Wireless LAN security myths that won't die

It's been two years since I wrote "The six dumbest ways to secure a wireless LAN," and it's probably been one of my more successful blog entries ever, with two flashes on Digg. Since that time, I've written a free electronic book on enterprise wireless LAN security for anyone to use and download from TechRepublic. Since it has been two years, I'm going to update the information with more defined categories and better explain why they're so bad from an ROI (return on investment) and security perspective.

Waste of money, resources, time

  • MAC filtering
  • Disable DHCP and use Static IP addresses
  • Signal suppression with expensive paint or antenna placement

Worse than no wireless security at all

  • LEAP (adding EAP-FAST to the list)
  • SSID Access Point beacon suppression (or "hiding")

Has nothing to do with security mechanisms

  • Just use 802.11a or Bluetooth

The original blog has probably been read by more than a hundred thousand people, but I still can't kill these nasty urban legends because they are so ingrained as "best practice." I was shocked and infuriated to find that even some security certifications, like the CISSP, and VISA payment processing compliance requirements, like PCI, recommend most of these methods as "best practice."

Note that I recently attended the official CISSP boot camp training and in spite of this bad wireless LAN advice, I still recommend the CISSP certification and training. It really taught me how to better communicate to management and business people and align security and IT to the business. I have, however, asked them to fix their small section on wireless LAN best practices, and I hope they fix it.

The most common and misguided arguments I hear against my advice and in favor of implementing this nonsense are:

  • What's the harm? It's a layered approach to security.
  • It makes us harder to see and hack.
  • We're a small company, and we can't afford real security.

The problem with these arguments is that they're based on some fundamentally wrong assumptions and an inadequate knowledge of how wireless LAN security works.

  • These aren't layered approaches; they're more like buying overlapping warranty coverage, since any benefit against casual bandwidth thieves is already covered by real security measures. The harm is that people confuse these methods for the real thing, spend more money and resources implementing the wrong mechanisms, and end up skimping on real security.
  • They don't make you harder to hack. The 802.11 frame header, including source and destination MAC addresses, is never encrypted, and the SSID still travels in probe and association frames even when the access point stops beaconing it. Kismet, a free passive sniffer, will reveal so-called hidden SSIDs, the MAC addresses of authorized clients, and the static IP scheme within seconds of listening to the airwaves, and an attacker can set an observed MAC on his own card in one command, sending all that money and time spent on MAC address and static IP management down the toilet.
  • If you have a limited budget with limited IT staff, it's all the more reason to use real wireless LAN security, because you certainly won't be able to afford the complexities of MAC filtering and static IP configuration. True wireless LAN security is far cheaper to implement and maintain.

Rock solid wireless LAN security for the home or small office can be summed up in a single paragraph. All you need to do is use WPA-PSK security with a random alphanumeric passphrase of at least 10 characters. The attacker's only realistic move against WPA-PSK is to capture one client's 4-way handshake and then guess passphrases offline, which is why the passphrase must be genuinely random rather than a word or name that a dictionary run will find. I estimated that a truly random 10-character alphanumeric passphrase (62^10, roughly 8 x 10^17 possibilities) would take one thousand modern single-core PCs working in parallel about 500 years to exhaust; the figure scales directly with the attacker's guessing rate, so add characters if you want margin against faster hardware. If your hardware doesn't support WPA, you can almost always get a free software/firmware upgrade that adds it. If WPA absolutely can't be supported, you can run WEP with a 104-bit key (marketed as "128-bit"), which a semi-skilled script kiddie using two PCs in an active attack configuration might break in 10 minutes. WEP shouldn't ever be considered effective wireless LAN security, but it's hundreds of times harder to break than any of the myths. WEP can be considered an actual deterrent when nothing better like WPA is available, whereas these myths aren't even worthy of the deterrent title. The ROI for any of the first three wireless LAN security myths is essentially zero.
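As an added illustration (not code from the original post), here is the arithmetic behind that paragraph in Python, alongside the actual key derivation WPA-PSK performs, so you can see exactly what an attacker with a captured handshake has to repeat for every guess. The per-PC guessing rate of 300 PBKDF2 computations per second, the SSID "CorpNet" and the candidate lengths are assumptions chosen for the example; the derivation itself is the PBKDF2-HMAC-SHA1 function defined in 802.11i, and the "password"/"IEEE" pair mentioned in the note below is the test vector published in that standard's Annex H.

```python
import hashlib
import math
import secrets
import string

# 62-symbol alphabet: the "random alpha-numeric pass-phrase" the post recommends.
ALPHANUMERIC = string.ascii_letters + string.digits
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_passphrase(length: int = 10) -> str:
    """Draw each position uniformly from the OS CSPRNG. No words, no structure,
    so a dictionary attack on the captured handshake gains nothing."""
    if not 8 <= length <= 63:  # 802.11i allows 8..63 printable ASCII characters
        raise ValueError("WPA-PSK passphrase must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pairwise master key the way 802.11i specifies:
    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output.
    An attacker who captured a 4-way handshake must redo this for every guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def keyspace(length: int, alphabet: str = ALPHANUMERIC) -> int:
    return len(alphabet) ** length


def entropy_bits(length: int, alphabet: str = ALPHANUMERIC) -> float:
    return length * math.log2(len(alphabet))


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet: str = ALPHANUMERIC) -> float:
    """Worst case for the defender: time for an offline attacker with the given
    aggregate PBKDF2 rate to try every passphrase of this length."""
    return keyspace(length, alphabet) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    pp = random_passphrase(10)
    print("passphrase:", pp)
    print("PSK for SSID 'CorpNet':", wpa_psk(pp, "CorpNet").hex())  # constructed SSID
    # Assumed attacker: the post's 1000 single-core PCs at 300 guesses/s each.
    for n in (8, 10, 12):
        print(f"{n} random chars: {entropy_bits(n):.1f} bits, "
              f"{years_to_exhaust(n, 1000 * 300):.2e} years to exhaust")
```

Two things worth noticing when you run it. First, the SSID is the salt, so the same passphrase yields a different key on "CorpNet" and "corpnet", and any precomputed table only helps against the SSID it was built for. Second, the only variable an attacker controls is the guessing rate; purpose-built cracking hardware is orders of magnitude faster per guess than a 2007 desktop core, which is why passphrase length, not the rate assumption, is the knob that buys you margin.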

Worse than no wireless security at all

I've added a second category, "worse than no wireless security at all." For this category, I've listed Cisco's proprietary LEAP and EAP-FAST protocols, along with SSID beacon suppression. Not only are these mechanisms ineffective, they're actually harmful. LEAP authenticates with an MS-CHAP style challenge/response that crosses the air without any protective TLS tunnel, so an attacker who captures one exchange can run an offline dictionary attack against the user's password; its strength rests entirely on password complexity. The problem is that 99% of all human-generated passwords can be cracked within hours or days. That means once a hacker breaks into a wireless LAN by cracking LEAP, they're not only inside your network but also hold a valid user password to freely access your data. If a domain admin were to use LEAP, the keys to the kingdom are handed to the attacker. Cisco co-created a superior, standardized authentication mechanism called PEAP, but still pushes its customers toward the proprietary EAP-FAST protocol, which was created as a direct replacement for LEAP and as a way to lock you in to Cisco hardware. EAP-FAST is only slightly less dangerous than LEAP: it can be deployed safely with certificate-authenticated PAC provisioning, but its default and most commonly used configuration, anonymous in-band PAC provisioning, is just as dangerous as LEAP because the provisioning tunnel is unauthenticated, so a rogue access point can impersonate the server and harvest the inner MS-CHAPv2 exchange.

I've added SSID beacon suppression to the list of "worse than no wireless security at all" because it forces your laptop to spew your wireless LAN configuration everywhere you go. Security researcher Joshua Wright recently highlighted these dangers in this article. The problem with turning off SSID beaconing on your access point is that not only is it worthless, since the SSID is still easily detectable over the air in probe requests, probe responses, association requests and re-association requests, but it also forces your laptops to actively probe for the SSID because they can no longer learn about the network passively. That means all of your laptops will run around the world broadcasting your SSID, which opens them up to data seepage or even evil twin attacks: anyone who hears the probe can answer it with a rogue access point of the same name. If you drop this nonsense about SSID beacon suppression on the access point, you can turn off SSID probing on your notebooks, making them safer to operate. You can do this with the latest Windows XP SP2 Wireless Client Update, and Windows Vista has the feature built in. You simply need to make sure you don't enable "Connect even if the network is not broadcasting." The default behavior for SSID probing in Windows Vista is off, which is the safe setting.
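To make the "other broadcast mechanisms" concrete, the following Python is an added example (not from the original post, and not Kismet's code) that parses the SSID element out of raw 802.11 management frames and shows where the name still appears once the beacon is blanked. It also reads the transmitter address out of a WPA-protected data frame, which is the observation the MAC filtering myth in the first list ignores. The frames, MAC addresses and the SSID "CorpNet" are constructed inside the block for the example, not taken from a real capture.

```python
import struct

MANAGEMENT, DATA = 0, 2                       # 802.11 frame types
ASSOC_REQ, REASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 2, 4, 5, 8
SSID_IE = 0                                   # element ID of the SSID tag
PROTECTED = 0x40                              # Frame Control flag: "Protected Frame"
TO_DS = 0x01                                  # Frame Control flag: To DS

# Bytes of fixed fields that precede the tagged elements in each management body
FIXED_FIELDS = {ASSOC_REQ: 4, REASSOC_REQ: 10, PROBE_REQ: 0, PROBE_RESP: 12, BEACON: 12}
SUBTYPE_NAMES = {ASSOC_REQ: "assoc-req", REASSOC_REQ: "reassoc-req", PROBE_REQ: "probe-req",
                 PROBE_RESP: "probe-resp", BEACON: "beacon"}


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ie(tag: int, value: bytes) -> bytes:
    """Tagged element: 1-byte ID, 1-byte length, value."""
    return bytes((tag, len(value))) + value


def build_frame(ftype, subtype, addr1, addr2, addr3, body, flags=0):
    """Minimal 802.11 frame: 24-byte MAC header (no QoS field, no FCS) + body."""
    fc0 = (subtype << 4) | (ftype << 2)       # protocol version 0
    header = struct.pack("<BBH", fc0, flags, 0) + addr1 + addr2 + addr3 + struct.pack("<H", 0)
    return header + body


def find_ssid(elements: bytes):
    """Walk the tagged elements; return the SSID string, or None when the SSID
    element is missing, zero-length, or NUL-filled (the 'hidden' encodings)."""
    i = 0
    while i + 2 <= len(elements):
        tag, length = elements[i], elements[i + 1]
        value = elements[i + 2:i + 2 + length]
        if len(value) < length:               # truncated capture: stop rather than misparse
            break
        if tag == SSID_IE:
            return None if value.strip(b"\x00") == b"" else value.decode("utf-8", "replace")
        i += 2 + length
    return None


def parse_frame(frame: bytes) -> dict:
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype == MANAGEMENT:
        kind = SUBTYPE_NAMES.get(subtype, f"mgmt-{subtype}")
    else:
        kind = "data" if ftype == DATA else f"type-{ftype}"
    info = {"kind": kind, "protected": bool(flags & PROTECTED),
            # The MAC header is never encrypted: all three addresses are readable
            "addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]), "addr3": mac(frame[16:22]),
            "ssid": None}
    if ftype == MANAGEMENT and subtype in FIXED_FIELDS:
        info["ssid"] = find_ssid(frame[24 + FIXED_FIELDS[subtype]:])
    return info


def ssids_seen(frames):
    """Every SSID that crossed the air, whatever the beacons said."""
    return {p["ssid"] for p in map(parse_frame, frames) if p["ssid"]}


def transmitters_seen(frames):
    """Addr2 (transmitter) of every frame, encrypted payload or not: the list a
    MAC-filter bypass starts from."""
    return {parse_frame(f)["addr2"] for f in frames}


def probing_clients(frames):
    """(client MAC, SSID) pairs leaked by probe requests, i.e. what a laptop
    configured for a non-beaconing network announces everywhere it goes."""
    return {(p["addr2"], p["ssid"]) for p in map(parse_frame, frames)
            if p["kind"] == "probe-req" and p["ssid"]}


# Constructed sample capture: addresses and SSID are invented for this example
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("66778899aabb")
BROADCAST = b"\xff" * 6
SSID = b"CorpNet"
CAPTURE = [
    # AP beacon with "SSID hiding" on: timestamp/interval/capability, then an empty SSID element
    build_frame(MANAGEMENT, BEACON, BROADCAST, AP, AP,
                bytes(12) + ie(SSID_IE, b"") + ie(1, b"\x82\x84\x8b\x96")),
    # A client that cannot learn the network passively must name it in a probe request
    build_frame(MANAGEMENT, PROBE_REQ, BROADCAST, CLIENT, BROADCAST, ie(SSID_IE, SSID)),
    # The association request carries it again (capability + listen interval, then elements)
    build_frame(MANAGEMENT, ASSOC_REQ, AP, CLIENT, AP, bytes(4) + ie(SSID_IE, SSID)),
    # WPA-protected data frame: body is ciphertext, but the header addresses are not
    build_frame(DATA, 0, AP, CLIENT, AP, bytes.fromhex("deadbeef" * 8), flags=PROTECTED | TO_DS),
]

if __name__ == "__main__":
    for f in CAPTURE:
        print(parse_frame(f))
    print("SSIDs on the air:", ssids_seen(CAPTURE))
    print("probing clients:", probing_clients(CAPTURE))
    print("transmitters:", transmitters_seen(CAPTURE))
```

Run against the constructed capture, the beacon yields no name while the probe and association requests both yield "CorpNet", and the client's address is readable from the encrypted data frame. To use it on real traffic, feed it frames from a monitor-mode capture with the radiotap header and FCS stripped; the 24-byte header assumption holds for management frames and non-QoS data frames.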

As for using 802.11a or Bluetooth, there's nothing wrong with those technologies, except that they shouldn't be confused with security mechanisms. They're merely alternative data transport mechanisms, and you need to apply the same wireless LAN security principles. Bluetooth shouldn't even be considered a wireless LAN technology, and the only reason I mentioned it is that some so-called experts were touting it as such.

One other solution mentioned for wireless LAN security is the use of a VPN, which is an outdated and cumbersome method. Using a VPN for wireless LAN security isn't fundamentally dangerous (if you avoid PPTP, whose MS-CHAPv2 authentication can be cracked offline), but it does leave the data link layer wide open, which lets a hacker do nasty things like answer DHCP requests from a rogue server, poison ARP caches, or mount other Layer 2 attacks. At the very least, it allows the attacker onto the same subnet as your legitimate users, which means they get to probe for missing personal firewalls or unpatched holes. At worst, the attacker can flood the switch's CAM table with bogus MAC addresses until it falls back to flooding traffic out every port, or cause a denial of service with forged spanning tree BPDUs that force topology changes, if the access point passes these frames through. Most people just plug their access point straight into their Cisco switches with no VTP domain password and automatic trunking (DTP) left on, with no consideration for Layer 2 security such as port security, BPDU guard or hard-coding the port as an access port. My recommendation is that organizations focus on data link layer solutions like WPA, which offer cheaper and more effective protection.

The bottom line is that these six security myths should be permanently labeled worthless at best or dangerous at worst. For businesses and organizations, I would highly recommend my ultimate guide to enterprise wireless LAN security. For small businesses and homes, all you need to do is use WPA-PSK security with a random alpha-numeric pass-phrase that's a minimum of 10 characters long. If WPA security isn't available to you, at least run WEP as a 10-minute deterrence mechanism.

  • Does OS X probe for hidden SSIDs

    The story mentioned that WinXP did this. What about Mac OS X?
    • All OSes can do it. The question is whether it lets you disable.

      All OSes can do it. The question is whether it lets you disable. If it can't let you disable/enable it, then that means it seeps data. Any client that can connect to a hidden SSID is seeping data.
    • OSX probing

      The best I have found for probing SSID on OSX is KisMac. It's really easy to use, finds "hidden SSIDs" quickly, and if your version of AirPort supports what it needs, will break WEP in less than 10 minutes most of the time. Much easier than Kismet on Linux since Kismet is all command based and KisMac has a GUI.
    • As of OS X 10.4, the ability to turn off probing was removed

      As of OS X 10.4, the ability to turn off probing was removed. David Maynor of Erratasec.com told me this. Now it probes like crazy and you can't turn it off. That's unfortunate.

      Latest XP SP2 WLAN patch lets you turn off probing. Vista defaults to no probing unless you explicitly ask for it.
      • Can OSX 10.4.9 turn off probing

        With all the security updates to 10.4 lately, has any of them restored the ability to
        turn off probing?
  • So at home

    I run an 802.11g router in "silent" mode with WPA-PSK. You would argue that I should re-enable the SSID broadcast? Why? At the very least I can present "due diligence" if my wifi is ever hacked and used to commit a crime.

    Isn't that worth the price?
    • If you're already using WPA-PSK, SSID hiding is harmful to your laptop

      If you're already using WPA-PSK, you're good to go so long as the PSK is random and complex enough. SSID hiding is harmful to your laptop because it forces your laptop to probe for the hidden SSID every 60 seconds, and that happens whenever your notebook is turned on, wherever you go. SSID beacon suppression on the AP is worthless anyway.
      • Then,

        Instead of focusing on hiding/silencing the AP, we should focus on silencing/hiding the laptop? I assumed that since the AP was static in its location, it was better to make it more secure. I wanted to make it harder for people to bang away on it.

        But, you would argue that securing the wifi from the laptop's side is more important and more effective. Correct? Intriguing. I just passed my CISSP in December and what you say does run crossways to what they taught. I shall have to ponder this and reorient my thinking some more.

        Is there a way to view the presentation by the researchers at the black hat conference (regarding the data leakage from wifi cards)?
        • There is no such thing as hiding the AP

          At some point you'll have to use that WLAN and the SSID will be revealed to Kismet along with the MAC and IP scheme. You're not making it more secure and you're not hiding anything.

          You should apply that XP SP2 patch and make sure you're not probing for all your WLANs from your laptop. When you're on the road, there's no need to be broadcasting your SSID list to the whole world since there is no chance you'll ever need to connect to them.
        • About the CISSP, I'm trying to get them to fix their training

          About the CISSP, I'm trying to get them to fix their training. I attended the training too and it was a good high-level management course. However the wireless stuff was really bad and they've promised to look at it.
      • So true...

        Hiding the SSID string will just complicate your own configuration, because you won't be sure you're connecting to the correct WiFi hub, meaning that you may connect to a much more insecure network.

        I do think that it is safer to connect to a WiFi hotspot that you can recognize. You can even change this SSID string on the router once you've logged on to it and attached your device.

        The faster you connect to it, the safer you are, because you can then disable the attachment in the router. Really, most routers now come with a preconfigured SSID that is a short name for its model or manufacturer plus the last few hex digits of its MAC Ethernet address, so you can instantly recognize it.

        Also, enabling DHCP is the default in most cases; there's little interest in changing that, given that you won't connect a lot of devices to it, and the DHCP leases are quite long (generally about one week). In many routers, once you have attached your PC to it, you can even record the IP that was assigned to it to make it permanent, so that your PC will not suffer from future conflicts if it tries to come back when the IP has been reassigned to another device.

        Note also that WiFi is mostly used for mobile laptops and PDAs, so they are likely to be used in multiple areas with distinct IP requirements; all commercial hotspots use DHCP to let you know your IP once you are connected. If you manage your configuration with static IP, it will just complicate your life when you use it in multiple areas.

        DHCP offers absolutely no security anyway, and neither does MAC filtering, you're right (but MAC filtering is often required in the default configuration, where only preauthorized stations are able to connect when the router is placed in attachment mode for a short period, usually 3 minutes max).

        But once you enable WPA, MAC filtering plays effectively no role, because it is immediate to detect using packet sniffers if you have already cracked WPA (or WEP); just wait for broadcast messages that are sent every 15 minutes at least by all stations connected to the virtual Ethernet segment that is established through the WiFi attachment.

        Bluetooth has much weaker security: typically only a 4-digit PIN; its only supposed security is that you normally can't detect the signal after a few meters, because a Bluetooth signal usually has a weaker emitted power. But with a good antenna (or better, with a pair of antennas) you can get the signal easily at roughly 100 or 150 meters away! You can send packets to a Bluetooth hotspot as well by using such an antenna with better input gain and more power on output.

        Using 802.11a is also a bad choice, given that it uses a range of frequencies that is not allowed everywhere, so it is often not supported by many WiFi devices; it offers absolutely no benefit or difference from 802.11b. 802.11g is the same as 802.11b except that it doubles the bandwidth.

        802.11n (MIMO) offers the same security but more bandwidth and a better signal/noise ratio, and it avoids multiple paths with distinct phase, which cause spatial interference and black zones for reception. But 802.11n remains compatible with all 802.11b/g equipment, so it does not change the security model. WiMAX is in this family, but works in a different range of frequencies, and at much higher emitted power (so it can cover a dozen kilometers).

        If there's a better alternative to WiFi (802.11a/b/g/n), I think it would be Wireless USB, which is also faster (up to 480 Megabits/s) but uses stronger security than WiFi.
    • Nope

      I think what he's saying is that a lot of people just use silent/hidden SSID or MAC filtering instead of using WEP or WPA-PSK. So if you're using both silent and WPA-PSK, your security measures are just fine.

      • No, I'm saying "hidden" SSID is dangerous for your laptop

        No, I'm saying "hidden" SSID is dangerous for your laptop because now your laptop is going around broadcasting and probing for that SSID every 60 seconds. There is no such thing as hiding an SSID; you're merely stopping the Access Point from beaconing.
        • Missing Something

          Help me understand. At home, once connected, the SSID is not being broadcast and the PC is not scanning for it, it is therefore hidden and therefore better than open.

          Now, on the road, with my Linux PC, I have not enabled Access Port Roaming (continuous scan) of wireless networks. When I want to, I right click scan for networks, find the one I want and then I am on. Once connected to a "guest" SSID (like at a hotel), my system is not scanning for the "home" SSID right? (That's the question, when connected to an access point, is the computer still looking for all your other registered SSIDs?).

          In any case. we are talking about the decimal places here. Last time I was in Seattle, in my hotel, I found no less than 13 wide open networks, and I would assume they all had the default router password. Joe Average plugged in the router, they got online automatically and that was all they did. :)

          • No, here's why

            Here's an excerpt from my six dumbest ways blog.

            SSID hiding: There is no such thing as "SSID hiding". You're only hiding SSID beaconing on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms are: probe requests, probe responses, association requests, and re-association requests. Essentially, you're talking about hiding 1 of 5 SSID broadcast mechanisms. Nothing is hidden and all you've achieved is cause problems for Wi-Fi roaming when a client jumps from AP to AP. Hidden SSIDs also make wireless LANs less user friendly. You don't need to take my word for it. Just ask Robert Moskowitz, who is the Senior Technical Director of ICSA Labs, in his white paper Debunking the myth of SSID hiding.

            Your laptop will still probe even when it's connected to an AP.
          • I don't understand...

            Is the purpose for the 'disable SSID Probe' to prevent people from finding out your SSID when you are away from your network, or is it to prevent AP Spoofing?

            If someone finds out your SSID from your laptops probe, what is the difference if your AP is broadcasting anyways?

            If you are using WPA, shouldn't it be hard (or impossible) to spoof the AP as well?
          • SSID and spoofing

            SSID probes are broadcast requests sent by your laptop every minute to every access point as long as it is not attached.

            When you "hide the SSID" in the configuration of the AP, you're just saying to the AP to not REPLY to those SSID requests.

            But now your laptop can't see if the AP is reachable when it is not attached. So this is more an inconvenience for your laptop usage. Spoofing is not involved here, but your laptop is still ready to accept incoming connections from any other laptop around for connection in "ad hoc" mode.

            When looking for an access point or ad hoc connection, your laptop does not need the SSID; in fact the SSID is just a name resolution protocol that allows resolving a station into some human readable string; this is only a helper to help you choose on your laptop among several possible destination. The SSID is not needed for attachment to an access point (or to your laptop in "ad hoc" mode.)

            Now, suppose your laptop is attached to an AP. It will send all its WiFi packets to everybody. Anyone can intercept them. But if you're using WEP or WPA, your packets are encrypted, as well as those from the access point, but those packets still contain the indication of the source and destination as MAC addresses, as if everybody was connected to the same Ethernet segment. The SSID is not used while you are connected, but anyone could sniff your packets to see the MAC addresses, and that's the MAC which is really needed to perform an attachment.

            And as long as your laptop is exchanging some traffic with the AP (or "ad hoc" remote laptop), it will not perform broadcast requests for looking for new connections. But anyone can still capture your traffic and the traffic from the AP.

            There's no utility in spoofing an SSID, because what is needed for exchanging traffic is to use the WPA or WEP encryption so that packets are accepted by both parties. What can be spoofed here is not the SSID (because it is absent) but the MAC address, but this won't allow you to spoof effectively if you don't have.

            Not revealing the SSID will not protect your WiFi card to be discovered with its MAC, but at least the true MAC is protected by the encryption, so MAC spoofing does not work.

            Only WPA (or WEP) protects your traffic from being monitored or your identity from being spoofed successfully, whether you use DHCP or not to configure your IP connection over the WiFi link...

            Others can still see you exist by your MAC, but then what? They know there's a station using some MAC with WEP or WPA. the effective target is now just the WEP or WPA encryption keys to make spoofing or monitoring possible.

            The WEP encryption key can be guessed but this requires either brute force or using smart algorithms trying to find collisions from the many packets you're sending while connected to your access point. With WPA (and a long enough passphrase), you're making this task many orders of magnitude more difficult.
          • George - Updated ICSA whitepaper link - previous one is broken...

            It looks like ICSA changed their site structure. For those interested in the ICSA SSID hiding whitepaper, here's the link:

          • Smart update

            Especially since that PDF was cited a number of times but was coming up DOA (and I knew their server wasn't getting THAT hammered by the mere reference).
          • Thanks, I updated the link