Matt Miller Wireless Penetration Test improvement, wireless

Improving Wireless Security

In this blog, we will discuss some ways your organization can improve its wireless security. To do this, we will take a look at our 3 of the top findings we see during wireless penetration tests and discuss how to mitigate the associated risks. We’ll look at rogue access points, the risks associated with pre-shared keys (PSKs), and evil twin attacks. Although there are a number of other risks, some that are more critical even, they are far less common. For example, if your organization is still using WEP, you should stop reading this article now and go move to another technology, such as WPA2. Hopefully by covering our most common findings, you can start improving wireless security in your organization immediately before your next wireless penetration test.

1. Rogue Access Points

As part of a wireless penetration test, our engineer will perform a wireless survey. During this step, the engineer will walk around your building and use various tools to measure the wireless signals being broadcast in the area. One of the main things the engineer will be looking for is rogue access points. Rogue access points are simply unauthorized or unknown access points on your network or within your organization. Most of the time, these are benign and are ad hoc networks broadcast by wireless printers. However, in some cases, these are a form of shadow IT. Employees may set up a new access point without asking in order to bypass security controls, or just because they want to be able to watch Netflix without being bothered.

The risk of rogue access points is that they may be bridging a network you are trying to secure (e.g. your corporate network) with a network you have no control over. Take, for instance, a printer. If you just plug that printer into your network, it is likely that the wireless network it is broadcasting is not protected at all, or if it is, it’s just protected with a default password. Many times, these ad hoc wireless networks just permit direct print services, but in some instances, they may be abused by an attacker in various ways. Additionally, that printer is likely plugged into your internal network with an ethernet cable. This means if an attacker, from the parking lot, can connect to that printer’s wireless network and compromise the printer, then he or she may have access to the internal network. In the case of a Shadow IT access point, this likely has a weak password (as it hasn’t been hardened by your IT department) and would also directly lead to internal network access.

To prevent rogue access points, you should conduct regular wireless surveys yourself. PCI requires this be done quarterly. And this can be as simple as walking around your office with a laptop and ensuring there are no wireless access points that are unauthorized or not a part of your access point inventory. You could use a tool for this (I recommend acrylic wifi, which is free) that will have a time vs. signal strength graph to map SSID strength as you walk around. As you get closer to the device emitting the SSID your tracking, the signal strength goes up. So you can identify that printer or unauthorized access point and turn off its wireless capabilities.

2. Pre-Shared Keys

The second thing we need to talk about as you improve wireless security is pre-shared keys. This is our most common finding, as most organizations we test have WPA2-PSK in place on at least one network. Let’s talk through the risks associated with them. First, a pre-shared key is vulnerable to offline password attacks. Through a variety of methods, and attacker can monitor the network for a short-period of time and capture the hashed key. Check out our blog on offline password attacks for more information on this, but in short, this means an attacker can try to guess this key offline without you having any indication it is happening. Also, because it is offline, the attacker can perform more a lot more password guesses per second than they’d be able to in an online attack (many magnitudes faster). To put this in perspective, if your wireless PSK is only 8 characters, no matter how complex it is, an attacker can crack it in under two days.

The second risk of pre-shared keys comes down to key management. Because this key is shared by definition, multiple people have access to it. We see a lot of companies understand this and take steps to implement a new key without telling the employees what it is. The problem with this is, if an attacker can compromise any system, they can gain access to this password. Additionally, even if the number of people who have access to this key is small, it needs to be rotated every time a user or vendor who has access leaves. Over time, this becomes a major administrative burden, and usually, we see that this key is not rotated according to best practice. PSKs also get written down and passed around, so all it takes is an attacker who knows where to look.

To reduce the risk and take steps toward significantly improving wireless security, we recommend using WPA-enterprise instead. In WPA-enterprise, users connect with their unique network credentials (usually via Active Directory integration). There is single shared key or password, and it is much harder for an attacker to capture a user’s hash and get that password hash offline to crack (more on that in step 3). If this setup is not possible, or is further down on your security roadmap, consider using strong pre-shared keys in the meantime (14 or more characters). Additionally, rotate keys regularly and when anyone who has access to the key leaves the organization or no longer needs access.

3. Evil Twin Attacks

Even if you are using WPA-enterprise, unfortunately, you are not out of the woods yet. A relatively recent attack, the evil twin attack can trick users into providing their network credentials to an attacker. In this type of attack, an attacker creates an access point that broadcasts the same SSID as your WPA-enterprise network. The attacker then sets up this spoofed access point with a RADIUS server. The attacker disassociates clients who are using the organization’s wireless network, and by using a stronger signal than the real network, hopes to trick the employee’s computer to joining the evil, replicated network instead, in the process asking the user to re-authenticate to the attacker’s RADIUS server. When users login to the spoofed access point, the attacker steals that user’s credentials and can reuse them to gain access to the real network.

The best way to protect against evil twin attacks is to use 802.1X with EAP to provide mutual authentication. In mutual authentication, the access point has to authenticate to the client, and similarly, the client has to authenticate to the access point. This method makes your clients inspect and make sure a valid and trusted certificate is provided by the access point. This makes it much harder for an attacker to emulate a valid access point, as they will not have that trusted certificate. Additionally, modern wireless access points, controllers, and IDS/IPS systems have rogue access point detection, which can alert, or even block, a new access point being stood up. These detection mechanisms help identify rogue access points in a more automated fashion, as well as improving wireless security logging and alerting.

Improving Wireless Security Overall

In this blog, we discussed three of the most common findings we see during a wireless penetration test. The goal was to educate you on the risks associated with rogue access points, pre-shared keys, and evil twin attacks. Also, we discussed some practical steps you can take to reduce the risk associated with these vulnerabilities. Hopefully by discussing them, you are able to take practical steps towards improving wireless security in your organization.