Your CEO is sitting in the cafe before your next meeting using instant messenger to talk to his vice-president of marketing while sending an e-mail to the financial director asking about next month's results. The guy in the corner sipping his coffee and staring intently at his laptop is not reading the news, he is reading your CEO's conversation. And when he is finished, he is going to install a trojan program on his laptop. How? And what should IT managers do to stop things like this happening?
Wi-Fi security is both a client and a server-side issue, and many businesses, especially small ones, may be leaving themselves and their networks unprotected. An internal wireless local area network (Lan) can be a great productivity tool, as can wireless laptops. They create the potential for everything from hotdesking, to wireless voice over IP (VoIP) phones. But they can also create some serious security loopholes. Given the move toward targeted attacks, the threat is becoming a practical one. Reports indicate that TJX Group, the retail giant which for months ran software planted by criminals on its network, was initially compromised via a wireless network. "TJX is of the view that the intruder initially gained access to the system via the wireless local area networks (WLans) at two stores in the United States," said a report from the Canadian Privacy Commissioner.
Even if a company's own servers are sufficiently protected against attack, allowing anyone access to its wireless network creates the opportunity for crimes perpetrated against others using its infrastructure. If criminals use a firm's network to send spam or hack other people's computers and the owner of the network becomes implicated, it could create headaches, says Guy Bunker, chief scientist at Symantec. "A lot these things come down to reputation. It is not the sort of thing where you want to have to argue whether you were at fault, if you can prevent that from happening in the first place," he says.
The options for protecting systems were more limited in the early days of wireless Lans than today. The Wireless Equivalent Privacy (WEP) protocol encrypted transmissions happening over the air, but Bruce Potter, CTO of security company Ponte Technologies, says that it was fundamentally flawed. "The concept behind WEP was not bad, but the implementation was poor, which is what led to the weaknesses in it," he says. Someone leaving a computer running with some open source wireless network sniffing software for a few days or less would eventually be able to crack a WEP-enabled network.
WEP was replaced by WPA, an updated version that used similar concepts but executed them more effectively, Potter says. Unfortunately, rival standardisation efforts led to an alphabet soup of different acronyms - WPA2, WPA PSK, and WPA Enterprise. This led to such confusion, says Potter, that many companies simply fall back to using WEP, in spite of the fact that it has now been deprecated. Consequently, many networks - where encrypted at all - can be cracked relatively easily using publicly available software.
When implemented properly, another technology called 802.1x helps to lock down a network still further. The standard was introduced to help separate the authentication of computers from the encryption of the data that they exchange using the wireless network. An 802.1x network requires a computer to authenticate itself before joining a network. The computer sends its credentials to an access point, which then checks with the network's authentication server. If the computer passes the test, it is allowed onto the network.
The problem is that many companies do not implement 802.1x properly, Potter says. It should be implemented on both wired and wireless infrastructures. Otherwise it becomes possible for an attacker to walk into a building and simply install a Wi-Fi access point on an open Ethernet port, enabling them to break into the network from a safe location next door at their leisure. He says that a large proportion of companies do not have 802.1x installled on both networks. "I could easily walk past the security guard in a building and install a rogue access point," says Emma Leith, an analyst at security consultancy Comsec Consulting.
Potter provides an even more worrying scenario: exploitation of wireless clients that are already attached to a corporate network. Generally, laptops will try to connect to wireless networks using a service set identifier (SSID - the public name of a wireless network) that they have already connected to. Broadcasting a common SSID such as "default", "linksys" or "T-Mobile" will often cause wireless clients to connect to you. If those clients are inside a building, and attached to a corporate network, it provides a way to infect them with malware across the air and use them as vectors to compromise large parts of the network that they are attached to, he says.
If misconfigured networks and wireless clients inside companies can cause wireless security loopholes, mishandling of client computers in public wireless situations can be even more damaging, says Ken Munro, managing director of security consultancy and penetration testing firm SecureTest. For example, one mistake that users often make is to log into web-based services on public Wi-Fi networks, he says.
Many web mail systems use secure, encrypted SSL sessions for exchanging passwords. However, as soon as the user is authorised to access the web service, the communication session drops back into clear text again. An employee divulging sensitive information via web mail or even plain text Simple Mail Transfer Protocol (SMTP) e-mail is likely to be giving it away to anyone with a wireless network sniffer in the area, and this software is readily available online.
"You will not know whether you were hacked over Wi-Fi or via some other transactions that you were doing somewhere else. Wi-Fi hacking has bought hacking from an expert sport into an amateur sport. There are freely downloadable sniffer programs that you can use to sniff information being sent to and from a hotspot," says David Blumenfeld, senior vice-president of marketing at JiWire, a company specialising in Wi-Fi-based advertising. "It is not just e-mail. It is things like instant messenger, which is used for a lot of corporate communication these days. You put a sniffer in place, and there you go - it is easy to see the contents of that e-mail," he says.
One answer to this is to surf across wireless networks using a virtual private network (VPN) system, which tunnels back from the laptop to the back-end server in an encrypted state. JiWire also offers an encryption service for small businesses with no VPN setup of their own, which encrypts information sent back to its servers from a Wi-Fi connected client, acting as a proxy to the internet. Other techniques to mitigate the problem include using an SSL-encrypted e-mail service, and relying on encrypted corporate versions of popular instant messaging programs. But neither of those things alone will stop people watching where your CEO surfs when he is using a public Wi-Fi hotspot.
Other potential attacks on wireless clients include the "evil twin" method, in which an attacker simply sets up a fake Wi-Fi hotspot using their own laptop and some special software. Users in an airport that see the fake SSID (usually something like Free Public Wi-Fi) connect to it, which then gives the attacker intimate access to their network traffic and file system.
Some evil twin attacks can be even more aggressive, says Munro. An attacker finds a public Wi-Fi hotspot, and uses a tool to knock wireless clients off the network by sending a "disassociate" packet that forces them to disconnect. The attacker uses his own software to replicate the wireless access point, impersonating it with his laptop. Making sure that the signal from their own laptop is stronger (perhaps simply by sitting closer to the victim than the access point is) causes the victim's computer to reconnect to the attacker's laptop.
In addition to using a VPN, much of the protection against such attacks comes down to common sense. Warning employees not to connect to an unknown Wi-Fi access point, or to watch for duplicate SSID, will help to minimise the likelihood of such attacks succeeding. Auditing the Wi-Fi access points within your company and installling 802.1x authentication on both the wired and wireless infrastructures (or at least monitoring devices connected to Ethernet ports) will help to avoid the rogue access point problem. Using strong passwords or pass phrases will minimise the chance of the encrypted networks being cracked.
Where a company does feel the need to run a public Wi-Fi system, such as for visitors or contactors, putting it in a demilitarised zone separate to the main corporate network is imperative, and some traffic analysis hardware on that network to stop, say, repeated suspicious traffic or large amounts of data being sent on ports traditionally served for SMTP e-mail might help to prevent people using it for nefarious purposes.
With a little common sense and best practice in design, wireless networks can be a boon for a company. But get it wrong, and the same firm could find its data hanging in the wind. In this situation, it is more important than ever that security professionals and users are on the same wavelength.
This was first published in February 2008