Windows Wi-Fi 'vulnerability' not a vulnerability

Summary: If the hacker did want to put up an evil twin to perform man-in-the-middle attacks on you, he wouldn't bother with your "vulnerable" probe requests because the hotspot Access Point will already have been announcing it 10 times a second. If you really think about it, it's even more dangerous to hook up a broadband connection because you're not just vulnerable to hackers within a 150 foot radius but to hackers all over the world.


[Updated 1/20/2006 2:00 AM: I had a chat with Mark Loveless after he contacted me after reading this blog and we cleared some issues up.] We've had two stories this week by Tom Espiner declaring a new Wi-Fi vulnerability in Windows XP with SP2 and that a fix wasn't available for another year or more.  The first story claimed that there was a new vulnerability discovered in Microsoft's Windows XP wireless network client, loosely based on researcher Mark Loveless' claims that he found a new Windows Wi-Fi vulnerability.  [Updated: Mark Loveless didn't actually use the word "vulnerability" but he rated this Windows behavior with a severity of "high" along with the qualification that the risk was "albeit lame".]  The second story stated that Microsoft admitted to this vulnerability and that they wouldn't patch it for another year or more.  We may as well rip out our wireless LAN adapters from our PCs... [Update: Since Loveless technically never used the word "vulnerability", he didn't stretch anything.  But I can see how his severity rating of "high" can easily be misinterpreted as a "vulnerability".] The problem is that this is really stretching the definition of a "vulnerability", if it can even be considered a vulnerability at all, and Microsoft never acknowledged this as a vulnerability.  I checked with a Microsoft spokesperson and they confirmed that the Microsoft Security Research Center states that this is not a security vulnerability.

This is what I suspected all along, because by definition a software vulnerability is when software can be made to do something it wasn't designed to do.  This "vulnerability" that Espiner's story raised is actually a feature designed into every wireless "supplicant" (that's IEEE speak for "client") software in the world, because it is a fundamental and critical feature of the IEEE 802.11 protocol.  The name of this feature that Espiner's story is concerned about is "SSID probe requests", and the feature is critical if a wireless client computer wants to find an access point or ad-hoc wireless peer computer that suppresses its SSID beacons.  Someone obviously has to reach out to the other party first if there is to be a wireless LAN connection at all.

[Updated: For the record, Loveless' report is actually concerned about a behavior in Windows that doesn't distinguish between ad-hoc networks and infrastructure networks if their SSID happens to be the same.  Loveless also found a recommendation in RFC 3927 section 5 paragraph 3, coauthored by a Microsoft employee, that an automatic addressing scheme shouldn't be used in Wireless LANs, so he is criticizing Microsoft for failing to follow this recommendation.  For me, restricting the use of automatic IP addressing in any kind of Wireless LAN is silly because it shouldn't be used as a substitute for real protection in the first place.  Loveless is also complaining about Windows advertising SSIDs and establishing Wi-Fi connections to these SSIDs without explicit user consent just because the SSID had been used before in an unsecured manner.  I still don't have a problem with this because it's a basic usability feature and I don't want Windows bugging me with pop-ups every time just because it's connecting to an unsecured SSID that I've already willingly connected to before.  Anyone afraid of unsecured network connections shouldn't make them in the first place, or should make sure they take the appropriate precautions if they do.  This was the case I made in this original blog and I'm sticking to it.]

A normal access point will beacon (broadcast) its SSID about 10 times per second to let wireless users know of its presence.  When this SSID broadcast feature is disabled because some network administrator thinks it's such a great security feature, the only way a client computer can establish a connection with that access point is if it goes out and probes for that access point by its SSID.  It essentially has to shout out to the access point (figuratively speaking) "HEY ARE YOU THERE!" until the access point replies "YES I AM!" before it can continue negotiating a wireless connection session.  Espiner's story is complaining that by broadcasting this SSID in the probe request over the public airwaves, you are essentially giving away your SSID to hackers, who can potentially endanger you with Wi-Fi evil twins that pose as legitimate hotspots or peers so that you will establish a Wireless Ethernet connection to them.  The problem with this train of thought is that if you suppressed all SSID broadcasts, you would be breaking a fundamental mechanism in 802.11 wireless networking.  Taking this to its logical conclusion, we may as well rip out our wireless LAN adapters from our PCs and be done with it.
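To make concrete what actually travels over the air, here is an added example (not code from the original post) that builds and parses minimal 802.11 management frames: a beacon from an access point that suppresses its SSID still goes out about 10 times a second (a 100 TU beacon interval), and the client's probe request carries the SSID in the clear. The frames, addresses and SSID names are constructed for illustration.

```python
# Added example: minimal 802.11 management-frame builder/parser showing where
# the SSID appears in a beacon versus a probe request. All frames below are
# constructed test data, not captures.
import struct

MGMT_SUBTYPES = {0: "association-request", 4: "probe-request",
                 5: "probe-response", 8: "beacon"}
ELEMENT_SSID = 0          # information element ID for the SSID
MAC_HEADER_LEN = 24       # frame control, duration, 3 addresses, sequence


def build_frame(subtype, ssid, hidden=False):
    """Construct a minimal management frame (constructed sample data).

    Beacons and probe responses carry 12 bytes of fixed fields (timestamp,
    beacon interval, capabilities) before the tagged parameters; probe
    requests go straight to the tagged parameters.
    """
    frame_control = struct.pack("<H", subtype << 4)   # type 0 = management
    duration = b"\x00\x00"
    # constructed addresses: broadcast destination, locally administered src/BSSID
    addresses = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" * 2
    sequence = b"\x00\x00"
    body = b""
    if subtype in (5, 8):
        # interval 100 TU = 102.4 ms, i.e. roughly ten beacons per second
        body += struct.pack("<QHH", 0, 100, 0x0401)
    ssid_bytes = b"" if hidden else ssid.encode()
    body += bytes([ELEMENT_SSID, len(ssid_bytes)]) + ssid_bytes
    return frame_control + duration + addresses + sequence + body


def parse_frame(frame):
    """Return (subtype_name, ssid) for a management frame.

    ssid is None if no SSID element is present and "" for a zero-length
    element, which is how a "hidden" access point beacons.
    """
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != 0 or subtype not in MGMT_SUBTYPES:
        raise ValueError("not a supported management frame")
    offset = MAC_HEADER_LEN + (12 if subtype in (5, 8) else 0)
    ssid = None
    while offset + 2 <= len(frame):
        eid, length = frame[offset], frame[offset + 1]
        value = frame[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if eid == ELEMENT_SSID:
            ssid = value.decode(errors="replace") if length else ""
        offset += 2 + length
    return MGMT_SUBTYPES[subtype], ssid


def ssid_exposure(frames):
    """Sorted list of non-empty SSIDs readable in the clear from a set of frames."""
    return sorted({parse_frame(f)[1] for f in frames} - {"", None})
```

Run over a hidden-SSID beacon plus the probe request a client must send to find it, the parser shows the SSID surfaces in the probe request anyway; suppressing beacons only moves the disclosure, it does not remove it.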

Just the act of using a wireless hotspot itself will put you in even more danger because the hacker doesn't even need to bother putting up an evil twin because he can attack your computer in that hotspot because he is on the same LAN as you.  If the hacker did want to put up an evil twin to perform man-in-the-middle attacks on you, he wouldn't bother with your "vulnerable" probe requests because the hotspot access point will already have been announcing it 10 times a second.  If you really think about it, it's even more dangerous to hook up a broadband connection because you're not just vulnerable to hackers within a 150 foot radius but to hackers all over the world!

But is this really the end of the world?  Of course not!  That's what firewalls are for and just about any firewall will do, even the free built-in Windows XP firewall.  Corporate IT departments can easily enable the Windows XP SP2 firewall on every PC they own by setting firewall policies in Active Directory Group Policy.  Once users have a personal firewall enabled, they will be relatively safe when they connect to any public unsecured network whether it was a wireless hotspot or wired broadband connection.

If anyone is paranoid about ad-hoc wireless LAN connections, they can simply set their wireless supplicant software to only connect to "infrastructure networks."  Any IT administrator can do the same thing globally for all Windows PCs in their domain by configuring the wireless security settings in their Windows 2003 Active Directory Group Policy.  The dangers of SSID probe requests that Espiner's story describes are nothing new, and classifying this feature as a vulnerability on the part of Microsoft or any other wireless supplicant software maker is just plain silly.

Topic: Wi-Fi



  • Good One / Infrastructure Only

    A quick Start>Run>cmd, to get to a dos prompt followed by:

    netstat -r

    Will display your routing table.

    If you see 'link-local' or you use -rn, you should NOT expect to see a destination:


    As George astutely points out (George knows Networking), setting your wireless to 'infrastructure' (Managed) vs (Ad. Hoc) should cure this.

    And, of course, slap yourself 'silly' if you haven't got your firewall turned on!

    Just a sideline tangent to this--users of Laptops who travel can set up secure shell (e.g., Cygwin or PuTTY) to tunnel and encrypt all of their activity back to their home machine (provided the home machine is running the sshd server) or to a low-cost web shell account.

    This sets up an encrypted tunnel from the Laptop to the endpoint sshd server where all activity is then forwarded.

    Cygwin Example:

    ssh -l username -D 8000 home_ip

    Then, go into your browser and set up a proxy with 'localhost' and port 8000 and you can protect all of your browser activity whilst on the road.

    And all of your browser activity will become tunneled to the home server and then forwarded to the net!


    Thanks George for a good article.
    D T Schmitz
    • Instead of ssl

      For those people that don't want to install Cygwin or MS Unix services on their laptop and have a *nix server at home, which Dietrich seems to have, you can also set up L2TP and IPsec on a *nix or Windows server that you might have on a home IP and VPN into your home network, achieving the same result using Windows networking software that is already installed. This is what I do on my Windows laptop and it has always worked well. It is too bad my Linux server does not support the same compression protocol as Windows.
      • Compression

        I am not sure what is meant by "does not support the compression protocol as Windows".

        If you are wireless (anywhere, hotspot, office), you are effectively taking advantage of the card's effective bandwidth.

        All the ssh does is set up a fully encrypted SOCKS4 proxy tunnel from your Laptop to your home machine where all http activity is then forwarded to the net.

        The connection is actually not much slower than it would have been in the first place using wireless to the access point.

        Make sense?

        But, it really depends on what the user's goal is.

        If you want to reach your Desktop GUI at home, via rdp Windows Terminal service, then that's a 'horse of a different color'.

        Or, one can use (not as fast, of course) VNC or VNC over ssh (VNC can tunnel thru ssh and is doable), or if you are a Linux 'gearhead' (like myself), you can install FreeNX server and download the NX 'client' from (for either the Windows or Linux client side).

        This is somewhat 'sideways' from George's article, but security-wise, I have spent several weeks testing a Knoppix 4.0 FreeNX server connection about 1,000 miles away over dialup 56K, and broadband. NX tunnels everything over ssh.

        If you are curious about NX read more here:

        Suffice it to say, NX rocks and, speed-wise, there is 'negligible' difference in screen refresh between dial-up and broadband! It is as good as Windows Terminal Server--acts like a localhost connection.

        Even better, it's FREE, and it supports rdp, nx, and vnc protocols whereas Windows Terminal Server supports just rdp.

        But don't take my word for it, you can give it a 'test drive' at

        Or here's another 'radical' idea for Windows Laptop users--(don't shoot the messenger--please!):

        Install the FREE (yes that's right FREE) VMware Player along with the VM 'Browser-Appliance' image of the Ubuntu Linux 5.1 Distro, which includes ssh by default.

        VMWare is distributing the 'Browser-Appliance' as a means to provide 'safe' 'sandbox' around your internet connection.

        Have only messed with it a few days, but I am impressed with it so far. Here's where you can get it:

        I haven't tried to set up FreeNX running inside a VMWare Linux vm machine, but in theory it should work the same, provided you install from root--one of my projects when I have more time to putter.

        By the way, George is a BIG VMWare fan and understandably so.

        Ok, I'll let that sink in.

        Thanks Balsover and thanks again George!
        D T Schmitz
        • One More Nattering Point

          And since this article was about Skype, you 'can' run Skype for Linux in the VMWare 'Browser-Appliance', to boot!

          What's my point? I am not sure. ;)
          Be safe.
          D T Schmitz
          • Typo

            I meant George's 'last article'! Not THIS article.

            D T Schmitz
        • I am familiar with the protocols.

          I know how ssl, l2tp and ipsec function as I have implemented them on embedded systems before. The compression protocol that MS likes to use (MPPC) in their l2tp sessions has patent issues, so if you use a Linux server as I do then it is not available unless you license it (or cheat, there is code on the net for that purpose). If I were to start using my Windows 2003 server then I would get compression on my connection, but I don't want to use the Windows server for that purpose.

          >If you are wireless (anywhere, hotspot, office), you are effectively taking advantage of the card's effective bandwidth.

          If you were able to enable compression on an l2tp connection you would increase the card's *effective* bandwidth beyond what it normally has. Most traffic on the net is still just text so compression would yield respectable performance gains.

          >All the ssh does is sets up a fully...
          ssh also supports compression. However, you still need to install third party software to take advantage of ssh on a Windows box. Dial-up networking and l2tp are already there and can be totally transparent in their use if configured correctly.

          >Or, one can use (not as fast, of course) VNC or VNC over ssh...

          I use VNC for my Linux servers; for the Windows machines I always use Remote Desktop Connection as its performance even over a remote link is superior to VNC. I would never install VNC server on a Windows PC. I always use Remote Desktop over the ipsec VPN, my Linux firewall does not allow it otherwise.

          The NX package looks interesting, I will follow up on that. Thanks.

          As far as installing *nix software on Windows boxes, I don't promote it or support it any more than I would install Microsoft software on my Linux machines. MS's software works quite well if the person setting up the machine has a clue about what they are doing; the same can be said of the software that I use on Linux. As OpenSwan works well with Windows clients and is very stable I don't see any point in exposing the GUI-orientated Windows users to a command line to get these add-on packages to do the same job. With dial-up networking you can configure the Windows client to start a dial-up connection for any network access, even if it is only a VPN and they already are physically wired to the internet. At home I use MAC filtering on my access point only to keep freeloaders off of my network, but I don't use WEP encryption because I use l2tp and ipsec even while on my home wireless network.
          • Elaborate

            I won't take up any more space here in this blog than necessary with side issues, but I appreciate your follow-up clarification and please give NX a look.

            You'll see it's as good a 'thin client' as Windows Terminal Server, and then some.

            Thanks Balsover very much for your thoughtful reply.

            D T Schmitz
    • VPN and SSL hacking...

      VPN and SSL are favorite attack vectors that allow malicious hackers to inject hostile code into the encrypted data stream and thus bypass the firewall, AV, and IDS.

      If you stay online and active with your VPN or SSL session for longer than 6 minutes, then your vulnerability is even greater. The public key used for the session can be cracked by malicious hackers in 8 minutes with Beowulf nodes. With drag-and-drop exploits they can inject into your VPN or SSL stream what looks to your home system like legit traffic originating from you.
      • VPN hacking / What

        Does anyone know what he's referring to here?
        D T Schmitz
        • He doesn't know what he's talking about

          He thinks public keys are crackable in 8 minutes with drag and drop tools. Let me say this as straightforwardly as possible. Public Keys above 768 bits can't be cracked in 8 minutes, 8 hours, 8 days, or 8 years.
          • Thanks George

            D T Schmitz
          • Not so fast George

            I was making an overall generalization. There are exceptions to my statement, such as the 768 bit encryption you mentioned, but that is only valid if the cracker is only using a single computer to attempt the cracking.

            Most encryption is far less than 768 unless users opt for better features with particular software. With some software the default is well below 128bit. Then again, there is software that insists on using stronger than 128bit encryption by default.

            If the software accesses the Windows ADVAPI.DLL file when generating the public key then the key is compromised from the start (the SS used that feature of the ADVAPI.DLL to access the VPN sessions of Shadowcrew). If the software uses a separate encryption runtime other than that provided by MS, then the public key is much more secure.

            George, evidently you are not up to speed on the processing capabilities of a well designed Beowulf multi-node parallel/distributed system - developed at Los Alamos National Lab. Since the release of the source code into the public domain several years back, the code has been refined by some security researchers, black-hats as well as white-hats.

            My reference to drag-and-drop hacking tools were in the context of after the key has been cracked. In many cases the public key must be compromised in order to fully cloak the code injected into the VPN or SSL data stream.
          • Just stop. You don't even understand basic cryptography.

            "I was making an overall generalization. There are exceptions to my statement, such as 768 bit encrytion you mentioned, but is only valid if the cracker is only using a single computer to attempt the cracking"

            Just stop, you don't understand encryption period. You don't even know the difference between asymmetric 768-bit crypto versus symmetric 128-bit crypto. I don't care how many computers you use, you're not going to crack 768-bit RSA public keys for the next 20 years. Oh and by the way, you can't practically do parallel cracking on RSA because of the need to access a massive matrix.
          • RSA is very obsolete

            RSA is very obsolete, which is why the NSA is frantically researching a solution that uses elliptic curve methodologies. While solutions do exist, none of them are fast enough yet.

            One of the flaws of asymmetric encryption in Windows is that the random number generator is flawed...assuming that the crypto software being used is accessing the Windows random number generator.
          • You don't even know what RSA is

            ... or the basic difference between it and symmetric crypto, yet you're throwing around these big words like elliptic curve crypto and a few excerpts of some technical gotchas that need to be avoided when using RSA keys. I would tell you to read up on some crypto 101 first.

            By the way, there are special elliptic curves that have to be avoided when using elliptic curve crypto just like there are things you have to watch out for when using RSA PKC. I'm not going to spend any more time entertaining this.
  • Thanks, George

    I agree completely. And I'm amazed how often this fact is overlooked:

    [i]"...the hacker doesn't even need to bother putting up an evil twin because he can attack your computer in that hotspot because he is on the same LAN as you."[/i]
    Real World
  • OEMs could help... not shipping Windows notebooks with the administrator password set to null by default. Most home users of laptops never seem to get around to changing this, even when they set up other users on the laptop.
  • Very well said...but...

    Thanks George for a very clear explanation. Now, if you can, please write that up and give it to every BestBuy/CircuitCity/Walmart/Target/etc. sales staff. Really, the problem isn't going to be 'most' of Corporate America (or those with IT-knowledgeable staff who understand that you should not put an AP in the middle of your network without some sort of 'fence' around it), it is going to be all the SOHO/end-user environments.

    I'm so-so-so worried for all my neighbors because just about every one has a wireless AP with default passwords/SSIDs. I have like 6 "linksys" as SSIDs and 3 "NETGEAR" as SSIDs (everyone on the same default channels as well) around my house here and all with NO minimum security configuration set up on them. I've gone in to just about everyone's AP/network and can see/map drives to their network/PCs/notebooks.

    I think that the whole wireless gear market is doing a HUGE disservice in making their gear too easy to use with zero 'thinking' behind it. Talk about your drive-by hacking. This is the BIGGER security vulnerability than anything else.
    • Every one at fault here

      Most vendors don't want to deal with the helpdesk calls of setting up security. The Microsoft Access Point (when you could get it) was actually one of the few that forced you to set up a random key which it exported to an XML file that could be portable.

      Hey, I'd be happy if everyone simply supported WPA. It took Sony a full year before they supported WPA on the PSP.
  • Good Article George, But What About Avg Joe Home User?

    I teach an IT security course and most of the fault is because most home users leave the wireless routers on factory default and never go into the settings to turn on strong WEP and don't have any kind of firewall running. Even most ISPs that will set up a wireless network leave the routers at factory default. Go to any subdivision and do a netstumbler sweep and you'll find at least 75-85% of the wireless networks are running in the clear, and most of them have file sharing turned on their systems, leaving them completely in the open.

    A lot of the fault is on the low-level of technical expertise for home users caught up in the wi-fi craze.