Wireless security, or better known as (in)security, has been overly focused on protecting the access point and the network infrastructure behind it. Wireless IDS, sandboxes, and the various other security features of RADIUS, WPA, WPA2, MAC filtering, or what have you, have been deployed. This is all well and good, but a wise man told me not so long ago that if there is a great lock on a faulty door, take the hinges off. Security is based on opportunity, vulnerability, and ultimately the willingness of the threat. If the door is closed, somewhere there is a window, back door, or garage door that is open.
This white paper profiles the real issues associated with Wi-Fi enabled devices and how their constant attempts to connect to an access point are a fundamental weakness that hackers now exploit to gain the data necessary to detect, identify and locate you.
OVERVIEW
Security researchers have found that recent developments in wireless hacking focus on exploiting the wireless clients themselves (phones, netbooks, notebooks, iPods), and on doing so when they are most vulnerable: not connected to any network at all. This is a paradigm shift. Layer upon layer of security has been piled onto the infrastructure side to correct the industry's failed early implementations of wireless security, and the attackers have simply moved to the side that received none of that attention.
The hackers have found that a direct assault on your wireless network may take too long and risk too much, so they have found another door: the device you use to connect to these ultra-secure networks.
How can a device sitting in my pocket, unattached, unassociated, not communicating, be a threat? The answer lies in the fact that the device is not dormant when not in use. Following the 802.11 standard, and because it is the easy way to implement it, wireless clients (the device sitting in my pocket) broadcast probe requests to determine whether they are near a known network. Have you ever noticed that an AT&T® wireless-enabled device will connect to any AT&T® Wi-Fi hotspot automatically, without end-user intervention, as long as its wireless is turned on? OK, so that is convenient; how is it a threat?
The threat lies in the information your wireless device broadcasts, primarily the probe list: the list of preferred networks you have previously attached to is transmitted periodically, name by name, in the hope of finding a known network. Concretely, the client sends a directed probe request carrying the name (SSID) of a remembered network, and anyone within radio range with a wireless card in monitor mode can read that name, whether or not any access point is present. A wildcard probe request, which names no network, reveals only that a client is present; it is the directed probes that leak the list.
PROBE LIST
A probe list reveals "patterns of life". Clients (cell phones, computers, or any wireless-enabled device) broadcast probes, thereby exposing the wireless access points and routers each client was previously attached to. Given this information, you can establish a pattern of life: where do these devices go, as far as wireless connection points are concerned?
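The collection step described above, as an added example that is not SRT Wireless's tool or any code from the paper: a parser for 802.11 probe requests that builds the per-client probe map an analyst works from. The frames, MAC addresses (locally administered, made up) and SSIDs are constructed inline so it runs offline; on a live capture the same parser would be fed raw frames from a monitor-mode interface. It also keeps clients that only sent wildcard probes, since "present but leaked nothing" is different from "never seen".

```python
"""Sniffer side: parse 802.11 probe requests and build a per-client probe map.

Hypothetical example code (not SRT Wireless's tool). Frames are constructed
inline so it runs offline.
"""
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
FC_PROBE_REQUEST = 0x40   # frame control byte 0: type 0 (management), subtype 4


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{octet:02x}" for octet in raw)


def build_probe_request(client_mac: str, ssid: str) -> bytes:
    """Construct a minimal probe request (used here only to make sample input).

    An empty ssid gives a wildcard probe, which asks "any AP out there?" and
    names nothing; a non-empty ssid gives a directed probe for one remembered
    network, which is what leaks the preferred network list.
    """
    header = struct.pack("<BBH", FC_PROBE_REQUEST, 0, 0)               # FC, flags, duration
    header += mac_to_bytes(BROADCAST) + mac_to_bytes(client_mac) + mac_to_bytes(BROADCAST)
    header += struct.pack("<H", 0)                                       # sequence control
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()                      # element 0 = SSID
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])                     # element 1 = supported rates
    return header + ssid_ie + rates_ie


def parse_ies(body: bytes) -> dict:
    """Walk the tag/length/value information elements of a management frame body."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def parse_probe_request(frame: bytes):
    """Return (client_mac, ssid) for a probe request, or None for any other frame."""
    if len(frame) < 24 or frame[0] != FC_PROBE_REQUEST:
        return None
    client_mac = bytes_to_mac(frame[10:16])            # address 2 = transmitter (the client)
    ssid = parse_ies(frame[24:]).get(0, b"").decode("utf-8", errors="replace")
    return client_mac, ssid


def build_probe_map(frames) -> dict:
    """Aggregate directed probes per client: the "pattern of life" view of a capture."""
    probe_map = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue                                     # beacons, data frames, etc.
        client_mac, ssid = parsed
        names = probe_map[client_mac]                    # registers the client even if it leaks nothing
        if ssid:                                         # wildcard probes name no network
            names.add(ssid)
    return dict(probe_map)


# Constructed sample capture: the MAC addresses are locally administered
# (made up) and the SSIDs are illustrative, not the paper's obscured capture.
SAMPLE_CAPTURE = [
    build_probe_request("02:00:00:00:c5:93", "KYTOURISTWIFI"),
    build_probe_request("02:00:00:00:c5:93", "attwifi"),
    build_probe_request("02:00:00:00:c5:93", ""),         # wildcard probe
    build_probe_request("02:00:00:00:ee:ff", ""),         # present, leaks nothing
    b"\x80\x00" + b"\x00" * 30,                           # a beacon: ignored
]

if __name__ == "__main__":
    for mac, ssids in sorted(build_probe_map(SAMPLE_CAPTURE).items()):
        print(mac, sorted(ssids) or "(wildcard probes only)")
```

The distinction the map keeps between an empty set and an absent client is the one that matters later when a capture shows devices that "did not expose prior associations": they may have been probing, just not by name.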
Some names you will see on the probe list are very innocuous and mean very little. However, if you look up each probed name on a site like http://www.wigle.net/ you may find that it has been logged as part of the WiGLE social experiment that started in 2001.
WiGLE is the Wireless Geographic Logging Engine; war drivers log their findings in a globally accessible database of SSIDs (network names), access point MAC addresses and GPS locations.
After a bit of research using sources like Google and WiGLE, we can identify locations where the device has been in the past: pattern of life! With Google Maps and its Street View functionality, we can take the GPS coordinates WiGLE gives us and correlate the SSID's location to a street address without being anywhere near the physical location. The one caveat is that common default names (attwifi, linksys, NETGEAR and the like) appear at thousands of locations and localize nothing; it is the distinctive, one-off names on the probe list that place a device.
To determine where these devices came from, or have been, we had to be at that location to capture the packets, right? If our packet capture indicated the device had been in Madrid, Spain, for example, we had to be in Madrid, right? Not quite. Our capture could theoretically have been taken in an airport such as JFK or on the flight from the UK. Probe broadcasts are not geocentric; they are transmitted any time the device is on and its wireless is enabled.
So the first of many exploits is determining a device's origin, even when it is away from home. The implication of this alone is that your home, apartment or whatever is missing an occupant. Hmm, whom to rob when no one is home?
Forgetting about the social implications of knowing where you live, more important to security professionals (a nickname for hackers) is: what can I get from you that will allow me to exploit your world? Knowing that your devices are looking for preferred networks, security professionals built applications such as airbase-ng, Hotspotter and KARMA. In general, these applications all do the same thing: they answer the probe requests by reversing the message, claiming to be your previously known networks. WHAT!!! That's right, they will create as many networks as you probe for, luring your device to connect and acquire an IP address. The lure is the name alone; the rogue access point never needs the real network's key to answer the probe, although whether the client then completes the join depends on how it matches the remembered network's security settings. Once the IP address is assigned, the attacker can deliver malicious code to the client device, which no longer has the protection mechanisms it enjoys behind a corporate firewall. The attacker has now circumvented the lock on the door!
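The exchange described above, as an added example that is not airbase-ng, Hotspotter or KARMA themselves and not code from the paper: the attacker side answers every directed probe with a spoofed probe response under whatever name was asked for, and the defender side runs the check a wireless IDS can apply to catch it, namely one BSSID answering under many different names. The rogue BSSID, client MACs and SSIDs are constructed for the example; the probe list used as input is the kind of (client, SSID) list a probe-request sniffer produces.

```python
"""Attacker side and defender side of a KARMA-style answer to a probe request.

Hypothetical example code (not airbase-ng, Hotspotter or KARMA themselves).
build_probe_response() does what those tools do for every name a client
probes for; find_karma_aps() is the IDS check against it. All addresses
and names are constructed for the example.
"""
import struct
from collections import defaultdict

FC_PROBE_RESPONSE = 0x50           # frame control byte 0: type 0 (management), subtype 5
ROGUE_BSSID = "02:22:43:00:00:01"  # hypothetical, locally administered
CHANNEL = 6


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{octet:02x}" for octet in raw)


def build_probe_response(client_mac: str, ssid: str, bssid: str = ROGUE_BSSID) -> bytes:
    """"Yes, I am <ssid>": the reply a rogue AP sends for whatever name was probed.

    Only the name is needed; the rogue AP never has to know the real network's
    key. The capability field advertises an open ESS (privacy bit clear).
    """
    header = struct.pack("<BBH", FC_PROBE_RESPONSE, 0, 0)
    header += mac_to_bytes(client_mac) + mac_to_bytes(bssid) + mac_to_bytes(bssid)
    header += struct.pack("<H", 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0001)           # timestamp, beacon interval, capability: ESS
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()        # element 0 = SSID
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])       # element 1 = supported rates
    ds_ie = bytes([3, 1, CHANNEL])                         # element 3 = DS parameter set (channel)
    return header + fixed + ssid_ie + rates_ie + ds_ie


def karma_respond(probes, bssid: str = ROGUE_BSSID) -> list:
    """Answer every directed probe in a (client_mac, ssid) list.

    Wildcard probes (empty ssid) carry no name to impersonate and are skipped.
    """
    return [build_probe_response(mac, ssid, bssid) for mac, ssid in probes if ssid]


def advertised_ssid(frame: bytes):
    """Pull (bssid, ssid) out of a probe response, or None for any other frame."""
    if len(frame) < 38 or frame[0] != FC_PROBE_RESPONSE or frame[36] != 0:
        return None                                        # element 0 (SSID) follows the 12 fixed bytes
    length = frame[37]
    return bytes_to_mac(frame[16:22]), frame[38:38 + length].decode("utf-8", errors="replace")


def find_karma_aps(frames, threshold: int = 3) -> dict:
    """IDS check: one BSSID answering under many different names is the KARMA fingerprint."""
    names = defaultdict(set)
    for frame in frames:
        parsed = advertised_ssid(frame)
        if parsed:
            names[parsed[0]].add(parsed[1])
    return {bssid: sorted(ssids) for bssid, ssids in names.items() if len(ssids) >= threshold}


# Constructed input: what a probe-request sniffer yields per client.
CAPTURED_PROBES = [
    ("02:00:00:00:c5:93", "KYTOURISTWIFI"),
    ("02:00:00:00:c5:93", "attwifi"),
    ("02:00:00:00:c5:93", ""),               # wildcard: nothing to impersonate
    ("02:00:00:00:ee:ff", "Home-Network"),
]
# A legitimate AP answering under its single real name, for contrast.
LEGIT_RESPONSE = build_probe_response("02:00:00:00:ee:ff", "CoffeeShop", bssid="02:aa:bb:cc:dd:01")

if __name__ == "__main__":
    on_air = karma_respond(CAPTURED_PROBES) + [LEGIT_RESPONSE]
    for bssid, ssids in find_karma_aps(on_air).items():
        print("suspected KARMA AP", bssid, "answering as", ssids)
```

The threshold in find_karma_aps is a tuning knob: a real multi-SSID access point legitimately answers under two or three names, so a detector that fires on the second name will false-positive on ordinary enterprise gear, while a KARMA AP quickly accumulates dozens.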
SRT Wireless recently evaluated the effectiveness of these attacks on air travelers. Equipped with an EeePC® 1000HA netbook running Ubuntu® and aircrack-ng v1 (the suite that includes airbase-ng), and with a little time to travel between Florida and California, we found that the attack works very effectively.
[Figure: airbase-ng log of the probe requests received from the target devices, MAC addresses obscured]
The figure above shows the devices that responded to my device's attack. The MAC addresses have been obscured for end-user privacy. The devices were only permitted to associate, and they took no further actions.
This is happening everywhere. On an aircraft at 30,000 feet, where transmitters are supposed to be turned off, we found that at least six (6) devices were on and looking for their home networks. The airbase-ng log in the figure above shows the probe requests sent by the target devices. We omitted the responses; however, if you look at the next figure, our rogue AP (MAC prefix 00:22:43) has associated a client under the name KYTOURISTWIFI.
[Figure: airbase-ng association log showing the rogue AP (MAC prefix 00:22:43) associating the client that probed for KYTOURISTWIFI]
This activity is synonymous with opening the locked door. As we mentioned earlier, without access to any other resource, an investigator can determine a pattern of life for the device with suffix C5:93: an avid traveler, recently in Florida and Kentucky. You will notice that three of the devices did not expose prior associations. This could be because someone took the time to remove them from the preferred network list, because those clients only sent wildcard probes that name no network, or simply because we did not wait long enough to collect the probe map.
CONCLUSION
As a result of hardened wireless network security, security professionals continue to evaluate the "open window" approach: don't go to the front door; circumvent the security completely.
As end users, the community needs to become more aware that threats don't only exist once you have established a known secure session; they can linger in the background, even on an aircraft as you travel to a vacation. The response to this type of attack is actually simple. As the flight attendants say, "Make sure all your cell phones and electronic devices are shut off and stowed prior to takeoff." Establish a habit: when you are not using the Wi-Fi in your device, make sure it is off. Prune the preferred network list as well, since every saved network is a name your device will call out, and removing the ones you no longer use shrinks the probe list. Operating systems released since this paper was written reduce the exposure without removing it: most now randomize the MAC address used in probe requests and send directed (named) probes only for networks saved as hidden, so a saved hidden network is still announced wherever the device goes.
Can these ‘skills’ be used by law enforcement? Visit www.patctech.com/srt
--------------------------------------
ABOUT SRT WIRELESS
SRT Wireless, the commercial and law-enforcement division of The SRT Group, enables global enterprises and law enforcement agencies at all levels to be more connected and efficient through powerful, affordable communications tools. Visit www.patctech.com/srt for more details.