Printers wirelessly leak PostScript, and Linksys routers are the most popular hot spots going—just a few examples of Wi-Fi vulnerabilities many companies don't even know they have or need to secure, says a Wi-Fi security expert.
BOSTON—Any company could have wireless networks nobody knows about—along with the network
security holes those networks bring.
That was one point raised by Amit Sinha, chief technology officer of
wireless security vendor AirDefense, in his March 26 presentation, "War of
the Airwaves: Next-Generation Risks and Defenses—What Hackers Know That You Don't"
at the SecureWorld Expo here.
"A contractor or auditor might set up their own access point, without
any security, providing backdoor access to the network that bypasses any
firewall or other edge security you have in place," Sinha pointed out.
Wired networks have always had a secure perimeter, that is, some form of physical
security where the internal network connected to the external network, Sinha
said. But with the introduction of wireless networking, the notion of a
physical perimeter goes away, he said, since RF (the wireless radio frequency
signal) can be picked up outside the premises.
Also, Sinha said, access points can leak information. Many multicast and
broadcast protocols were designed to operate within a trusted network
environment. Even if the networks are encrypted, a lot of information can still
leak out, "especially if you implement your wireless networks as
transparent bridges," he said.
In his presentation, Sinha showed the audience some of the types of wireless
attacks that have been seen over the past several years, and talked about what
midmarket and enterprise companies can do to mitigate some of these wireless
threats.
To illustrate the availability of unsecured 802.11 wireless networks, Sinha
brought up a mashup of the Wireless
Geographic Logging Engine, or Wigle.net, which gives GPS
coordinates for over 13 million wireless networks, and a Google Earth map for a
location in Washington where he had recently been that, at least in theory, had
no wireless, he said. The resulting display showed many wireless networks in
the vicinity, including many without security.
The world's most popular hot spots are Linksys boxes running default
settings—channel 6—with no WEP (Wired Equivalent Privacy), Sinha said. Another
popular hot spot is HPSETUP, for printers. While many banks, for example, think
they have no wireless networks, their printers are in fact wireless, meaning
that wireless eavesdroppers could download "entire PostScript buffer[s]"
of documents that have been printed, he said.
Another interesting network found with the Wigle.net/Google Earth mashup is Tsunami,
the default SSID (service set identifier)—meaning the ID for the particular
802.11 wireless LAN to which a user wants to
attach—for a Cisco device, Sinha said. "And since home users don't buy
enterprise access points, these are companies [using these networks]. You can
log in and change the Admin password and make sure you get optimal QOS [quality
of service] as an intruder."
Sinha also challenged the myth that Wi-Fi is local. Tests show that Wi-Fi
signals can often be picked up several blocks away, especially if line of sight
is available, he said. "You have to start thinking about your network—not
just about the cables but also the airspace," he said.
Today's network attackers have access to hundreds of tools, readily
available from Web sites, in bootable format, complete with a GUI. "These
tools are all free, you don't have to be an expert to use them and all you need
is a wireless device, nothing special, unless trying to attack cellular
networks," Sinha said.
Another common attack, he said, is to use SoftAP software to convert a
laptop to an AP. "At an airport, give it a bogus name, like 'Free Airline
Wi-Fi,' and people will connect to you, since there's no authentication. Or run
Karma, which responds to signals looking for known networks, like 'Home
Network.' Or a hacker can have two Wi-Fi cards—one pretends to be the access point,
one pretends to be the station... this can break SSH [Secure Shell] or HTTPS [HTTP
Secure], and get passwords in clear text. Wireless makes man-in-the-middle
attacks easy."
Companies shouldn't count on the security that comes with Wi-Fi devices,
either, Sinha cautioned. WEP, for one, is dead, he said, with 23 known attacks
against the encryption protocol. Cracking tools can break 128-bit WEP in less
than a few minutes, he said. WPA Pre-Shared Keys, with short dictionary phrases,
can be easily cracked. And the use of 802.1x with 802.11 is vulnerable to
session hijacking or man-in-the-middle attacks.
Sensors—listen-only APs—from companies like AirDefense let companies monitor
for rogue APs and other network threats.
A typical sensor might cover 20,000 to 50,000 square
feet of space. For companies on tight budgets or just getting started, AirDefense
has starter kits with five sensors and a lightweight server.
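
The kind of triage a listen-only sensor feed supports, as an added example (not code from AirDefense or from the talk): it flags the default SSIDs named above, unencrypted or WEP networks, and radios that are not in the company's AP inventory. The record fields, the `CorpNet` SSID, the signal-strength threshold and the sample survey are assumptions made for the illustration; `linksys` is the factory SSID on Linksys routers.

```python
from dataclasses import dataclass

# Default SSIDs named in the article, matched case-insensitively.
DEFAULT_SSIDS = {"linksys", "hpsetup", "tsunami"}
WEAK_ENCRYPTION = {"open", "wep"}  # unencrypted, or WEP


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    encryption: str  # e.g. "open", "wep", "wpa-psk", "wpa2-enterprise"
    rssi_dbm: int    # received signal strength at the sensor


def triage(beacons, inventory_bssids, corporate_ssids, onsite_rssi_dbm=-65):
    """Return {bssid: [findings]}; onsite_rssi_dbm is an assumed 'on premises' threshold."""
    inventory = {b.lower() for b in inventory_bssids}
    corporate = {s.lower() for s in corporate_ssids}
    report = {}
    for b in beacons:
        findings = []
        known = b.bssid.lower() in inventory
        ssid = b.ssid.lower()
        if ssid in DEFAULT_SSIDS:
            findings.append("default-ssid")
        if b.encryption.lower() in WEAK_ENCRYPTION and (known or b.rssi_dbm >= onsite_rssi_dbm):
            findings.append("weak-or-no-encryption")
        if not known and ssid in corporate:
            findings.append("corporate-ssid-from-unknown-radio")
        elif not known and b.rssi_dbm >= onsite_rssi_dbm:
            findings.append("strong-signal-not-in-inventory")
        if findings:
            report[b.bssid] = findings
    return report


# Constructed survey records (not real networks); 02:... MACs are locally administered.
SAMPLE = [
    Beacon("CorpNet", "02:00:00:00:00:01", 1, "wpa2-enterprise", -48),
    Beacon("linksys", "02:00:00:00:00:02", 6, "open", -52),
    Beacon("HPSETUP", "02:00:00:00:00:03", 10, "open", -60),
    Beacon("CorpNet", "02:00:00:00:00:04", 11, "open", -55),
    Beacon("CoffeeShop", "02:00:00:00:00:05", 6, "wpa-psk", -84),
]
INVENTORY = {"02:00:00:00:00:01", "02:00:00:00:00:03"}
```

Calling `triage(SAMPLE, INVENTORY, {"CorpNet"})` leaves out the inventoried, well-configured AP and the distant neighbour network, and reports the other three radios for follow-up.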