Wireless

WPA-TKIP Now Vulnerable to Attack

In my How to Secure Your Computer series of articles, I issued Maxim #13, “WiFi Security–The Only Way is WPA“. However, TKIP–which is one of the protocols used under the WPA certification standard–is now vulnerable to attack, so I feel it prudent to modify my stance a bit and shed a little light on the subject. Certain media reports would have you believe that WPA has been cracked; this isn’t the case. (See “WPA Not Cracked, But Still Vulnerable.”) Steve Gibson’s latest episode (#170) of Security Now! explains in great detail the TKIP hack and why it’s much to worry about–at least, not yet.

Under the WPA/WPA2 standards, a wireless access point or router can use either TKIP (Temporal Key Integrity Protocol) or AES-CCMP (Advanced Encryption Standard, Counter Mode/CBC MAC Protocol). TKIP is an enhancement of WEP that utilizes the RC4 stream cipher with 128-bit keys for encryption and 64-bit keys for authentication; CCMP provides much stronger protection because it uses AES (Rinjdael) encryption.

Two German researchers, Martin Beck and Erik Tews, recently found a way to crack TKIP. They use what is called a chopchop attack, which attempts to decrypt packets byte by byte. You can read all about it in their white paper, “Practical attacks against WEP and WPA” so I won’t go into the details here.

While there doesn’t appear to be much an attacker can do at this point, the attack is a harbinger of things to come and now would be a good time to log into your wireless router and see what’s up. I discovered that mine doesn’t support AES-CCMP, only TKIP, so I need to upgrade the firmware. I recommend that everyone do one of the following: 1. Switch your current WPA configuration to AES-CCMP if it’s supported; 2. Upgrade the firmware in your router so it supports WPA2 with AES-CCMP;  3. If neither of those is possible, or, heaven forbid, your router only supports WEP, replace it with one that’s WPA2 compliant and use AES-CCMP.

This Router Configuration Option Can Be Dangerous

In my February 20th post, “Omit This Setup Step and Your Router Can Be Easily Compromised,” I stressed the importance of changing the default router password. I forgot to mention in that article another configuration option that can be dangerous, even if you’ve changed the default password: Remote management. While I’ve never seen this feature enabled by default, it’s better to err on the side of paranoia and make certain it isn’t enabled on your router.

Obviously, this would be a serious problem if you haven’t changed the default password; it’s less of a concern if you have, but passwords can be cracked and if someone decides to target you, it’s not a good idea to have your router’s login visible to them. If you absolutely must have remote management available to you (why?), then it’s imperative that when you change the default login password, you use an unguessable and virtually uncrackable one.

WiFi Security–The Only Way is WPA

Please note: since this article was posted, WPA-TKIP has been found to be vulnerable. See my post of 2008.11.13 entitled “WPA-TKIP Vulnerable to Attack” for more information.

It’s far too easy to set up WiFi for your home or business; all you have to do is go to your local electronics superstore and pick up a wireless router, plug it in to your network, and connect to it. The default configuration of most consumer products–completely open with no security enabled–will allow you to connect without having to enter any configuration information into your wireless PC. That’s why in any given neighborhood you’ll see multiple unsecured wireless network connections available. Most public WiFi hotstpots are also unsecured, open connections. If you just surf the web and send an occasional email, you might be OK (besides the fact that anyone in range can connect to and use your Internet connection), but the moment you start using your PC for banking, making purchases, and paying bills online, that wireless connection absolutely must be secured. It must be done right, and there’s really only one right way to do it. Before I explain that, let me tell you what not to do:

1. Don’t rely on SSID hiding. I’ve seen numerous articles that tout SSID hiding as a security measure (and one CISSP, no less, is recommending it!) While this technique may serve to hide your network from casual view, there’s nothing secure about it: the SSID is transmitted in clear text in every packet and is easily sniffed by wireless packet sniffers. For example, Network Stumbler will identify the SSIDs of any network within range, regardless of whether or not the wireless access points are broadcasting.

2. WEP is broken. Using 40,000 to 100,000 packets, which can be captured in about a minute, you can crack a WEP key in about three seconds on a Pentium M 1.7 GHz PC. Don’t believe me? Check it out: This list even provides video tutorials on how to do it. Sure, it provides a small measure of security and it’s better than nothing, but why use something that’s already been proven inferior? Would you feel more secure knowing the garage where your store that vintage Corvette is protected by a Master lock or one you bought at an everything-for-a-dollar store? Your personal information is much more valuable than that car.

3. Don’t bother with MAC address filtering . I don’t know why so many people are recommending this. MAC address filtering is equivalent to SSID hiding–it’s virtually useless, except to keep a casual user from inadvertently connecting to your wireless network. Like the SSID, MAC addresses are sent in clear text within the network packets and can easily be discovered and spoofed by anyone sniffing your network.

So, what’s the right way? WiFi Protected Access, known by its acronym, WPA. There are two versions: WPA-Personal and WPA-Enterprise. WPA-Personal relies on a pre-shared key (PSK), while WPA-Enterprise requires a special authentication server and is therefore more suited to corporate environments. WPA implements 128-bit encryption and as long as you create a strong, unguessable passphrase, it’s completely secure. Configuring WPA-PSK on a given wireless router depends on the brand, but you can find a general tutorial at this site.

And that, my dear reader, is Maxim #13 in the How to Secure Your Computer series of articles:

When it comes to securing a WiFi network, the only way is WPA.

Wireless Headset Security Nightmare

Being a Ham Radio operator, I’ve always understood the risk inherent in using radio signals to transmit sensitive information: anyone with the right equipment can receive and record anything transmitted over the air. These days, I’m noticing a lot of people in various offices walking around with these cute wireless headsets hooked up to their office phones.

Ever wondered what kind of security risk these things might pose to your company? Yeah, me too. So, did the folks at Secure Network Technologies as evidenced by their article “Hacking Wireless Headsets” that appeared Jan. 22, 2008 at DarkReading.com, a site that provides in-depth security news and analysis. Here’s an excerpt:

To perform the work, we purchased a commercially available radio scanner. These devices are available at any local electronics retailer at prices ranging from $80 to several thousand dollars. We chose a scanner capable of monitoring frequencies from 900-928 Mhz and the 1.2 Ghz ranges, which is where many of the popular hands-free headsets operate.

We took a position across the street from the facility and started up the scanner. Within seconds of turning on the device we were able to listen to conversations that appeared to be coming from our client’s employees. Several of these conversations discussed the business in detail, as well as very sensitive topics. After some careful listening, we determined that the conversations were indeed coming from our customer.

See the nightmare coming? With the right information you can then use social engineering techniques to get your tentacles very deep into the company. And that’s exactly what they did:

Our plan was to assume an identity of an employee who had never been to the office we were testing. Using that identity, we would enter the building, commandeer a place to sit and work, then see how long we could stay inside the building. After zeroing in on a particular employee, we gathered as much intelligence on him as we could. To prepare for the entry into the facility, we printed a business card with our assumed identity. I put on my best suit, and then went to work.

In all, they spent three days “working” in the company, gaining access to all sorts of information, technology, and resources. Not only that, but they also discovered that the headsets acted as bugging devices; even when disconnected, the headsets continued to transmit. The impersonators were able to listen in on conversations carried on by the wearers.

Be afraid. Be very afraid Seriously, read the article and if your office uses these things, do your own tests to find out where you’re leaking. Then, plug the leaks.