Wireless Security
First Published: X-Force Monthly Magazine

As the number of wireless access points dotted along the high street and inside airport terminals around the world continues to grow, propagating a "connect-anywhere-anytime" philosophy much like the mobile phone boom of the early 1990s, organizations are struggling to understand the security implications for their mobile workforce.

Whilst most organizations are familiar with the security flaws of Wired Equivalent Privacy (WEP), the encryption scheme built into the original IEEE 802.11 standard and inherited by 802.11b, and have tried mandating best practices for their employees, they have found it hard to strike a balance between connectivity and data protection without sacrificing usability.

For today’s mobile workforce, the ability to connect to the Internet and exchange e-mails while traveling has become critical.  Any technical issue that prevents the worker from achieving network access in a timely manner can quickly result in frenzied calls to the helpdesk, or the worker “tinkering” with their network settings – seeking any network connection they can.

Ask any salesman: at crunch time, when he really needs to e-mail that multi-million dollar invoice to the customer on the last day of the month, it doesn't matter where he is or how often he has been told that security is important. He will turn anything on or off and connect to any network he can in order to send that critical e-mail. Security will always play second fiddle to business continuity.

There are additional problems associated with wireless networks that corporate security teams now need to contend with as well.  While e-mail is certainly a concern, they now have to deal with secure access to intranet applications (e.g. inventory databases and timesheets) and voice communications such as Voice over IP (VoIP).  Each additional networked service represents additional security threats and opportunities for users to “adjust” settings.

From an attacker’s perspective (or even a casual eavesdropper), wireless networks are fantastic.  Consider a few of the more common methods being used by attackers around the world:

  • Deployment of rogue wireless access points with fraudulent or misleading names (the "evil twin").  It takes no skill at all to set up an access point, give it the name of a local provider and transparently proxy all traffic through it to the real network.  The attacker thereby captures the users' original authentication credentials and observes all of their unencrypted communications.
  • Use of wireless access points with power outputs many times greater than normal.  The louder beacon drowns out the legitimate access points at that location, and client devices that simply pick the strongest signal for a given network name will associate with the attacker's access point instead.
  • Employing high-gain antennas to eavesdrop on data communications from long distances, and attacking ad-hoc (peer-to-peer) wireless networks.
  • Configuring rogue wireless access points to offer least-cost routing of VoIP traffic at low rates, ensuring that all voice traffic passes through the attacker's device.
  • Or, simplest of all, placing a rogue access point in a busy area (e.g. a high street) with a name such as 'Default' and no encryption or authentication.  Users will often just connect to this "free" Internet connection and carry on as usual, while the attacker sniffs all of their traffic.
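Three of the tricks above (the evil twin that reuses a trusted network name, the over-powered access point, and the open network called 'Default') leave traces in an ordinary Wi-Fi scan. The following is an added example, not code from the original article, of a heuristic rogue-AP check run over scan results. The scan records, the trusted-BSSID inventory and the -30 dBm signal threshold are all constructed for illustration; a real deployment would feed in the parsed output of `iw dev wlan0 scan` or the OS Wi-Fi API and maintain the inventory from its own site surveys.

```python
"""Heuristic rogue / evil-twin access point check over Wi-Fi scan results.

Added example, not from the original article. The scan records below are
constructed for illustration; in practice they would come from a scanner such
as `iw dev wlan0 scan` or the OS Wi-Fi API, parsed into the same four fields.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bssid: str        # access point MAC address, lower-case
    security: str     # "open", "wep", "wpa" or "wpa2"
    signal_dbm: int   # received signal strength; closer to 0 is stronger


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    rule: str
    detail: str


# Hypothetical inventory: network names we trust and the BSSIDs known to serve them.
TRUSTED_BSSIDS = {
    "CorpWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
    "AirportFree": {"aa:bb:cc:dd:ee:01"},
}

# Names attackers favour because victims connect to them without thinking.
GENERIC_SSIDS = {"default", "linksys", "free wifi", "wireless"}

# Hypothetical threshold: a beacon at -30 dBm or louder from an AP you are not
# sitting next to is unusual and worth flagging.
STRONG_SIGNAL_DBM = -30

# Constructed scan output in a simple "ssid<TAB>bssid<TAB>security<TAB>dBm" form.
SAMPLE_SCAN = """\
CorpWiFi\t00:11:22:33:44:55\twpa2\t-62
CorpWiFi\tde:ad:be:ef:00:01\twpa2\t-48
CorpWiFi\tde:ad:be:ef:00:02\topen\t-50
AirportFree\taa:bb:cc:dd:ee:01\topen\t-70
AirportFree\taa:bb:cc:dd:ee:99\topen\t-25
Default\t02:00:00:00:00:01\topen\t-55
HomeNet\t11:22:33:44:55:66\twpa2\t-80
"""


def parse_scan(text):
    """Parse the tab-separated form above into ScanRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security, dbm = line.split("\t")
        records.append(ScanRecord(ssid, bssid.lower(), security.lower(), int(dbm)))
    return records


def analyse(records, trusted=TRUSTED_BSSIDS):
    """Return one Finding per (BSSID, rule) pair that looks like a rogue AP."""
    findings = []
    by_ssid = {}
    for r in records:
        by_ssid.setdefault(r.ssid, []).append(r)

    for ssid, group in by_ssid.items():
        known = trusted.get(ssid)
        securities = {r.security for r in group}
        for r in group:
            # 1. Evil twin: a trusted SSID served by a BSSID we have never seen.
            if known is not None and r.bssid not in known:
                findings.append(Finding(r.bssid, ssid, "unknown_bssid",
                                        "trusted SSID advertised by unlisted BSSID"))
            # 2. Same name offered both open and encrypted: a downgrade lure.
            if r.security == "open" and len(securities) > 1:
                findings.append(Finding(r.bssid, ssid, "open_twin",
                                        "open copy of a network that elsewhere uses encryption"))
            # 3. Open network with a generic name, the 'Default' trick.
            if r.security == "open" and ssid.strip().lower() in GENERIC_SSIDS:
                findings.append(Finding(r.bssid, ssid, "generic_open",
                                        "open network with a generic, attacker-friendly name"))
            # 4. Beacon far louder than normal: a high-power AP drowning out the real ones.
            if r.signal_dbm >= STRONG_SIGNAL_DBM:
                findings.append(Finding(r.bssid, ssid, "strong_signal",
                                        f"signal {r.signal_dbm} dBm at or above {STRONG_SIGNAL_DBM} dBm"))
    return findings


if __name__ == "__main__":
    for f in analyse(parse_scan(SAMPLE_SCAN)):
        print(f"{f.bssid}  {f.ssid!r:14} {f.rule:14} {f.detail}")
```

On the constructed sample this flags the two unlisted CorpWiFi BSSIDs (one of them also as an open twin), the over-powered AirportFree impostor and the open 'Default' network, while leaving the inventoried access points and the unrelated HomeNet alone. The checks are heuristics, not proof: a BSSID is trivially spoofable, so an attacker who copies a known MAC evades rule 1, and the signal threshold depends on the client radio and how close the user happens to be standing to the real access point. Treat a hit as a reason to stay on the VPN and report, not as a verdict.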

When you combine these newer wireless attack vectors with an already security-agnostic mobile work force (consider the annual security studies in which employees will tell strangers their email password in exchange for a chocolate bar), the situation is ripe for both opportunistic and organized electronic crime.

While there have been various studies relating to war-driving (i.e. driving around a city and cataloging wireless access points) and to the use of wireless at technology or security tradeshows, there have been very few public studies of the current exploitation trends that target the end user's wireless device.  Certainly the talk in the underground and within the various hacking communities is buzzing with new techniques and success stories.  Since these attacks target individual hosts, and their success may not be immediately apparent, victims often have no idea that their security failed, and the consequences may not surface for days or weeks.

The ability to protect the mobile workforce from the threats they will encounter when using wireless access points or hotspots around the world is incredibly important, and legacy protections such as the corporate perimeter firewall and signature-based anti-virus do little to help on their own.  To provide good security, the mobile workstation or laptop has to be made secure against both an external attacker and the user themselves.

 The technologies and techniques most relevant to protecting the mobile workforce include the following:

  • Desktop security that includes a host-based intrusion prevention system (HIPS) capable of identifying the latest network attacks and exploits and blocking them by default.  Many of the hosts that join a legitimate wireless network are already infected by some worm or bot and will automatically try to infect each new host that joins.
  • It is vital that VPN technologies be used to create secure tunnels between the mobile host and the corporate network.  Just because the wireless network supports WEP (or WPA), it doesn't mean that communications are secure; at best it means that people who aren't already part of the wireless network can't easily eavesdrop, and WEP no longer guarantees even that.  Most people do not realize that once you have joined a wireless network, even one with encryption enabled, every other host on that network can potentially connect to your host.
  • The biggest threat to mobile security is the user themselves.  Steps must be taken to harden the mobile device so that the user cannot modify settings or disable security technologies when out in the field.
  • The threat from web-browser based attacks has increased substantially, and all mobile users must be forced to use a corporate proxy server for their web access, which in turn is reachable only over the VPN.  This ensures that all web traffic is encrypted in transit and, with the aid of content filtering, allows unauthorized communication channels such as web-mail to be blocked.

Like most areas of security, common sense plays a large part in keeping corporate communications intact, but user education is what raises an organization's mobile security posture.  Users should be taught the methods attackers use to compromise wireless networks so that they can spot rogue installations and do not fall for the most common social engineering vectors.  They also need to understand which security mechanisms have been installed on their mobile devices and what steps they must follow to connect securely to the corporate network or send e-mail.  Quarterly or half-yearly refreshers are recommended.

At the end of the day, if that salesman needs to send that critical invoice out at the end of the month, even completely blocking access to the corporate network may not be enough.  There is a high probability that he will just send it to the customer from his free Hotmail account.

    Copyright 2001-2007 © Gunter Ollmann