Friday, September 29, 2006

Wireless Security - the difference between Alfred the Optimist, Luba the Ostrich, Uninformed Max and Sacha Paranoia

Many people use wireless routers at home. It lets you use all your computers without the hassle of having cables all around the house, it's cheap, easy to install, and usually works pretty well. Very few people, however, think seriously about security issues regarding their home wireless networks. Even those who do think about it, tend to think their network is made secure by using some relatively-easy-to-hack tricks. Others, not concerned by security issues, might have half their bandwidth used up by their neighbors without them knowing it. The most shocking part of all this, is that many enterprise IT managers do the same mistakes with their enterprise wireless networks. My purpose today is to shed some light on the vulnerabilities and how they can and are being handled.

First, let's remember that a wireless network is, well - it's a network and it's wireless (duh!). Being wireless means that as long as you are in range, you can read packets sent from the access point and send packets to it. Whether you'll be able to understand the packets or whether the access point will do something with packets sent to it, is another problem. Yet remember - it's all up there in the air!

Second, let's look at the possible vulnerabilities:

  1. Bandwidth "theft"
  2. Network intrusion
  3. Denial Of Service (DOS)

Bandwidth "theft"

Refers to other people (usually neighbors) using your wireless network to access the internet. Since most ISPs charge by bandwidth, if somebody is using your internet connection at the same time as you are - then you get less bandwidth for yourself. I "stole" bandwidth several times during the war when I was staying at other people's houses (at some point I started wandering around the country with my own router to stop doing that). As far as I know, it's not really called "stealing", since the air is public domain, so you can't claim anything about packets floating around. But still, if you have someone constantly using your bandwidth, it can become pretty annoying.

Network intrusion

All browsers, firewalls, etc. use the notion of "trusted" and "untrusted" zones. The idea is that in your trusted zone you have computers you trust will not try to do you any harm, whereas the untrusted zone (everything else) can consist any computer in the world, including some that might be very mean to you, if you just give them a chance. Before the wireless era, things were pretty simple. Anything inside the company/house is trusted, anything else is not. Yet now, when you can connect to the network without being physically even inside the building, it's more complicated. You could, obviously, configure your firewall to treat your wireless network as an untrusted zone. This is good, and is actually the way to do, if you're using a publicly available wireless network service (say at the coffee shop or in the mall). However, if you are at home, and have your printer connected to one computer and want to print from another computer, it's much simpler to have all your home network as a trusted zone (and that's just one example, of course). But this means, that any computer connected to your home wireless network will be trusted, even your neighbor downstairs (unless you protect yourself, see below).

Denial Of Service (DOS)

Refers to a general way of attacking a target, such that some important resource would become unavailable. The idea is basically to perform a huge amount of communication with the target, taking up all it's resources for yourself, thus denying them from other, legitimate users of the resource. There are various means of performing DOS attacks on a wireless network, resulting in disrupting legitimate usage of the network. Actually, wireless networks are very poorly protected against such attacks. Anyway, I'll keep this issue out of the discussion for today.


OK, so we're focussing on bandwidth theft and network intrusion. How do we avoid them? Well, let me introduce you to a few friends of mine: Alfred the Optimist, Luba the Ostrich, Uninformed Max and Sacha Paranoia...

Alfred the Optimist

Alfred believes people are fundamentally good. He might not even realize there are any vulnerabilities in using a wireless network - why would anyone want to do something bad to his network? Why would someone use his bandwidth, if that person could pay for it himself? Alfred installed the router on his own, keeping the factory settings without changing anything except what was absolutely necessary to actually connect to the internet. He has been experiencing some slowness in his internet connection, especially at night, when he knows his neighbor likes to download illegal music files. But, heck, you know, that's how it goes with the internet - sometimes it's faster, sometimes is slower. Yeah, yeah, he's got occasional annoying pop-ups and he has to reboot 3 times a day otherwise it takes 7 minutes to load notepad, but who hasn't a few problems once in a while? (Note: Most Alfred's don't use any firewall for the exact same reasons, and don't understand how the salesperson managed to convince them to buy that anti-virus license...)

Luba the Ostrich

Luba is a computer programmer. She's not an expert in networking, nor in security, but she's got her BSc and understands both the problems of bandwidth theft and network intrusion. She knows there are various protection method, but she's smart enough to know everything comes with a price - if you're going to secure everything on your network, you will have to pay in performance! And Luba doesn't like to pay in performance!!! So she pokes in her router's configuration options and sees it's possible to disable broadcasting of the SSID. She searches a bit about that, maybe tries it out, and then understands that once the SSID is not broadcasted, her network cannot be found. Hey, that's cool! If nobody knows my network exists, they won't be able to connect to it - so I'm safe. Luba knows, of course, that if this was enough a solution, then there wouldn't be so many other options in the security tab of her router. But as we said, she's an ostrich, so she keeps living in denial. One day, Luba's conscience starts to bother her - maybe my network is not secure enough? So she goes back to poking around at her router's configuration settings, and then she discovers you can configure an access list - a fixed list of MAC addresses that may connect to the network. Coooool - she quickly runs "ipconfig /all" on all her computers, writes down all her wireless adapters' MAC addresses and fills the list. That's it - she can now sleep peacefully, certain she's protected against both threats.

The truth is that in most cases, Luba will be fine with either of these options (especially with both). Yes, you read correctly, in most of the cases, not all. And here is why:

  1. Not broadcasting the SSID doesn't do anything to prevent someone from connecting to the network. All routers have a default SSID name. If Luba didn't change her router's SSID, then there is a good chance that many people have networks with the same SSID as she has (all aother Luba's out there). So if I used to be connected to a network with that SSID, and I find myself in the area of Luba's house, my laptop will automatically connect to her network, although she doesn't broadcast her SSID.
  2. Even if she did change her SSID, that it is not broadcasted doesn't mean that it is not visible. Each packet Luba sends from her own PC holds her SSID (unencrypted). So if I use some kind of wireless sniffer (links at the bottom), I can easily discover any wireless network currently in work, including Luba's.
  3. Similar to the SSID, in an unsecured wireless network, the MAC addresses are also transfered unencrypted, so once I've catched a valid packet with my sniffer, I can very easily spoof the MAC address and use hers instead of mine in my packets.

We must admit - there is no real chance anyone will do much effort to run a sniffer and then spoof her MAC address just to steal some bandwidth. So as far as bandwidth theft is concerned, with both SSID broadcasting disabled and the use of an access list, Luba is practically immunized. However, is she protected against intrusions? Well, partly - if the intruders just try to enter any wireless network to create heavoc - they won't be willing to do much effort (there are too many Alfred's out there to waste their time on Luba). However, if she's concerned about people trying to get specifically into her network, then they are most likely to be ready to make the effort, and then Luba is in trouble...

Uninformed Max

Max used to be an Ostrich, like Luba. One day, when he had his head deep under the ground, a big fat bull came around. The bull was horny, and, well you know... Anyway, since then Max has become a little bit more cautious (and has some difficulties sitting down...). He uses a specific SSID, changed his default administrator password on his router, has disabled SSID broadcasting and uses a MAC access list. In addition, he wants his network to be secure. Looking at all the possibilites, he chooses the one that seems the simplest, yet secure - WEP. He feels good an cosy with his own secured wireless network.

The problem with Max, is that nobody told him that WEP is sooo not-secure that it's just a waste of time and energy. Look at this and this and please don't miss this...

Sacha Paranoia

Sacha is one of a kind. He changes his SSID once a week and uses a 127 character password for his administrator account that changes each time he logs in. Asking him whether he disabled SSID broadcasting or uses MAC access lists could cause him to rip your head off just due to the insinuation that he might have missed that. Sacha knows everything there is to know about WEP's shortcomings. Until last year he was using WPA. Now he uses WPA2. Although his network is as secure as currently possible, he's had problems sleeping at night, imagining minuscule ET's wandering around his precious network. Last week he almost had a heart-attack, when only one of his 3 firewalls succeeded in blocking an attack. Actually, it wasn't a real attack - for some reason his firewall thinks his fax is a malicious software enemy. So Sacha disconnected his router completely. Actually, he's disconnected his computer from the internet altogether. From the power source as well - to be on the safe side. He is now working in his garden, watering his flowers. His hard-disk in his back-pocket, just in case...


Interesting software

Netstumbler - For mapping active wireless networks

Airsnort - Can be used to extract the WEP encryption key

Ethereal - Network protocol analyzer

No comments: