"Wireless is bad. Wireless is insecure. Wireless is the tool of hackers and spammers."
For the last few years, one message has been pretty clear: WiFi, while incredibly useful, is not the easiest technology to secure. Most wireless access points ship with no security enabled by default. And even the security that is there may not be that great. Wired Equivalent Privacy (WEP), the first attempt to secure WiFi, has been repeatedly proven to have problems. There are many tools to attack WEP; in just a few minutes these tools can compromise the key used to protect the network.
Even the next generation of security techniques still have problems. The newest wireless security spec, 802.11i, allows for many types of network authentication, including simple passwords and other breakable authentication mechanisms. But 802.11i does provide some quite robust ways to secure your network. Using bidirectional certificate-based authentication with AES-based encryption, modern WiFi networks can be a formidable obstacle for even determined attackers. But how do you know your network is secure once you’ve deployed it?
To determine the security of your network, you must first discover the WiFi devices on (and near) your network. The core concepts of WiFi device discovery are relatively well understood. Tools such as NetStumbler have been around for more than four years and have allowed users to find WiFi access points using inexpensive hardware with relative ease. However, the wireless security landscape has changed dramatically since the introduction of the first version of NetStumbler, and it’s worth reexamining WiFi device discovery and how to leverage discovered devices into attack vectors.
Understanding the Risks
When you’re looking for wireless devices, it’s important to understand the risks against your infrastructure first. One of the most obvious risks is the threat to the traffic on the wireless network itself. An attacker may be interested in sniffing data from the network, accessing the network, or even modifying data being sent across the network. If you have access points that aren’t encrypting for some reason, sniffing traffic or accessing the networks is a trivial activity. But even for WEP-encrypted networks, the barrier for an attacker to gain access to traffic is relatively low. When doing an assessment of a network, unencrypted and weakly encrypted networks are the low-hanging fruit you need to be worried about immediately. Luckily, WiFi has been around long enough that, in an enterprise of a reasonable size, unprotected access points are few and far between. Home and small office networks, however, are a whole other issue. They are often still totally unprotected.
Another risk to your network is rogue access points connected to your wired networks. These rogue access points may have been installed by employees or attackers, but serve basically as a subversion of whatever wireless security mechanisms are in place. For instance, a developer may want wireless access in a nearby conference room, buy an access point from an electronics store, plug it into the Ethernet jack in her cubicle, and make her own "private" network. The problem with this technique is that there’s no real guarantee that the access point is secured in the least, and it may serve as a gateway into your enterprise’s network. The media has helped to address this issue, as most of the public now knows that doing something like plugging in their own access points to a corporate network is a bad idea.
One of the biggest risks to modern WiFi networks is the wireless clients themselves. Even if your network is configured correctly, your clients can give up everything anyway. Rather than attacking the network directly, an attacker may choose to go after the client and then leverage the client to access the rest of the network traffic or the network itself.
One common way to accomplish this goal is by looking for clients that are probing for other networks. For instance, some operating systems (such as Windows XP and OS X) automatically look for any known wireless network when they first come online or when they lose communication with the previous network to which the operating system was attached. When the host looks for a network, it sends a probe packet with the name of the network it’s trying to find. An attacker (and user as well) can sniff for that probe to determine what networks a given client trusts. Then the attacker can create a rogue access point that pretends to be one of the trusted networks, and attempt to force the client to associate to the new rogue. If successful in tricking the client, the attacker then has an IP-level connection to the client and can try to break into the host OS through known vulnerabilities. Once the attacker has compromised the OS, he has total access to that system, the data on it, and networks to which it connects. Not a good situation. So being aware of your clients and what they’re probing for is crucial.