InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity Feb 2010
Wireless Security
Be Aware of 5 Wi-Fi Security Threats

Wi-Fi technology has dramatically changed the way travelers and remote workers browse the Internet, check their email, and even work on their corporate networks while away from the office. But besides providing significant advantages, a Wi-Fi network is also vulnerable to security breaches, so the protection of your data lies in your hands. The author of this article discusses the top five Wi-Fi security threats that you should be aware of.

Consider for a minute that you are in charge of network security of your enterprise. You have deployed the best-of-breed firewall at the network perimeter and the latest anti-virus solutions on your end hosts. Do you think you can sleep peacefully at night? Well, unfortunately, you may not. Network firewalls and anti-virus solutions cannot protect you from the “inside” threats based on the all-pervading Wi-Fi technology. The following (refer to Figure 1) are the 5 Wi-Fi security threats that you should be ready to deal with.

Figure 1: 5 Wi-Fi Security Threats

Rogue Access Point (AP)

A Rogue AP is an AP that is deployed without the consent of the network administrator. It may be deployed with benign intent by an employee who seeks convenient network/Internet access: for example, somebody who prefers to work from a cozy couch in your office (rather than from his or her work desk). There is no guarantee that the employee has configured the Rogue AP with strong security settings. Alternately, a Rogue AP may be part of a larger malicious scheme of attacks, for example one carried out by a former employee who has ill feelings about your organization. In either case, a Rogue AP potentially provides a backdoor entry into your enterprise.

Several attacks can be launched via a Rogue AP. An attacker can use tools that are freely available on the Internet to collect important pieces of information about your network via a Rogue AP. This activity (called reconnaissance) can yield crucial information such as the devices present in your network, their IP addresses and, in some cases, even the user names, passwords and email addresses of users. With this information, the attacker can cause serious damage to your enterprise. He can potentially access the confidential enterprise data stored on your network. Or, he can launch attacks such as Address Resolution Protocol (ARP) poisoning, IP spoofing and Dynamic Host Configuration Protocol (DHCP) spoofing to disrupt the entire operation of your network. Alternately, he can (mis)use your Internet access for criminal purposes while you remain answerable to the legal authorities (Note: Insecure Wi-Fi networks at certain educational institutions have actually been (mis)used in India to send terror emails). One simple (yet effective) way to comprehend the risks associated with a Rogue AP is to visualize an enterprise Ethernet cable running into the bad, bad outside world (refer to Figure 2). I am sure you definitely do not want such an “Ethernet cable” in your enterprise!

Figure 2: Rogue AP = Extended Enterprise Ethernet Cable

Client Mis-association

If you have rolled out Wi-Fi in your enterprise, how comfortable are you in letting your Wi-Fi clients connect to (insecure) APs of your neighbors? Apart from sensitive corporate information flowing via your neighbor’s network, this can potentially be used as a channel by your employees to bypass enterprise security policies. Just by associating to a non-corporate AP, your users can bypass such policies very easily. This is just one case of the client mis-association threat. There can be other instances where attackers set up phony APs (called honey-pots or Evil Twins) to lure your Wi-Fi clients into connecting to them. Once your Wi-Fi client connects to an Evil Twin, an attacker can launch a Man In The Middle (MITM) attack to steal sensitive information such as user names and passwords. Several free tools such as Ettercap are available on the Internet to launch such MITM attacks. The extent of the damage that can be done from this point is anybody’s guess. Hence, Wi-Fi client-based threats such as these put the precious corporate data on your Wi-Fi clients at risk.

Adhoc Client Connection

Wi-Fi clients can communicate directly with each other via an adhoc mode (also known as Independent Basic Service Set (IBSS) mode). Unlike in the Basic Service Set (BSS) or infrastructure mode, adhoc clients do not require an AP to relay packets amongst them. Adhoc networks offer a lot of convenience in sharing information across Wi-Fi clients. Wi-Fi users are often very fond of using adhoc networks, typically to share audio/video content with their colleagues. In certain cases, enterprises are forced to enable adhoc mode to access network devices such as printers that operate only in adhoc mode. However, adhoc mode is inherently insecure. It usually does not support strong authentication or encryption. Hence, it can easily be used by attackers to connect to and compromise an enterprise client that is operating in adhoc mode. Your enterprise Wi-Fi clients should therefore be prevented from participating in an adhoc network.

Wireless Device Mis-configuration

Some security-savvy organizations spend a significant amount of time defining Wi-Fi security policies and implementing them on their wireless LAN infrastructure. For example, they may configure their APs to use strong cryptographic security mechanisms such as IEEE 802.11i or WPA2 (Wi-Fi Protected Access 2). However, as your Wi-Fi deployment grows in complexity, ensuring that all of your APs continue to be properly configured is challenging. It may happen that one of your IT team members inadvertently changes the security setting on an AP (thus leaving it mis-configured). A mis-configured AP can potentially expose a gaping security hole in your otherwise well-configured network. It enables an attacker to connect to your network (much the same way a Rogue AP can). Similarly, mis-configured Wi-Fi clients can be vulnerable to the Evil Twin or adhoc based attacks described earlier. Therefore, there is a need to continuously monitor the configuration of your Wi-Fi devices to ensure that they adhere to your corporate security policy.
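
One way a monitoring tool could apply such a policy to what a wireless sensor sees, labelling each observation as authorized, mis-configured, Rogue, a suspected Evil Twin or adhoc. This is an added example, not part of the original article; the SSIDs, BSSIDs, field names, policy values and the `on_wire` flag (whether the device was also seen on the enterprise wired LAN) are constructed assumptions.

```python
# Added example: classify sensor observations against a Wi-Fi security policy.
# Every SSID, BSSID, field name and policy value here is constructed.

POLICY = {
    "corporate_ssids": {"CorpNet"},
    "allowed_security": {"WPA2-Enterprise"},
    # BSSIDs of APs the administrator deployed (the AP inventory).
    "authorized_bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

def classify(obs, policy=POLICY):
    """Return a label for one observation dict from a sensor scan."""
    if obs["mode"] == "ibss":
        return "adhoc"                  # client-to-client network, no AP
    if obs["bssid"].lower() in policy["authorized_bssids"]:
        if obs["security"] not in policy["allowed_security"]:
            return "misconfigured"      # our AP, but weaker than policy
        return "authorized"
    if obs["on_wire"]:
        return "rogue"                  # unknown AP attached to our wired LAN
    if obs["ssid"] in policy["corporate_ssids"]:
        return "evil-twin-suspect"      # unknown AP advertising our SSID
    return "external"                   # e.g. a neighbour's AP

def audit(observations, policy=POLICY):
    """Return {label: [bssid, ...]} for everything that needs attention."""
    findings = {}
    for obs in observations:
        label = classify(obs, policy)
        if label not in ("authorized", "external"):
            findings.setdefault(label, []).append(obs["bssid"])
    return findings

FIELDS = ("bssid", "ssid", "security", "mode", "on_wire")
SCAN = [dict(zip(FIELDS, row)) for row in [      # constructed scan results
    ("00:11:22:33:44:01", "CorpNet", "WPA2-Enterprise", "bss", True),
    ("00:11:22:33:44:02", "CorpNet", "Open", "bss", True),
    ("aa:bb:cc:00:00:03", "linksys", "WPA2-Personal", "bss", True),
    ("aa:bb:cc:00:00:04", "CorpNet", "Open", "bss", False),
    ("aa:bb:cc:00:00:05", "CoffeeShop", "Open", "bss", False),
    ("aa:bb:cc:00:00:06", "share", "Open", "ibss", False),
]]

if __name__ == "__main__":
    for label, bssids in audit(SCAN).items():
        print(label, bssids)
```
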

Denial of Service (DoS) Attacks

Ever since the inception of the Internet, network protocols have had their share of Denial of Service (DoS) attacks. Wi-Fi is no exception: it is susceptible to several DoS attacks. Wi-Fi operates in an unlicensed band and is radio in nature. Due to these facts, Wi-Fi networks are soft targets for DoS attacks. Adding salt to the wound is the fact that the IEEE 802.11 Medium Access Control (MAC) protocol introduces its own set of DoS vulnerabilities. Please note that the designers of the MAC protocol wanted to keep the protocol simple.

In hindsight, this could be one of the reasons for the existence of such DoS related loopholes. In any case, please realize that disrupting mission critical applications running on your wireless network is easy. On the one hand, there are spectrum jamming attacks that completely block all communication. Such attacks usually require specialized hardware and are relatively easy to notice (all communication in the spectrum breaks down). On the other hand, 802.11 MAC based attacks are more targeted: they can bring down specific APs or clients. Several tools are available for free on the Internet to launch such MAC DoS attacks (e.g., AirJack). They do not require any special hardware and hence are relatively easier to launch. The de-authentication flood attack is an example of a MAC DoS attack. It relies on the fact that the connection between an AP and a client can be broken by “spoofing” a certain “de-authentication” packet. Other examples of MAC DoS attacks include virtual jamming and association flood attacks. The good news is that the IEEE is also doing its part in mitigating MAC DoS attacks: the recent 802.11w standard addresses this problem partially.
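
A monitoring sensor can spot a de-authentication flood by counting de-authentication frames per AP/client pair over a short sliding window. The following detector is an added example, not part of the original article; the frame tuple layout, window length, threshold and sample capture are constructed assumptions.

```python
# Added example: flag de-authentication floods in a stream of observed frames.
from collections import defaultdict, deque

WINDOW_S = 1.0    # sliding window length in seconds (assumed value)
THRESHOLD = 10    # deauth frames per window treated as a flood (assumed value)

def detect_deauth_floods(frames, window=WINDOW_S, threshold=THRESHOLD):
    """frames: time-ordered iterable of (timestamp, subtype, bssid, client).
    Returns [(bssid, client, first_alert_time)], one entry per flooded pair."""
    recent = defaultdict(deque)   # (bssid, client) -> timestamps in the window
    alerts = {}
    for ts, subtype, bssid, client in frames:
        if subtype != "deauth":
            continue
        q = recent[(bssid, client)]
        q.append(ts)
        while ts - q[0] > window:         # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold and (bssid, client) not in alerts:
            alerts[(bssid, client)] = ts  # remember only the first alert
    return [(b, c, t) for (b, c), t in alerts.items()]

AP = "00:11:22:33:44:01"        # constructed addresses
VICTIM = "aa:bb:cc:00:00:10"
OTHER = "aa:bb:cc:00:00:11"

def sample_frames():
    """Constructed capture: one ordinary disconnect, then a burst of 30 deauths."""
    frames = [(0.5, "deauth", AP, OTHER)]     # a single, normal deauth
    frames += [(2.0 + i * 0.02, "deauth", AP, VICTIM) for i in range(30)]
    frames += [(3.0, "data", AP, OTHER)]
    return sorted(frames)

if __name__ == "__main__":
    for bssid, client, ts in detect_deauth_floods(sample_frames()):
        print(f"deauth flood: AP {bssid} -> client {client} at t={ts:.2f}s")
```

The single disconnect at 0.5 s stays below the threshold, so only the burst raises an alert.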

Now that you are aware of the above threats, a natural question is how to defend against them. The very first thing is to define wireless security policies for your enterprise. Once the policies are defined, look for tools to implement your policies. A common tool that is available in the market today to enforce wireless security policies is the Wireless Intrusion Detection Prevention System (WIPS). A WIPS can help you detect and automatically protect against Wi-Fi specific threats.

—By: Gopinath K N (Gopi). He is currently acting as Director, Engineering, at AirTight Networks (http://www.airtightnetworks.com ). He holds multiple patents and has written several technical papers. He is a frequent contributor to some of the highly popular wireless/security blogs and can be reached at gopinath.kn@airtightnetworks.com.

