Windows Wi-Fi attack discovered


A Windows feature that automatically searches for Wi-Fi connections can be exploited by hackers, a security researcher has warned.

The feature is part of Windows XP and 2000 and was exposed as being vulnerable at hacker conference ShmooCon on Saturday by vulnerability researcher Mark Loveless.

Loveless claimed that hackers can take advantage of the feature to include a user's PC in a peer-to-peer network, giving them access to information on its hard drive.

When a PC running Windows XP or Windows 2000 boots up it will automatically try to connect to a wireless network. If the computer can't set up a wireless connection, it will establish an ad hoc connection to a local address. This connection is assigned an IP address, and Windows associates that address with the SSID of the last wireless network the machine connected to.

The machine will then broadcast this SSID, looking to connect with other computers in the immediate area.

The danger arises if an attacker listens for computers that are broadcasting in this way, and creates a network connection of their own with that same SSID. This would allow the two machines to associate together, potentially giving the attacker access to files on the victim's PC.

Security experts contacted by ZDNet UK on Monday confirmed that the flaw exists, but said that it should not be a problem for those using firewalls.

Paul Wood, security analyst at MessageLabs, indicated that users will probably be unaware that their computers have connected to the peer-to-peer network in such a way.

MessageLabs believes that users running Windows XP Service Pack 2 (SP2) are not at risk.

"This yet again is a wake-up call for those who haven't installed SP2. Any machines running a copy of XP without SP2 are saying 'Come and get me', as there are so many gaping threats," said Mark Sunner, chief technology officer at MessageLabs.

Get some protection
Experts recommended companies deploy a security policy, if one isn't already in place: "Any organisation deploying a Wi-Fi network needs to implement a company security policy," said Sunner. "The potential victims are the road-warrior community. Does the in-house security department have a mechanism to check the visibility of remote machines?"

MessageLabs also recommended that individual teleworkers be given personal firewalls.

Individuals can also protect themselves by disabling Wi-Fi when not using it, said Greg Day, security analyst at McAfee.

MessageLabs advised the following:

"Users with Wi-Fi can disable the peer-to-peer facility by going to 'Wireless Network Properties | Advanced | Network Access Point | Choose Infrastructure Networks Only'," said Wood. "We recommend people only connect to infrastructure points, although some users may want to use peer-to-peer for head-to-head gaming and file sharing."

MessageLabs pointed out that system administrators can also mitigate the problem by blocking ports 135, 137, 138, and 139 — which in Sunner's words "should be nailed shut already" — from accepting NetBIOS connections.
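The advice above amounts to a per-profile policy: no ad hoc (peer-to-peer) profiles, and no auto-join of open or vendor-default SSIDs that anyone nearby can advertise. The following audit script is an added example, not code from the article or from MessageLabs; XP does not export its wireless settings in a machine-readable form, so it assumes the profile XML that `netsh wlan export profile` writes on Windows Vista and later, and the sample profiles are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by the profile XML that `netsh wlan export profile` writes.
NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Vendor-default SSIDs the article's comments name as easy lures; extend as needed.
COMMON_DEFAULT_SSIDS = {"linksys", "dlink", "tmobile", "btopenzone"}


def audit_profile(xml_text):
    """Return (profile name, list of policy findings) for one exported profile."""
    root = ET.fromstring(xml_text)
    name = root.findtext("p:name", default="", namespaces=NS)
    ctype = root.findtext("p:connectionType", default="", namespaces=NS).strip()
    cmode = root.findtext("p:connectionMode", default="", namespaces=NS).strip()
    auth = root.findtext("p:MSM/p:security/p:authEncryption/p:authentication",
                         default="", namespaces=NS).strip()
    findings = []
    if ctype.upper() == "IBSS":  # ad hoc, i.e. the peer-to-peer mode the article says to disable
        findings.append("ad hoc profile: policy allows infrastructure networks only")
    if cmode.lower() == "auto" and name.lower() in COMMON_DEFAULT_SSIDS:
        findings.append("auto-connects to a default SSID anyone can advertise")
    if auth.lower() == "open":
        findings.append("open authentication: any radio using this SSID is accepted")
    return name, findings


def audit_profiles(profiles):
    """Map each profile name to its findings; an empty list means it passed."""
    return dict(audit_profile(p) for p in profiles)


def _profile(name, ctype, cmode, auth):
    # Constructed sample in the real export layout (only the elements audited are included).
    return (f'<WLANProfile xmlns="{NS["p"]}"><name>{name}</name>'
            f'<SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>'
            f'<connectionType>{ctype}</connectionType><connectionMode>{cmode}</connectionMode>'
            f'<MSM><security><authEncryption><authentication>{auth}</authentication>'
            f'</authEncryption></security></MSM></WLANProfile>')


SAMPLE_PROFILES = [
    _profile("Linksys", "IBSS", "manual", "open"),  # the ad hoc carry-over the article describes
    _profile("tmobile", "ESS", "auto", "open"),     # hotspot name left on auto-connect
    _profile("CorpWLAN", "ESS", "auto", "WPA2"),    # compliant corporate profile
]

if __name__ == "__main__":
    for name, findings in audit_profiles(SAMPLE_PROFILES).items():
        print(name, "->", "; ".join(findings) or "OK")
```

On a real machine, export each profile with `netsh wlan export profile folder=<dir>` and feed the files' contents to `audit_profiles`.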

Day downplayed the potential of the attack: "Hackers are trying to class this as virus-like. You become part of the problem because your machine is now broadcasting on a peer-to-peer network. However, all this gives hackers is the ability to see other machines — they still have to write exploits. But if the user is patched or has a firewall, they are protected."

Sunner echoed those feelings: "I'm a purist, and for me the [virus] analogy is not rooted in reality. Could it be self-replicating? It's not really within the realms of possibility," said Sunner.

Criminal gangs were unlikely to target this flaw as it would be too labour-intensive to exploit, predicted MessageLabs, saying that it was "really a threat from script kiddies".

Microsoft had not responded to a request for comment at the time of writing.

Talkback

That was a nice article. But there is still the problem where the attacker actually fakes the access point, i.e. the attacker pretends to be your access point; if he succeeds with that, the hacker can do a "man-in-the-middle" attack on all the victim's internet communication, so the local firewall isn't much help in such a scenario. The local firewall, however, helps protect the individual computer from intruders, but it doesn't protect the information sent to or from the computer...

via Facebook 17 January, 2006 15:41

This is nothing new. Whether you broadcast the SSID or not really doesn't make a difference. A hacker can simply wait for someone to connect, jam the signal for a few seconds, or send a disconnect packet to the wireless access point.
Once the signal is reacquired, a hacker simply begins to capture packets, where the SSID is pretty easy to see. Also during this time, the packets used for passkey processing can be captured and taken offline where software can be used to eventually 'crack' the passkey.
So, same as always. Use a good 128 bit encryption with a passkey which is at least 15 characters or more long. Also, change this passkey monthly.

via Facebook 18 January, 2006 03:59

I first described the vulnerability that I termed "WiPhishing" over a year and a half ago (Google "wiphishing" for more information). I postulated that "WiPhishing" occurs when a hacker sets up an access point to lure computers that are set to automatically connect to easily guessable SSIDs such as "Linksys", "BTopenzone" or "dlink". Computers get set up this way either deliberately by users, so that their computers will automatically connect to their home network or a Starbucks network, or automatically by the XP wireless client. This "newly discovered" vulnerability makes matters even worse, as we now discover that the XP client can't tell the difference between a normal access point-to-laptop (infrastructure) WiFi mode and the less commonly used laptop-to-laptop (ad-hoc) WiFi mode. What is now being pointed out is that laptops set to automatically connect to normal infrastructure (laptop-to-access point) networks called, for example, Linksys (which is bad enough but very common), will also mistakenly automatically connect to ad-hoc (laptop-to-laptop) networks with the same name (SSID). After they have made this connection, they are "infected" with this ad-hoc connection profile and will start broadcasting it, just as they previously broadcasted the Linksys infrastructure connection. Unfortunately, because of this vulnerability, all computers that subsequently connect to them also get "infected" with the ad-hoc profile and so on and so on.

The bottom line is this; because of this vulnerability, all a hacker has to do to WiPhish a laptop, is set up a laptop with an ad-hoc connection set to “Linksys” or “BTopenzone”. As soon as a laptop set up this way is turned on, all other laptops in the vicinity that are set up to automatically connect to a network with the same name will start mistakenly connecting to the hacker’s laptop. A hacker sitting outside an office building or in an airport using this technique can gain access to many users’ laptops, often without their knowledge, and create WiFi mayhem in the process by trying out different easily guessable network names like Linksys until they catch a Phish. Once connected to a user’s laptop, an experienced hacker can not only potentially access data on that laptop (all shared folders are immediately accessible) but can also potentially use the laptop’s authenticated connection to a wired office network to access other network-connected resources such as servers or other computers.

I did a piece on the subject with the NBC affiliate in Dallas last year which can be viewed at the following link: http://cf.nbc5i.com/dfw/sh/videoplayer/video.cfm?id=4459208&owner=dfw

Even if Windows firewall has been turned on and locked by an employee’s network administrator, the user can easily turn it off (so they can play their favorite MPORG) by downloading software readily available on the Internet for this specific purpose.

This is a real problem, not just for users who do not know enough to secure their laptops properly, but more importantly for their employers. For this and other reasons, it is essential that organizations define wireless connectivity policies and have the means to enforce compliance with those policies on all laptops used for and at work. My company developed what we believe is the only complete solution to this threat, which is currently being used by many organizations large and small. We call our solution AirSafe Enterprise, and it enables wireless connectivity policies to be established and enforced across the enterprise, and also automatically turns off a laptop’s wireless adapter whenever the laptop is connected to a wired network.

More information on AirSafe Enterprise and our other products is available at our web site at www.cirond.com, or at that of our exclusive licensee, AirPatrol Corporation, at www.airpatrolcorp.com.
Nicholas Miller
CEO Cirond Corporation

via Facebook 20 January, 2006 10:34

This issue is obviously not a problem for sophisticated users and as usual, we hear the familiar refrain: "anyone with half a brain knows how to ..." from the computer literati; but therein lies the problem. Take a drive around any neighborhood or business park with a wireless laptop and you will see numerous access points set to the default settings and many without even basic WEP turned on. This means that many laptops are, in all likelihood, set up to automatically connect to those networks (either accidentally or on purpose). Just sit outside any office building with a WiFi router or access point, or as we now find out, a laptop with an ad-hoc connection profile with its SSID set to Linksys or tmobile, and see how many laptops connect to it. This is a very easy way for hackers to gain access to those laptops and also potentially to the office wired network that they may be simultaneously connected to. If anyone is in any doubt, check out this link (shameless self promotion!): http://cf.nbc5i.com/dfw/sh/videoplayer/video.cfm?id=4459208&owner=dfw
This “new” threat pours gasoline on the fire as we now discover that the XP client can't tell the difference between a normal access point-to-laptop (infrastructure) WiFi mode and the less commonly used laptop-to-laptop (ad-hoc) WiFi mode. What is now being pointed out is that laptops set to automatically connect to normal infrastructure (laptop-to-access point) networks (which is bad enough but very common), will also mistakenly automatically connect to ad-hoc (laptop-to-laptop) networks with the same name (SSID). After they have made this connection, they are "infected" with this ad-hoc connection profile and will start broadcasting it, just as they previously broadcasted the Linksys infrastructure connection. Unfortunately, because of this vulnerability, all computers that subsequently connect to them also get “infected” with the ad-hoc profile and so on and so on.

The bottom line is this; because of this vulnerability, all a hacker has to do to WiPhish a laptop, is set up a laptop with an ad-hoc connection set to “Linksys” or “tmobile”. As soon as a laptop set up this way is turned on, all other laptops in the vicinity that are set up to automatically connect to a network with the same name will start mistakenly connecting to the hacker’s laptop. A hacker sitting outside an office building or in an airport using this technique can gain access to many users’ laptops, often without their knowledge, and create WiFi mayhem in the process by trying out different easily guessable network names like Linksys, Dlink or tmobile until they catch a Phish. Once connected to a user’s laptop, an experienced hacker can not only potentially access data on that laptop (all shared folders are immediately accessible) but can also potentially use the laptop’s authenticated connection to a wired office network to access other network-connected resources such as servers or other computers. OOPS!

Some say XP SP2 and Windows firewall solves the problem, but hands up all who are prepared to bet the security of their entire corporate network on Windows Firewall, assuming of course that it is turned on. Even if Windows firewall has been turned on and locked by the employees' network administrators, users can easily turn it off (so they can play their favourite MPORG) by downloading software readily available on the Internet for this specific purpose. This is a real problem, not just for users who do not know enough to secure their laptops properly, but more importantly for their employers. For this and other reasons, it is essential that organizations define wireless connectivity policies and have the means to enforce compliance with those policies on all laptops used for and at work. Before anyone inevitably points out that my company "conveniently" offers a solution to this problem - as if we invented it (more information is available at our web site at www.cirond.com, or at that of our

via Facebook 20 January, 2006 10:38
