
Sunday, August 8, 2010

Wi-Fi Myth Busters Series – Episode 1

Figure 1

Myth # 1 : Wi-Fi stations are vulnerable to attacks just by leaving their Wi-Fi adapters enabled.

This is partially correct. Unknown Wi-Fi device drivers may be present, which can lead to such attacks. And if the end user is so dumb and careless, it is possible as well. (The common factor with any kind of attack: user unawareness.)

But to communicate with another machine, Data Link connectivity (Layer 2) must be operational. So it is impossible for an attacker to gain peer-to-peer access without establishing Layer 2 connectivity first.

Myth # 2 : Isolated stations are vulnerable to “Rogue Access Points” and already associated stations are secretly hijacked by “Rogue Access Points”.

Both cases are partially correct. Specifically, unassociated stations that are controlled by client-side Wi-Fi utilities and maintain a ‘Preferred Networks List’ are vulnerable. If the attacker sets up an AP (Access Point) with a non-encrypted SSID that is in the station’s ‘Preferred Networks List’, the station will connect to the attacker’s AP.

Asiri’s Experience : Rogue Access Points were a hot topic during my master’s final group project period. To add something to the above paragraph, an already associated station is vulnerable if the RAP’s (Rogue Access Point) signal strength is higher than the legitimate AP’s signal strength. Also, to attack successfully, the end station’s Wi-Fi adapter should be restarted and re-associated with its preferred network in the list, which leads it to connect with the RAP. This was tested by my team (Asiri, Roger, Sharan, Prashanth, and Prasad), and the viable solution we came up with can be seen on my ‘LinkedIn’ profile by its registered users.

Other solutions for hijacking attacks.

  • Removing all non-encrypted SSIDs from the preferred list would work, but it is not practical, as the client saves such poor configurations automatically whenever the user connects to one.
  • A simple but practical solution is to disable the wireless adapter when it is not in use.
  • The user’s wireless station can be disconnected automatically when it is connected to a wired network by using applications such as “NetOaats”. It can be configured to work the other way around as well (wired --> wireless).
  • Another state-of-the-art solution is to use wireless client isolation security protocols such as Cisco’s PSPF (Public Secure Packet Forwarding). It prevents stations from accessing one another directly when they are connected to the same AP. It is recommended to implement such protocols in free public Wi-Fi hot spots.

Figure 2

Myth # 3 : Stations get connected with ad-hoc (peer-to-peer) Wi-Fi networks with same SSID as an Access Point

This is also partially correct. Beacon frames from APs always indicate whether the network is AP-based (BSS) or ad-hoc (IBSS), so it is impossible to connect like that.

Asiri’s Experience : But my project team demonstrated that it is ‘possible’ to make a peer-to-peer-like association with another laptop which runs Ubuntu with the wireless card’s mode set to “Master mode”. So the laptop itself acted as a rogue “AP” which appeared as a real access point (BSS) in the victim’s visible wireless networks list. So it is possible as well. Our solution was smart enough to detect such vulnerabilities as well.
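The beacon check from Myth # 3 and the Preferred Networks List check from Myth # 2, as an added example that is not part of the original post or the team's solution. It reads the BSS/IBSS and Privacy bits from a beacon's Capability Information field (bit layout per IEEE 802.11, not stated in the post) and compares the result with a saved-network list; `parse_beacon`, `audit`, `make_beacon`, `PREFERRED` and the sample frames are hypothetical names and constructed data.

```python
import struct

CAP_ESS, CAP_IBSS, CAP_PRIVACY = 0x0001, 0x0002, 0x0010  # Capability Information bits

def parse_beacon(frame: bytes) -> dict:
    """Parse a raw 802.11 beacon (no radiotap header, no FCS)."""
    if len(frame) < 36:
        raise ValueError("truncated beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon (management type 0, subtype 8)")
    cap = struct.unpack_from("<H", frame, 34)[0]  # follows timestamp + interval
    ess, ibss = bool(cap & CAP_ESS), bool(cap & CAP_IBSS)
    mode = "BSS" if ess and not ibss else "IBSS" if ibss and not ess else "invalid"
    ssid, pos = None, 36
    while pos + 2 <= len(frame):  # walk tagged parameters (id, length, value)
        tag, length = frame[pos], frame[pos + 1]
        if pos + 2 + length > len(frame):
            break  # truncated element: stop rather than read past the end
        if tag == 0:  # SSID element
            ssid = frame[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            break
        pos += 2 + length
    return {"ssid": ssid, "bssid": frame[16:22].hex(":"), "mode": mode,
            "privacy": bool(cap & CAP_PRIVACY)}

def audit(beacon: dict, preferred: dict) -> list:
    """preferred maps SSID -> True if the saved profile expects encryption."""
    if beacon["ssid"] not in preferred:
        return []
    findings = []
    if beacon["mode"] != "BSS":
        findings.append("preferred SSID advertised by a non-AP (ad-hoc/invalid) network")
    if preferred[beacon["ssid"]] and not beacon["privacy"]:
        findings.append("secured profile's SSID advertised without encryption")
    if not preferred[beacon["ssid"]]:  # the Myth # 2 condition described in the post
        findings.append("saved profile is open: any AP using this SSID is auto-joined")
    return findings

def make_beacon(ssid: str, bssid: str, cap: int) -> bytes:
    """Build a constructed sample beacon for the demo below."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + mac + mac + b"\x00\x00"
    return hdr + struct.pack("<QHH", 0, 100, cap) + bytes([0, len(ssid)]) + ssid.encode()

PREFERRED = {"CorpNet": True, "CafeFree": False}  # constructed sample list
if __name__ == "__main__":
    for cap, name in [(0x0011, "CorpNet"), (0x0001, "CorpNet"), (0x0002, "CafeFree")]:
        b = parse_beacon(make_beacon(name, "02:00:00:00:00:01", cap))
        print(b["ssid"], b["mode"], b["privacy"], audit(b, PREFERRED))
```

The mode field only reports what the sender claims: a card in “Master mode”, as in the experiment above, sets the same BSS bit as a real AP, so that case surfaces here only through the encryption mismatch or the open-profile finding.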

Myth # 4 : Stations connect with any access point in vicinity if their Wi-Fi adapter is left enabled.

Some legacy client utilities had that flaw, but modern utilities are smart enough to connect to SSIDs that are configured with secure parameters in the preferred networks list.

Conclusion

Users are vulnerable if the following conditions are met:

Figure 3

References

Miller, B & Hill, G 2006, ‘Eleven Myths about 802.11 Wi-Fi Networks’, Expert Reference Series of White Papers, 18 August, pp. 2-4, Global Knowledge Training LLC., viewed 8 August 2010

‘Figure 1’ [image] in 2009, ‘The second day of the School on Low Cost Wireless’, school2009, viewed 8 Aug 2010, http://wireless.ictp.it/groups/school2009/wiki/8d8fe/Group_Two's_-_Day_Two.html

‘Figure 2’ [image] in Ironic1 2008, ‘Geek Prom - WiFi Ready?’, perfectduluthday, viewed 8 Aug 2010, http://archive.perfectduluthday.com/2008/03/

To be continued… Stay tuned with Asiri’s Blog
