Feeds

That Wi-Fi network you thought was secure? It ain't

'Pwnage Edition' on the prowl

Top 5 reasons to deploy VMware with Tegile

Businesses using some of the more advanced methods for securing connections to Wi-Fi access points need to take a hard look at the configuration settings of client computers. So say researchers who have documented a simple way to impersonate trusted networks.

The attack works on access points that use the Wi-Fi Protected Access (WPA) in concert with Protected Extensible Authentication Protocol (PEAP) or other so-called Extensible Authentication Protocols (EAPs). Such technologies use public-key certificates to authenticate a trusted network to a laptop or other connected device and provide an encrypted SSL tunnel through which the two can communicate.

Problem is, laptops running Windows, OS X and various versions of Linux frequently have the security settings mis-configured, according to researchers Brad Antoniewicz and Josh Wright. Using a program called FreeRADIUS-WPE (short for FreeRADIUS Wireless Pwnage Edition), it's easy to dupe the clients into connecting to imposter networks and giving up critical information, they say.

The attack relies on a technology known as a wireless supplicant, which sits on the client and checks the validity of a network's credentials. All too frequently, the researchers say, it's not configured to validate a certificate at all, or at the very least, not to properly validate a server's RADIUS TLS certificate.

"In either of these scenarios, FreeRADIUS-WPE (our modified version of the open source RADIUS server) can be used to gain access to the inner authentication credentials passed in the TLS tunnel that is established between client and the authentication server," Antoniewicz writes here. "In some cases these protocols reveal the client's username and password in clear text, while other cases require a brute force attack. Due to active directory integration, these credentials may also be those used for domain authentication."

The researchers envision a scenario where a vulnerable client could be induced to give up sensitive information while connected to a public hotspot that's in close proximity to a corporate access point.

Microsoft's Windows Zero Configuration (WZC) by default is set to validate server certificates and we suspect the same can be said about wireless supplicants contained in competing operating systems. But Antoniewicz says these settings are frequently turned off, presumably at the first sign of connectivity problems, and then never turned back on. What's more, Windows users can easily be misled by prompts that ask if they want to connect to a network whose validation doesn't check out.

"When using WZC and other supplicants, you'll want to make sure that the client clearly validates the server certificate by only trusting certificates that match the signing authority, and hostname of the RADIUS server," Antoniewicz advises. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.