APs have weaknesses that stem both from design mistakes and from user interfaces that promote weak passwords and the like. It has been demonstrated by many publicly conducted war-driving efforts (www.worldwidewardrive.org) in major cities around the world that a large majority of the deployed APs are poorly configured, most with WEP disabled and the configuration defaults, as set up by the manufacturer, left untouched.
Configuration
The default WEP keys used are often too trivial. Different APs use different techniques to convert the user's keyboard input into a bit vector. Usually 5 or 13 printable ASCII characters are mapped directly by concatenating their 8-bit ASCII codes into a 40-bit or 104-bit WEP key. A stronger key can be constructed from an input of 26 hexadecimal digits. It is possible to form an even stronger 104-bit WEP key by truncating the MD5 hash of an arbitrary-length pass phrase.
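As an added illustration (not code from the original text), the three key-construction forms described above in Python, together with an entropy bound that shows why the direct ASCII mapping cannot fill a 40- or 104-bit key even when the characters are chosen at random. The MD5 variant assumes a plain MD5 over the UTF-8 passphrase; the exact convention differs between vendors.

```python
import hashlib
import math

WEP40_BYTES = 5    # 40-bit key
WEP104_BYTES = 13  # 104-bit key
PRINTABLE_ASCII = 95  # characters 0x20..0x7E


def wep_key_from_ascii(passphrase: str) -> bytes:
    """Concatenate the 8-bit ASCII codes of 5 or 13 printable characters
    into a 40- or 104-bit key, as many APs do with keyboard input."""
    if len(passphrase) not in (WEP40_BYTES, WEP104_BYTES):
        raise ValueError("ASCII WEP input must be exactly 5 or 13 characters")
    if not all(0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("ASCII WEP input must be printable ASCII")
    return passphrase.encode("ascii")


def wep_key_from_hex(hex_digits: str) -> bytes:
    """Map 10 or 26 hexadecimal digits to a 40- or 104-bit key.
    Every bit of the key can be chosen, unlike the ASCII mapping."""
    if len(hex_digits) not in (2 * WEP40_BYTES, 2 * WEP104_BYTES):
        raise ValueError("hex WEP input must be exactly 10 or 26 digits")
    return bytes.fromhex(hex_digits)


def wep104_key_from_passphrase_md5(passphrase: str) -> bytes:
    """Truncate the MD5 digest of an arbitrary-length passphrase to 104 bits.
    Assumption: plain MD5 over UTF-8, no vendor-specific salt or padding."""
    return hashlib.md5(passphrase.encode("utf-8")).digest()[:WEP104_BYTES]


def ascii_key_entropy_bits(num_chars: int) -> float:
    """Upper bound on the entropy of an ASCII-mapped key: even uniformly random
    printable characters give log2(95) ~ 6.57 bits per 8-bit byte (the high bit
    is always 0), so a 5-char key has < 40 bits and a 13-char key < 104 bits.
    Real user-chosen passwords are far below this bound."""
    return num_chars * math.log2(PRINTABLE_ASCII)
```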
Defeating MAC Filtering
Typical APs permit access to only those stations with known MAC addresses. This is easily defeated by the attacker who spoofs his frames with a MAC address that is registered with the AP from among the ones that he collected through sniffing. That a MAC address is registered can be detected by observing the frames from the AP to the stations.
Rogue AP
Access points that are installed without proper authorization and verification that overall security policy is obeyed are called rogue APs. These are installed and used by valid users. Such APs are configured poorly, and attackers will find them.
Trojan AP
An attacker sets up an AP so that the targeted station receives a stronger signal from it than from a legitimate AP. If WEP is enabled, the attacker would already have cracked it. A legitimate user selects the Trojan AP because of the stronger signal, authenticates and associates. The Trojan AP is connected to a system that collects the IP traffic for later analysis. It then relays all the frames to a legitimate AP so that the victim does not notice the ongoing MITM attack. The attacker can steal the user's password and network access, or compromise the user's system to gain root access on it. This attack is called the Evil Twin attack.
It is easy to build a Trojan AP because an AP is just a computer system optimized for its intended application. A general-purpose PC with a wireless card can be turned into a capable AP. An example of such software is HostAP (http://hostap.epitest.fi/). Such a Trojaned AP would be formidable.
Equipment Flaws
A search on www.securityfocus.com for "access point vulnerabilities" will show that numerous flaws in equipment from well-known manufacturers are known. For example, one such AP crashes when it is sent a frame whose spoofed source MAC address is the AP's own. Another AP features an embedded TFTP (Trivial File Transfer Protocol) server. By requesting a file named config.img via TFTP, an attacker receives the binary image of the AP configuration. The image includes the administrator's password required by the HTTP user interface, the WEP encryption keys, the MAC address, and the SSID. Yet another AP returns the WEP keys, the MAC filter list, and the administrator's password when sent a UDP packet to port 27155 containing the string "gstsearch".
It is not clear how these flaws were discovered. The following is a likely procedure. Most manufacturers design their equipment so that its firmware can be flashed with a new and improved one in the field. The firmware images are downloaded from the manufacturers’ web site. The CPU used in the APs can be easily recognized, and the firmware can be systematically disassembled revealing the flaws at the assembly language level.
Comprehensive lists of such equipment flaws are likely circulating among the attackers.