Cedric,
Thanks again for the great feedback. You confirmed what I was already
thinking about this situation. I had a previous employer with such a
situation, and the LAN admin refused to use further encryption/security
techniques because they were "too cumbersome". He determined on his
own that WEP-128 without an SSID is sufficient.
Long story short, they are vulnerable BIG TIME because they
wouldn't do some simple things for security (WPA, VLAN, or
authentication). This is a VERY sad situation. Unfortunately, for IT
professionals like us, I think it is all too common in big/medium
corporations. One of the big obstacles has been client compatibility
(and barcode scanner compatibility). If the clients are
upgraded/flashed, everything could be changed to WPA2, etc.
Unfortunately for the IT dept., it requires that they dedicate already
limited resources to the problem.
Good luck when you guys make the argument for security to your
managers and customers. I have found few willing to take action on it.
I hope you have better success.
Regards,
--
Tyrel McMahan
tman@xxxxxxxxxxxxxxx
+48.600.508.440 Mobile (Warsaw, PL)
On 5/8/07, Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx> wrote:
On Tuesday 08 May 2007 at 07:44 +0200, Tyrel McMahan wrote:
[Issues upgrading from WEP]
> 1. Couldn't you do some things to VLAN the APs away from the main network?
That's definitely the best bet. If you can't enforce your WLAN security,
then isolate it to mitigate the issue. However, if you have a networked
bar-code reader system, it's very likely to report to a server that
is itself connected to your ERP. Therefore, since your readers are able to
connect to the server, it is exposed to attacks. One can spoof a reader and
feed it inaccurate data. Once it is compromised, an attacker can bounce from
that server to your ERP. Etc.
In addition to firewalling/segregation, you also have to monitor...
> 2. Wouldn't a combination of MAC-address filtering help?
Not for long. Sniffing Wi-Fi traffic on the network will kindly give you
a list of authorised MAC addresses you can use.
> 3. Does turning off the broadcast beacon help at all against this
> newest hack?
My first objection to this will be interoperability. Do your readers
support a cloaked SSID, i.e. will they detect and associate with the
network? Not very likely; cloaked SSIDs are a good source of problems...
Now, consider that it's working. Every association request contains the SSID. So
you just have to disassociate/deauthenticate readers to force
reassociation to discover the SSID. In addition to this, to discover such a
network, your readers will have to emit targeted probe requests that
contain the SSID, revealing it. In a more general situation, this could
facilitate rogue AP attacks, as pointed out by Joshua:
http://www.securityfocus.com/archive/137/461967/30/30/threaded
http://www.networkworld.com/columnists/2007/030507-wireless-security.html
Now, does SSID cloaking help against WEP cracking? Not very much! SSID
cloaking is a dumb wardriving mitigation technique, because WEP cracking
does not need you to be associated. I know most tutorials tell you to
associate a random MAC address with aireplay that you will use as a source
for your packets, but you can simply use one of the already associated MAC
addresses to inject your frames. Moreover, as I demonstrated with
Wifitap:
http://sid.rstack.org/index.php/Wifitap_EN
you can send WEP traffic to a station without being associated. Thus, if
you use the aireplay(-ng) -j switch, which allows the from-DS bit to be set, you
can perform a non-associated ARP replay.
> 4. What is the recommended next step for a small company where
> implementing LEAP is seen as "too cumbersome" and not supported by the
> barcode scanners?
Well, to paraphrase a speaker in a recent Wi-Fi security talk: "there's
no free lunch in Wi-Fi security". Meaning that if you want a secure
WLAN, you have to do it right and pay the price. There's no middle
position or compromise. You have to use WPA2/802.1x, or at least WPA. If
it's "too cumbersome", then be honest with yourself and do not try to
cope with security.
My recommended next step would be to hire a professional for whom it's
not cumbersome to deploy 802.1x. I mean, come on! If you care about
security, you just don't have the choice. WEP is plain broken, and even
standard LEAP, i.e. LEAP auth. and WEP cipher, offers a more than sufficient
window for an attacker to break in, whether by breaking your credentials,
as Joshua (again!) demonstrated with asleap:
http://asleap.sourceforge.net/
or by just breaking the WEP session to gain time-limited access to the
network.
> Conclusion: I suppose we have to get the vendor to support WPA2 or
> similar in the next firmware release? Right?
That would be the best.
Now, if I were in the situation I described before, where you can't get WPA
or WPA2, you can't renew your hardware and you can't just shut down the
WLAN, I would do the following:
. deploy the best authentication method supported on top of WEP
. 802.1x PEAP, EAP-TLS or LEAP if there is no other choice
. have dynamic WEP keys on top of it
. limit session time to the minimum, like 15 min
. use MAC address filtering even if it doesn't bring much
. isolate this WLAN from the rest of the infrastructure as much as
possible
. harden hosts that have to communicate with outside networks as much as
possible
. monitor this network with IDS and event log parsers
. pray, sacrifice a chicken, nail a hacker doll, etc.
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
SyScan'07: 2 days of WiFi training and practice in Singapore
http://syscan.org/reg_training.html
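As an added illustration of two points made in the thread above (the SSID of a "cloaked" network still travels in the clear in every probe request and association request, and the list of MAC addresses a filter allows can be read straight out of the data frames), here is a small 802.11 frame parser. It is example code written for this page, not code from either message or from any of the tools mentioned; the frames it parses are constructed inline to the 802.11 management/data frame layout (frame control, three addresses, fixed fields, then tagged information elements), and the BSSID, reader MAC and SSID values are made up.

```python
import struct

# 802.11 frame-control type/subtype values used below
TYPE_MGMT, TYPE_DATA = 0, 2
SUB_ASSOC_REQ, SUB_PROBE_REQ, SUB_BEACON = 0, 4, 8
IE_SSID, IE_RATES = 0, 1


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def frame_header(ftype, subtype, addr1, addr2, addr3, to_ds=False, from_ds=False):
    """24-byte MAC header: FC(2) duration(2) addr1/2/3(18) seqctl(2)."""
    fc0 = (subtype << 4) | (ftype << 2)          # protocol version 0
    fc1 = (1 if to_ds else 0) | (2 if from_ds else 0)
    return (struct.pack("<BBH", fc0, fc1, 0)
            + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
            + struct.pack("<H", 0))


def ie(tag, data):
    """Tagged information element: id(1) len(1) data."""
    return bytes([tag, len(data)]) + data


def find_ssid(ies):
    """Walk the IE list; a cloaked beacon carries an empty or all-NUL SSID IE."""
    off = 0
    while off + 2 <= len(ies):
        tag, ln = ies[off], ies[off + 1]
        data = ies[off + 2:off + 2 + ln]
        if tag == IE_SSID:
            return data.decode("utf-8", "replace") if data.strip(b"\x00") else None
        off += 2 + ln
    return None


# Length of the fixed fields that precede the IEs in each management subtype
FIXED_LEN = {SUB_BEACON: 12, SUB_ASSOC_REQ: 4, SUB_PROBE_REQ: 0}


def parse_frame(frame):
    fc0, fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    addrs = [mac_str(frame[4 + 6 * i:10 + 6 * i]) for i in range(3)]
    info = {"type": ftype, "subtype": subtype, "addr": addrs,
            "to_ds": bool(fc1 & 1), "from_ds": bool(fc1 & 2), "ssid": None}
    if ftype == TYPE_MGMT and subtype in FIXED_LEN:
        info["ssid"] = find_ssid(frame[24 + FIXED_LEN[subtype]:])
    return info


def recover_ssids(frames):
    """SSIDs leaked by the clients themselves: probe and association requests."""
    found = set()
    for f in frames:
        p = parse_frame(f)
        if p["type"] == TYPE_MGMT and p["subtype"] in (SUB_PROBE_REQ, SUB_ASSOC_REQ) and p["ssid"]:
            found.add(p["ssid"])
    return found


def authorised_macs(frames, bssid):
    """Client MACs seen exchanging data with the AP, i.e. what a MAC filter lets through.
    ToDS: addr1=BSSID, addr2=client.  FromDS: addr1=client, addr2=BSSID."""
    macs = set()
    for f in frames:
        p = parse_frame(f)
        if p["type"] != TYPE_DATA:
            continue
        if p["to_ds"] and p["addr"][0] == bssid:
            macs.add(p["addr"][1])
        elif p["from_ds"] and p["addr"][1] == bssid:
            macs.add(p["addr"][0])
    return macs


# Constructed sample capture (hypothetical addresses and SSID).
BSSID = "00:11:22:33:44:55"
BCAST = "ff:ff:ff:ff:ff:ff"
READER = "00:aa:bb:cc:dd:01"
SERVER = "00:aa:bb:cc:dd:ff"
SSID = "WAREHOUSE-WEP"
RATES = b"\x82\x84\x8b\x96"

SAMPLE_FRAMES = [
    # cloaked beacon: timestamp(8) interval(2) capability(2), then an empty SSID IE
    frame_header(TYPE_MGMT, SUB_BEACON, BCAST, BSSID, BSSID)
    + struct.pack("<QHH", 0, 100, 0x0011) + ie(IE_SSID, b"") + ie(IE_RATES, RATES),
    # the reader looking for its cloaked network by name
    frame_header(TYPE_MGMT, SUB_PROBE_REQ, BCAST, READER, BCAST)
    + ie(IE_SSID, SSID.encode()) + ie(IE_RATES, RATES),
    # (re)association after a deauth: capability(2) listen interval(2), then SSID IE
    frame_header(TYPE_MGMT, SUB_ASSOC_REQ, BSSID, READER, BSSID)
    + struct.pack("<HH", 0x0011, 10) + ie(IE_SSID, SSID.encode()),
    # WEP data frames in both directions (payload contents irrelevant here)
    frame_header(TYPE_DATA, 0, BSSID, READER, SERVER, to_ds=True) + b"\x00" * 20,
    frame_header(TYPE_DATA, 0, READER, BSSID, SERVER, from_ds=True) + b"\x00" * 20,
]

if __name__ == "__main__":
    print("beacon SSID:", parse_frame(SAMPLE_FRAMES[0])["ssid"])   # None: cloaked
    print("SSIDs leaked by clients:", recover_ssids(SAMPLE_FRAMES))
    print("MACs a filter would admit:", authorised_macs(SAMPLE_FRAMES, BSSID))
```

The beacon yields no name, but the reader's own probe request and association request hand it over, which is exactly why forcing a reassociation defeats cloaking; and the data frames give up the only MAC address the filter would accept, ready to be reused by an injector such as the non-associated replay described above. The same parser works on real frames taken from a monitor-mode capture, since it only relies on the standard header and IE layout.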