the most up to date information it could.