{"id":4630,"date":"2010-03-08T00:00:00","date_gmt":"2010-03-08T00:00:00","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/2010\/03\/08\/top-ten-wi-fi-security-threats\/"},"modified":"2023-03-29T20:12:16","modified_gmt":"2023-03-29T20:12:16","slug":"wi-fi-security-threats","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/trends\/wi-fi-security-threats\/","title":{"rendered":"Top Ten Wi-Fi Security Threats"},"content":{"rendered":"
\n

Gone are the early days of Wi-Fi, when CSOs lost sleep over threats like WEP cracking and war driving<\/a>. 802.11n products have matured to the point where many enterprises are investing in larger, faster WLANs to support mission-critical applications. And yet, pros know that security is never to be taken for granted. Here, we offer our Top Ten Wi-Fi Threats and explain why diligence is (still) required.<\/p>\n

1.\u00a0\u00a0\u00a0 Data Interception:<\/strong> Today, it\u2019s widely understood that data sent over Wi-Fi can be captured by eavesdroppers \u2013 easily, within a few hundred feet; even farther with directional antennas. Fortunately, all Wi-Fi CERTIFIED<\/a> products now support AES<\/a>-CCMP data encryption and integrity. Unfortunately, there are still legacy products that only speak TKIP<\/a>, and many WLANs are configured to accept both AES and TKIP. But TKIP is vulnerable to message integrity check (MIC) attacks that allow a limited set of spoofed frames to be injected \u2013 for example, ARP. Although resulting risks are modest, the writing is on the wall: The time has come to retire TKIP and require AES-CCMP<\/a>.<\/p>\n

2.\u00a0\u00a0\u00a0 Denial of Service:<\/strong> WLANs are inherently vulnerable to DoS. Everyone shares the same unlicensed frequencies, making competition inevitable in populated areas. The good news: As enterprise WLANs migrate to 802.11n, they can use channels in the larger, less-crowded 5 GHz band, reducing \u201caccidental DoS.\u201d Moreover, contemporary access points (APs) can auto-adjust channels to circumvent interference. But that still leaves DoS attacks: Phony messages sent to disconnect users, consume AP resources, and keep channels busy. To neutralize common DoS attack methods like Deauth Floods, look for newer products that support 802.11w management frame protection.<\/p>\n

3.\u00a0\u00a0\u00a0 Rogue APs:<\/strong> Business network penetration by unknown, unauthorized APs has long been a top worry. Fortunately, most enterprise WLANs now use legitimate APs to scan channels for possible rogues in their spare time. Unfortunately, verifying \u201ctrue rogues\u201d by tracing their wired network connectivity is a skill that ordinary WLAN gear has yet to perfect. Without accurate classification, automated rogue blocking is a risky proposition. To not just detect, but effectively mitigate rogue APs, deploy a Wireless IPS that can reliably differentiate between harmless neighbors, personal hotspots, and network-connected rogues that pose real danger, taking policy-based action to trace, block, and locate the latter.<\/p>\n

4.\u00a0\u00a0\u00a0 Wireless Intruders:<\/strong> Wireless IPS products like Motorola AirDefense, AirMagnet, and AirTight can also detect malicious Wi-Fi clients operating in or near a business\u2019 airspace. However, truly effective defense requires up-to-date, properly deployed WIPS sensors. In particular, 802.11a\/b\/g sensors must be updated to monitor new 5 GHz channels (including 40 MHz channels), parse 802.11n protocols, and look for new 802.11n attacks. Furthermore, because 802.11n clients can connect from farther away, WIPS sensor placement must be reviewed to satisfy both detection and prevention needs.<\/p>\n

5.<\/strong>\u00a0\u00a0\u00a0 Misconfigured APs:<\/strong> Back when standalone APs were individually-managed, configuration errors posed a significant security threat. Today, most enterprise WLANs are centrally-managed, using coordinated updates and periodic audits to decrease TCO, improve reliability, and reduce risk. But 802.11n adds a slew of relatively complex config options, the consequences of which depend on (highly variable) Wi-Fi client capabilities.\u00a0 Prioritization and segmentation for multi-media further complicates configuration. The answer here: Combine sound, centralized management practices with 802.11n\/WMM education and planning to reduce operator error.<\/p>\n

6.<\/strong>\u00a0\u00a0\u00a0 Ad Hocs and Soft APs: <\/strong>Wi-Fi laptops have long been able to establish peer-to-peer ad hoc connections that pose risk because they circumvent network security policies. Fortunately, ad hocs were so hard to configure that few bothered to use them. Unfortunately, that barrier is being lifted by \u201csoft APs\u201d in Windows 7 and new laptops with Intel and Atheros Wi-Fi cards. Those virtual APs can provide easy, automated direct connections to other users, bypassing network security<\/a> and<\/em> routing traffic onto the enterprise network. Measures used to deter Ad Hocs may also prove useful against unauthorized Soft APs, such as IT-managed client settings and WIPS.<\/p>\n

7.<\/strong>\u00a0\u00a0\u00a0 Misbehaving Clients: <\/strong>Clients that form unauthorized Wi-Fi connections of any type, whether accidentally or intentionally, put themselves and corporate data at risk. Some enterprises use Group Policy Objects to configure authorized Wi-Fi connections and prevent end-user changes. Others use host-resident agents and\/or WIPS to monitor Wi-Fi client activity and disconnect high-risk connections. However, many businesses (especially SMBs) still depend on end-users to connect only to known, authorized wireless APs.\u00a0 Given ubiquitous deployment, longer reach, and broader consumer electronics integration, accidental or inappropriate Wi-Fi connections have never been easier.\u00a0 If you haven\u2019t already taken steps to stop Wi-Fi client misbehavior, start now.<\/p>\n

8.<\/strong>\u00a0\u00a0\u00a0 Endpoint Attacks:<\/strong> Now that over-the-air encryption and network-edge security have improved, attackers have refocused their attention on Wi-Fi endpoints. Numerous exploits have been published to take advantage of buggy Wi-Fi drivers, using buffer overflows to execute arbitrary commands \u2013 sometimes at ring 0 (high-privilege kernel mode).\u00a0 Automated attack tools like Metasploit can now be used to launch Wi-Fi endpoint exploits with minimal effort.\u00a0 Although vendors do (usually) patch these bugs once discovered, Wi-Fi driver updates are not distributed automatically with OS updates. To protect your workforce, track Wi-Fi endpoint vulnerabilities (for example, using WiFiDEnum<\/a>) and keep your Wi-Fi drivers up-to-date.<\/p>\n

9.<\/strong>\u00a0\u00a0\u00a0 Evil Twin APs: <\/strong>Fraudulent APs can easily advertise the same network name (SSID) as a legitimate hotspot or business WLAN, causing nearby Wi-Fi clients to connect to them. Evil Twins are not new, but easier-to-use hacker tools have increased your risk of running into one. Tools like Karmetasploit can now listen to nearby clients, discover SSIDs they\u2019re willing to connect to, and automatically start advertising those SSIDs. Once clients connect, DHCP and DNS are used to route client traffic through the Evil Twin, where local (phony) Web, mail, and file servers execute man-in-the-middle attacks. The only effective defense against Evil Twins is server authentication, from 802.1X server validation to application server certificate verification.<\/p>\n

10.<\/strong>\u00a0 Wireless Phishing: <\/strong>In addition to the above man-in-the-middle application attacks, hackers continue to develop new methods to phish Wi-Fi users. \u00a0For example, it\u2019s possible to poison Wi-Fi client Web browser caches<\/a>, so long as the attacker can get into the middle of a past Web session \u2013 such as by using an Evil Twin at an open hotspot. Once poisoned, clients can be redirected to phishing sites long after leaving the hotspot, even when connected to a wired enterprise network.\u00a0 One technique for mitigating this threat is to clear your browser\u2019s cache upon exit.\u00a0 Another possibility is to route all hotspot traffic (even public) through a trusted (authenticated) VPN gateway.<\/p>\n

In summary, the state of Wi-Fi security has significantly improved over the years. Today\u2019s enterprise WLANs can be effectively hardened against intrusion and misuse. However, end-to-end security still cannot be assumed; just enabling Wi-Fi encryption will not make applications running over wireless networks<\/a> \u201csafe.\u201d Wi-Fi technologies, products, and attacks will continue to emerge. Security admins still need to keep abreast of new threats, assess their business risk, and take appropriate action.<\/p>\n

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.<\/em><\/p>\n<\/div>\n\n\n

\n \n\n \n\n
\n \n <\/path>\n <\/svg>\n <\/div>\n \n
\n
\n

\n Get the Free Cybersecurity Newsletter <\/h3>\n \n \n

\n Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday <\/p>\n <\/div>\n\n

\n
\n \n Email Address\n <\/label>\n \n <\/div>\n\n
\n
\n \n \n By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time. <\/label>\n <\/div>\n <\/div>\n \n