Businesses using some of the more advanced methods for securing connections to Wi-Fi access points need to take a hard look at the configuration settings of client computers. So say researchers who have documented a simple way to impersonate trusted networks.

The attack works on access points that use the Wi-Fi Protected Access (WPA) in concert with Protected Extensible Authentication Protocol (PEAP) or other so-called Extensible Authentication Protocols (EAPs). Such technologies use public-key certificates to authenticate a trusted network to a laptop or other connected device and provide an encrypted SSL tunnel through which the two can communicate.

Problem is, laptops running Windows, OS X and various versions of Linux frequently have the security settings mis-configured, according to researchers Brad Antoniewicz and Josh Wright. Using a program called FreeRADIUS-WPE (short for FreeRADIUS Wireless Pwnage Edition), it's easy to dupe the clients into connecting to imposter networks and giving up critical information, they say.

The attack relies on a technology known as a wireless supplicant, which sits on the client and checks the validity of a network's credentials. All too frequently, the researchers say, it's not configured to validate a certificate at all, or at the very least, not to properly validate a server's RADIUS TLS certificate.

"In either of these scenarios, FreeRADIUS-WPE (our modified version of the open source RADIUS server) can be used to gain access to the inner authentication credentials passed in the TLS tunnel that is established between client and the authentication server," Antoniewicz writes here. "In some cases these protocols reveal the client's username and password in clear text, while other cases require a brute force attack. Due to active directory integration, these credentials may also be those used for domain authentication."

The researchers envision a scenario where a vulnerable client could be induced to give up sensitive information while connected to a public hotspot that's in close proximity to a corporate access point.

Microsoft's Windows Zero Configuration (WZC) by default is set to validate server certificates and we suspect the same can be said about wireless supplicants contained in competing operating systems. But Antoniewicz says these settings are frequently turned off, presumably at the first sign of connectivity problems, and then never turned back on. What's more, Windows users can easily be misled by prompts that ask if they want to connect to a network whose validation doesn't check out.

"When using WZC and other supplicants, you'll want to make sure that the client clearly validates the server certificate by only trusting certificates that match the signing authority, and hostname of the RADIUS server," Antoniewicz advises. ®

Related stories

• FreeRADIUS fragged by fuzzer – by invitation – and fifteen fails found (18 July 2017)

  https://www.theregister.com/2017/07/18/freeradius_bugs/

• Bloggers howl after conference snoops on 'secure' network (15 October 2009)

  https://www.theregister.com/2009/10/15/sector_network_monitoring_bruhaha/

• Cisco Wireless LANs at risk from 'skyjacking' flaw (25 August 2009)

  https://www.theregister.com/2009/08/25/wireless_skyjacking_vuln/

• Researchers find more flaws in wireless security (8 November 2008)

  https://www.theregister.com/2008/11/08/wi_fi_protected_access_attack/

• London consumers trounce corporates in wireless security (28 October 2008)

  https://www.theregister.com/2008/10/28/rsa_wireless_security_survey/

• Chrysler shoves hotspots into hot rods (27 June 2008)

  https://www.theregister.com/2008/06/27/chrysler_hotspots/

• Google launches security group for open source (6 May 2008)

  https://www.theregister.com/2008/05/06/google_launches_ocert/

• Ericsson CMO says Wi-Fi hotspots' days are numbered (20 March 2008)

  https://www.theregister.com/2008/03/20/wi_fi_hotspots_claim/

• Tool makes mincemeat of Windows passwords (4 March 2008)

  https://www.theregister.com/2008/03/04/windows_password_bypass_tool/

• Will EV SSL stop phishing attacks? Probably not (29 February 2008)

  https://www.theregister.com/2008/02/29/ev_ssl_doubts/

• More remote workers squatting next door's broadband (5 February 2008)

  https://www.theregister.com/2008/02/05/teleworker_security_survey/

• Et tu, Gmail? Simple hack defeats last barrier to decades-old attack (1 February 2008)

  https://www.theregister.com/2008/02/01/google_ssl_sidejacking/

• Netgear extends next-gen Wi-Fi into 5GHz band (6 January 2008)

  https://www.theregister.com/2008/01/06/netgear_goes_5ghz/

• Half of computer users are Wi-Fi thieves (15 November 2007)

  https://www.theregister.com/2007/11/15/stolen_wifi/

• TJX breach was twice as big as admitted, banks say (24 October 2007)

  https://www.theregister.com/2007/10/24/tjx_breach_estimate_grows/

• Cafe Latte attack steals credentials from Wi-Fi clients (18 October 2007)

  https://www.theregister.com/2007/10/18/cafe_latte_wi-fi_attack/

• Uber-hacker Max Vision misses the killswitch (18 September 2007)

  https://www.theregister.com/2007/09/18/max_butler_affidavit/

• Is wireless security just a pipe dream? (12 September 2007)

  https://www.theregister.com/2007/09/12/wireless_security_poll/

• A US CERT reminder: The net is an insecure place (8 September 2007)

  https://www.theregister.com/2007/09/08/security_group_warns_of_web_vulnerabity/