Wi-fi Security Crisis

There's a storm brewing, and although we have only seen the first signs, she's gonna be a whopper! I'm talking about what I call the "Wi-Fi Security Crisis", and if you don't know what it is, better read on...

Q: Would you let a terrorist walk in off the street and call their buddies in Iran or Afganistan using your phone?

Q: Would you allow a pervert to use your Internet connection to download child pornography?

Q: If you are a hotel General Manager, would you knowingly allow a thief to steal the data from a guest's computer?

EVERY DAY, this and much more happens at Wi-Fi hotspots around the world, but nobody seems too concerned about it -- WHY?

Some recent examples:

1. A US Military wardriving team finds an access point installed on the base granting open, unencrypted, unrestricted access to the internal US Military unclassified network. The access point is accessible from a K-Mart parking lot outside the military base.

2. A six-page, full-color article in Russia's "Hacker Magazine" describes in complete, step-by-step detail how to attack hotspots of three Moscow Marriott Hotels operated by MoscomNET.

3. Recent prosecution of a man for posession of child pornography. His defense that "he had an open access point so it must have been someone else" failed, and he's now looking at doing some hard time playing drop-the-soap with the other inmates.

Open, insecure access points aren't the only threat, but they make a great entry point. Just drive around with NetStumbler and see how many access points still have the default D-Link or Linksys SSID and even the default username and password for administrative access and you can have a small sample of the scope of just one of the problems.

Even if the hotspot has reasonable measures to protect unauthorized users from accessing the Internet, few operators bother protecting legitimate users from intra-site attacks. Once the attacker can associate with an access point -- any access point -- they can begin port-scanning and attacking any users associated with the same access point, and most often, users associated with any access point in the entire hotspot -- all without needing any connectivity through the gateway.

Insecure, unpatched client computers are juicy targets for data thieves, or anyone wishing to implant key loggers, root kits or any other malware. Such computers are all too easily found with simple, freely downloadable scanning and analysis tools. On the Internet, stolen identities are bought and sold like so much coffee.

Interestingly enough, when interviewing one of the major European authentication providers in preparation for writing another article, when asked what his company was doing about security, his response was, "We don't worry much about it, the only hackers are in Russia..."

For operators with these attitudes, the wake-up call may be coming sooner than they think. Just go to Google Video and search for Wi-Fi, war driving or wireless hacking and you will find videos with step-by-step demonstrations on exactly how to do it and what tools to use.

Hotels represent a unique problem. Most hotel IT Managers are ill equipped to understand let alone respond to the dangers wireless networks present. If the hotel is relying on a third-party operator to run their hotspot, the hotel IT Manager won't have access or control of that network and couldn't apply additional security even if they wanted to.

This is the case in Moscow where the three Marriott hotels rely on third-party operator MoscomNET to operate their hotspots. What baffles me is why virtually nothing has been done to secure the network since August 2006, when the Hacker Magazine article was published? To this very day, from the hacker's perspective, nothing has changed and the same vulnerabilities are still wide open.

One major flaw in the Marriott/MoscomNET Wi-Fi system is that they are still using MAC-address-based authentication. Such systems are wonderful for 'ease-of-use' but a total disaster with regards to security. (MAC addresses are the simplest thing in the world to harvest and spoof.)

For example, at the Moscow Marriott Aurora hotel, I borrowed a Wi-Fi adapter for my notebook computer, plugged it in and had instant, free access to the WiFi network. How did that happen? Very simple, the guest who borrowed the adapter before me returned it while time still remained on his account. The MAC address from the adapter automatically authenticated me to the system -- no other credentials required.

And what if I did something evil, such as setting up a P2P server pirating music? As I had never puchased an account, the previous user of the account would receive the blame. As for attackers just capturing MAC addresses out of the air and spoofed them -- they are completely untracable and can do whatever they want with complete impunity.

Who can be held responsible and accountable? Hotel General Managers? Hotspot operators? IT Managers? Authentication and roaming partners? There is plenty of blame to go around, but nobody wants to take responsibility or action.

As another example, I recently offered to give a free hotspot security analysis, seminar and consultation to six of the five-star hotels in the city of St. Petersburg Russia. I contacted the General Managers directly, and got not a single reply to take me up on the offer. This tells me loud and clear that hotel GMs either don't understand that there is a problem or will not admit it. It seems the safety and security of the guest's computer or any other security matters are of no concern.

Is the problem a technical one? Not at all! Every commercial-grade access point is easily secured with WPA or WPA-2. (Forget about WEP.) Newer commercial access points allow simultaneous dual-mode operation -- where the user can choose to associate insecurely or securely. This simple measure could reduce the risk of wireless eavesdropping to near zero. Only clients whose computers were incapable of operating in the secure mode would remain vulnerable.

So why don't hotspot operators implement even minimal security precautions? I suspect it could be:

1. Many WiFi operators simply lack the knowledge, skills and experience to properly secure and monitor their networks.

Let's face it, setting up a couple of access points to share an Internet connection isn't rocket science -- but properly securing and managing even a small system does require knowledge, skills and experience well beyond the capability of the local 'computer guy'.

2. Wi-Fi hotspot operators who are more concerned about profit than security.

Secure systems ARE harder to manage and harder to use -- which is another reason commercial operators are less likely to implement even the most basic of security measures. Real security would mean implementing encryption all the way from the client to the Gateway, and secure authentication -- likely implemented through a Public Key Infrastructure and digital certificates.

Of course I realize that some client systems can not support certain security mechanisms, but at least give the client the option of borrowing supporting equipment and/or notifying them of the potential hazards they could be exposed to.

The next article in this series will focus on specific forms of attack on Wi-Fi networks in more detail. For a copy, simply send an email to the author (marty .at. milette.com) with your request and you will be sent the article the moment it becomes available.