Wireless Hacking Live
I love demos. They’re an endless source of unexpected entertainment. For example, at a wireless security conference back in April I saw an “Attacks Live” demo that gave me some idea of just how easy it is to hack wireless LANs – even the newest ones with the latest security features. (On another note, I also learned that, despite efforts by cellular carriers like Sprint to provide managed cellular services, most big companies still basically have staff get their own phones and expense them. That already ran as a Computerworld story, “Sprint sees mobile device security neglect,” so you can read about it there. On to the live demo.)
I enjoy demos because you never know what's going to happen. In this case Lisa Phifer and an assistant from consulting firm Core Competence Inc. provided the hacking entertainment. Phifer's point was that anyone can hack wireless LANs. Since I'm always hearing this overused refrain repeated in the press, I thought I'd see for myself whether it was true.
Phifer had downloaded a variety of freely available tools and had her assistant, who she claimed had no technical background in hacking, use them to decode passwords, lock up WLAN access points with a denial of service attack and generally create havoc. Was she a ringer? Her assistant did seem to know her way around a PC and had no trouble using command-line syntax and switches to operate the tools. However, at a few points she got lost, in one case attacking the wrong access point, and had to be set straight. So overall I'd say she probably was a good test subject. And unfortunately, she did indeed make it all seem just too easy.
Perhaps the funniest thing about the tests was that some 20 vendors in a nearby exhibitor area had set up WLAN monitoring tools. When I went in there an hour later, one person told me that their monitoring systems had been going nuts after detecting a whole series of attacks.
Back at the demo, Phifer discussed how, when vulnerabilities are first discovered, exploiting them requires the expertise of more seasoned hackers. But as time goes on, tools emerge that make the exploits easy for almost anyone to do. Early vulnerabilities, such as those in WEP and WPA, are already at that stage, she says. But attacks that defeat 802.1X still require more sophisticated tools.
Phifer started by having a laptop grab the MAC address of an access point and masquerade as that device. She demonstrated how cleartext eavesdropping tools like Kismet and BSD-AirTools can be used to monitor traffic and how other tools like AirSnort and dwepcrack can be used to break passwords encrypted using a WEP key. Of course, the brute force attack worked in part because WEP encryption uses weak IDs. Some of the tools can be used to grab user IDs and passwords as users log into POP e-mail accounts from public hot spots, Phifer says.
Even very simple attacks can be disruptive, Phifer says. To demonstrate, she used a test appliance utility that came with an Intersil Corp. Prism wireless LAN card to put the card into continuous transmit mode. It quickly overwhelmed an access point and kept it offline until the attack was shut off. As few as 300 continuous accesses are enough to create problems, she says.
But the most surprising thing about the event was how little of what’s out there is protected by even the simplest security measures. A slide in another presentation I attended showed a series of dots representing access points on a satellite map of San Francisco. The information was compiled through an aerial survey. Most of the APs used a default access point ID such as LINKSYS and the vast majority had no security enabled whatsoever. So although the tools exploit weaknesses that many businesses can close, the fields are ripe for exploits everywhere else.
The idea behind the demonstration, Phifer says, was not to scare attendees but to get them thinking about the risk each attack presented to their organization. She said attendees should weigh the probability of each attack and its potential damage in their organization against the cost of preventing it. You can’t protect against absolutely everything, she says. And in some cases, she says, the costs of protection outweigh the risks.
