Wifi Security

So my question is pretty simple. You have all these major companies such as google/earthlink/sprint/etc. building wifi networks. Let's say I want to collect people's information, so I set up an AP with the same ssid as google's ap so people connect to it and I log all of their traffic. Most people won't check beyond the ssid to look at the mac address, but even that could be spoofed. Is there any way to verify a certain ap beyond mac/ssid, or will there be in the future? How do these companies plan to mitigate this threat, or are they just going to hope consumers are smart enough to figure it out?

Ross Hosman

Network/Systems Administrator
E: rhosman@corp.hometel.com

P: 618-644-2111 x 238

C: 314-898-3381

Y!: rosshosman

Why would you even need to set up an AP? Why not just sit and sniff traffic? Gets you the _exact_ same information.

And why worry about Google, etc., when Starbucks and airports have been doing this for _years_?

Lastly, most consumers are smart enough to know to use encryption (the little pad-lock in their browser). Some aren't. Changing the WiFi architecture is not going to save those who aren't.

I have to disagree that most consumers are smart
enough to use encryption. Most consumers are dumb as a
brick when it comes to the internet and especially
security. Take a look at the average AOL user and
you'll see what I'm saying.

Starbucks and T-Mobile are a little bit different, as
these networks aren't concentrated. As companies
start covering entire cities I believe you could start
seeing this become a regular problem.

> So my question is pretty simple. You have all these major companies such as
> google/earthlink/sprint/etc. building wifi networks. Let's say I want to
> collect people's information, so I set up an AP with the same ssid as google's
> ap so people connect to it and I log all of their traffic. Most people
> won't check beyond the ssid to look at the mac address, but even that could
> be spoofed. Is there any way to verify a certain ap beyond mac/ssid, or will
> there be in the future? How do these companies plan to mitigate this threat,
> or are they just going to hope consumers are smart enough to figure it out?

> Why would you even need to set up an AP? Why not just sit and sniff traffic?
> Gets you the _exact_ same information.

man in the middle is easier if you are the gateway, no need to steal arp

> And why worry about Google, etc., when Starbucks and airports have been doing
> this for _years_?

yup

> Lastly, most consumers are smart enough to know to use encryption (the little
> pad-lock in their browser). Some aren't. Changing the WiFi architecture is
> not going to save those who aren't.

'most consumers' .. c'mon, less than one percent.. seriously.. ymmv tho, eg at
airports you stand a higher chance of sniffing a vpn connection but as has been
demonstrated many times, even us techies haven't got our heads around encryption
yet.

here's some fun, next time you're at nanog or your favourite geek conference,
just run 'tcpdump -w - -s1500 -nn|strings|grep -i password' and be prepared to
hit scroll lock :wink:

Steve

* steve@telecomplete.co.uk (Stephen J. Wilcox) [Mon 21 Nov 2005, 16:07 CET]:

>> Why would you even need to set up an AP? Why not just sit and sniff traffic? Gets you the _exact_ same information.

> man in the middle is easier if you are the gateway, no need to steal arp

It's *wireless*! You can just sit and sniff traffic, no need to play ARP games to redirect traffic to you.

> here's some fun, next time you're at nanog or your favourite geek conference, just run 'tcpdump -w - -s1500 -nn|strings|grep -i password' and be prepared to hit scroll lock :wink:

I've visited conferences where the wireless LAN was deemed "secure" by the organisation because they had outlawed sniffers.

  -- Niels.

That line of thinking is unfortunately not unique to outlawing sniffers ;-)..

yes, there are stupid people everywhere... Perhaps asking the question in
another way is in order:

"Given a large and widely available wireless network solution for
'consumers', how would you propose to raise the 'security' for users of
that network?"

Would you force WEP?
Would you force WPA/WPA-2?
Would you force ipsec?
Would you skip transport level encryption in favor of application level
security?
Would you do widespread and widescale education efforts for the users?

-chris

* steve@telecomplete.co.uk (Stephen J. Wilcox) [Mon 21 Nov 2005, 16:07 CET]:
>>Why would you even need to set up an AP? Why not just sit and sniff
>>traffic? Gets you the _exact_ same information.
>man in the middle is easier if you are the gateway, no need to steal arp

It's *wireless*! You can just sit and sniff traffic, no need to play
ARP games to redirect traffic to you.

i was more thinking in terms of breaking into encrypted sessions by spoofing the
server and client

>here's some fun, next time you're at nanog or your favourite geek conference,
>just run 'tcpdump -w - -s1500 -nn|strings|grep -i password' and be prepared
>to hit scroll lock :wink:

>I've visited conferences where the wireless LAN was deemed "secure" by the
>organisation because they had outlawed sniffers.

hehe :slight_smile:

Steve

--- "Christopher L. Morrow"

> yes, there are stupid people everywhere... Perhaps asking the question in
> another way is in order:
>
> "Given a large and widely available wireless network solution for
> 'consumers', how would you propose to raise the 'security' for users of
> that network?"
>
> Would you force WEP?
> Would you force WPA/WPA-2?
> Would you force ipsec?
> Would you skip transport level encryption in favor of application level
> security?
> Would you do widespread and widescale education efforts for the users?
>
> -chris

Google has come out with their secure access product
which helps but reminding someone's grandma to use
that product when she is using a wifi network is going
to be near impossible. For one she doesn't know what
wifi is, she just knows how to connect her computer to
the internet and click that email icon on her desktop.

Education will also be nearly impossible as many can
hardly grasp simple concepts.

With wireless encryption you could set up your "fake"
AP to use it between the user and the AP, then just
sniff the traffic on the end.

You’re making an assumption that all these services will work like any old AP or traditional WISP, perhaps one with open SSID, which may or may not be true.

As far as open SSID is concerned, as you probably already know, there’s nothing much other than VPN client from a machine you trust to some place you trust that is going to help you. Such is the nature of the beast.

As far as other abuse prevention voodoo and other operation and implementation specifics, I somehow doubt anyone will spill their guts here. One path to find a few of the answers is to discuss this very subject with the equipment vendors in this space, which shouldn’t infringe on any proprietary information of the operators.

This is still a very much evolving technology as well, so, expect fairly rapid developments to address needs as they emerge.

Best regards,
Christian

> So my question is pretty simple. You have all these major companies such
> as google/earthlink/sprint/etc. building wifi networks. Let's say I want
> to collect people's information, so I set up an AP with the same ssid as
> google's ap so people connect to it and I log all of their traffic. Most
> people won't check beyond the ssid to look at the mac address, but even
> that could be spoofed. Is there any way to verify a certain ap beyond
> mac/ssid, or will there be in the future? How do these companies plan to
> mitigate this threat, or are they just going to hope consumers are smart
> enough to figure it out?

What do you learn by looking at someone's ipsec, ssl-wrappered, or ssh tunneled traffic?

Clear-text data-streams have the same liability almost everywhere (in the public sphere), so if you want to move data that has any importance at all you protect the data end-to-end.

>>> So my question is pretty simple. You have all these major companies such as
>>> google/earthlink/sprint/etc. building wifi networks. Let's say I want to
>>> collect people's information, so I set up an AP with the same ssid as google's
>>> ap so people connect to it and I log all of their traffic. Most people
>>> won't check beyond the ssid to look at the mac address, but even that could
>>> be spoofed. Is there any way to verify a certain ap beyond mac/ssid, or will
>>> there be in the future? How do these companies plan to mitigate this threat,
>>> or are they just going to hope consumers are smart enough to figure it out?

>> Why would you even need to set up an AP? Why not just sit and sniff traffic?
>> Gets you the _exact_ same information.

> man in the middle is easier if you are the gateway, no need to steal arp

you don't have to steal arp on a wireless network, you just sniff the frames as they go by.

* joelja@darkwing.uoregon.edu (Joel Jaeggli) [Mon 21 Nov 2005, 18:52 CET]:

> As others pointed out (to me as well), for a _man in the middle_ attack
> (e.g. impersonating www.paypal.com) it is necessary to play ARP games or
> otherwise insert yourself in the flow of traffic.

not really. you just need to be there first with a bogus, redirecting,
dns response.

randy

Randy Bush wrote:

>> As others pointed out (to me as well), for a _man in the middle_ attack (e.g. impersonating www.paypal.com) it is necessary to play ARP games or otherwise insert yourself in the flow of traffic.

> not really. you just need to be there first with a bogus, redirecting,
> dns response.

I wish I had a nickel (ok, a dollar) for every bogus laptop I've seen in hotels and airports that was set up for "co_presidents_club", "starbucks", "t-mobile" AND "tmobile", "corporate", etc. I've often wondered if those users were really being malicious, plain stupid, or were carrying around a laptop "owned" by someone else. Either way, there are PLENTY of systems out there pretending to be something they aren't. I often try to connect to them and get some data, but most either won't give an IP, or if they do, they don't forward packets or respond with anything worthwhile. I run a pretty tight system, so perhaps those faux APs are trying to detect other configs (Client for MS/Netware, F/P Sharing, SNMP, WINS, IPX, etc).

-Jim P.

Randy Bush wrote:

>>> As others pointed out (to me as well), for a _man in the middle_ attack (e.g. impersonating www.paypal.com) it is necessary to play ARP games or otherwise insert yourself in the flow of traffic.

>> not really. you just need to be there first with a bogus, redirecting,
>> dns response.

> I wish I had a nickel (ok, a dollar) for every bogus laptop I've seen in hotels and airports that was set up for "co_presidents_club", "starbucks", "t-mobile" AND "tmobile", "corporate", etc. I've often wondered if those users were really being malicious, plain stupid, or were carrying around a laptop "owned" by someone else.

They were configured with a specific ssid at one point and are now beaconing in adhoc mode because they can't find that ssid. Crappy driver implementation is the root cause of that.

> Either way, there are PLENTY of systems out there pretending to be something they aren't. I often try to connect to them and get some data, but most either won't give an IP, or if they do, they don't forward packets or respond with anything worthwhile.

Dumb users in adhoc mode.

> I run a pretty tight system, so perhaps those faux APs are trying to detect other configs (Client for MS/Netware, F/P Sharing, SNMP, WINS, IPX, etc).

No they're just poor clueless users with bad software.

That's right. Remember all they need to do is sniff wireless traffic for
a dns request for "paypal.com" and then send a UDP packet back as an answer
(from a closer location - might even be on the wireless network) that has faked
its origin as if it came from the dns server the user asked and has some
other address for paypal.

The good news is that if SSL is used (the dns request is due to the user going
to https://www.paypal…) then it will not properly work because they can not
fake an SSL cert for paypal from verisign, so some kind of warning about the
cert being self-signed and not issued by a known provider would probably be
displayed, but many users will ignore such warnings.

But let's now imagine a different situation and instead of paypal, let's
imagine a user doing ssh to shell.mywork.com. Now let's imagine that the dns
request has been sniffed and instead of getting the real address for
shell.mywork.com, you get the wireless ip address of someone else nearby
that has a redirecting ssh server. That special ssh server would provide its
own cert pretending to be shell.mywork.com and would internally proxy to
another ssh session that is actually going to the real shell.mywork.com.
How do you like this scenario?

So just in case do remember that when you ssh from an insecure wireless
network node (even at a NANOG conference) that you do it to a server that
you already previously did ssh to (and so have its public key in
.ssh/known_hosts) and don't just assume that because it's ssh you're safe.

no, we're not trying to do that, you don't really think that because it's
encrypted it can't be decrypted do you?

for example, we want to intercept the encrypted data which we do by putting
ourselves in between the client and the server and pretending to be the server to
the client and the client to the server.. we relay security information and hope
the user clicks 'yes' when they are told the host key has changed

you don't have to break the code if the endpoints trust sessions with you and
share their encryption keys

Steve
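The relay Steve describes only works if the client accepts a host key it has never pinned, or one that differs from the pinned key. As an added example that is not from the thread, the Python below checks a presented SSH host key against a known_hosts file, handling both plain and hashed (HashKnownHosts) entries; the host names and keys are constructed, and the intended policy is that both 'changed' and 'unknown' mean abort, not click yes.

```python
import base64
import hashlib
import hmac

# Constructed sample keys (not real keys): the key pinned for the real
# server and a different key presented by a relaying host in the middle.
REAL_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedRealServerKey000000000000000000"
MITM_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedManInTheMiddleKey00000000000000"


def hashed_host_entry(host, salt):
    """Build the '|1|salt|hash' host field OpenSSH writes with
    HashKnownHosts yes: hash = HMAC-SHA1(key=salt, msg=hostname)."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


# Constructed known_hosts contents: one plain entry and one hashed entry.
KNOWN_HOSTS = "\n".join([
    "shell.mywork.com,198.51.100.7 ssh-ed25519 " + REAL_KEY,
    hashed_host_entry("hashed.mywork.com", b"\x01" * 20) + " ssh-ed25519 " + REAL_KEY,
])


def _host_matches(field, host):
    """True if a known_hosts host field (plain list or hashed) names host."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|")
        digest = hmac.new(base64.b64decode(salt_b64), host.encode(),
                          hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(digest_b64))
    return host in field.split(",")


def verify_host_key(host, key_type, presented_key, known_hosts=KNOWN_HOSTS):
    """'trusted' if the pinned key matches, 'changed' if the host is pinned
    but a different key was presented (the 'host key has changed' case),
    'unknown' if nothing is pinned for this host and key type."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        hosts_field, pinned_type, pinned_key = parts[0], parts[1], parts[2]
        if pinned_type != key_type or not _host_matches(hosts_field, host):
            continue
        return "trusted" if hmac.compare_digest(pinned_key, presented_key) else "changed"
    return "unknown"
```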

<snip>

>> What do you learn by looking at someone's ipsec, ssl-wrappered, or ssh
>> tunneled traffic?

> no, we're not trying to do that, you don't really think that because it's
> encrypted it can't be decrypted do you?

I do believe (reasonably so, I think) that if I'm going to have a conversation with a second party whom I already trust, that a third party will have trouble inserting themselves into the path of that conversation without revealing their presence..

<snip>

> you don't have to break the code if the endpoints trust sessions with you and
> share their encryption keys

Successfully inserting yourself in the middle requires some social-engineering or really bad protocol design. The former can be mitigated through vigilance, the latter falls into the realm of peer review and security research.

If I may paraphrase the original poster's question (Ross Hosman), it was:

Do large wireless buildouts present a new security threat due to the potential to spoof AP's?

The answer to that is no, this is a threat we live with currently. We have tools to mitigate the risks associated with it.

You can say that consumers are stupid, and won't figure this out, and that may be true; however, when it starts to cost them lots of money, they will sit up, take notice and buy tools to solve this problem for them, just like they do with any other security threat that goes beyond being an annoyance. Probably said product will be blue, say linksys on it, and have the word vpn (among others) buried on the packaging someplace.

<snip>
>
>> What do you learn by looking at someone's ipsec, ssl-wrappered, or ssh
>> tunneled traffic?
>
> no, we're not trying to do that, you don't really think that because it's
> encrypted it can't be decrypted do you?

> I do believe (reasonably so, I think) that if I'm going to have a conversation
> with a second party whom I already trust, that a third party will have trouble
> inserting themselves into the path of that conversation without revealing their
> presence..

this is assuming that you are talking to the second party and not in fact me
sitting in the middle grabbing credentials, possibly by this stage already
pretending to be that second party

it's also assuming you understand your certificates, keys and trust. I'd bet most
users will click yes when presented with a 'do you trust this new key' message.

> you don't have to break the code if the endpoints trust sessions with you and
> share their encryption keys

> Successfully inserting yourself in the middle requires some social-engineering
> or really bad protocol design. The former can be mitigated through vigilance,
> the latter falls into the realm of peer review and security research.

you forgot to include 'or user error'.. the protocol may be fantastic but if the
user fails to notice a security alert or does something stupid it can be
compromised.

depending on how good you are you may be able to thwart all but the determined
hacker, although to be fair most people are not going to be a target once they
employ basic security such as weak encryption. but if you are a target then it's
vital to be using strong trusted security and know your onions!

> If I may paraphrase the original poster's question (Ross Hosman), it was:
>
> Do large wireless buildouts present a new security threat due to the potential
> to spoof AP's?
>
> The answer to that is no, this is a threat we live with currently. We have
> tools to mitigate the risks associated with it.

mmmmmm.. i'd say yes. wifi is still pretty niche, it's in the offices, it's in
airports and starbucks.

once billy bob and his grandpa start using it tho you're bringing it to the
masses who aren't IT trained, who haven't had a security brief, who are running
windows that's not been patched for 2 years and who think 'billy' is reasonable
for their password

so the technology is the same, but the users are new

> You can say that consumers are stupid, and won't figure this out,

okay "consumers are stupid, and won't figure this out" :slight_smile:

> and that may be true; however, when it starts to cost them lots of money, they
> will sit up, take notice and buy tools to solve this problem for them, just
> like they do with any other security threat that goes beyond being an
> annoyance. Probably said product will be blue, say linksys on it, and have the
> word vpn (among others) buried on the packaging someplace.

i'm thinking beyond your corporate staff who are currently using these systems
(and quite badly if my casual network sniffing in environments with supposedly
clued individuals is anything to go by!)

my 2-cents :0)

Steve