How to Mitigate Wireless Spoofing?
One of the cool demos from the TechEd-IT security talk today was a WEP-based spoofing attack. The Truesec guys have a script that listens for client 802.11 beacon packets advertising familiar SSIDs. In response, the script immediately configures an access point to respond to that SSID and allows the client to bind.
The rogue network includes a DNS server as well. The point is that if a client surfs to a sensitive web site via their wireless NIC (most likely on a laptop), gets redirected to a spoofed site, and attempts to authenticate via a login form, then that password is compromised. Further, the attack can be launched from a safe distance via a high-gain antenna, placing the attacker at less risk.
The threats are all old news, but much of it was demonstrated via live demo and it went well. Much of the audience was in shock, which is shocking in itself, given that this is old news.
Anyway, someone asked if a PKI-based deployment (802.1X) with server and client certificate-based auth would mitigate the above threats. Answer: No. Although the presenter neglected to explain this, I understood the purpose of their attack to be Spoofing (and not Man in the Middle, for example). To my knowledge, there’s no way to prevent an XP laptop from affinitizing (great word) and connecting to a given SSID, as described above – even if it’s presently connected to a wired LAN – provided the antenna is enabled. And even if the attacker uses a bogus server-auth certificate on the spoofed site, the majority of users will ignore the error and happily type in the password if the site looks convincing.
What would mitigate this threat? Perhaps a machine policy preventing connection to a WLAN if the wired network is connected. Or a policy requiring user confirmation before connecting to any WEP-based network (and always giving priority to an 802.1X network). Not sure about this one.
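One way to check for the exposure behind the second policy idea, as an added example (not from the talk, Truesec, or this post): a Python audit over saved WLAN profiles, as exported by `netsh wlan export profile`, that flags networks the laptop will auto-join without a prompt and that an impostor AP can announce without knowing any secret. The profile XML below is constructed in that export's layout, and the severity rules are my own assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace of the WLAN profile XML that `netsh wlan export profile` writes.
NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}

def _profile(name, mode, auth, enc, onex):
    # Constructed sample profile in the netsh export layout (not a real export).
    return (
        '<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">'
        f"<name>{name}</name><SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>"
        f"<connectionType>ESS</connectionType><connectionMode>{mode}</connectionMode>"
        f"<MSM><security><authEncryption><authentication>{auth}</authentication>"
        f"<encryption>{enc}</encryption><useOneX>{onex}</useOneX>"
        "</authEncryption></security></MSM></WLANProfile>"
    )

SAMPLE_PROFILES = [
    _profile("CoffeeShop", "auto", "open", "none", "false"),  # open hotspot, auto-join
    _profile("HomeWEP", "auto", "open", "WEP", "false"),      # WEP, auto-join
    _profile("CorpNet", "auto", "WPA2", "AES", "true"),       # 802.1X, auto-join
    _profile("Airport", "manual", "open", "none", "false"),   # open, user-initiated
]

def audit_profile(xml_text):
    """Return (ssid, severity, reason) for one exported WLAN profile."""
    root = ET.fromstring(xml_text)
    def text(path):
        return (root.findtext(path, default="", namespaces=NS) or "").strip()
    ssid = text("p:SSIDConfig/p:SSID/p:name")
    auto = text("p:connectionMode").lower() == "auto"
    auth = text("p:MSM/p:security/p:authEncryption/p:authentication").lower()
    enc = text("p:MSM/p:security/p:authEncryption/p:encryption").lower()
    onex = text("p:MSM/p:security/p:authEncryption/p:useOneX").lower() == "true"
    # On an open or WEP network the client has no way to tell a familiar SSID from an
    # impostor announcing the same name; auto-connect removes the only user checkpoint.
    weak = auth == "open" or enc in ("none", "wep")
    if weak and auto:
        return ssid, "high", "auto-connects to an open/WEP SSID an impostor can announce"
    if weak:
        return ssid, "medium", "open/WEP profile, but the user must start the connection"
    if onex:
        return ssid, "low", "802.1X: spoof-resistant only if server cert validation is enforced"
    return ssid, "low", "pre-shared-key network; an impostor cannot complete the handshake"

def audit_all(profiles):
    """Audit a list of profile XML strings, worst findings first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted((audit_profile(p) for p in profiles), key=lambda r: rank[r[1]])

if __name__ == "__main__":
    for ssid, sev, why in audit_all(SAMPLE_PROFILES):
        print(f"{sev:6} {ssid:12} {why}")
```

Profiles rated high are the ones a connection-confirmation policy (or deleting the profile) would address; the 802.1X entry is only as good as the supplicant's certificate validation settings.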