Watch out for wireless technologies
This is a cross post of a blog article I wrote at xiphosresearch.com
Common risk assessment blind spots
Wireless technologies have become commonplace in the last few decades, everything with a battery seems to have an IP stack and an antenna. Ubiquitous connectivity allows us access to the whole of human knowledge with a simple Google search. If an organisation didn't provide the infrastructure to access the internet then they might be thought of as backwards and out of touch with modern business methods. There has been a lot written on the subject of WiFi security and many lessons have been learned since the good old days of WEP “encryption”, but there are still things organisations need to think about before deploying this kind of technology.
WPA2 is secure, right?
Yes, WPA2 is pretty secure and if someone is looking to have a play with your access points then seeing that in their favorite scanning tool will probably have them looking elsewhere. When I am tasked with assessing the security of a wireless installation then use of WPA2 is not in itself enough for me to give the thumbs up. You see, when WPA2 is used with a pre-shared key there is the possibility that whomever set it up did not create a complex enough key. It is a simple matter to observe the wireless network traffic until you see a device authenticating to the access point, once this happens and you observe the 4 way handshake you can feed this into a tool like aircrack-ng along with a word list. If the network admin picked a dictionary word, or a dictionary word with some “clever” character substitutions then you can usually recover the pre-shared key in a day or so. An attacker can boost their chances of obtaining the key by seeding the word list with words that are closely linked to the organisation they are attacking. They simply download the entire company website, pull out every unique word they find and add them to the usual word list.
As you can see from the above, it is imperative that the key you select be as random and as long as possible to help mitigate this kind of attack. The problem this gives you is the same as with any other password complexity requirement. The more secure it is, the more likely it is to be written down where someone who should not know it can find it. You also have the added headache of distributing the key to the legitimate users of the network.
What a lot of network administrators fail to think about is what happens when they key is compromised, for example if a wireless device is lost, stolen or breached by viruses or malware. Once your key is out of your control then you need to make sure that it is changed and a new key distributed to all of your users. In my experience this rarely happens, and it is usually a reason for abandoning the pre-shared key model and looking at enterprise level controls using 802.1x.
It’s just a guest network
A lot of organisations have secure 802.1x wireless infrastructures for their staff to use for corporate LAN access but decide that it would be nice for visitors to be able to get internet access without having to provision certificates for them and allowing them access to the corporate LAN. This is very convenient for guests, but as we shall see there are a number of issues that need to be addressed before you roll something like this out.
Firstly, wireless does not respect the walls of your building the way that your wired infrastructure does. A 2.4GHz WiFi network can usually be observed from the car park of an office building as well as other floors of a building that may not be under your organisations control. When you implement your infrastructure take care with antenna type and placement to minimise the amount you radiate to the outside world by using directional antennas and turning down the transmission power on your access points. If a network is radiating too much power in the wrong direction then it is trivial to get access to it using a laptop's built in network card, but someone who wanted to take advantage of your generous offer of free WiFi could do so from quite a considerable distance with something like an Alfa USB wireless card and a cheap directional antenna, which brings me onto my second point.
You are liable for what happens on your network
You may trust the people you work for and the guests you invite into your buildings, but if someone can access your network from outside of your organisations sphere of control then they have free internet access and you have no way to control them. If you implement guest WiFi access then make sure that you apply the same levels of content filtering and logging that you do on your wired network. If someone is intent on doing something illegal using your network then any investigation is going to end up on your doorstep. I don’t know a single company that would want to be in that position. Ultimately this needs to be taken on board as part of the standard risk assessment process, and the benefits of offering this service may not be worth the investment required to mitigate the threat of unauthorised or illegal use of the infrastructure.
It’s not just WiFi that radiates
The points that I have addressed above are the biggest blind spots that I have come across in my experience with corporate WiFi, but one that still catches a lot of organisations out is all of the other things they have that utilise radio. This kind of problem is one that the intelligence services have been aware of for quite some time, which is why you will never see a wireless keyboard and mouse in GCHQ. They have invested time and money into both protecting themselves and being able to intercept these kinds of signals from others. This kind of signals intelligence is known to the outside world under it’s codename ‘Tempest’ and has been actively researched since the mid 1980’s.
I would have a hard time justifying to a client that they should adopt ‘tempest’ levels of emission control as most of them simply are not under threat from actors who will use this level of sophistication, however I have seen wireless technology deployed within critical business functions where it simply was not needed.
An example of this would be in a service centre environment. The agents in the service centre were delivering first contact support to the entire organisation including authentication and access control services. They are desk bound, and in fact cannot do their job if they are away from their computer. These agents had recently had their phone system upgraded and had all been given very nice looking wireless headsets with which to take their calls. A brief look at these headsets revealed that the protocol they were using to communicate with their base stations was DECT, a standard that anyone with a wireless phone or baby monitor would be familiar with. DECT can employ encryption of the data stream, however since 2010 this has been rendered ineffective as the team at deDECTed.org managed to reverse engineer the closed source security algorithm in place so that the encryption key could be recovered.
I mention the encryption here to ensure you understand that even with encryption in place the content of these conversations cannot be considered to be private, however in the case of the contact centre I was investigating the data sheets for the device proudly stated that encryption was not actually implemented. The data sheets were also very proud of the range of the devices, boasting a 50m range within a building and up to 200m outdoors using only the low power headset and base station. This particular contact centre was well within 200m of a public space with direct line of sight to the call handling agents through the buildings windows. A small investment in a Com-On-Air PCMCIA card and possibly a cheap directional antenna and someone could very easily listen in on or record every phone call taking place, a treasure trove of information for someone who wishes to do your organisation harm.
In this case I strongly advised that they cease using this technology and outlined the risks above, but I can’t really blame them for implementing it in the first place. It’s my job to think evil things about every piece of technology I come across, but the vast majority of people who are involved in procurement and risk assessment don’t make the connection between ‘wireless’ and ‘security’ unless they see the WiFi logo somewhere on the box.
It’s all about risk
Technical security has been talked about a lot with regards to wireless networking and wireless technologies but as I have demonstrated here there are still a few blind spots that organisations need to address when investigating any technology that comes with a radio in it. Utilise your organisations security staff as part of the risk assessment process and ensure that they are given the resources to keep their knowledge up to date. If you are implementing anything using wireless technologies and do not have the skills in house to assess the security implications then invest in some external consultancy. This could save you a lot of time and money compared to fixing an insecure implementation. This is a problem that is not going to get any easier to deal with as radio connectivity becomes more a part of every device we use.