Wireless networks are growing more and more numerous, and the corporate landscape is no exception. The convenience offered by a laptop or mobile device together with WiFi connectivity to the corporate infrastructure allows employees more flexibility around the office than ever before.

However, the pervasive nature of a wireless signal means it can be available in places you would never dream of rolling-out your wired network. From an attacker's point of view that's one of the most appealing things about WiFi.

The hurdle of gaining physical access is removed, replaced by the far more alluring prospect of attempting a breach from the comfort of the coffee shop next door. In the event network traffic is permitted between the wireless segment and the corporate LAN, the attacker may even consider getting a loyalty card.

One of the latest methods of attempting to breach wireless networks (even those operating strong encryption protocols with long passphrases) comes via the WiFi Protected Setup (WPS) functionality offered by newer access points. WPS is designed to facilitate more consumer friendly association of wireless devices with routers. WPS supports a number of association models, but the one of most interest to an attacker would be the PIN only method. The WPS PIN is 8 digits long, and entering it correctly leads to an association being established between the device and the router, with the router then transmitting the passphrase required for successful authentication.

In late 2011, it was revealed that the implementation of WPS was flawed, dramatically reducing its effectiveness against what's known as a brute force attack. This attack attempts all possible combinations of the PIN, eventually guessing the correct one. It was shown that wireless routers typically split the validation of the PIN into 2 steps, rejecting a user's request if the first 4 digits are incorrect. This lets an attacker focus on the first 4 digits and, once those are verified, the next 4 digits. Further to this, the last digit of the WPS PIN is a checksum – a check digit designed to ensure the PIN value has been transmitted accurately. This reduces the complexity of the second half to only 3 digits, as the checksum digit can be calculated during the attack.

As a result of this, the attacker only needs to attempt 11,000 combinations (10^4 followed by 10^3) to guess the whole PIN. Given that the attacker needs to wait for a verification or failure message from the router after each attempt (which takes around 1.3 seconds), it would take over 4 years to complete the attack had the 8 digit PIN been treated as a whole (10^8 or 100,000,000 combinations). However, 11,000 combinations cuts this time to less than 4 hours.
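As an added illustration (not code from the original article), the check-digit rule the WPS PIN uses and the arithmetic behind the 11,000 and 4-hour figures above. The checksum is the weighted-sum rule from the WPS specification (the same one hostapd's `wps_pin_checksum` implements); the 1.3 second per-attempt delay is the article's figure, and `12345670` is a sample PIN used here because it is a well-known valid one.

```python
# Added example: WPS PIN check digit and the split-validation arithmetic.
# Checksum rule: weights 3,1,3,1,... over the seven PIN digits, modulo 10
# (WPS specification). Not code from the original article.

def wps_pin_checksum(pin7: int) -> int:
    """Return the 8th (check) digit for the 7-digit PIN body `pin7`."""
    if not 0 <= pin7 <= 9_999_999:
        raise ValueError("pin7 must be a value of at most 7 digits")
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)   # rightmost remaining digit, weight 3
        pin7 //= 10
        accum += pin7 % 10         # next digit to the left, weight 1
        pin7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_is_valid(pin: str) -> bool:
    """True if `pin` is 8 digits and its last digit is the correct checksum.

    Useful when auditing a router's configured PIN: a PIN that fails this
    check was never a usable WPS PIN in the first place.
    """
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def pin_search_space(split_validation: bool) -> int:
    """Worst-case number of guesses needed to find the PIN.

    split_validation=True models the flawed routers: the first 4 digits are
    confirmed on their own (10**4), then only 3 free digits remain because
    the 8th is derived by wps_pin_checksum (10**3).
    split_validation=False is the article's whole-PIN figure with all eight
    digits treated as free (10**8); an attacker who also applies the checksum
    rule would face 10**7, still thousands of times more than 11,000.
    """
    if split_validation:
        return 10**4 + 10**3
    return 10**8


def worst_case_hours(guesses: int, seconds_per_attempt: float = 1.3) -> float:
    """Hours to exhaust `guesses` attempts at the article's 1.3 s per try."""
    return guesses * seconds_per_attempt / 3600
```

The same numbers are what a network owner should use when weighing the supplier advice to disable WPS: the split validation, not the PIN length, is what makes the attack practical.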

The recommendation from suppliers is to disable WPS or upgrade to a firmware version which addresses this issue. That said, even plugging this hole, using strong encryption and passphrases, doesn't stop an attacker from setting up rogue access points for unsuspecting users to connect to, or from sending de-authentication packets to devices they wish to knock off any given network. These attacks could be used to gather information such as login credentials - useful for attacks against individuals directly, or against companies by posing as legitimate users.

It is clear that while wireless network popularity has grown, their accessibility requires appropriate segregation to be in place. The protective measures surrounding wireless networks need to be as strong, if not stronger than their Ethernet cousin. Once the physical walls are stripped away, a strong configuration is all that is left.
