Ryan Orsi, Director Product Management, WatchGuard Technologies, explores the major security deficits present in many Wi-Fi solutions and the need for businesses to fundamentally reassess what they expect from their Wi-Fi.
Since the first 802.11 protocol was released in 1997, Wi-Fi has become a massive worldwide market worth more than US$6 billion now and projected to reach US$15.6 billion by 2022 at a compound annual growth rate of 21.2%. But, despite this growth and the central role Wi-Fi has come to play in business and life in general, the vast majority of Wi-Fi access points, routers and hotspots are highly exposed attack surfaces (with the exception of a handful of government buildings and a sprinkling of enterprise offices).
Practically every security company in the business focuses on layer seven application attacks (such as zero-day malware and ransomware), but very little attention has been paid to the Wi-Fi layer two attack surface. There are six known threat categories in Wi-Fi security and they’ve gone unaddressed in the networking and security industries for far too long.
It will take education and awareness to correct this global security issue. One resource to help build awareness of what constitutes good Wi-Fi security is the Trusted Wireless Environment Framework. It explains how to build a complete Wi-Fi network that is fast, easy to manage, and most importantly, secure. In order to be a true Trusted Wireless Environment, a Wi-Fi system must provide automatic detection and prevention from these six known Wi-Fi threat categories:
- Rogue APs – A rogue AP is an AP that has been physically connected to a network without explicit authorisation from an administrator. It’s an instant PCI-DSS violation. Rogue APs are connected to the authorised network, allowing attackers to bypass perimeter security. This could be a physical AP or one created in software on a computer and bridged to an authorised network. For instance, in a busy retail store that has customers coming in and out all day, it is impossible to keep an eye on everyone there. It’s feasible for someone to slip into the wiring closet and plug in the cheapest AP they could get. Now they can gain access to the company’s private secure network and hijack POS systems to reveal credit card numbers, or access building controls like door locks, alarms and cameras. Wi-Fi systems need to detect whether a signal in the air is being broadcast from an AP physically connected to the authorised network. If so, the system needs to be able to prevent the rogue AP from gaining access to the LAN, which is typically done via ARP poisoning. It should also be able to prevent Wi-Fi clients from associating to it, usually via a surgical flood of deauthentication frames.
- Evil twin APs – Evil twin APs mimic legitimate APs, spoofing SSIDs and usually MAC addresses as well. Attackers can then intercept traffic as the man-in-the-middle (MitM). How exactly does this work? Once a victim is connected, the attacker can steal credentials, inject malicious code into the victim’s browser, redirect the victim to a malware site and much more. If an employee in the office on lunch break decides to connect to the guest Wi-Fi to do some e-commerce shopping, a nearby hacker can use an evil twin AP broadcasting the same guest SSID as the company to trick that employee into connecting to the malicious AP. When they pay for their online shopping, they send their credit card details right to the attacker. This tactic was used by Russian agents in hacks aimed at anti-doping agencies and chemical weapons regulators, exposed by US and UK law enforcement in October 2018. A Wi-Fi security system must not interfere with clients not administered by the authorised network, but at the same time it must detect when evil twin APs are attempting to get authorised clients to connect to them, and prevent that association with deauthentication floods and other techniques.
- Neighbour APs – This threat occurs when an authorised, company-managed client connects to a guest or external access point, bypassing the company’s perimeter security and getting around security restrictions set by the firewall. There’s actually no super-secret hacker trick to this one. Any employee could be (and probably is) doing this right now. By choosing to connect their devices to the guest network or the coffee shop network downstairs, employees are bypassing network security. Another example of this threat in action would be when a restaurant server takes the Wi-Fi-connected POS tablet to the table to accept credit card payment from a patron. That server notices the POS tablet prompting them to choose a Wi-Fi network, so they pick the SSID of the café next door that has great Wi-Fi service. The server has just connected the tablet to a neighbour AP SSID that is open and is sending credit card information in plain text, which anyone can intercept out of the air. Wi-Fi solutions must be able to automatically classify client devices managed by the company as authorised clients and prevent them from connecting to any SSID other than the ones IT administrators have defined. Prevention techniques for this threat again include surgical deauthentication floods.
- Rogue clients – Any client previously connected to a rogue AP or other malicious AP within range of a private network is considered a rogue client. A client that connected to a rogue AP could have been victimised by a plethora of man-in-the-middle (MitM) attacks, including loading ransomworms, malware or backdoors onto the client. When a rogue client connects to another network, it can spread this malware. For instance, take a person who stops by the same café on the way to work every day. Since they’ve connected to the café Wi-Fi before, their phone automatically connects once inside. One day, someone sets up an evil twin AP, tricks this person’s phone and infects it with ransomware for them to take back to the office. Wi-Fi security systems need to automatically re-classify an authorised client as a rogue client the moment it is detected connected to a malicious AP, and prevent this client from re-associating to private authorised SSIDs until IT has confirmed the device is free of malware.
- Ad-hoc networks – This threat is essentially a peer-to-peer Wi-Fi connection between clients that lets two or more devices communicate with each other directly, circumventing network security policies and making the traffic invisible to the network. Any employee could quickly set up an ad-hoc network between their colleagues’ devices if they wanted to. For example, as a meeting is about to start, an executive is waiting for a file he was promised would be there hours ago. It would take him too long to use the IT-approved secure network file sharing service, so an employee decides to set up an ad-hoc network to send it directly from laptop to laptop. Wi-Fi solutions must be capable of automatically detecting when authorised clients, managed by corporate IT, are participating in ad-hoc networks and of preventing that connection, even if it is encrypted, using cell-splitting or similar techniques.
- Misconfigured APs – It can be too easy for network administrators to accidentally make a configuration mistake, such as making a private SSID open with no encryption, potentially exposing sensitive information to interception over the air. This can happen any time an access point isn’t set up properly (for example, by leaving default settings unchanged). Picture this – an AP gets shipped from corporate to a new office and a receptionist volunteers to plug it in. He follows the instructions but makes a mistake and installs the AP so that it broadcasts an open SSID and leaks private data like a sieve. He can’t be blamed because he’s not an IT pro, but the business is still left with a misconfigured AP that could be a serious risk to the organisation.
Wi-Fi management systems need to include configuration policy settings where IT admins can specify details such as minimum encryption requirements for SSIDs broadcast by managed APs, the vendor OUIs allowed to broadcast those SSIDs, and so on. An AP on the authorised network that does not adhere to this policy should be prevented at layer two from having any clients connect to it until IT remedies the configuration error.
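As an added illustration of the detection side of the rogue AP, evil twin and misconfigured AP categories above (example code written for this page, not WatchGuard's or any product's), the following Python classifies a constructed scan against an authorised-AP inventory and a configuration policy of the kind just described. It assumes a sensor supplies each beacon's SSID, BSSID and security mode, plus an `on_wired_lan` flag derived by correlating the radio MAC with MACs seen on the authorised LAN.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    """One AP seen over the air (constructed fields, not a real capture format)."""
    ssid: str
    bssid: str          # radio MAC address as broadcast
    security: str       # "open", "wep", "wpa2" or "wpa3"
    on_wired_lan: bool  # assumed: this MAC was also observed on the authorised LAN

# Constructed inventory: authorised SSIDs and the BSSIDs IT deployed for them.
AUTHORISED = {
    "CorpSecure": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "CorpGuest": {"00:11:22:aa:bb:03", "aa:bb:cc:aa:bb:04"},  # second is off-vendor
}
# Configuration policy as the article describes: minimum encryption and allowed OUIs.
POLICY = {"min_security": "wpa2", "allowed_ouis": {"00:11:22"}}
RANK = {"open": 0, "wep": 1, "wpa2": 2, "wpa3": 3}

def classify(b: Beacon) -> str:
    """Map one beacon to a threat category from the article, or 'authorised'/'external'."""
    if b.bssid in AUTHORISED.get(b.ssid, set()):
        # One of our own APs: hold it to the configuration policy.
        if RANK.get(b.security, 0) < RANK[POLICY["min_security"]]:
            return "misconfigured-ap"          # e.g. private SSID left open
        if b.bssid[:8].lower() not in POLICY["allowed_ouis"]:
            return "misconfigured-ap"          # vendor not permitted to carry our SSIDs
        return "authorised"
    if b.ssid in AUTHORISED:
        return "evil-twin"                     # our SSID from a radio IT never deployed
    if b.on_wired_lan:
        return "rogue-ap"                      # unknown AP plugged into the authorised LAN
    return "external"                          # neighbour AP; a threat only if our clients join it

def audit(beacons) -> dict:
    """Return {bssid: category} for every beacon, so IT can act on the non-authorised ones."""
    return {b.bssid: classify(b) for b in beacons}

# Constructed sample of what a sensor might see during one scan.
SCAN = [
    Beacon("CorpSecure", "00:11:22:aa:bb:01", "wpa2", True),
    Beacon("CorpSecure", "00:11:22:aa:bb:02", "open", True),   # admin error
    Beacon("CorpGuest", "aa:bb:cc:aa:bb:04", "wpa2", True),    # off-vendor AP
    Beacon("CorpGuest", "de:ad:be:ef:00:01", "open", False),   # impersonates guest SSID
    Beacon("SetupWiFi", "de:ad:be:ef:00:02", "open", True),    # cheap AP in the wiring closet
    Beacon("CafeNextDoor", "aa:bb:cc:00:00:01", "open", False),
]
```

Running `audit(SCAN)` yields one verdict per BSSID; a real system would feed the non-authorised verdicts into the layer-two prevention steps the article describes rather than stop at classification.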
Continued education for the Wi-Fi industry
The layer two Wi-Fi attack surface is created by the access points and routers broadcasting Wi-Fi signals. Fixing this issue is going to take the influence of the people purchasing these devices. Business owners, home users, and networking and security professionals alike should ask the vendors and service providers that sold them their APs and routers whether they meet these emerging security standards that enable Trusted Wireless Environments. This simple question will push more companies to have their Wi-Fi products tested for security by unbiased, independent companies and, over time, increase the security capabilities of everyone’s Wi-Fi networks.