More Wi-Fi Means More Attacks

By Eric Griffith

December 22, 2003

Monitoring of the air at the Wi-Fi Planet Conference revealed fewer security attacks overall, but far more successful ones than before.

The trend seems to say: Wi-Fi users think they're invulnerable.

AirDefense, the Alpharetta, Georgia-based maker of wireless LAN security, monitoring and intrusion detection solutions, has handed in its usual report on the state of wireless use from a major tradeshow -- in this case our own Wi-Fi Planet Conference & Expo which took place the first week of this month in San Jose, Calif.

Without naming names or spelling out who did what and to what degree these things are malicious, AirDefense says it saw a huge jump in the percentage of successful hack attacks at the show -- including 16 successful Man-in-the-Middle (MitM) attacks out of 23 attempts. That's up from only 3 successful attacks (out of 32) at the Boston show last June.

And this was done with monitoring only from one location in a corner of the Expo show floor. In Boston they monitored from two opposite corners of the oversized room.

Other attacks they recorded include targeted Denial of Service (DoS) attacks (75 of them toward specific access points, and 12 more Cloud-type that kicked all users off a specific channel); 25 FakeAP attacks broadcasting non-existent SSIDs; and 125 spoofed MAC addresses that could have been attempted identity thefts -- all numbers down from the Boston show.

And there were 89 scans of the network from tools like Wellenreiter and NetStumbler (down from 149 at the last show).

The overall numbers AirDefense is reporting may be down, but the increased success of the MitM attacks says to Richard Rushing, AirDefense's vice president of technical services, that "people are savvier and the tools are better written" than before. He says that with more users out there than ever playing with Wi-Fi, there are more Web sites and more information on how to configure and do something to a wireless network.

He admits, though, that it's not easy to pinpoint, especially in an environment like a tradeshow with several access points running, just what is a malicious attack and what's potentially innocent (though nonetheless harmful).

"There were definite specific MAC address spoofs that were malicious, such as all zero addresses," says Rushing.

Additionally, a number of software tools were usually tied to operating systems like Linux, which had only a limited number of Wi-Fi hardware options. But new products like Smac run under Windows. Smac will let a Windows computer spoof any possible MAC address with ease, whereas before such a step could require heavy-handed hacks like modifying the registry.

Most companies have to protect themselves from the people on the outside, says Rushing. However, with wireless, "it's the reverse: I need to protect my computer from connecting to other devices. There's nothing to prevent these connections." The lights telling you you're connected to a network are not telling you if you're on the right network, which is something more users should be aware of.

It appears, as stated above, Wi-Fi end users -- even those who work in the industry -- don't worry about it. Only six percent of the e-mail downloaded at the show was protected by a secure virtual private network tunnel. 130 users with Windows XP were blithely broadcasting a search for networks that weren't at the show, automatically doing look-ups of their home or office networks.

89 users were recorded as having ad hoc mode on instead of Infrastructure mode (the former leaves them open to direct connections from others; the latter would connect them only to an access point). In fact, AirDefense says one ad hoc network used the SSID of "wifiplanet" -- which is also the SSID being used by the default network at the show, thereby tricking at least 10 users mistakenly using ad hoc mode into a direct connection they didn't want.
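A monitoring-side check for the two conditions described above (an ad hoc station advertising an SSID that access points also serve, and an all-zero source MAC), written as an added example that is not from AirDefense or the original article. It assumes beacons have already been captured and reduced to (source MAC, SSID, capability field) tuples; the function names and every sample value other than the "wifiplanet" SSID are constructed.

```python
from collections import defaultdict

# 802.11 capability information bits carried in every beacon.
ESS_BIT = 0x0001   # set by an access point (Infrastructure mode)
IBSS_BIT = 0x0002  # set by an ad hoc (IBSS) station

# Constructed sample observations: (source MAC, SSID, capability field).
SAMPLE_BEACONS = [
    ("00:0b:85:11:22:33", "wifiplanet", 0x0421),    # access point
    ("00:0b:85:11:22:34", "wifiplanet", 0x0421),    # second access point
    ("02:1a:2b:3c:4d:5e", "wifiplanet", 0x0022),    # ad hoc, same SSID
    ("00:00:00:00:00:00", "linksys", 0x0401),       # all-zero source MAC
    ("02:aa:bb:cc:dd:ee", "laptop-share", 0x0002),  # ad hoc, unique SSID
]

def mode(capability):
    """Classify a beacon by its ESS/IBSS capability bits."""
    ess = bool(capability & ESS_BIT)
    ibss = bool(capability & IBSS_BIT)
    if ess and not ibss:
        return "infrastructure"
    if ibss and not ess:
        return "adhoc"
    return "invalid"  # both or neither bit set is not a valid beacon

def is_all_zero(mac):
    """True for a MAC such as 00:00:00:00:00:00."""
    return set(mac.replace(":", "").replace("-", "")) == {"0"}

def find_alerts(beacons):
    """Return (alert type, SSID, MAC) tuples for the observations."""
    macs_by_ssid = defaultdict(lambda: defaultdict(set))
    alerts = []
    for mac, ssid, capability in beacons:
        if is_all_zero(mac):
            alerts.append(("all-zero-mac", ssid, mac))
        macs_by_ssid[ssid][mode(capability)].add(mac.lower())
    # An SSID seen in both modes means an ad hoc station is using a
    # name that clients expect to belong to an access point.
    for ssid, modes in sorted(macs_by_ssid.items()):
        if modes["infrastructure"] and modes["adhoc"]:
            for mac in sorted(modes["adhoc"]):
                alerts.append(("adhoc-ssid-collision", ssid, mac))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_BEACONS):
        print(alert)
```

An ad hoc SSID that matches no access point, such as the constructed "laptop-share" entry, is deliberately not flagged by the collision rule.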

The next Wi-Fi Planet Conference & Expo will be in Toronto, Ontario, Canada on March 15-17, 2004.


