Mobility Loop


Originally published by Mobility Loop.

Reposted with permission.

Copyright © 2006 Core Competence Inc.

All rights reserved.



Don't Talk To (Wireless) Strangers




Tuesday, January 24, 2006

Written by Lisa Phifer   

As a child, my parents warned me to exercise caution when talking to strangers. This sage advice also applies to users who promiscuously connect to any wireless device. This rather obvious best practice came to mind when reading NMRC's mid-January security advisory, "Windows Silent Ad hoc Network Advertisement." It seems that poorly-configured Windows PCs will not only connect to any AP with a given network name (SSID) -- they'll connect to any ad hoc peer as well.

Old Problem, New Twist

This NMRC advisory shouldn't really be news to anyone who's been paying attention to wireless risks and applied the most basic security knobs in Windows XP. For years, XP users have been warned about Wireless Zero Configuration promiscuity. By default, XP connects to any AP or ad hoc peer. The advisory raised eyebrows because some folks didn't realize that a well-known wireless attack, SSID spoofing (WVE-2005-008), could be launched by an ad hoc peer. As proof, the advisory's author conducted in-flight and airport field tests, counting the users willing to participate in ad hoc connections and those actually vulnerable to compromise over those connections. Results primarily illustrate that plenty of users are too lazy to disable unused wireless adapters, much less set wireless parameters or enable personal firewalls.

But the advisory does make it painfully clear that SSID spoofing doesn't necessarily require infrastructure mode and a soft AP. To lure naive wireless clients into connecting, just configure a laptop to use a common SSID like "linksys" in ad hoc mode.

To deter this, start by opening your Network Connection properties, click the Wireless Networks / Advanced button, and uncheck "Automatically connect to non-preferred networks." To avoid the ad hoc anomaly described by NMRC, also select "Access point (infrastructure mode) networks only." This will stop WZC from connecting to an ad hoc peer advertising the same SSID as one of your preferred networks.

Then Do More

Clicking those two little boxes is an excellent start, but insufficient to protect you from infrastructure mode SSID spoofing. For plug-and-play simplicity, XP's Available Wireless Networks does not differentiate between individual APs (or stations) advertising a given SSID. Without further measures, a client configured to connect only to preferred infrastructure networks named "tmobile" can still be tricked into associating with an attacker's AP sitting right next to you or in the hotel room next door. Once connected, that "Evil Twin" AP can run man-in-the-middle attacks, like using fake web pages to solicit your credit card number or trying to crack your VPN password.

That's the bad news. The good news is that there are steps you can take to further deter such attacks. For example:

                  Run a host-resident wireless IDS agent like AirDefense Personal (see News), AirTight SpectraGuard SAFE, or Network Chemistry RFprotect Endpoint. Such programs will warn you about unexpected, potentially dangerous wireless associations, in some cases taking automated action to block them.

                  Use a third-party program to manage wireless connections with more granularity than XP. Some clients let you permit not just SSIDs, but APs, identified by MAC address. That raises the bar, but MAC addresses can also be spoofed. An attacker sitting next to you at Starbucks can easily find the MAC of the real "tmobile" AP, but he may not know the MAC of the "linksys" AP you use at home.

                  When possible, use WLANs with 802.1X and EAP-TLS, EAP-TTLS, or PEAP to verify the server's certificate. This makes it very difficult for a spoofed AP to behave like a legitimate AP. Hotspot users can tap 802.1X at some locations -- for example, T-Mobile's Enhanced WPA Network "tmobile1x." Home and small business users may consider an 802.1X service like Witopia SecureMyWiFi or McAfee Wireless Security for Small Business.

                  Pay attention to unusual behavior -- while hardly foolproof, there's still value in exercising common sense and sound judgment. For example, don't accept that new, unknown SSL certificate or SSH public key mysteriously presented by the same server you visited yesterday.

                  Finally, never use wireless without a personal firewall -- at least turn on the XP SP2 firewall. Assume that you're sharing every wireless network with other users that you shouldn't blindly trust, much less respond to and share data with.
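The connection policy built up above (preferred networks only, infrastructure mode only, and optionally a permitted AP MAC per SSID) can be written as a small check over scan results. This is an added example, not code from the original article or from any product it names; the Beacon record, the PREFERRED table, and every SSID/MAC pairing in the sample scan are constructed for illustration.

```python
from typing import NamedTuple

class Beacon(NamedTuple):
    ssid: str
    bssid: str   # MAC of the AP, or the cell ID of an ad hoc peer
    mode: str    # "infrastructure" or "adhoc"

# Hypothetical policy: preferred SSIDs mapped to permitted AP MACs.
# An empty set means the SSID is preferred but no AP is pinned (a hotspot).
PREFERRED = {
    "linksys": {"00:11:22:33:44:55"},   # constructed home AP MAC
    "tmobile": set(),
}

def evaluate(beacon, preferred=PREFERRED):
    """Return (decision, reason) for one scan result."""
    if beacon.ssid not in preferred:
        # "Automatically connect to non-preferred networks" unchecked
        return ("ignore", "non-preferred network")
    if beacon.mode != "infrastructure":
        # "Access point (infrastructure mode) networks only" selected
        return ("block", "ad hoc peer advertising a preferred SSID")
    pinned = preferred[beacon.ssid]
    if not pinned:
        return ("warn", "SSID match only; AP identity unverified")
    if beacon.bssid.lower() not in pinned:
        return ("block", "preferred SSID from an AP that is not permitted")
    # A matching MAC can still be spoofed, so this raises the bar only.
    return ("allow", "SSID and permitted AP MAC match")

def review(scan):
    """Evaluate every scan result; returns (beacon, decision, reason) tuples."""
    return [(b, *evaluate(b)) for b in scan]

# Constructed scan results, not captured from any real network.
SCAN = [
    Beacon("linksys", "00:11:22:33:44:55", "infrastructure"),
    Beacon("linksys", "02:AA:BB:CC:DD:EE", "adhoc"),
    Beacon("linksys", "00:DE:AD:BE:EF:01", "infrastructure"),
    Beacon("tmobile", "00:0C:41:00:00:01", "infrastructure"),
    Beacon("Free Public WiFi", "02:12:34:56:78:9A", "adhoc"),
]

if __name__ == "__main__":
    for b, decision, reason in review(SCAN):
        print(f"{decision:6} {b.ssid!r:20} {b.bssid} {b.mode:14} {reason}")
```

The "warn" result for the unpinned hotspot SSID is the case the two checkboxes alone cannot resolve: only server certificate verification under 802.1X distinguishes the real AP from a twin there.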

In the end, whether you're connected over 802.11 wireless by ad hoc or infrastructure mode, your mother was right: for safety's sake, don't talk to strangers.