[ISN] That Wi-Fi network you thought was secure? It ain't

From: InfoSec News (alerts@private)
Date: Wed Feb 27 2008 - 04:06:19 PST


http://www.channelregister.co.uk/2008/02/26/wpa_enterprise_pwnage/

By Dan Goodin 
Channel Register
26 Feb 2008

Businesses using some of the more advanced methods for securing 
connections to Wi-Fi access points need to take a hard look at the 
configuration settings of client computers. So say researchers who have 
documented a simple way to impersonate trusted networks.

The attack targets networks that use Wi-Fi Protected Access (WPA) with 
802.1X authentication, most commonly Protected Extensible Authentication 
Protocol (PEAP) or another tunnelled Extensible Authentication Protocol 
(EAP) method such as EAP-TTLS. In these methods the RADIUS authentication 
server presents an X.509 certificate to the laptop or other client so the 
client can confirm it is talking to the trusted network, and the user's 
inner credentials are then exchanged inside the resulting encrypted TLS 
tunnel.

Problem is, laptops running Windows, OS X and various versions of Linux 
frequently have these security settings misconfigured, according to 
researchers Brad Antoniewicz and Josh Wright. Using a program called 
FreeRADIUS-WPE [1] (short for FreeRADIUS Wireless Pwnage Edition), it is 
easy to dupe such clients into authenticating to an impostor network and 
giving up critical information, they say.

The attack exploits the wireless supplicant, the client-side software that 
carries out the 802.1X/EAP exchange and is responsible for checking the 
authentication server's credentials. All too frequently, the researchers 
say, it is configured not to validate the server certificate at all, or to 
validate the RADIUS server's TLS certificate only partially (for example 
accepting any certificate from a trusted CA rather than one issued to the 
expected RADIUS server).

"In either of these scenarios, FreeRADIUS-WPE (our modified version of 
the open source RADIUS server) can be used to gain access to the inner 
authentication credentials passed in the TLS tunnel that is established 
between client and the authentication server," Antoniewicz writes here 
[2]. "In some cases these protocols reveal the client's username and 
password in clear text, while other cases require a brute force attack. 
Due to Active Directory integration, these credentials may also be those 
used for domain authentication."

The researchers envision a scenario where a vulnerable client could be 
induced to give up sensitive information while connected to a public 
hotspot that's in close proximity to a corporate access point.

Microsoft's Windows Zero Configuration (WZC) by default is set to 
validate server certificates and we suspect the same can be said about 
wireless supplicants contained in competing operating systems. But 
Antoniewicz says these settings are frequently turned off, presumably at 
the first sign of connectivity problems, and then never turned back on. 
What's more, Windows users can easily be misled by prompts that ask if 
they want to connect to a network whose validation doesn't check out.

"When using WZC and other supplicants, you'll want to make sure that the 
client clearly validates the server certificate by only trusting 
certificates that match the signing authority, and hostname of the 
RADIUS server," Antoniewicz advises.
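As an added illustration (not code from the article, the researchers or 
FreeRADIUS-WPE), the check below audits wpa_supplicant network blocks for 
exactly the settings Antoniewicz calls out: it flags EAP networks that pin 
no CA, or that pin a CA but no server name, and notes what an impostor 
RADIUS server would then get from the inner authentication method. The two 
embedded configurations, the SSID, the CA file path and the RADIUS hostname 
are constructed for the example.

```python
"""Audit wpa_supplicant network blocks for the supplicant misconfiguration
the article describes: an EAP network that does not pin the RADIUS server's
CA and name, so a rogue authenticator can terminate the TLS tunnel and
harvest the inner credentials. Added example; not the article's own code."""
import re

# Constructed sample input (not from the article): the same PEAP/MS-CHAPv2
# network configured the weak way and the corrected way.
VULNERABLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    # trust only the corporate RADIUS CA (hypothetical path) ...
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # ... and only a certificate issued to the expected RADIUS host
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

EAP_KEY_MGMT = {"WPA-EAP", "WPA-EAP-SHA256", "IEEE8021X"}
SERVER_NAME_KEYS = ("subject_match", "altsubject_match",
                    "domain_suffix_match", "domain_match")


def parse_networks(conf):
    """Return one dict per network={...} block, mapping key to unquoted value."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net):
    """Findings for one network block; an empty list means the server is validated."""
    findings = []
    if not EAP_KEY_MGMT & set(net.get("key_mgmt", "").split()):
        return findings  # PSK/open network: no RADIUS server certificate involved
    has_ca = bool(net.get("ca_cert") or net.get("ca_path"))
    has_name = any(net.get(k) for k in SERVER_NAME_KEYS)
    if not has_ca:
        findings.append("no ca_cert/ca_path: any RADIUS server certificate is accepted")
    elif not has_name:
        findings.append("CA pinned but no subject/domain match: any certificate "
                        "issued by that CA is accepted")
    if findings:
        # Only worth reporting when the outer tunnel can be hijacked.
        inner = net.get("phase2", "").upper()
        if "AUTH=PAP" in inner or "GTC" in inner:
            findings.append("inner method sends the password in clear text "
                            "through the hijacked tunnel")
        elif "MSCHAPV2" in inner:
            findings.append("inner MS-CHAPv2 challenge/response can be captured "
                            "and brute-forced offline")
    return findings


def audit_conf(conf):
    """Map each SSID in a wpa_supplicant.conf to its list of findings."""
    return {net.get("ssid", "<no ssid>"): audit_network(net)
            for net in parse_networks(conf)}


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        for ssid, findings in audit_conf(conf).items():
            print(f"[{label}] {ssid}: {findings or 'OK'}")
```

The hardened block is the configuration the quote above describes: 
ca_cert restricts trust to the organisation's RADIUS CA, and 
domain_suffix_match (or subject_match on older wpa_supplicant builds) 
restricts it further to a certificate issued to the real RADIUS server, so 
a FreeRADIUS-WPE instance with a certificate from any other issuer, or from 
the same public CA under a different name, is rejected before the inner 
credentials are ever sent.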

[1] http://www.willhackforsushi.com/FreeRADIUS_WPE.html
[2] http://www.avertlabs.com/research/blog/index.php/2008/02/21/can-i-own-your-wireless-network/


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Wed Feb 27 2008 - 04:18:32 PST