LANs prey to wireless attack

Research by US security consultants, Cigital, revealed that hackers could use an old trick to attack fixed networks from a...

Research by US security consultants, Cigital, revealed that hackers could use an old trick to attack fixed networks from a wireless entry point (WEP).

Cigital's study showed that a hacker could use an attack called address resolution protocol (ARP) poisoning or spoofing to get on to the networks. The attack creates a fake network address that the network treats as a legitimate destination.

Networks use a table called an ARP cache to match IP addresses to hardware addresses. Data packets coming into a network router ask the ARP program - which is responsible for managing the ARP rules that control the cache - to find a media access control (MAC) address on the cache that matches the packet's IP address. If no match is found, the ARP program asks every machine on the network for a match to the IP address. If it finds a match, the program updates the ARP cache table of legitimate IP addresses.

A hacker could forge data packets that ask for a non-existent IP address from within the network. When the ARP program broadcasts a request for a match to the network, the hacker forges a positive response from the fake IP address. The ARP program then adds the hacker's computer to the official list of trusted computers on the network.

"ARP poisoning has been around for some time, but it hasn't been employed in this respect," said Robert Fleck, Cigital's security consultant for the study. Wireless networking is relatively new compared to landline networks, making much of the security research a matter of theory rather than experience.

Hacking into a wireline network through a wireless access point requires a hacker to have a basic knowledge of wireless technology. Using a laptop with a wireless modem in range of a wireless network, a hacker could crack a network with software available on the Internet, said Kevin Walsh, director of product management at security company Funk Software.

"The medium that you're using to get access is new, but once you get access, all the same rules apply," he said. Like WEP-cracking applications, automatic ARP poisoning applications are also readily available on the Internet.

Cigital, Funk and other security companies propose that organisations separate their wireless and wired networks with a firewall or router between every point at which the two networks touch. This approach mitigates the threat of an ARP poisoning attack, as well as other kinds of attack from an external threat.

Security groups are equally concerned about a careless attitude to wireless security among network administrators. A single unsecured wireless access point could leave the entire network vulnerable to a hacker sitting in a car park, said Allan Carey, a senior analyst at IT research firm IDC.

"In the wired world we put in safeguards like firewalls to protect the network from attack," he said. The ARP attack is well known, but "many companies think that if they have the security precautions in place in their wired network, then they're safe."

Read more on Antivirus, firewall and IDS products