Current Event – A Broader Look on Wireless Access Point Vulnerabilities

By qwerty at 5:02 pm on March 16, 2009 | 1 Comment

Wireless access points are a great technology – allowing a user the convenience of accessing the same wired network without wires.  But the vulnerabilities and weak points they introduce can often be overlooked.  Most people install these devices to extend their network to laptop or other wireless users, and the devices can be secured if they are installed properly.  But what if the installer is malicious?  Anyone can buy a wireless access point (WAP) for around $40 and install it themselves by plugging it into the wall ethernet jack they usually use.  If this is on a corporate network, which is usually a private one that only employees within the building can access, then installing this WAP opens the network to anyone within range of the WAP.  As noted in another interesting article on the subject, a disgruntled employee could install a wireless access point, hide it behind a file cabinet, and leave it there after they leave or get fired.  Months later they can come back with their laptop and freely access the corporate network from the parking lot.

Companies and organizations are becoming more aware of these types of vulnerabilities and have come up with some ways to close these security holes, one of which is called “war-walking”, otherwise known as “war-driving”.  War-driving is primarily something a hacker would do: it consists of taking a laptop with a wireless card and driving or walking around sniffing for wireless networks, noting the vulnerable ones.  By using one of the hackers’ most common methods of finding vulnerabilities, companies can find them before they can be exploited.  Security professionals can walk the building looking for wireless access points and pinpoint the ones that aren’t authorized.
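An audit walk of this kind boils down to comparing what the survey card hears against an inventory of what is supposed to be there. The following Python script is an added example, not code from the original post: it parses the output of Linux’s `iw dev wlan0 scan` and checks each observed access point against an authorized list, flagging unknown radios and, in particular, unknown radios that advertise a corporate SSID. The scan text, every BSSID and SSID in it, the inventory and the -50 dBm “probably in this building” threshold are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of `iw dev wlan0 scan` output (not a real capture);
# every BSSID and SSID below is made up for this example.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
\tTSF: 123456789 usec (0d, 00:02:03)
\tfreq: 2412
\tsignal: -41.00 dBm
\tSSID: corp-net
BSS 00:11:22:33:44:66(on wlan0)
\tfreq: 5180
\tsignal: -58.00 dBm
\tSSID: corp-net
BSS 66:55:44:33:22:11(on wlan0)
\tfreq: 2462
\tsignal: -35.00 dBm
\tSSID: corp-net
BSS aa:bb:cc:dd:ee:ff(on wlan0)
\tfreq: 2437
\tsignal: -72.00 dBm
\tSSID: NETGEAR_guest
"""

# Authorized inventory, BSSID -> SSID it is supposed to advertise. In a real
# audit this comes from the WLAN controller or asset database; constructed here.
AUTHORIZED = {
    "00:11:22:33:44:55": "corp-net",
    "00:11:22:33:44:66": "corp-net",
}

# Heuristic threshold (an assumption, not a standard): a beacon this strong at
# a hand-held survey card usually means the radio is in the same building.
ON_PREMISES_DBM = -50.0


@dataclass
class BSS:
    bssid: str
    ssid: str
    freq_mhz: int
    signal_dbm: float


def parse_iw_scan(text):
    """Turn the 'BSS <mac>' blocks of `iw dev <if> scan` into BSS records."""
    records, cur = [], None
    for raw in text.splitlines():
        m = re.match(r"BSS ([0-9a-fA-F:]{17})", raw)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "", "freq": 0, "signal": 0.0}
            records.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("freq:"):
            cur["freq"] = int(float(line.split(":", 1)[1]))
        elif line.startswith("signal:"):
            cur["signal"] = float(line.split(":", 1)[1].split()[0])
        elif line.startswith("SSID:"):
            cur["ssid"] = line.split(":", 1)[1].strip()
    return [BSS(r["bssid"], r["ssid"], r["freq"], r["signal"]) for r in records]


def classify(bss, authorized):
    """Compare one observed BSS with the inventory; returns (verdict, reason)."""
    if bss.bssid in authorized:
        if authorized[bss.bssid] == bss.ssid:
            return "authorized", ""
        return "suspicious", f"known BSSID is advertising unexpected SSID {bss.ssid!r}"
    if bss.ssid in set(authorized.values()):
        return "rogue", "unknown BSSID advertising a corporate SSID"
    return "unknown", "not in inventory: a neighbour, or a rogue AP under its own SSID"


def audit(scan_text, authorized=AUTHORIZED):
    """Run the comparison over a whole scan; rows are (bssid, ssid, verdict, reason)."""
    rows = []
    for bss in parse_iw_scan(scan_text):
        verdict, reason = classify(bss, authorized)
        if verdict != "authorized" and bss.signal_dbm >= ON_PREMISES_DBM:
            reason += f" (signal {bss.signal_dbm:.0f} dBm: likely inside the building)"
        rows.append((bss.bssid, bss.ssid, verdict, reason))
    return rows


if __name__ == "__main__":
    for bssid, ssid, verdict, reason in audit(SAMPLE_SCAN):
        print(f"{bssid}  {ssid:<14} {verdict:<10} {reason}")
```

On the constructed scan the third radio is the interesting one: it is not in the inventory, it advertises the corporate SSID, and its -35 dBm signal says it is close by, which is exactly the “behind the file cabinet” case the post describes. A neighbour’s `NETGEAR_guest` is reported but not escalated.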

As in every battle between security professionals and malicious adversaries, the hackers have come up with methods to evade their own detection techniques.  One is to use a wireless access point that broadcasts on a frequency outside the range the FCC permits in the US.  Such WAPs can come from Europe or Japan, where these frequencies are legal.  This makes these wireless access points undetectable to people sniffing only in the legally operating range.  Also, 802.11n is a fairly new technology which many companies have not yet adopted, so if their card only supports the older 802.11 standards, they will be unable to sniff for 802.11n WAPs.

Also, in addition to 802.11 wireless, even Bluetooth, a technology most assume to operate only at short range, could be used in the same way as a WAP.  Since the company’s war-walking security experts would most likely be using an 802.11 card, the Bluetooth traffic would go unrecognized.
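The two paragraphs above come down to one question for the defender: what can the survey card actually hear? The following Python snippet is an added example, not from the original post. It parses the `iw phy` (or `iw list`) output of a Linux wireless adapter and lists the blind spots that matter here: 2.4 GHz channels 12 and 13 (allowed in Europe) and 14 (Japan), the 5 GHz band, and HT (802.11n) support. The two phy excerpts are constructed. Bluetooth is a separate radio that `iw` knows nothing about, so that blind spot needs its own tooling and is outside this check.

```python
import re

# Constructed excerpt of `iw phy` (the same text `iw list` prints) for a
# 2.4 GHz-only card under a US regulatory domain; not a real capture.
SAMPLE_PHY = """\
Wiphy phy0
\tBand 1:
\t\tCapabilities: 0x1862
\t\t\tHT20/HT40
\t\tFrequencies:
\t\t\t* 2412 MHz [1] (20.0 dBm)
\t\t\t* 2437 MHz [6] (20.0 dBm)
\t\t\t* 2462 MHz [11] (20.0 dBm)
\t\t\t* 2467 MHz [12] (disabled)
\t\t\t* 2472 MHz [13] (disabled)
\t\t\t* 2484 MHz [14] (disabled)
"""

# Second constructed excerpt: a dual-band 802.11a/b/g card with no HT support,
# to show the other blind spot the post mentions.
SAMPLE_PHY_ABG = """\
Wiphy phy1
\tBand 1:
\t\tFrequencies:
\t\t\t* 2412 MHz [1] (20.0 dBm)
\t\t\t* 2467 MHz [12] (20.0 dBm)
\t\t\t* 2472 MHz [13] (20.0 dBm)
\t\t\t* 2484 MHz [14] (disabled)
\tBand 2:
\t\tFrequencies:
\t\t\t* 5180 MHz [36] (20.0 dBm)
\t\t\t* 5260 MHz [52] (20.0 dBm) (no IR, radar detection)
"""

FREQ_LINE = re.compile(r"\* (\d+) MHz \[(\d+)\] \((.*)\)")


def parse_iw_phy(text):
    """Return which channels the radio can receive on and whether it speaks HT.

    'disabled' channels are unusable; 'no IR' only forbids transmitting first,
    so a passive survey can still listen on them."""
    receivable = {}  # channel number -> centre frequency in MHz
    ht = False
    for line in text.splitlines():
        m = FREQ_LINE.search(line)
        if m:
            freq, chan, flags = int(m.group(1)), int(m.group(2)), m.group(3)
            if "disabled" not in flags:
                receivable[chan] = freq
        elif re.search(r"\bHT20\b|\bHT40\b", line):
            ht = True
    return {"receivable": receivable, "ht": ht}


def blind_spots(cov):
    """List what a walk-through with this card cannot see."""
    gaps = []
    for chan, region in ((12, "Europe"), (13, "Europe"), (14, "Japan")):
        if chan not in cov["receivable"]:
            gaps.append(f"2.4 GHz channel {chan} ({region} only) is not receivable")
    if not any(f >= 5000 for f in cov["receivable"].values()):
        gaps.append("no 5 GHz channels: 802.11a/n access points on that band are invisible")
    if not cov["ht"]:
        gaps.append("no HT (802.11n) support: greenfield-mode 802.11n frames cannot be decoded")
    return gaps


if __name__ == "__main__":
    for name, text in (("phy0", SAMPLE_PHY), ("phy1", SAMPLE_PHY_ABG)):
        print(name)
        for gap in blind_spots(parse_iw_phy(text)) or ["no blind spots found"]:
            print("  -", gap)
```

Run against the first excerpt it reports four gaps (channels 12 to 14 and the whole 5 GHz band); against the second it reports channel 14 and the lack of 802.11n. Either way the auditor knows before the walk which of the evasions in the post their card cannot catch.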

One final method strikes me as very clever: wireless knocking.  A WAP is kept dormant, blocking traffic on all ports, until a certain event happens.  When connection attempts arrive at the correct sequence of ports on this WAP, it opens a specified port for traffic to go through.  This is essentially a passcode encoded into the WAP.  It makes it very hard for anyone else to guess the “knocking sequence”, but quite easy for the adversary who installed it to gain access to whatever network the WAP is hooked up to.

This current event (analyzing WAPs) makes me realize that, although most malicious adversaries are out to weaken other people’s security and find security holes, in the meantime they are creating their own security mechanisms to avoid being detected.  In turn it is the security professionals who must work to break this security – and the vicious cycle continues…

Filed under: Current Events

1 Comment


    Comment by Mike

    March 18, 2009 @ 6:46 am

    As you correctly point out, it’s becoming more and more naive to assume that a wired network is intrinsically secure due to the possibility of rogue access points, or of access jacks or cables being accessible in semi-public areas.

    Rather than implement a clever knocking sequence to activate an access point, a simpler / cheaper method would be to plug the access point into a timeswitch. Unless the security audits are carried out (say) between 4pm on a Friday and 9am on a Monday, there’s no access point to detect. (The timeswitch is more noticeable on a physical inspection, however).

    As well as Bluetooth, consider also the possibilities for networking opened up by mobile phones / GM GSM devices: worldwide accessibility, difficulty distinguishing between legitimate and illegitimate radio traffic, and network access only on demand.
