Republished with permission from WatchGuard Technologies, Inc.

WatchGuard


Hot Spot or Hot Zone?

Understanding the Hazards of Public WiFi LANs

By David Piscitello, President, Core Competence

Its presence is spreading. Order a cup of coffee, or a burger, then use WiFi to surf the 'net. Waiting for a delayed flight? Use WiFi to surf the 'net. Relaxing poolside in a luxury hotel when seized by the urge to IM your buddy? Use WiFi to surf the 'net.

Internet access via a public Wireless LAN, also known as a hotspot, is available nearly everywhere, and it's easy to access. Most hotspots are reasonably priced: many are free, or free with other purchase from the franchising merchant. Some hotspot operators (Boingo, for example) even provide client software that identifies WiFi signals of locations that offer their Hotspot services. The catch? WiFi hotspots can be hot zones for unsuspecting end users and unprotected laptops and handheld devices.

How a Hotspot can become a Hot Zone

A hot zone is a danger area due to biological, chemical, or nuclear contamination. Areas like Chernobyl and Love Canal became hot zones because safeguards against contamination were inadequate or non-existent. A wireless hotspot, too, may offer no or inadequate safeguards to protect users against:

  • Viruses and other malware
  • Denial of service attacks
  • Attacks against services you run (e.g., Microsoft file sharing, Web, ftp, Instant and even Short Messaging Services)
  • ARP poisoning, and
  • Various hijacking and phishing attacks.

First rule of thumb for safer public WiFi use: treat a hotspot as an untrusted network. Protect your laptop or handheld from attack by installing and maintaining antivirus and personal firewall software. Otherwise, viruses may be transmitted to an open file share over a hotspot network, maliciously or benignly, and then to you. You also risk infection if the hotspot operator doesn't prevent station-to-station connections: certain viruses and blended threats try to propagate using network and file sharing services.

Personal firewalls are especially important if the WiFi service you use assigns you a public IP address (as opposed to a private IP address). A public IP address exposes your laptop to attacks from the Internet at large, whether you are using WiFi, dialup, cable modem, DSL, or hotel business center (wired) Ethernet connections. If you were to monitor activity at hotspots using an Ethereal LAN analyzer, you would see attempts to connect to file shares on your system, as well as port scans and OS fingerprinting traffic coming into the wireless LAN from all over the Internet.

Attacking Hotspots

Public wireless networks heighten the risks of some exploits -- for example, eavesdropping is quite common at hotspots. An attacker doesn't need to be associated with a hotspot Access Point to monitor and capture traffic (it's radio!). By deploying a rogue AP, an attacker can perform numerous "man in the middle" attacks against a user. "Man in the middle" refers to a wide range of techniques where an attacker sits invisibly between two legitimate parties, intercepts their transmissions, and can passively spy, or actively modify the passing data without the legit parties realizing it. Classic "man in the middle" attacks include modifying data (changing "don't authorize" to "authorize"), injection (changing "pay $10.00" to "pay $10,000.00"), and replay (capturing passwords or authentication strings from a legitimate sign-on, then replaying them later to impersonate a valid user). Thus, rule number two for Hotspot users: use VPN to your workplace, and be certain to use SSL if you visit e-merchant, e-financial, or other sites where you may access and transmit sensitive or personal information. Attackers can still see your sessions, but since your data are encrypted, unless the attacker intends to target you specifically he will move on to the easier unencrypted victims.

Denial of Hotspot Service

My partner, Lisa Phifer, and I know of and have seen all sorts of denial of service attacks specifically designed for WLANs. For example, at the radio level, an attacker may try to jam a wireless network by injecting strong interfering radio signals at the network to overwhelm intended signals (but some countermeasures are possible, as described here). At the MAC level, attackers try to exploit the IEEE 802.11 medium arbitration algorithm (DCF) that is intended to prevent stations from transmitting at the same time. It's also possible to flood or airjack an access point with 802.11 Associate or Disassociate frames attacks, or attack an authentication system using a variety of IEEE 802.1x DoS attacks. Aruba Networks describes these and more DOS attacks here.

Phishing for logins and credit cards

One form of phishing specifically targets unsuspecting WiFi hotspot users. An attacker finds a location near a hotspot and operates a rogue AP (with a tool such as AirSNARF) to attract would-be customers of that hotspot. Anyone who associates with the rogue AP is directed to the attacker's Web site, which is designed to look like the sign-on or login portal of the hotspot operator. The duped user then submits access (account) credentials, personal and credit card information to the Web forms of the phony login. Attackers can sustain the attack beyond identity theft by eavesdropping traffic, or resolving DNS queries so that the user connects to the attacker's servers; for example, he might run bogus email servers in hopes of obtaining account information. Some organizations and ISPs support a single user account for mail, telnet, ftp and other intranet services. With a valid account and (quite possibly) server domain names in his pocket, the attacker can now attack the user's organization or an ISP.

It is possible to monitor the Extended Service Set Identification (ESSID), AP and default gateway MAC addresses of a wireless network. You can watch for radical signal strength fluctuations to detect a rogue AP. But this kind of activity is way beyond the typical user. Thus, education is your best weapon: explain phishing to employees and family members, show them examples of phishing sites, and list ways they can distinguish phony sites from the real deals. If your company pays for your hotspot account, consider using a hotspot roaming service that automates secure end-to-end authentication so that you don't have to log into the hotspot's Web portal (e.g., iPass).

Be prepared

Don't be afraid to use hotspots, but do pay attention to security. If you are already protecting your laptop or handheld with antivirus and personal firewall software, and use a VPN or SSL for sessions where sensitive information is exchanged, you have effectively protected yourself against many threats and exploits. You can't do much about DoS attacks, so don't worry about them. But do have a back-up access plan if getting on-line is a business necessity. You can protect yourself against identity theft by studying the attack and, most of all, paying attention to what you're clicking on or responding to.

Public wireless access is a wonderful tool, but you must use it wisely. Next time you sit in a hotspot with your wireless device, keep your guard up -- and let the wireless Hamburglars move on to the next victim. ##

Resources:

The Register's "WiFi in the Real World"

Securing Wireless Access to Mobile Apps

Understanding WLAN Vulnerabilities

Past LiveSecurity articles about wireless security

Signs of WLAN Intrusion
(requires free registration with SearchNetworking.com)

The "World Wide War Drive"


Copyright© 2004, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.



Copyright © 1996 - 2004 WatchGuard Technologies, Inc. All rights reserved.