Hacking Wireless 802.11b Nets

Posted by CmdrTaco on Fri Apr 27, 2001 04:37 PM
from the well-of-course-you-can dept.
John Higgins writes "The Wall Street Journal has a great article on my greatest worries about setting up a wireless network in my home. White hatter Peter Shipley and Matt Peterson of, among other things, the Bay Area Wireless User Group, drove the reporter around the valley with some rudimentary equipment to find how many corporate networks they could "see" from the street or parking lot. (Sun Micro, check your encryption!) Call me a techie lightweight, but it looks like HPNA2 for me!"
  • neat! open networks freenet! by Anonymous Coward (Score:1) Friday April 27 2001, @01:51PM
  • by Anonymous Coward on Friday April 27 2001, @01:28PM (#260912)
    I did notice this, too.

    And guess what? Today, I got 5 mod points, used 'em up (careful not to overrate crap, since I noticed all the +5's), and then I got 5 more points!

    Maybe the number of mod points was increased. By someone, or something.
  • answer (Score:4)

    by Anonymous Coward on Friday April 27 2001, @01:33PM (#260913)
    Anonymous Coward
    [ Preferences ]

    You have moderator access
    and 49,523 points. Welcome
    to the those of you just
    joining: please read the
    moderator guidelines for
    instructions.

    (updated 9.9!)

    Don't make me -5 your ass
  • by Anonymous Coward on Friday April 27 2001, @12:52PM (#260914)
    Hello. I might be considered an "insider" in this field. I work at a semi-large ISP where we provide wireless connectivity using BreezeCom network equipment. Employing large (from 9-24 inch) antennas, and uni-and omni-directional antennas mounted on prominent structures, we are able to send up to 3Mb/s to hosts.

    The security here is terrible. We use no authentication via radius or any other method. Anyone with an 802.11 network card, and a sufficient antenna could steal connectivity, and we could not currently tell.

    There exist ways to detect this, by monitoring the MAC addresses connecting to the APs on the towers, but this is not employed. Neither is each radio catalogued, and IPs, for the most part, are assigned by the DHCP server with no logging.

    I do not know if this is typical of most wireless companies, but if it is, then things should be ripe for the taking. I'm posting anonymously, because my company has a history of firing and suing for less.

  • Sun's 'testing' (Score:5)

    by Anonymous Coward on Friday April 27 2001, @01:31PM (#260915)
    If this was at Sun's Santa Clara campus, this was definitely not testing. There are several rogue wireless stations there. These are connected to the iPlanet network rather than Sun's main network, though.

    Still, Sun's network is extremely insecure in so many ways, especially internally. Getting to be an internal user is simple, with wireless and DHCP.

    The SA's are pretty much powerless to secure the network, as well. Sun's red tape binds their hands. Get fired for securing the network? You bet! Go Sun!
  • by DeadBeef (15) on Friday April 27 2001, @01:33PM (#260916) Homepage
    I have been in a situation with an aironet network where I have flushed the SSID and wep key of the card, and noticed while flicking between consoles that there was traffic from another network floating past. This is with a little ( quite directional ) parabolic grid antenna facing about half way between two of our own sites.

    As these cards get cheaper and more people use them, the fixed set of frequencies that the frequency hopping cards use are going to become more and more useless with high gain aerials.

    Even without the security implications, each site within 'earshot' are going to end up sharing the realistic 500k/s or so that the 11 megabit cards provide.
  • by jbrw (520) on Friday April 27 2001, @04:29PM (#260917) Homepage
    free2air has a long article [free2air.org] on this, with lots of links, technical information, source code, and other good stuff.

    And the fact that they've found 150 open hosts in London's Docklands.

    And for you 802.11b geeks, you may be vaguely interested to know that newsfilter.co.uk (below) is served wirelessly. Yehaw!

    ...j
  • by tzanger (1575) <tzanger-sd&mixdown,ca> on Friday April 27 2001, @05:02PM (#260918) Homepage

    Knowing what I know, I would treat every wireless network as if ALL the traffic was being transmitted over a hostile network.

    Exactly. Which is why our access point is outside the firewall and wireless guys need to use the VPN to get into the network just like the telecommuters. There is no such thing as wired equivalency.

  • by iabervon (1971) on Friday April 27 2001, @12:55PM (#260919) Homepage Journal
    What looks like a quick paint program scrawl of the words "secure me".
  • Re:What the hell's going on around here? by talks_to_birds (Score:1) Friday April 27 2001, @01:57PM
  • Re:Broadcasting Network Names by otis wildflower (Score:1) Friday April 27 2001, @01:44PM
  • I think the logical defense here is: These radio waves are passing through my body. I think I have a right to analyze them as I see fit.
  • by zaf (5944) <slashdot@p e n g u i n m o n s ter.com> on Friday April 27 2001, @01:16PM (#260923) Homepage
    That solves half of the problem. The other half, is that wireless networks have much less bandwidth available, and anyone joining the network can take advantage of that bandwidth for their own gain. eg. using the company's internet connection, or just utilizing the access points for your own point-to-point pleasure.

  • Re:So what do we reccomend? by sgifford (Score:1) Saturday April 28 2001, @12:09AM
  • Re:So what do we reccomend? by sgifford (Score:2) Friday April 27 2001, @05:31PM
  • Re:Encryption by sgifford (Score:2) Friday April 27 2001, @05:40PM
  • Re:The reality of clueless sysadmins by jonbrewer (Score:1) Friday April 27 2001, @05:01PM
  • Shipley at it again... by jurgen (Score:1) Friday April 27 2001, @08:30PM
  • Re:What we do by jurgen (Score:1) Friday April 27 2001, @09:05PM
  • by jurgen (14843) on Friday April 27 2001, @08:51PM (#260930)
    Forget WEP.

    Make a wireless network, but don't put it on your private network... instead just make it an independent network that's directly connected to the Internet (with or without NAT) completely "outside" your organizational firewall. TREAT it as the Internet... wireless PUBLIC Internet access. No security. No WEP. Because there is no need.

    Simple. All the laptops that want to use it are already set up for accessing the essential services their users want via the Internet anyway! Who has a laptop at work that doesn't need to access services on their work network when they are off-site, be it via modem or home DSL or Ricochet or whatever? And is the laptop on a secure network any of these? No. So what do people do in those cases?

    Some use VPNs, some just use Web and mail via SSL, some use Ssh, whatever. The point is, it already works.

    So make all wireless networks "public internet access", you get the added benefit that visitors will be able to use it without hassle. At worst you're giving free access to some people in the suite next door or across the street.

    --jurgen@botz.org
  • Re:Encryption (Score:5)

    by Chris_Pugrud (16615) on Friday April 27 2001, @02:12PM (#260931)
    The hurdle that prevents people from using encryption and good security is time and knowledge. It took a lot of effort to get WEP turned on where I work because an understaffed IT department had to do it.

    The funny part is we use 3DES hardware VPN devices for PTP T1 lines, but that is done by another department that has the time and materials to implement strong security. And they wonder why we don't trust the corporate network?

    Tapping unencrypted lines is easy, one of our security people was trained in tapping fiber cables by DOD in '83. Ask how many people think that their private fiber links are truly secure?

    Rather than patching together PGP/GPG, SSL, and SSH, I would strongly recommend you spend your efforts implementing IPSEC instead.

    Chris
  • by leperjuice (18261) on Friday April 27 2001, @01:09PM (#260932)
    I've been hunting around for a while for a good access point for a home wireless lan (preferably one integrated into my gateway a la the ZyXEL [zyxel.com] Prestige 316 [zyxel.com], D-Link [dlink.com] DI711 [dlink.com], SMC [smc.com] Barricade [smc.com] or MaxGate [maxgate.net] Ugate 3300 [maxgate.net]).

    While a Cisco Aironet [cisco.com] would be nice, $1400 is a bit steep.

    The issue is, with all these current 802.11b security issues and the probable introduction of new security features, what are good products to use and steps to take? It's one thing to point out the flaws in the system; another entirely to show how to fix (or at least avoid) them.

    I detect an "Ask Slashdot" here....

  • It's different because.. by mindstrm (Score:2) Saturday April 28 2001, @01:06AM
  • Nope. (Score:3)

    by mindstrm (20013) on Saturday April 28 2001, @11:54AM (#260934)
    As of 10 or 15 years ago or so (I think) scanners in the US (yes, commonly called police scanners) are not permitted to scan cellular frequencies.
    There are professional models you can buy, I'm sure, that may let you, but they are generally for use in labs, and cost a fortune. Of course you can modify your ratshack scanner.....

    If you look at a cool product like the winradio (www.winradio.com) you will notice that the US version has several bands blocked; the euro & Canadian versions don't.
    In Canada, and many other places, receiving any transmission is legal.

    Decryption of private communications may be a different matter.

  • Re:I like the idea, but.. by Checkered Daemon (Score:1) Friday April 27 2001, @01:48PM
  • Re:Receiving the broadcast would be a crime in the by lordpixel (Score:1) Saturday April 28 2001, @07:34AM
  • Receiving the broadcast would be a crime in the UK by lordpixel (Score:2) Friday April 27 2001, @01:29PM
  • Re:What the hell's going on around here? by Pinky3 (Score:1) Friday April 27 2001, @05:38PM
  • Two words.... by Jester99 (Score:2) Friday April 27 2001, @01:34PM
  • Re:Smart Cards / Memory Stick Solution. by Hast (Score:1) Sunday April 29 2001, @12:31PM
  • it's different because this is US law by Mdog (Score:2) Friday April 27 2001, @01:22PM
  • by MarcoAtWork (28889) on Friday April 27 2001, @01:06PM (#260942)
    It seems that the valley is full of companies in which the 'engineers' are 'testing' wireless networks, and that these 'tests' coincidentally were supposed to stop around the day an article is published about them.

    yeah, right, if it wasn't for all this control, my head would be spinning right out of my neck...
  • Re:wireless hacking - killing wiredless? by WyldOne (Score:1) Friday April 27 2001, @07:53PM
  • You're not the only one by WyldOne (Score:1) Friday April 27 2001, @08:02PM
  • AUGH! (Score:5)

    by schon (31600) on Friday April 27 2001, @01:35PM (#260945) Homepage
    Require SSH2 tunnels

    Augh! NO! NO!

    SSH is a good protocol for secure terminal sessions, but you should never, never use it for tunneling, unless you're fond of session-timeouts and stalled connections.

    SSH uses TCP, which means it's the worst protocol you can use for a tunnel... TCP guarantees the reliability of the connection - so a dropped packet can wreak havoc.. the tunnel will stop and re-transmit the packet - so every other TCP connection will stall - and guess what? These stalled connections think their packets have been lost, so they retransmit their 'lost' packets - resulting in LOTS of duplicate packets.. (and if the 'original' packet was lost due to congestion, you can guess that you're gonna start flooding the tunnel - a cascade failure.)

    A more technical description is available at
    http://sites.inka.de/sites/bigred/devel/tcp-tcp.html [sites.inka.de]

    Unless you can guarantee that your network will never drop a packet, you need to use an unreliable protocol for the tunnel (think GRE - that's what it was designed for - but even UDP would be a better choice.)
  • Got one! by Valdrax (Score:2) Friday April 27 2001, @04:40PM
  • Airport (Score:4)

    by Valdrax (32670) on Friday April 27 2001, @01:06PM (#260947)
    What, you mean people aren't using Apple's Airport with its robust, secure 40-bit encryption scheme to protect all their traffic? Darn PC users.

    (Burn, karma, burn...)
  • by Raetsel (34442) on Friday April 27 2001, @01:00PM (#260948)
    Nice idea, but there's one small problem...

    The authorized devices using the network are broadcasting their MAC addresses!!

    This so very much reminds me of the well-known 'trick' of cloning a cell phone... sit somewhere where there are LOTS of targets, and just record the ESN/SID (or, in the case of 802.11b, the MAC address), program your own device, and off you go!

    I still like the idea of VPN tunneling over the wireless segment. Yes, use the hardware safeguards, but don't trust them. Require SSH2 tunnels, perhaps using PGP-style public/private keysets to make things 'easier.' Of course, this opens up the problem of a stolen laptop compromising the network... but I never said this was a perfect world.
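
The MAC monitoring mentioned in the ISP comment earlier in the thread, combined with the cloning caveat in the comment above, as an added defensive example that is not code from any poster. The log format, AP names, MAC addresses and catalogue are constructed for illustration; the audit flags radios missing from the catalogue and a catalogued MAC associated at two access points at once, which for fixed radios suggests a clone.

```python
import re
from datetime import datetime

# Assumed log format (constructed for this example, not a vendor's real format):
#   <ISO timestamp> ap=<name> event=<assoc|disassoc> mac=<aa:bb:cc:dd:ee:ff>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ap=(?P<ap>\S+) event=(?P<event>assoc|disassoc) "
    r"mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$"
)

# Constructed radio catalogue: MAC -> customer (locally administered MACs).
INVENTORY = {
    "02:00:00:00:00:01": "customer-a",
    "02:00:00:00:00:02": "customer-b",
}

# Constructed sample log, including one line that does not parse.
SAMPLE_LOG = """\
2001-04-27T12:50:00 ap=tower1 event=assoc mac=02:00:00:00:00:01
2001-04-27T12:51:10 ap=tower1 event=assoc mac=02:00:00:00:00:02
2001-04-27T12:55:30 ap=tower2 event=assoc mac=02:00:00:DE:AD:01
2001-04-27T12:58:00 ap=tower2 event=assoc mac=02:00:00:00:00:01
2001-04-27T12:59:00 ap=tower1 event=disassoc mac=02:00:00:00:00:02
2001-04-27T13:00:00 ap=tower2 event=assoc mac=02:00:00:00:00:02
tower2 rebooted
""".splitlines()


def parse_line(line):
    """Return (timestamp, ap, event, mac) or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return ts, m["ap"], m["event"], m["mac"].lower()


def audit(lines, inventory):
    """Return (findings, unparsed_count) for a list of association log lines.

    Each finding is (kind, mac, detail, timestamp) where kind is
    'unknown-mac' (radio not in the catalogue) or 'concurrent-assoc'
    (same MAC associated at a second AP before leaving the first).
    """
    known = {mac.lower() for mac in inventory}
    events, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1          # count it: silent gaps hide activity
        else:
            events.append(parsed)
    events.sort(key=lambda e: e[0])  # logs from several APs may interleave

    active = {}            # mac -> set of APs currently holding an association
    flagged_unknown = set()
    findings = []
    for ts, ap, event, mac in events:
        aps = active.setdefault(mac, set())
        if event == "disassoc":
            aps.discard(ap)
            continue
        if mac not in known and mac not in flagged_unknown:
            flagged_unknown.add(mac)
            findings.append(("unknown-mac", mac, ap, ts.isoformat()))
        elsewhere = sorted(aps - {ap})
        if elsewhere:
            detail = f"{ap} while on {','.join(elsewhere)}"
            findings.append(("concurrent-assoc", mac, detail, ts.isoformat()))
        aps.add(ap)
    return findings, unparsed


if __name__ == "__main__":
    results, bad = audit(SAMPLE_LOG, INVENTORY)
    for finding in results:
        print(*finding)
    print("unparsed lines:", bad)
```

A cloned MAC used only while the legitimate radio is off the air passes both checks, which is why the thread's advice to tunnel over the wireless segment still applies.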

  • EavesdroppingHacking by Monte (Score:2) Friday April 27 2001, @12:56PM
  • I don't agree. by NetJunkie (Score:1) Friday April 27 2001, @02:50PM
  • Has anyone ever seen a test done with someone sitting in a parking lot attacking the 802.11b encryption? We've had several articles here on /. talking about how insecure the encryption MAY be, but no one has done any real tests yet.

    Now for this article. Duh. These admins should be fired. I run 802.11b at my house with full encryption and other security features on. I wouldn't let an access point in this building without securing it first. This isn't a technology problem, it's a human problem. These are probably the same people that don't patch up to the security holes and wonder why they get hacked two years later.

    To make it easier, there needs to be a good key exchange mechanism. People that don't put much thought into security don't want the "hassle" of manually entering keys on everyone's notebooks. I wonder how long before there are web pages with key listings for companies and longitude/latitude locations....
  • by Milican (58140) on Friday April 27 2001, @03:36PM (#260952) Journal
    Well the mod points are kinda sporadic. I haven't had any in forever... Now all of a sudden I have mod points and I think.. use it or lose it.. so I use it, but I still use it somewhat wisely. I bet a lot of others are thinking the same. If I knew I would get mod points on a regular basis, like an allowance I would be much more frugal. However, if they are given out and taken away at random I tend to be more of an easy sleazy moderator.. ;)

    JOhn
  • Re:Nortel... by Brew Bird (Score:1) Friday April 27 2001, @05:24PM
  • Re:How secure are they really? by norton_I (Score:2) Friday April 27 2001, @02:40PM
  • Re:Broadcasting Network Names by norton_I (Score:2) Friday April 27 2001, @02:47PM
  • What we do (Score:5)

    by Twid (67847) on Friday April 27 2001, @05:24PM (#260956) Homepage
    Where I work, we have the whole building in San Jose set up for wireless. The way we approach security is that the wireless network is on the public internet outside the internal firewall (not on the DMZ, the wireless are completely outside).

    So, in order to get to internal data while on wireless you must start up a VPN client or go through our portal. This isn't a perfect solution, people still get free bandwidth if they want, but at least they can't get to internal data.

    Also, we have most of the wireless access points in public conference rooms, and a couple of them have been stolen!

    - Twid
  • by taniwha (70410) on Friday April 27 2001, @12:52PM (#260957) Homepage Journal
    Of course people could start guessing MAC

    Umm --- a sniffer will give you these pretty easily .....

  • This isn't even "non-damaging probes on networks". This is networks broadcasting information to anyone in the vicinity with a laptop and a wireless network card. If you are shouting on a street corner, is it a crime for me to hear you?

  • by 0xA (71424) on Friday April 27 2001, @01:23PM (#260959)
    For a network running Microsoft software, taking common steps such as ensuring Guest access is disabled and that passwords are required for all resources will do the job.

    Password protecting resources isn't going to do any good at all. If you read the article it is clear that these guys are running some kind of packet sniffer.

    "There -- someone just turned on an NT machine and is getting mail."

    There is no way to know this unless you are collecting and looking at packets on the network. Unless all traffic on the wireless segment is encrypted you will have NO security on that segment.
  • Re:I like the idea, but.. by Rares Marian (Score:1) Friday April 27 2001, @01:39PM
  • Yup by Greyfox (Score:1) Friday April 27 2001, @01:21PM
  • by _Bunny (90075) on Friday April 27 2001, @02:43PM (#260962) Homepage
    I'll bet those sysadmins would be very surprised to discover that the 802.1b access points were even on their networks. This stuff is too cheap and bone-head easy to install. Apparently a lot of consultants of various types like to pack them around with their laptops so they don't have to futz with network cables wherever they happen to be working that day.

    Exactly.

    What we're seeing is only the dawn of what most likely will become a very large problem... the cost of wireless Ethernet is around a few hundred bucks, and is affordable by the clueless.

    I run a 1,200 node network, and never thought about this until today. This is an issue we're going to have to address in the future...

    If an employee wants to run a wireless LAN, that might be okay, but they really should check with us first to make sure they "do it right"...
  • by BierGuzzl (92635) on Friday April 27 2001, @12:55PM (#260963) Homepage
    Well, considering the amount of success those Russians had holding credit cards ransom (before the fbi nabbed them) maybe there's a market to be tapped here. Simply collect masses of information and sell it to competitors, publish it on the net, or blackmail the owners, all from a hilltop above the silicon valley.

    The benefits of this would be manifold:

    • You'd make money and become famous
    • Evil corporations would get what they deserve
    • Patent secrets would be exposed
    • Evidence of corporate corruption could be collected (See how the honeynet [honeynet.org] project is able to collect info without a search warrant)

    Naturally you can't do all of these things at the same time or even have all of these things done by the same person, seeing as the explanation for what the hell you were doing listening in on the traffic in the first place might range from dubious to illegal.

  • What do you expect! by thype (Score:1) Friday April 27 2001, @04:40PM
  • Re:What we do by catch23 (Score:1) Saturday April 28 2001, @04:51AM
  • Re:Sun's 'testing' by catseye_95051 (Score:2) Friday April 27 2001, @03:39PM
  • Re:I don't agree. by catseye_95051 (Score:2) Friday April 27 2001, @03:42PM
  • by catseye_95051 (102231) on Friday April 27 2001, @01:13PM (#260968)
    Have you ever noticed what stories they "independently" choose to run?

    Hackers hacking Sun (can you say MS-massive-security-breach-damage-control?)

    Any whiff of PS2 trouble.

    Pro MS anti-trust case articles.

    And so on and so forth.

    NBC should be ashamed they have their name associated with what is clearly just another MS publicity arm.
  • Re:Receiving the broadcast would be a crime in the by belroth (Score:2) Friday April 27 2001, @02:12PM
  • by Saidin (105994) on Friday April 27 2001, @02:00PM (#260970)
    There is no such thing as a "Patent Secret"
    The whole point of the patent is that to get one, you have to reveal everything you know about it :)
  • wireless hacking (Score:3)

    by mljames (107636) on Friday April 27 2001, @03:32PM (#260971)
    I remember sitting in my friend's apartment in Seattle and being able to connect to 3 different wireless networks by simply setting the default network name to any.. The same trick worked at the airport for network access I was supposed to be paying for..My wireless client software was complaining about the lack of encryption but it still connected and gave me an ip address..I used napster to benchmark my speed and it was good...Perhaps we should only distribute this information to a smaller group of folks..so those in the "know" can take advantage of a rogue wireless network to get free internet access, and use napster while sitting in a terminal waiting for a flight..
  • Re:Information Warrior by yorgasor (Score:1) Friday April 27 2001, @02:01PM
  • by sigwinch (115375) on Friday April 27 2001, @03:33PM (#260973) Homepage
    You are right for conventional PPP-over-SSH-over-TCP tunneling, but there is still hope for tunneling over TCP.

    If the tunneled connections don't do retransmission themselves, you can just carefully design the tunneling protocol to be very nonaggressive about retransmissions. E.g., ask "did you get that" instead of retransmitting the whole packet, and using a steeper-than-TCP exponential delay function.

    And if you have to tunnel TCP over TCP, the tunneler could inspect packets, detect when the tunneled TCP is retransmitting, and simply drop the retransmission on the floor. This is just a tiny step beyond NAT. Of course, if you're tunneling arbitrary reliable protocols, you're screwed. (Although I suppose you could blindly bandwidth limit the tunneled protocol by dropping packets. If you did this aggressively enough, the tunneled protocol could be convinced to sufficiently rate limit itself.)

    Incidentally, I've been thinking about this because sometimes you don't have a choice about what kind of connection to use. Sometimes you are provided with an arbitrary stream-oriented, possibly reliable, connection and have to make do.

    BTW, thanks for the link to the TCP-TCP web page. I can point people at that instead of explaining...
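
A toy model of the TCP-over-TCP stall discussed in the AUGH! comment and in the reply above, as an added example that is not code from the thread or from the linked page. It assumes a fixed stall of the outer TCP connection, one segment in flight per inner flow, and an inner retransmission timeout that doubles on each expiry; all class and function names are hypothetical.

```python
class StalledTcpTunnel:
    """Reliable (TCP) tunnel that is stuck recovering one lost packet.

    While stalled it never drops anything: every inner segment handed to it,
    including inner retransmissions, is queued and delivered once the stall
    ends. With suppress_retransmits=True it applies the filter proposed in
    the reply: a segment already queued for the same flow is discarded.
    """

    def __init__(self, suppress_retransmits=False):
        self.suppress = suppress_retransmits
        self.queue = []      # (flow, seq) copies that will reach the far end
        self.dropped = 0     # inner retransmissions discarded by the filter

    def send(self, t, flow, seq):
        if self.suppress and (flow, seq) in self.queue:
            self.dropped += 1
        else:
            self.queue.append((flow, seq))
        return False         # nothing is ACKed until the stall is over


class DatagramTunnel:
    """Unreliable (GRE/UDP-style) tunnel: a lost datagram is simply gone."""

    def __init__(self, lost):
        self.lost = set(lost)    # (flow, send_time) pairs lost on the link
        self.delivered = []

    def send(self, t, flow, seq):
        if (flow, t) in self.lost:
            return False
        self.delivered.append((flow, seq))
        return True              # delivered, so the inner ACK comes back


def inner_sender(tunnel, flow, initial_rto, until):
    """Send one segment at t=0 and resend on every RTO expiry before `until`.

    Returns the number of times the inner TCP put the segment on the wire.
    """
    t, rto, sends = 0.0, float(initial_rto), 0
    while t < until:
        sends += 1
        if tunnel.send(t, flow, 1):
            break
        t += rto
        rto *= 2                 # exponential backoff of the inner timer
    return sends


def compare(flows=4, stall=8.0, initial_rto=1.0):
    """Run the same single-loss event through three tunnel designs."""
    results = {}
    for name, suppress in (("tcp_tunnel", False), ("tcp_tunnel_filtered", True)):
        tunnel = StalledTcpTunnel(suppress)
        sends = sum(inner_sender(tunnel, f, initial_rto, stall)
                    for f in range(flows))
        results[name] = {"inner_sends": sends,
                         "copies_delivered": len(tunnel.queue),
                         "suppressed": tunnel.dropped}
    # Datagram tunnel: only flow 0's first datagram is lost; others pass.
    udp = DatagramTunnel(lost={(0, 0.0)})
    sends = sum(inner_sender(udp, f, initial_rto, stall) for f in range(flows))
    results["datagram_tunnel"] = {"inner_sends": sends,
                                  "copies_delivered": len(udp.delivered),
                                  "suppressed": 0}
    return results


if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

With four flows and an 8-second stall, the plain TCP tunnel delivers 16 copies of 4 segments, the filtered tunnel delivers 4 and discards 12, and the datagram tunnel costs one extra send on the single flow that lost a packet.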

  • by morpheus_ (124308) on Friday April 27 2001, @01:15PM (#260974)
    I also work at a service provider that has opted to use 802.11b to link customers with us. However, from the beginning I realized that it was a Bad Idea (tm) not to use every single security feature available to me. As a result, we only use Gold cards (128 WEP vs. 56 WEP) on installations, and MAC-lock all the access points, so only the base stations I authorize can connect to our network. I know that probably the weakest link then becomes the password authentication on the access points themselves, which could probably be brute-forced, but at least it eliminates the more casual dangers. I'm totally aware that if a determined 31337 h4x0r wanted to get on our network, he probably could manage. btw, we keep getting all those reports about the encryption being cracked and all, but exactly how vulnerable is 128 WEP? As in, if I took every precaution available, how long (average) would it take between the initial attempt at the hack and the actual hack made?
  • What the hell's going on around here? by malahoo (Score:2) Friday April 27 2001, @01:13PM
  • Re:Encryption by Acrucis (Score:2) Friday April 27 2001, @01:03PM
  • Re:The reality of clueless sysadmins by enneff (Score:2) Saturday April 28 2001, @02:45AM
  • by fleener (140714) on Friday April 27 2001, @01:06PM (#260978)
    Huh, and this is different from flying an EP-3 surveillance plane off the coast of China how?

    If you're spewing stray radio waves all over the place, whose fault is that? Is it your job to control your communications or our job to keep our ears shut?

  • Re:You would think... by raitiovaunu (Score:1) Friday April 27 2001, @01:12PM
  • a little confused? by thrillbert (Score:2) Friday April 27 2001, @12:42PM
  • by thrillbert (146343) on Friday April 27 2001, @01:07PM (#260981) Homepage Journal
    Being the network admin, I've been researching this same issue. And I agree with you regarding the VPN solution. I recently found a link to a company called Colubris [colubris.com] who has a really nice AP.

    I sent them an email yesterday but have not heard back. I would like to know if I can tie the VPN to authenticate from our LDAP server to allow users worldwide mobility without having the local admins create them an account.

    As for the stolen laptop, if you use SecureID tokens, this would help in a case like that, which is the reason I prefer this method over digital certificates.
  • I'm pretty sure... by -=OmegaMan=- (Score:1) Friday April 27 2001, @03:44PM
  • Re:Nortel... by -=OmegaMan=- (Score:1) Friday April 27 2001, @07:41PM
  • Nortel... by -=OmegaMan=- (Score:2) Friday April 27 2001, @03:38PM
  • Re:This is incredible! by vsync64 (Score:1) Friday April 27 2001, @03:24PM
  • Re:Sun and security by vsync64 (Score:2) Friday April 27 2001, @03:59PM
  • Sun and security (Score:5)

    by vsync64 (155958) <vsync@quadium.net> on Friday April 27 2001, @03:45PM (#260987) Homepage
    I worked at Sun fairly recently, and I have to say that their security is nothing short of pathetic. I don't want to seriously jeopardize their operations (although it's sadly obvious that they don't need me to do that), so I won't go into much detail, but:

    • There is no NAT. Any connections to the outside world go through application-based proxy servers, and if one is lucky and the server is up, SOCKS. This is not in itself a problem (except for the system's hopeless obsolescence and inconvenience), but it encourages (I would almost say forces) employees to find less than official means of getting to the outside world in order to do their jobs.
    • No one I met had even heard of SSH. No one. All internal connexions take place over RPC, and most people have .rhosts file with at least "+ <user>" in it.
    • Everyone leaves their X server wide open. xhost + is everyone's first action ("xauth? what?"), and I was shocked to see a security manual put out by Sun say "In order to start this GUI security tool, you will need to run the command xhost +.".
    • Servers were always going down, badly enough that I moved my home directory, mail, and all related files and services to my local machine. Even in instances where a proper security policy might exist, I have doubts that it would last for long.

    There are other gaping holes which I feel it would be completely unfair to post in any level of detail, but suffice it to say SWAN is riddled with holes waiting to be exploited, and I hope someone decides to do something about it before a h4x0r realizes how easy it would be to own all of it.

    --

  • by proxima (165692) on Friday April 27 2001, @12:52PM (#260988) Homepage
    These guys in the end are doing these companies a service by exposing blatant security holes and embarrassing them. However, they're also itching for a lawsuit. I know most people on /. don't see anything wrong with non-damaging probes on networks, but a law doesn't even have to be violated to win a lawsuit. Any one of these companies (especially the bigger ones) could perhaps win a lawsuit against these guys for using (stealing) their network resources without permission.

    However, I believe three major things will keep most companies from prosecuting these guys.

    1. They are embarrassed enough already, and a court case will only embarrass a computer company more (Sun with an insecure network, that looks real good).

    2. A lot of Silicon Valley companies are running out of cash.

    3. The only thing the companies have to gain is deterring others from pulling the same stunt (and tattling about it later).

  • This could be fun (Score:3)

    by zfractal (170078) on Friday April 27 2001, @08:03PM (#260989)
    So I'm in LA and have a clear LOS to Hollywood and the Westside (plus I'm pretty high up, so no major obstacles). Anyone interested in an OpenNAP server hosted by BMG?
  • Encryption (Score:4)

    by RuneB (170521) on Friday April 27 2001, @01:01PM (#260990)
    Why do people find it difficult to use encryption over the networks they use? A person should assume that any un-encrypted traffic over any network could be easily monitored by someone with the right equipment, and relying on the security of every machine along a route is dangerous.

    IMHO, saying that encrypting traffic is too much effort is no longer a valid excuse, now that tools such as ssh, PGP/GPG, and SSL are in wide use. In fact, OpenSSH now supports dynamic port forwarding with socks support; which can allow transparent encryption of traffic.

    So, what is the hurdle that prevents people from using the tools available to encrypt their traffic?

  • Re:The reality of clueless sysadmins by j-pimp (Score:1) Saturday April 28 2001, @05:10PM
  • Re:a little confused? by DarkEdgeX (Score:1) Friday April 27 2001, @12:48PM
  • Simple Security... by DarkEdgeX (Score:2) Friday April 27 2001, @01:04PM
  • Re:Research project for secure wireless computing by Spinality (Score:1) Friday April 27 2001, @05:19PM
  • This + FBI hacking russian hackers by RedLaggedTeut (Score:1) Saturday April 28 2001, @07:53AM
  • Re:How secure are they really? by b1t r0t (Score:2) Friday April 27 2001, @03:03PM
  • by ackthpt (218170) on Friday April 27 2001, @01:02PM (#260997) Homepage Journal
    "This looks like a good place to work, oh, wait, was that a layoff list I just saw go over to HR?"

    --

  • Re:What the hell's going on around here? by bertok (Score:1) Friday April 27 2001, @03:09PM
  • Re:Encryption by jo42 (Score:1) Friday April 27 2001, @02:31PM
  • After reading the article, it sounds to me like they're cruising around, looking for wireless LANs that identify themselves.

    By default, a wireless base station will broadcast the SSID of the wireless network of which it is part, and wireless LAN cards can join the network without already knowing the SSID of the network.

    One of the simplest security practices is to turn off SSID identification broadcast at the base station. Then the wireless user has to know the name of the network in order to connect. Unfortunately, this quickly becomes a gigantic pain in the ass for the admins of the network, because who wants to go through and change the SSID every time you add a new wireless base? It's really practical only for small organizations.

    Mind you, I'm sure this could be fairly easily intercepted from traffic between a user and a base station, but it's a start down the road towards hiding your wireless LAN.

    WEP encryption has been proven to be an easily circumvented technology (as reported on /. once upon a time), as has this lack of SSID broadcast, but it's a start. The best bet for true security is to implement a VPN over your wireless LAN, or just treat your wireless zone as a DMZ.

  • by mendepie (228850) <mende.mendepie@com> on Friday April 27 2001, @01:27PM (#261001) Homepage
    I am currently using 802.11b a good bit, and have come up with a solution that I am happy with. I set up filtering to disallow any access from the 802.11 interface except to ssh. I then use ppp over ssh to connect. I have set up my laptop to do this when it brings the interface up. I would like to do IPsec, but I have not spent enough time to get it working.
  • I've now worked with wireless network equipment from Cisco, Motorola, and Nortel Networks. I've found that none perform particularly well when using the Wired Equivalency Protocol (WEP) for security, although there aren't a whole lot of other options out there at present. Many companies rely simply on the uniqueness of the SSID used within their wireless LAN. Some restrict access by MAC address. None of these methods are particularly secure. The only one that suggests making an effort at security is use of WEP.

    There was a previous discussion on Slashdot [slashdot.org] about issues with the security of WEP. The articles out there on security holes in WEP are too numerous to list here.

    What scares me most is the sheer lack of concern expressed by many network engineers, with regard to wireless. I've heard many times now, variants on "It's a wireless network. It's insecure by definition so why even make an attempt to secure it." Scary.

    --CTH

    ---
  • Here's the Berkeley study on WEP security:
    http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html [berkeley.edu]
    ---
  • by Ndog (230982) on Friday April 27 2001, @06:02PM (#261004)

    No, you can keep wireless access from happening -- it's just a pain in the ass. Most switches these days support secure ports. With the Cisco switches I use at work, you can set port security so it not only allows just one specific MAC to use the port, but if anybody unplugs the cable to plug something else in, the port is automatically disabled (although there are other settings to choose from besides automatically disabling the port). This keeps people from spoofing the MAC, because nothing will work until an admin resets the port. For more information, check out this article [sans.org].

    Like a lot of security, it's a pain in the ass, but you can prevent people from plugging in unauthorized devices, wireless or otherwise. Of course, no security is unbeatable.

  • Re:In reply to HPNA2 by higginsx (Score:1) Friday April 27 2001, @08:03PM
  • Re:a little confused? by higginsx (Score:2) Friday April 27 2001, @01:10PM
  • Re:The right way to do wireless by ConsumedByTV (Score:1) Saturday April 28 2001, @02:33AM
  • Security by TheSHAD0W (Score:2) Friday April 27 2001, @08:07PM
  • Now for this article. Duh. These admins should be fired. I run 802.11b at my house with full encryption and other security features on. I wouldn't let an access point in this building without securing it first. This isn't a technology problem, it's a human problem. These are probably the same people that don't patch up to the security holes and wonder why they get hacked two years later.

    I'll bet those sysadmins would be very surprised to discover that the 802.1b access points were even on their networks. This stuff is too cheap and bone-head easy to install. Apparently a lot of consultants of various types like to pack them around with their laptops so they don't have to futz with network cables wherever they happen to be working that day.

    ... and to think of it another way, if you were a bad guy this is a pretty awesome way to put a tap on someone's entire network without their knowledge. Sometimes it seems to me that wireless LANs were invented by either law enforcement agencies or spies. Or both -- maybe they're in cahoots.

    This isn't merely a clue problem. There is a control problem as well.

  • Smart Cards / Memory Stick Solution. by ImaLamer (Score:1) Sunday April 29 2001, @12:06AM
  • by Zeinfeld (263942) on Friday April 27 2001, @01:12PM (#261011) Homepage
    The security in 802.11b is worse than useless, it claims a degree of security it does not provide. That is why most large corporations deploying 802.11b don't rely on WEP, they use IPSEC or PTPP to add security that was not broken at birth. Go to Redmond, Washington and every MSFT conference room has IEEE802.11b, but they don't use WEP.

    Driving around town there are a lot of 802.11b networks that are left open on purpose. I could care less about someone sending bits over my broadband pipe. Media one might mind but that is a different matter.

    If it wasn't for the fact that if I did leave the access point open someone like the author of the article would be bound to post the fact on the net as 'security expert hacked' I would have no problems leaving it open. My internal systems are all behind a firewall in any case.

  • Reiterations (Score:3)

    by deran9ed (300694) on Friday April 27 2001, @01:26PM (#261012) Homepage
    This is old news [zdnet.com] (Wireless Insecurities) and I think on every single wireless article I've seen posted here, I kind of trolled about it before.

    There are slight temporary fixes for the Wireless problems dealing with security, I think someone has PKI certs for them (almost sure they have them) but PKI is not really a fix [antioffline.com] at all now is it?

    I'm hoping Pat Calhoun and the folks over at Diameter [diameter.org] get on the mark soon with their protocol, since it seems RADIUS is now a dinosaur of sorts. Well for those interested in Wireless security, check out this thesis on it. "Security in Public Access Wireless Networks [antioffline.com]"

    #define crypto [antioffline.com]

  • Re:I'm pretty sure... by dachshund (Score:1) Friday April 27 2001, @07:55PM
  • Re:I like the idea, but.. by dachshund (Score:2) Friday April 27 2001, @02:38PM
  • You would think... (Score:4)

    by JohnnyKnoxville (311956) on Friday April 27 2001, @12:57PM (#261015)
    A company as large and as technically inclined as Sun Microsystems might investigate this type of thing before going ahead and implementing this type of network.
  • Re:How secure are they really? by ByTor-2112 (Score:1) Friday April 27 2001, @01:39PM
  • by ByTor-2112 (313205) on Friday April 27 2001, @01:51PM (#261017)
    You really need to read the papers on the attacks. 128-bit encryption and 56-bit encryption are both just as susceptible to attacking. MAC addresses are NOT encrypted IIRC and I can steal one of those when your client is down. One potential attack is to send a packet of known content from the Internet TO your network. Then I grab the encrypted packet, and I can XOR out a piece of the cipher stream and (because of the way this 802.11b works) I am able to identify future packets that use this piece of the stream and decrypt them. Other statistical attacks allow me to, over time, build up a database that will allow me to decrypt everything on your network. The more traffic you send, the faster this happens. Knowing what I know, I would treat every wireless network as if ALL the traffic was being transmitted over a hostile network.
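The keystream-reuse property described in the comment above, as an added example that is not part of the original post: it shows why a known plaintext under one IV exposes every later frame that repeats that IV, whatever the length of the shared secret. The secrets, IVs and payloads are constructed, the function names are hypothetical, and the CRC-32 integrity value that real WEP appends before encrypting is left out.

```python
# Added example: every key, IV and payload below is constructed for illustration.

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (standard KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def wep_style_encrypt(iv: bytes, secret: bytes, payload: bytes):
    """Seed RC4 with IV || secret, as WEP does; the IV is sent in the clear."""
    return iv, xor(payload, rc4_keystream(iv + secret, len(payload)))

def read_with_known_keystream(keystreams: dict, frame):
    """Decrypt a frame using only a keystream table indexed by cleartext IV."""
    iv, ciphertext = frame
    ks = keystreams.get(iv)
    return None if ks is None else xor(ciphertext, ks)

def demo(secret: bytes):
    """Show what one known plaintext reveals about later frames."""
    known = b"CONSTRUCTED-KNOWN-CONTENT-PACKET"
    f1 = wep_style_encrypt(b"\x00\x00\x01", secret, known)
    f2 = wep_style_encrypt(b"\x00\x00\x01", secret, b"user=alice pass=constructed")
    f3 = wep_style_encrypt(b"\x00\x00\x02", secret, b"frame under a fresh IV")
    # Known plaintext XOR ciphertext = keystream for that IV; the secret is never used.
    table = {f1[0]: xor(known, f1[1])}
    return read_with_known_keystream(table, f2), read_with_known_keystream(table, f3)

if __name__ == "__main__":
    for secret in (bytes.fromhex("0102030405"), bytes(range(1, 14))):
        reused, fresh = demo(secret)
        print(len(secret) * 8, "bit secret:", reused, "| fresh IV:", fresh)
```

The frame under the fresh IV stays unreadable only until that IV comes around again, and WEP's IV field is 24 bits wide, so repeats are unavoidable on a busy network.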
  • It may be deliberate ... and should be! by modus_operandi (Score:1) Saturday April 28 2001, @05:47AM
  • In reply to HPNA2 by Breakfast Pants (Score:1) Friday April 27 2001, @01:22PM
  • Re:So what do we reccomend? by Bud Uggly (Score:1) Friday April 27 2001, @10:29PM
  • Re:Airport by EvilStein (Score:1) Friday April 27 2001, @02:42PM
  • Re:Got one! by EvilStein (Score:1) Friday April 27 2001, @06:00PM
  • Re:The reality of clueless sysadmins by deaddrunk (Score:1) Friday April 27 2001, @09:13PM
  • Re:I like the idea, but.. by CaptainStormfield (Score:1) Friday April 27 2001, @01:17PM
  • Scanners Illegal? by RALE007 (Score:1) Saturday April 28 2001, @05:18AM
  • Sir, I have a subpeona.... by RALE007 (Score:1) Saturday April 28 2001, @05:25AM
  • Re:Yup by RALE007 (Score:1) Saturday April 28 2001, @05:30AM
  • But officer... by RALE007 (Score:1) Saturday April 28 2001, @05:35AM
  • So what you're saying is you're a free ISP by RALE007 (Score:1) Saturday April 28 2001, @05:37AM
  • Excellent Business Opportunity by RALE007 (Score:1) Saturday April 28 2001, @05:40AM
  • Well the were using NT box's anyways... by RALE007 (Score:1) Saturday April 28 2001, @05:43AM
  • Re:I love MSNBC's editorial ethics... by RALE007 (Score:1) Saturday April 28 2001, @06:03AM
  • Wardialing by RALE007 (Score:1) Saturday April 28 2001, @06:10AM
  • Re:Scanners Illegal? by RALE007 (Score:1) Saturday April 28 2001, @06:16AM
  • Layoff list to HR by RALE007 (Score:2) Saturday April 28 2001, @05:48AM
  • Re:How secure are they really? by GummiD (Score:2) Friday April 27 2001, @02:11PM