Information Security Analytics Team
Wireless networks are a key part of corporate infrastructure for most modern businesses. Wi-Fi is convenient for employees, who can connect from anywhere in an office using a variety of devices, and for customers, who enjoy the convenience of high-speed Internet access. It is also a major cost-saver for companies: networks can be quickly and easily deployed without laying cable.
But administration flaws and insecure use of these networks pose a security threat. An intruder can hack a Wi-Fi network to intercept sensitive information, attack wireless network users, and gain access to a company's internal network. Attacks against wireless networks are diverse. Creating rogue access points, accessing internal resources from a guest wireless network, and exploiting vulnerabilities in authentication protocols are a mere sliver of the possibilities. Since these networks are so popular with businesses, such attacks can cause enormous damage to businesses and individual users.
This article provides an overview of the most common vulnerabilities detected during security testing of wireless networks carried out by Positive Technologies in 2016. Our clients represented many industries, but we found that regardless of industry, Wi-Fi security was low or extremely low across the board in our 2016 testing.
In addition to describing popular attack scenarios involving Wi-Fi networks, security recommendations are provided. The demonstrated scenarios are far from being the only possible ones, but they illustrate the main thrust of an attacker's activities. Note also that the scenarios are not mutually exclusive and may occur simultaneously on the same system: an open guest wireless network can be "supplemented" by a rogue access point, and passwords are often brute-forced on networks whose signal is accessible outside of restricted areas.
EXCESSIVE NETWORK COVERAGE
Attackers targeting corporate infrastructure require both skill and specialized tools. Their toolkits may include powerful Wi-Fi adapters supporting various frequency ranges, omnidirectional antennas, microcomputers to create a rogue access point, equipment to perform stealthy reconnaissance of wireless networks, and software of all kinds for active security analysis.
At the initial stage, the attacker's focus will go to information about the encryption algorithms and security/authentication mechanisms in use. This information is useful for subsequent attacks on corporate infrastructure. But these attempts are successful only if there has been a failure to contain the Wi-Fi signal within a restricted area.
Secure use of Wi-Fi networks requires that a network can be seen only by employees who are within the restricted area (such as the client's office). If there are no restrictions on the router's signal strength, access to wireless networks can be achieved from a neighboring building or public parking lot. During security testing, Positive Technologies experts regularly detect corporate wireless access points whose signal reaches far outside of client buildings.
Attackers can then conduct various attacks on the LAN from outside the restricted area, taking the opportunity to perform time-consuming attacks such as brute-forcing network passwords at a distance, without having to worry about being discovered. They can also use a rogue access point that pretends to be part of the network: since the attacker's router has a stronger signal, staff devices will switch to it (access point spoofing attacks are detailed in the following section).
To prevent such situations, restrict the availability of corporate wireless networks from outside the restricted area. We recommend adjusting the router settings to reduce the signal strength accordingly. If current routers do not support this ability, consider purchasing routers that do. Alternatively, adjust the placement of routers so that their signal does not go outside the restricted area.
ROGUE ACCESS POINT
Cell phones, tablets, and laptops automatically remember the names of the networks they connect to (in technical parlance, this is called the network's SSID). Users often enable the insecure option to automatically connect to known Wi-Fi networks. But the problem is that this option relies on the SSID. Any time the device is within the coverage area of another Wi-Fi network that has the same SSID, the device will attempt to connect.
Attackers can create a rogue access point with the same SSID so that employee devices near the rogue access point will automatically send requests for authentication. Use of the PEAPv0/EAP-MSCHAPv2 protocol, combined with non-existent or faulty validation of the access point certificate, allows attackers to obtain the Challenge–Response values used in authentication. Armed with this data, the attacker can brute-force the password hash for the legitimate network bearing the same SSID. Employees may not even suspect that they have been attacked.
Despite the seeming complexity and effort involved, such attacks occur regularly in the real world. In 75 percent of Wi-Fi security tests, Positive Technologies was able to intercept authentication data using similar attacks.
One way to leverage this technique is to perform a "watering hole" attack targeting places where staff of the target company are likely to congregate. This could be the entrance of a business center, restaurant, or the nearest bus stop: an employee's device will try to connect to an attacker's network as soon as it sees a familiar SSID. This is both simple and effective, since an attacker can obtain authentication data with little effort from a large number of devices without ever setting foot in the client's building.
After intercepting the Challenge–Response pair, an attacker can use a supercomputer to brute-force 2^56 keys based on the DES and SHA1 algorithms, and get a hash of the password (which is enough for logging in to the wireless network). This brute-force method has a 100-percent chance of success. In addition, attackers can use third-party decryption services (costing about $200 online) or else conduct a direct brute-force attack themselves using the power of modern graphics cards, although success cannot be guaranteed.
If the wireless network is connected to the LAN and a domain account is used for access, then a successful brute-force attack means that an attack on the internal network is possible and attackers can get access to critical resources such as email accounts.
What can security-conscious companies do? Use secure authentication methods, such as EAP-TLS, featuring a client certificate and mandatory validation of the server certificate. The EAP-TLS protocol requires installation of a client certificate on each wireless device. In case of an access point spoofing attack, certificate validation will fail and attackers will not receive any authentication data.
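The difference between the insecure and secure client configurations described above can be checked mechanically. The following audit script is an added example, not Positive Technologies' tooling and not code from the original report. It parses the `network={ ... }` blocks of a wpa_supplicant configuration (the sample configuration is constructed; the SSID, identity, password and file paths are placeholders) and flags PEAP/TTLS profiles that never validate the server certificate, profiles that validate the CA but do not pin the server name, and EAP-TLS profiles that carry a client certificate with full validation.

```python
"""Audit wpa_supplicant network profiles for missing server-certificate validation.

Hypothetical audit script (added example). It reads the network={...} blocks of
a wpa_supplicant.conf and classifies each 802.1X profile:
  - PEAP/TTLS without ca_cert: the server certificate is never validated, so a
    rogue AP with the same SSID receives the MSCHAPv2 challenge/response.
  - ca_cert present but no server-name pinning: any certificate issued by that
    CA is accepted.
  - EAP-TLS with ca_cert, client_cert, private_key and pinning: the target state.
"""
import re

# Constructed sample: three profiles for the same corporate SSID.
SAMPLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@corp.example"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    client_cert="/etc/wpa/jdoe.crt"
    private_key="/etc/wpa/jdoe.key"
    domain_suffix_match="radius.corp.example"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# key=value or key="value", one per line
KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)
# wpa_supplicant keys that bind the server certificate to an expected identity
PINNING_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(conf: str) -> list:
    """Return one dict of key/value pairs per network={...} block."""
    return [{k: v for k, _q, v in KV_RE.findall(body)} for body in BLOCK_RE.findall(conf)]


def audit_network(net: dict) -> tuple:
    """Classify one profile as (severity, finding)."""
    eap = net.get("eap", "").upper()
    if net.get("key_mgmt", "").upper() not in ("WPA-EAP", "WPA-EAP-SHA256"):
        return ("info", "not an 802.1X profile")
    if eap in ("PEAP", "TTLS"):
        if "ca_cert" not in net:
            return ("high", f"{eap} without ca_cert: server certificate is not validated; "
                            "a rogue AP using this SSID can collect the credential exchange")
        if not any(k in net for k in PINNING_KEYS):
            return ("medium", f"{eap} validates the CA but does not pin the server name")
        return ("low", f"{eap} with CA validation and server-name pinning")
    if eap == "TLS":
        missing = [k for k in ("ca_cert", "client_cert", "private_key") if k not in net]
        if missing:
            return ("high", "EAP-TLS profile missing " + ", ".join(missing))
        if not any(k in net for k in PINNING_KEYS):
            return ("medium", "EAP-TLS without server-name pinning")
        return ("ok", "EAP-TLS with client certificate and full server validation")
    return ("medium", f"unreviewed EAP method {eap or '(none)'}")


def audit(conf: str) -> list:
    """Audit every profile; returns [(ssid, severity, finding), ...]."""
    return [(n.get("ssid"), *audit_network(n)) for n in parse_networks(conf)]


if __name__ == "__main__":
    for ssid, severity, finding in audit(SAMPLE_CONF):
        print(f"{severity:6s} {ssid}: {finding}")
```

Run against a fleet's supplicant profiles (or the equivalent settings exported from an MDM), the "high" findings are the devices that would hand their authentication exchange to an access point merely advertising the right SSID.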
FROM A GUEST NETWORK TO CORPORATE
At most companies, guest Wi-Fi access is simple to obtain. Customer convenience is often priority #1, but this convenience may come at the expense of security. As security analysis shows, access to other network segments, including LAN resources, can often be obtained after connecting to a guest network. Our testers have succeeded in accessing Windows log-in prompts, printer administration consoles, and router settings from the guest wireless network at target companies, as seen above (Figure 4).
What's more, company employees themselves may regularly use the guest network. But guest networks are not always encrypted. So, if the access point does not isolate users from each other, an attacker who has access to an unencrypted guest network can attack company employees, listen in to their traffic, and intercept sensitive information, including access credentials. Attackers can combine this flaw with use of a rogue access point as described previously.
To improve the security of the guest network, we recommend configuring the access point to isolate users from each other, using strong encryption (WPA2), and prohibiting use of guest networks by company employees.
UNAUTHORIZED ACCESS POINTS
The human factor is important when securing any infrastructure, including Wi-Fi networks. Many employees access the Internet for personal purposes (social networks, email, and chat). But some companies restrict access or even have a total ban on Internet use. So, what are employees to do? Often they go online using their smartphones or, for greater convenience, use tethering to create their own mobile hotspot, connect their workstation to it, and access the Internet via this unauthorized connection.
Wi-Fi security testing revealed an average of three unauthorized access points per site in 2016. At one company, we found seven unauthorized access points running simultaneously.
If successful, attacks on such Wi-Fi networks can provide access to LAN resources and enable attacks on users of these hotspots. During one test, our experts detected a wireless network that did not belong to the client company.
Our experts then captured a handshake between the client and hotspot, which allowed them to conduct local brute-force attacks to obtain the hotspot password. Dictionary attacks and information about the network environment helped us to find out that the external IP address of the device belonged to the network of a mobile operator. As a result, we made a successful attempt to log in to the account page of the employee on the mobile operator's website without entering a password. It turned out that this was a corporate account. With our access to the account page, we could have set up call forwarding, sent text messages, and read incoming text messages.
To stay safe, we recommend regularly sweeping for and disconnecting unauthorized access points within the restricted area. Employees must be familiar with security rules and procedures. An awareness program covering all employees should concentrate on the practical aspects of information security. Training should be periodic, with follow-up to ensure the program's effectiveness.
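The sweeps recommended here, the evil-twin scenario in the "Rogue access point" section, and the signal-leakage problem in "Excessive network coverage" can all be driven from the same scan data. The script below is an added example, not Positive Technologies' tooling and not part of the original report. It takes observations from a periodic walk-around (constructed inline here, with made-up BSSIDs, SSIDs and survey points) and compares them with an inventory of authorized access points; the RSSI thresholds are assumptions to be calibrated per site.

```python
"""Classify Wi-Fi sweep observations against an inventory of authorized APs.

Hypothetical detection logic (added example). Three checks map to findings
in the report:
  - evil_twin: a corporate SSID advertised by a BSSID not in the inventory
  - unauthorised_ap: an unknown BSSID heard strongly inside the restricted
    area (for example an employee's tethering hotspot)
  - signal_leakage: an authorized AP still usable at an outdoor survey point
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    rssi_dbm: int
    channel: int
    point: str      # survey point label
    outdoor: bool   # True when the point is outside the restricted area


# Constructed inventory: the only BSSIDs allowed to serve corporate SSIDs.
AUTHORISED = {
    "aa:bb:cc:00:00:01": "CorpWiFi",
    "aa:bb:cc:00:00:02": "CorpWiFi",
    "aa:bb:cc:00:00:03": "CorpGuest",
}
CORP_SSIDS = set(AUTHORISED.values())

# Assumed thresholds: signal at which a client can realistically associate,
# and signal above which an unknown AP is physically on site, not a neighbour.
USABLE_RSSI = -75
ONSITE_RSSI = -60

# Constructed sweep data for one walk-around.
SWEEP = [
    Observation("aa:bb:cc:00:00:01", "CorpWiFi", -48, 6, "floor2-east", False),
    Observation("de:ad:be:ef:00:01", "CorpWiFi", -55, 11, "lobby", False),           # evil twin
    Observation("f0:0d:00:00:00:01", "AndroidAP_7c1", -42, 1, "floor3-west", False),  # tethering
    Observation("12:34:56:00:00:99", "NeighbourNet", -82, 6, "floor1-north", False),  # neighbour
    Observation("aa:bb:cc:00:00:02", "CorpWiFi", -66, 1, "parking-lot", True),        # leakage
    Observation("aa:bb:cc:00:00:03", "CorpGuest", -88, 11, "parking-lot", True),      # too weak
]


def classify(obs: Observation) -> str:
    """Return the verdict for one observation."""
    authorised_ssid = AUTHORISED.get(obs.bssid.lower())
    # Corporate SSID from a BSSID that is not (or not for that SSID) in the inventory
    if obs.ssid in CORP_SSIDS and authorised_ssid != obs.ssid:
        return "evil_twin"
    if authorised_ssid:
        if obs.outdoor and obs.rssi_dbm >= USABLE_RSSI:
            return "signal_leakage"
        return "ok"
    if not obs.outdoor and obs.rssi_dbm >= ONSITE_RSSI:
        return "unauthorised_ap"
    return "ok"  # weak third-party network: nothing to act on


def sweep_report(observations) -> dict:
    """Group non-OK observations by verdict: {verdict: [(bssid, ssid, point, rssi)]}."""
    findings = {}
    for o in observations:
        verdict = classify(o)
        if verdict != "ok":
            findings.setdefault(verdict, []).append((o.bssid, o.ssid, o.point, o.rssi_dbm))
    return findings


if __name__ == "__main__":
    for verdict, items in sweep_report(SWEEP).items():
        print(verdict)
        for bssid, ssid, point, rssi in items:
            print(f"  {bssid}  {ssid:15s} at {point} ({rssi} dBm)")
```

The inventory match is by BSSID, which a rogue device can also copy; in practice the check is paired with channel, vendor OUI and capability fingerprints, and a wireless IDS (or periodic wardrive of the perimeter) feeds the observations automatically rather than by hand.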
Dictionary passwords are disturbingly common on almost all infrastructures (see our report with vulnerability statistics for corporate information systems [1]). Wi-Fi networks are no exception. Passwords are often short and/or simple, making them quick for attackers to brute-force. As mentioned previously, attackers can intercept a handshake for an access point in order to conduct a brute-force attack locally (on the attacker's own computer, without requiring a network connection) to find the password. Passwords consisting of dictionary words or simple combinations can be brute-forced in mere seconds.
At some companies, the Wi-Fi password is based on the company's name or similar information. This makes it child's play for attackers to discover the password. They can conduct a personalized brute-force attack using special software (for example, CeWL and RSMangler). The dictionary of possible passwords tried by the attacker will be specially created for the targeted company. During one test, our experts accessed LAN resources by first brute forcing a password similar in spelling to the name of the client company.
The recommendation here is unsurprising but important: enforce a strict password policy requiring the use of hard-to-guess passwords.
WPS (Wi-Fi Protected Setup) is another case when convenience comes at the cost of security. WPS is enabled by default on most routers and is designed to simplify setup of Wi-Fi networks, by automatically setting the network name and type of encryption. No configuration is necessary: a PIN code is all that is needed to connect. This sequence of numbers is often written on the outside of the router itself, visible to anyone able to approach the device for a few seconds. Even worse, these PINs are weak. An attacker can easily brute-force the PIN and connect to the network. There is even special free software targeting WPS, enabling an unskilled attacker to identify access points with WPS turned on and crack their PIN codes.
WPS has been widely criticized by security researchers, but our experts still frequently encounter WPS-enabled wireless access points in the wild. In some cases, this has allowed them to gain access to LAN resources.
Protection against this type of attack is simple: disable WPS in the settings of all access points.
In some cases, a wireless network may use a list of authorized MAC addresses (whitelist) to authenticate devices. This approach is insecure because MAC addresses can be easily faked by intruders conducting man-in-the-middle (MITM) attacks.
Our testers discovered a wireless network for which access is implemented through an HTTPS website. After successful authentication, the MAC address of the connected device is used to identify packets on the network. Future connection attempts are authenticated based on the user's MAC address.
To demonstrate the threat, our experts installed a rogue access point and their own equipment, which forwarded user requests to the legitimate access point. An employee's tablet connected to the rogue access point, and the employee entered credentials in a fake authentication form. From that point onward, all of the user's network traffic was transmitted to the access point by way of our equipment, which allowed listening in and adding the MAC address of our "malicious" workstation to the whitelist. And with Wi-Fi access, our testers could access other, even more sensitive segments of the network.
To prevent such situations, use secure authentication methods (see the "Rogue access point" section).
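The three access-point settings the report has recommended so far (WPA2 with client isolation for guest networks, WPS disabled, and MAC lists not relied on as authentication) can be verified from the AP configuration itself. The audit below is an added example, not Positive Technologies' tooling and not part of the original report. It targets hostapd's key=value format; both configurations are constructed, the interface and SSID are placeholders, and the passphrase is deliberately a placeholder string.

```python
"""Audit a hostapd access-point configuration for the weaknesses in the report.

Hypothetical audit (added example). Checks:
  - wpa=0 (open) or WPA1-only: guest traffic is unencrypted or weakly protected
  - ap_isolate != 1: clients on the same AP can reach each other
  - wps_state != 0: WPS PIN enrolment is enabled
  - macaddr_acl=1 with no WPA/802.1X: a spoofable MAC allow list is the only gate
"""

# Constructed weak configuration.
SAMPLE_WEAK = """
interface=wlan0
ssid=CorpGuest
hw_mode=g
channel=6
# open network, no isolation, WPS left on, MAC list used as access control
wpa=0
ap_isolate=0
wps_state=2
macaddr_acl=1
accept_mac_file=/etc/hostapd/guest.accept
"""

# Constructed hardened configuration for the same network.
SAMPLE_HARDENED = """
interface=wlan0
ssid=CorpGuest
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER-LONG-RANDOM-PASSPHRASE
ap_isolate=1
wps_state=0
"""


def parse_hostapd(text: str) -> dict:
    """Parse key=value lines, ignoring blank lines and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def audit_hostapd(cfg: dict) -> list:
    """Return a list of findings; empty means the settings match the recommendations."""
    findings = []
    wpa = int(cfg.get("wpa", "0"))          # bit 1 = WPA, bit 2 = WPA2/RSN
    dot1x = cfg.get("ieee8021x", "0") == "1"
    if wpa == 0:
        findings.append("wpa=0: open network, client traffic is unencrypted")
    elif not wpa & 2:
        findings.append("WPA1 only: set wpa=2 for WPA2")
    elif "TKIP" in cfg.get("rsn_pairwise", ""):
        findings.append("rsn_pairwise allows TKIP: use CCMP only")
    if cfg.get("ap_isolate", "0") != "1":
        findings.append("ap_isolate=0: clients can attack each other; set ap_isolate=1")
    if cfg.get("wps_state", "0") != "0":
        findings.append(f"wps_state={cfg['wps_state']}: WPS enabled; set wps_state=0")
    if cfg.get("macaddr_acl", "0") == "1" and wpa == 0 and not dot1x:
        findings.append("macaddr_acl=1 with no WPA or 802.1X: MAC list is not authentication")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_hostapd(parse_hostapd(text)) or "ok")
```

The same checks translate to controller-managed enterprise APs, where "client isolation", "WPS" and "MAC filtering" are toggles rather than config keys; what matters is that the guest SSID is encrypted, isolated, and not reachable into the LAN, and that a MAC list is treated as a convenience filter rather than an authentication method.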
As our experience shows, the majority of companies using Wi-Fi networks do not take sufficient security measures. All security tests carried out by Positive Technologies uncovered various security flaws, and even more concerning is the fact that in every test, we could use our foothold on wireless networks to conduct attacks on LAN resources.
In practice, a single flaw frequently leads to the compromise of the whole system. For example, one client used domain authentication for the company's wireless networks. One of these accounts was found on the company's official website as cleartext. At the same time, connections to Wi-Fi networks could be made from outside the restricted area. Therefore, any attacker able to perform a Google search could have obtained network access without entering the target's building.
So is it worth doing away with Wi-Fi networks entirely? Not necessarily. These problems remain manageable with the help of a comprehensive layered approach to security. Acceptable security can be ensured if administrators use secure configuration, segment wireless networks, implement secure authentication methods with certificate validation, restrict access of guest clients to the LAN, regularly test wireless network security, and identify and disconnect unauthorized access points. Of course, this approach also requires education of employees to improve security awareness and ensure ongoing vigilance.