Just between you, me and the hackers on that wireless network
- By John Breeden II
- Aug 07, 2003
John Breeden II, GCN Lab Director
If you think your wireless network is secure, think again.
In recent days the GCN Lab staff went to hacker classes and learned some unsettling lessons. Even the most secure wireless networks, using security methods we have advocated, can be compromised. For every current method of security there is a countermeasure; not even virtual private network tunnels or Remote Authentication Dial-In User Service (RADIUS) servers are safe.
The most common method of wireless authentication uses Media Access Control addresses to filter valid or invalid users. But this method can be cracked in less than five minutes.
Almost any scanning hacker tool reports all MAC addresses in use, both clients and access points. Then a hacker simply runs Windows Registry Editor to dig through the HKEY_LOCAL_MACHINE hive to the right subkeys. From there the hacker can pick the driver entry for your wireless card and spoof a valid MAC address. Presto, the hacker has just become an authorized user.
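As an added example (not part of the original column), one defensive check that exposes the MAC spoofing described above: a wireless monitor can flag an allowed address whose frames arrive from two independent 802.11 sequence counters, which is what happens when a second radio borrows a legitimate client's MAC. The frame tuples below are constructed sample data.

```python
"""Flag a spoofed client MAC by 802.11 sequence-number analysis (added example).

A real station stamps each frame with a 12-bit sequence number that increases
by one per frame and wraps at 4096. When an attacker spoofs a whitelisted MAC,
frames from two radios carrying the same address interleave, so the observed
counter repeatedly jumps backwards. A single reset (reassociation or reboot)
is normal, so several backward jumps are required before alerting.
"""
from collections import defaultdict

SEQ_MODULO = 4096
MAX_BACKWARD_GAP = 64     # tolerate small reorder/retransmission jitter
ALERT_THRESHOLD = 3       # backward jumps per MAC before alerting


def seq_delta(prev, cur):
    """Signed distance from prev to cur on the 12-bit wrapping counter."""
    d = (cur - prev) % SEQ_MODULO
    return d if d < SEQ_MODULO // 2 else d - SEQ_MODULO


def find_spoofed_macs(frames):
    """frames: iterable of (timestamp, src_mac, seq). Returns {mac: jumps}."""
    last_seq = {}
    backward = defaultdict(int)
    for _ts, mac, seq in sorted(frames, key=lambda f: f[0]):
        mac = mac.lower()
        if mac in last_seq and seq_delta(last_seq[mac], seq) < -MAX_BACKWARD_GAP:
            backward[mac] += 1
        last_seq[mac] = seq
    return {m: n for m, n in backward.items() if n >= ALERT_THRESHOLD}


# Constructed capture: legitimate client 00:11:22:33:44:55 counts from 1000
# while a second radio using the same address counts from 3000; the other
# station merely wraps its counter, which must not trigger an alert.
SAMPLE_FRAMES = [
    (1.0, "00:11:22:33:44:55", 1000), (1.1, "00:11:22:33:44:55", 1001),
    (1.2, "00:11:22:33:44:55", 3000), (1.3, "00:11:22:33:44:55", 1002),
    (1.4, "00:11:22:33:44:55", 3001), (1.5, "00:11:22:33:44:55", 1003),
    (1.6, "00:11:22:33:44:55", 3002), (1.7, "00:11:22:33:44:55", 1004),
    (1.8, "aa:bb:cc:dd:ee:ff", 4094), (1.9, "aa:bb:cc:dd:ee:ff", 4095),
    (2.0, "aa:bb:cc:dd:ee:ff", 0),    (2.1, "aa:bb:cc:dd:ee:ff", 1),
]

if __name__ == "__main__":
    for mac, n in find_spoofed_macs(SAMPLE_FRAMES).items():
        print(f"ALERT: {mac} seen with {n} backward sequence jumps (possible spoof)")
```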
Wired Equivalent Privacy keys also are not completely secure. Though it takes more time, a hacker can determine the WEP key over time with constant monitoring. Even if a network uses 128-bit encryption and four rotating keys, hacker tools are quite helpful in sorting the data. The access point has to tell the clients what WEP key is in use and the clients have to transmit that key, so outsiders can break it down.
The supposed Holy Grail of security, using 802.1X and a RADIUS server in conjunction with a security method such as Cisco Systems Inc.'s LEAP, is not all that safe, either.
The problem is that a program called Microsoft Chat can be used to challenge clients for their security credentials. And for whatever reason, the last two letters of the password are sent unencrypted under LEAP. A hacker can then use a dictionary program to slam an access point with possible password combinations until it gets one right.
And don't think your VPN tunnels are secure. A new form of attack I learned about is called 'man in the middle.' What a hacker does is look for a user communicating via a VPN. The hacker then puts two wireless cards into a notebook PC, disrupts the wireless signal and invites the client to reconnect to the hacker's notebook as if it were the access point. Traffic then passes through the hacker's computer back to the access point using the client's credentials.
It only takes an instant and suddenly the hacker has become a hidden bridge in the middle of the VPN tunnel. Everything coming across the hacker's screen is unencrypted, too, since the access point thinks it is talking with the client and the client thinks it is talking to the access point.
Even a no-wireless policy probably won't save you. Most handhelds and notebooks come with wireless chips now, and these can be used to hack into a network even if no official framework exists.
In the coming weeks the GCN Lab will be writing about security methods that can help make wireless a bit more secure.
John Breeden II is a freelance technology writer for GCN.