Wireless (In)Security: 5 WiFi Client (Mis)Uses
By CWNP on 08/03/2009
My previous post (WiFi Rogue AP: 5 Ways to “Use” it) talked about the (mis)uses of a Rogue AP. This post looks at the other challenge: security issues with WiFi clients. WiFi clients come from different vendors and are available in several flavors. They are embedded in today’s notebooks, which often carry sensitive enterprise and personal data. By their very nature, such clients are highly dynamic. I am sure that network administrators managing even moderate-sized enterprises can relate to the following two issues: first, the hassle of maintaining an accurate list of enterprise WiFi clients, and second, controlling the WiFi profile of each client (the WiFi profile of a client determines its mode of operation, the wireless networks it will try to connect to, and its security settings). Although a controller-based wireless LAN (WLAN) infrastructure can mitigate the first issue, it may not be of much help in controlling the WiFi profile of enterprise clients. Hence, every enterprise can potentially have such “mis-configured” WiFi clients. They can be exploited by an attacker in the following 5 ways.
1. Passive Sniffing
WiFi clients probe the medium at regular intervals. An attacker can just turn on his favorite sniffer to reconstruct the WiFi profile configured on a client. This can reveal whether the client can connect to open APs, which SSIDs are programmed into it, and whether it accepts ad hoc connections. Such leakage cannot be prevented even if your enterprise WLAN uses the best available cryptographic security (WPA2, 802.1X, CCMP) for 802.11 data packets, because probe requests are unencrypted management frames. Further, a client can potentially “seep” out other valuable tidbits about your enterprise network (e.g., DNS server, IP subnet, active services on the client). This can happen if your enterprise WLAN does not encrypt 802.11 broadcast communications.
2. (Wi)Phishing
If an enterprise client is probing for networks that are vulnerable, a “honey pot” can be set up to lure the client. The exact nature of the honey pot will depend on the WiFi profile of the client. If a client is probing for a hotspot SSID or a metro WiFi SSID, setting up an AP with that specific SSID is useful. Alternatively, setting up an “evil twin” of an authorized AP can sometimes succeed in luring clients. Once an attacker gets the client to connect, he can launch man-in-the-middle (MITM) attacks and do virtually anything (e.g., get passwords, access files, propagate worms and trojans). Several public domain tools are available to launch this attack, e.g., Karma, DeleGate, Hotspotter, AirJack. An advanced form of this attack is a “Multipot”, where multiple APs are used as honey pots. These can easily evade some of the popular intrusion prevention techniques used in wireless intrusion detection and prevention systems (WIPS).
3. Ad hoc connections
WiFi ad hoc networks (802.11 IBSS connections) are very convenient for sharing data amongst WiFi clients. WiFi users are often very fond of using ad hoc networks. It can be driven by the fact that they are not able to share their favorite video with a colleague via the enterprise WLAN (yes, I am talking of Cisco PSPF). Or, they want to access a network printer that supports only ad hoc connections. Or, simply because there is an enterprise policy that forbids the use of ad hoc networks! Whatever the reason, ad hoc networks are inherently insecure and can provide a very easy entry point into your enterprise network. Apart from compromising the particular machine, an attacker can use the connection as a launch pad for accessing the rest of the enterprise network.
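The profile reconstruction described under Passive Sniffing, and the ad hoc detection this section calls for, are the kind of thing a WIPS sensor or a client audit does over a capture. The following is an added example (not code from the original post): it parses raw 802.11 management frames, records the SSIDs each station probes for plus whether it sends broadcast probes, flags stations beaconing with the IBSS capability bit set (ad hoc mode), and lists the clients an administrator should chase up. The watch list, MAC addresses and SSIDs are constructed for the example.

```python
import struct
from collections import defaultdict
# Hypothetical watch list of hotspot / consumer SSIDs (constructed for this example).
WATCHED_SSIDS = {"attwifi", "tmobile", "linksys", "Free Public WiFi"}
# 802.11 management header: frame control, duration, addr1, addr2 (SA), addr3, seq ctl
MGMT_HDR = struct.Struct("<HH6s6s6sH")

def tagged(params):  # yield (element id, value) from a tagged-parameter area
    i = 0
    while i + 2 <= len(params):
        eid, ln = params[i], params[i + 1]
        yield eid, params[i + 2:i + 2 + ln]
        i += 2 + ln

def parse_mgmt(frame):  # -> (subtype, source MAC, body) for management frames, else None
    if len(frame) < MGMT_HDR.size:
        return None
    fc, _, _, sa, _, _ = MGMT_HDR.unpack_from(frame)
    if (fc >> 2) & 0x3 != 0:  # frame type 0 = management
        return None
    return (fc >> 4) & 0xF, sa.hex(":"), frame[MGMT_HDR.size:]

def build_profiles(frames):  # reconstruct each station's apparent WiFi profile
    profiles = defaultdict(lambda: {"probed": set(), "wildcard": False, "ibss": False})
    for parsed in filter(None, map(parse_mgmt, frames)):
        subtype, sa, body = parsed
        if subtype == 4:  # probe request: SSID element (id 0) names a configured network
            for eid, val in tagged(body):
                if eid == 0 and val:
                    profiles[sa]["probed"].add(val.decode("utf-8", "replace"))
                elif eid == 0:
                    profiles[sa]["wildcard"] = True  # broadcast probe: will take any SSID
        elif subtype == 8:  # beacon: IBSS capability bit set means an ad hoc station
            cap = struct.unpack_from("<H", body, 10)[0]  # after timestamp(8)+interval(2)
            profiles[sa]["ibss"] |= bool(cap & 0x0002)
    return profiles

def risky_clients(profiles):  # ad hoc stations, or clients probing for a watched SSID
    return sorted(sa for sa, p in profiles.items() if p["ibss"] or p["probed"] & WATCHED_SSIDS)

# Constructed sample frames standing in for a capture; MACs and SSIDs are made up.
def _probe_req(sa, ssid):
    hdr = MGMT_HDR.pack(0x0040, 0, b"\xff" * 6, sa, b"\xff" * 6, 0)
    return hdr + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])
def _beacon(sa, ssid, cap):
    hdr = MGMT_HDR.pack(0x0080, 0, b"\xff" * 6, sa, sa, 0)
    return hdr + struct.pack("<QHH", 0, 100, cap) + bytes([0, len(ssid)]) + ssid
SAMPLE_FRAMES = [_probe_req(b"\x00\x11\x22\x33\x44\x55", b"CorpNet"),
                 _probe_req(b"\x00\x11\x22\x33\x44\x55", b"attwifi"),
                 _probe_req(b"\x00\x11\x22\x33\x44\x66", b""),
                 _beacon(b"\x00\x11\x22\x33\x44\x77", b"MyAdhoc", 0x0022)]
```

Feeding `build_profiles` the frames from a monitor-mode capture gives the same per-client view an attacker's sniffer would, which is exactly what you want to review before an attacker does.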
4. Fuzzing
Based on the WiFi profile of a client, certain random packets can be crafted and injected at the client. This activity (called fuzzing) helps to discover potential security holes in the client implementation. Fuzzing can be tried with packets that do not conform to the 802.11 standard, or with packets that exploit common implementation issues (say, buffer overflows). An attacker can potentially crash a client machine by injecting such packets. If the attacker happens to be blessed (read as: if the client implementation sucks), he may even end up getting root or admin access on the client.
5. WiFi client bridging and Internet Connection Sharing (ICS)
We are familiar with the “soft AP”, using which a Windows-based client notebook can be converted into an AP. This requires certain specific WiFi cards and specialized drivers on the notebook. However, here is a much easier way of achieving a similar effect: configure a Windows client to act as a bridge between its wired and wireless interfaces. A well-meaning employee may inadvertently enable this bridging, or a “guest” user who visits your premises can deliberately do so. In any case, you are potentially allowing layer 2 access to your enterprise network from the parking lot. Comparable access can be achieved via ICS, which is NAT-like functionality provided by Windows. Note that all of this can be done without sneaking in a Rogue AP!
I would love to hear about your experiences in tackling WiFi client (in)security in your enterprise. Thanks, Gopi (Follow me on Twitter: @gopinathkn)
Blog Disclaimer: The opinions expressed within these blog posts are solely the author’s and do not reflect the opinions and beliefs of the Certitrek, CWNP or its affiliates.