PCI security standard endangers wireless LANs

Summary: One of the biggest threats facing wireless LAN users is SSID probing, which is forced by the reckless usage of SSID broadcast suppression. But many users are taught that SSID broadcast suppression is good.

With wireless penetration tools like KARMA and the new FreeRADIUS-WPE, users who rely on urban-legend security for their enterprise wireless LANs are more vulnerable than ever. One of the biggest threats facing wireless LAN users is SSID probing, which is forced by the reckless use of SSID broadcast suppression. Unfortunately, many users and security professionals are being taught that SSID broadcast suppression is a good thing, and security standards bodies, the PCI standard v1.1 included, require you to disable SSID broadcasting on the access point, which makes the deployment insecure.

I've had a difficult time trying to reverse this horrible dogma in many security circles and many have it ingrained in their minds and resist change. Fortunately I've at least gotten the CISSP organization (I am a member) to update their teachings on wireless security though I still need to follow through on that. Getting the PCI standards body to agree to remove this destructive setting is also on my agenda though FreeRADIUS-WPE author and researcher Joshua Wright hasn't had much luck with them in the past. I'll keep banging the drum here until I get them to reform their ways.

Whenever I tell people that SSID "hiding" or broadcast suppression is dangerous, the immediate reaction is: "Isn't broadcasting SSID beacons from an access point leaking information unnecessarily, and therefore bad?" No, because you can't really "hide" the SSID just by suppressing the beacons: there are four other routine mechanisms in normal wireless LAN usage that disclose the SSID. Trying to hide the SSID broadcast beacons is like trying to hide the location of a large permanent military base.

So not only is it useless to suppress the SSID beacon broadcasts on your permanent infrastructure, it forces your clients to constantly reveal their presence and broadcast your company SSID everywhere they go. Because you insist on using a useless mechanism on the infrastructure side, your tens, hundreds, or thousands of wireless clients broadcast the SSID in probe requests wherever they go, making them ripe targets for the picking. As FreeRADIUS-WPE has shown, an attacker can hear the SSID probe request, pose as the infrastructure, and harvest authentication requests for quick offline cracking. Once that happens, your infrastructure and applications are wide open, since the user credentials have been compromised.

Some may ask, "But can't we suppress the client-side probe requests too?" No, because one side has to call out to the other to start the wireless association process, so it might as well be the infrastructure. If neither the infrastructure nor the client declares its presence, each side will assume the other isn't there. By broadcasting the SSID through beacons on the access point, the clients can operate in stealth mode, and this is crucial when they go on the road.

Starting with the Windows XP wireless client update (an add-on to XP Service Pack 2) and Windows Vista, Microsoft has wised up: these clients suppress client-side SSID probes by default. However, Microsoft is forced to enable SSID probes if the network infrastructure doesn't broadcast the SSID. Once you enable "Connect even if this network is not broadcasting", which is off by default, Windows XP and Vista will send SSID probe requests, making them a sitting duck for user credential hijacking and other forms of exploitation.
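To make the mechanism above concrete, here is an added example (not code from the article or from any tool it names) that parses constructed 802.11 management frames and reports which access points beacon a suppressed SSID and which clients send directed probe requests naming an SSID, as opposed to wildcard probes that reveal nothing. The MAC addresses and SSIDs are made up; a real audit would feed it frames from a monitor-mode capture of your own network.

```python
import struct
BEACON, PROBE_REQ = 0x80, 0x40   # first frame-control byte: management type, subtype in high nibble
SSID_IE = 0                      # element ID of the SSID information element
HDR = "<BBH6s6s6sH"              # frame control, duration, addr1, addr2 (SA), addr3 (BSSID), seq ctrl

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def build_mgmt(subtype, sa, bssid, ssid):
    """Constructed minimal management frame: 24-byte header, beacon fixed fields, SSID IE."""
    hdr = struct.pack(HDR, subtype, 0, 0, b"\xff" * 6, mac_bytes(sa), mac_bytes(bssid), 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0411) if subtype == BEACON else b""  # timestamp, interval, capability
    return hdr + fixed + bytes([SSID_IE, len(ssid)]) + ssid

def parse_mgmt(frame):
    """Return (subtype, source MAC, SSID bytes or None) from a management frame."""
    fc0, _fc1, _dur, _a1, sa, _bssid, _seq = struct.unpack_from(HDR, frame)
    subtype = fc0 & 0xFC
    pos = 24 + (12 if subtype == BEACON else 0)
    ssid = None
    while pos + 2 <= len(frame):                      # walk the tagged parameters
        ie_id, ie_len = frame[pos], frame[pos + 1]
        if ie_id == SSID_IE:
            ssid = frame[pos + 2:pos + 2 + ie_len]
        pos += 2 + ie_len
    return subtype, ":".join(f"{b:02x}" for b in sa), ssid

def audit(frames):
    """Flag APs beaconing a suppressed SSID and clients whose probe requests name an SSID."""
    hidden_aps, leaking, wildcard = set(), {}, set()
    for frame in frames:
        subtype, sa, ssid = parse_mgmt(frame)
        if subtype == BEACON and (not ssid or not ssid.strip(b"\x00")):
            hidden_aps.add(sa)                        # length-0 or NUL-filled SSID = "hidden" AP
        elif subtype == PROBE_REQ:
            if ssid:
                leaking.setdefault(sa, set()).add(ssid.decode(errors="replace"))  # directed probe
            else:
                wildcard.add(sa)                      # broadcast probe: reveals no SSID
    return {"hidden_aps": hidden_aps, "leaking_clients": leaking, "wildcard_clients": wildcard}

# Constructed sample traffic (made-up MACs and SSIDs, not a real capture)
SAMPLE_FRAMES = [
    build_mgmt(BEACON, "02:00:00:00:00:01", "02:00:00:00:00:01", b""),               # hidden SSID
    build_mgmt(BEACON, "02:00:00:00:00:02", "02:00:00:00:00:02", b"GuestNet"),       # broadcasting
    build_mgmt(PROBE_REQ, "02:00:00:00:00:10", "ff:ff:ff:ff:ff:ff", b"CorpWLAN"),    # leaks SSID
    build_mgmt(PROBE_REQ, "02:00:00:00:00:11", "ff:ff:ff:ff:ff:ff", b""),            # wildcard
]

if __name__ == "__main__":
    print(audit(SAMPLE_FRAMES))
```

Any client that shows up under `leaking_clients` is one whose configuration (or a hidden SSID on your own access points) has pushed it into directed probing; turning beacons back on and removing the "connect even if not broadcasting" setting should make those entries disappear.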

Topics: Security, Networking, Wi-Fi

Talkback

42 comments
  • I see no problem with SSID hiding

    The real problem is that the SSID probe request contains enough information to facilitate offline cracking.

    The SSID probe request will always be there; if it's insecure, then make it secure!

    Users will always use urban legend security (sometimes) in addition to real security. If turning off SSID broadcasts and MAC address filtering decreases security, then we need a completely different approach to security, because SSID hiding and MAC address filtering are here to stay.
    Ronny102
    • It is only there if enabled

      You said, "The SSID probe request will always be there." That is not true. If you don't hide the SSID, then the client doesn't always send out the SSID probe request. The only people that can see the SSID are those who are in range of the AP. If the probe is enabled, then if a laptop is used and carted around, the SSID is broadcast everywhere it goes and people can create false SSIDs for the laptop to connect to.
      DevGuy_z
    • This is the kind of ignorant response I'm talking about

      "I see no problem with SSID hiding
      The real problem is that the SSID probe request contains enough information to facilitate offline cracking."

      You are wrong about that. SSID probe requests DO NOT contain enough info to facilitate offline cracking. What gives enough info for offline password cracking is any kind of LEAP, or improperly deployed PEAP/EAP-TTLS/EAP-FAST. SSID probes expose users of improperly deployed PEAP/EAP-TTLS/EAP-FAST wireless LANs or no users who use no security in their WLANs at all.

      "The SSID probe request will always be there, if it's insecure, then make it secure! ... because SSID hiding and MAC address filtering is here to stay."

      It's only here to stay for people who are ignorant about security. SSID probes go away when you don't hide SSID beacons. That was the entire point of this article and I'm sorry you couldn't see it.
      georgeou
  • RE: PCI security standard endangers wireless LANs

    OK, I have a question. What about users in their neighborhoods? I know some have wireless connections to their routers and they use desktops. These aren't going to be moved offsite. What settings are best for them?
    g_keramidas
    • Just turn on WPA-PSK and use a nice random 10-character alphanumeric PSK

      Just turn on WPA-PSK and use a nice *RANDOM* 10-character alphanumeric Pre-Shared Key. Make sure you change the default SSID and router/AP password.

      Avoid the following like the plague.
      * SSID "hiding"
      * MAC filtering
      georgeou
      • Avoid Mac filtering?

        Why is Mac Filtering bad?
        jgellman
        • Please see this article

          http://blogs.zdnet.com/Ou/?p=454
          georgeou
  • Wireless and Retail don't mix

    http://www.washingtonpost.com/wp-dyn/content/article/2007/06/27/AR2007062700062.html

    According to the Gartner Group: "Insecure networks and point-of-sale terminals are riskier than online shopping.."

    "The short-term forecast for POS security doesn't look great, however. Gartner predicts that by next year, most attacks against retailers will be directed at their POS terminals, and only 30 percent of POS software will be compliant with the prevailing security standards by 2009."

    http://www.eweek.com/c/a/Retail/PCI-The-Panacea-For-Everything-Other-Than-Security/

    "The PCI DSS (Payment Card Industry Data Security Standard), or just PCI, is officially about security, although most security folk have already grown tired of saying that "PCI-compliant" is to "secure" as "filed a tax return by April 15" is to "honest." PCI is a list of security ideals, but strict adherence to that list certainly doesn't mean that a retailer is secure. It's a fine starting point, but it's little beyond that."

    "The truth is that the next wave of retail applications, with their heavy emphasis on wireless capabilities of all sorts, will bring with them an ocean of new security problems. Ostensibly, they'll be addressed by the next wave of PCI requirements, which will free up more investment."


    George - While I agree with you that hiding an SSID is bad for roaming users, in the real world, wireless LANs do not belong in the retail mix. While WPA is good today, when it first came out, so was WEP.
    Furthermore, we don't like laptops in the retail mix either. We have appropriate security inside the store. Take the laptop outside the secure network, then bring it back in. That's not good.

    -Mike
    SpikeyMike
    • Please don't give me the old "if WEP was bad then so is WPA"

      "George - While I agree with you that hiding an SSID is bad for roaming users, in the real world, wireless LANs do not belong in the retail mix. While WPA is good today, when it first came out, so was WEP."

      Please don't give me the old "if WEP is bad so is WPA" argument. That is a tired old myth that needs to die. WEP was deliberately worthless from the get-go because it was designed in the late 90s when it had to be export compliant. WEP was known to be broken from the beginning.

      We've had DES encryption which was never broken in over three decades cryptographically and was only weaker because it was only 56 bits long. WPA uses AES which is considered government/military grade. Even WPA with TKIP which is a proper implementation of RC4 encryption is still solid today after 6 years on the market.

      So please, stop repeating these dumb old myths.

      Wireless LANs can absolutely be secure. Encryption can absolutely be solid. The question is whether you inform yourself enough to implement the right technology. What I seek to do is educate my readers and the security standards bodies like PCI and the security certification groups like CISSP.
      georgeou
  • To be fair...

    I do believe that WPA is secure.

    The problem is, retailers aren't technologists.

    It's hard enough to get them to hire a qualified network cable installer. I don't like support calls due to faulty wiring.

    Now, I'm referring to Mom and Pop retail stores - not big chains with the required change-control policies and competent IT staff.

    If we installed or allowed wireless LANs, the retailers would bring in their home laptops or other devices. Since WPA would confuse them, they'd disable it. How's that for real world?

    You can have your opinion, you're certainly entitled to it. I'll keep mine. And that is, in the real world, wireless networking does not belong in a retail environment. A big chain store with competent staff, maybe. Not in my world of decidedly non-technical users.

    -Mike
    SpikeyMike
    • To be fair, you should properly qualify your statements

      To be fair, you should properly qualify your statements. What you mean to say is that insecure wireless LAN deployments have no place in retail, or any other business or home.

      Frankly if WPA-PSK confuses you, then you shouldn't use a computer period and you should resort back to an abacus.
      georgeou
      • Thanks george!

        WPA doesn't confuse me at all. I think you are overestimating the abilities of retailers though.

        But, you're the expert on these matters. I'm only giving your readers a glimpse of my piece of the puzzle.

        I'd like to argue with you some more on why a company that actually deploys retail systems won't support a wireless network, but I'm too busy developing software that is used in hundreds of retails stores across the country.

        -Mike
        SpikeyMike
        • I used to design wireless LANs for a lot of retail chains

          I used to design wireless LANs for a lot of retail chains. I got one national chain with hundreds of stores to secure their wireless LAN. Smaller wireless LANs are actually simpler to deploy since they use the same simple security mechanism that homes use. I've already summed up how simple WPA-PSK with 10 RANDOM alphanumeric characters is.
          georgeou
  • George, you educated very well.

    I don't use SSID hiding, but I do use WPA-TKIP with a very strong 16-character password with a combination of upper/lowercase letters, numbers, and symbols. However, this is just for home use, and your article makes me think you're targeting businesses, where they'll use strong encryption with a RADIUS server for authentication and digital certificates. :)
    Grayson Peddie
    • It applies to the home too. Never use SSID "hiding".

      It applies to the home too. Never use SSID "hiding" because you can't hide it and you're only forcing your clients to broadcast their probe requests everywhere they go.

      A 16-character password is fine so long as it's random and not predictable.
      georgeou
      • SSID hiding and random password

        I never use SSID hiding as you mentioned in your previous blogs.

        My password won't be predictable for hackers to guess, so I'm okay.

        You don't have to give me a reminder about SSID hiding and randomized passwords... It's those posters who are not well-informed about wireless networking/security that need to be informed. Not me.
        Grayson Peddie
        • And I'm not targeting you at all, I'm targeting the PCI standard

          And I'm not targeting you at all, I'm targeting the PCI standard which FORCES retailers to use insecure wireless LAN settings. I'm targeting those who listen to people like the ones here that still insist SSID broadcast suppression is good. By having something here that informed people can point to, I'm hoping that IT managers will have a resource to shoot down bad recommendations.
          georgeou
  • How about a simple work around?

    You claim that SSID polling due to hidden SSID beacons causes traveling users to be vulnerable as their WiFi drivers poll the airwaves for their preferred, automatic connection. Why not eliminate automatic connections as a user policy?

    Does the WiFi driver need to poll for the preferred and usual connection if there is none? In other words, when the WiFi connection pops up (as it does constantly on boot for my MacBook Pro whether booting XP Pro or Mac OS-X) and asks you to select an access point, does the driver need to poll for any hidden SSIDs if there is no preferred or automatic connection set in the Wireless Connection network system tray settings?

    I have no preferred or automatic connections as I am frequently running on wire. XP Pro will happily connect on the wired cable and then connect the wireless channel as well. I have stopped all preferred or automatic connections as our hardware firewall will open a channel to the Internet for both, redundant connections and use two instead of one of our Firewall license nodes. If I need a wireless connection, I always do that manually in order to prevent any unwanted or unnecessary connections...
    jacarter3
    • I already told you the correct solution

      Stop disabling SSID beacon broadcasts from your access points and you'll avoid forcing your clients to broadcast their SSID probe requests. I never used the word "polling".

      You don't need another workaround.
      georgeou
      • This is why I stopped using this site...

        Thanks for the arrogant response and not answering any of my questions.

        BTW my SSID broadcasts are enabled. But it seems to me that the problem lies in the WiFi driver trying to locate the silent access point, is it not? If this mechanism is disabled, then your whole reason for being a jerk is too. What a great idea.

        Bye
        jacarter3