In the Air Tonight
Tim Mullen, 2002-03-04

Hello, my name is Timothy, and I am addicted to sniffing 802.11.

Columnist Tim Mullen is on vacation. This column originally ran August 27th, 2001.

When I got started with all this computer stuff, my primary role was that of a network engineer. Someone would decide their company needed X, and I would get hired to install boxes, plug them all into the LAN, and make everything work so when someone put in Y, X popped out the other end. It was magic.

Back then, we really didn't think much about security; hell, it was hard enough to get the network up in the first place. Ends had to be crimped onto freshly stripped cable, ohm meters were used to test terminations, and network shells had to be generated using object drivers specific to the network card. Attaching to the server was an accomplishment in itself and cause for celebration!

Security came up a couple of times, like when we did some contract work for the Air Force, but to be honest most of that revolved around physical security. Securing the data on the wire never really came into play when the design work was being done. It was Someone Else's Job.

Even today, security seems to be something we consider after the fact-- when the 'real' work is done. We interact with it as though it is something you plug in; something you attach to the network once it is already up and running to make particular parts of it 'secure.' In most cases, we perceive the need for security, but don't implement it until something happens to force it into being.

But no more. The times they are a-changin'.

Wireless networks are becoming more and more prevalent. In metropolitan areas, you can almost close your eyes and feel the 2.1 GHz bit pattern of 802.11 packets flowing through your body. OK, maybe you have to have other stuff flowing through your body for that to work... But it's no problem with a decent sniffer.

Armed with my trusty Cisco 340 and a copy of the AiroPeek 802.11 packet analyzer (by WildPackets), I have been on a wireless tour of late, sniffing packets and capturing data from different points of the globe, trying to get a feel for who is doing what, where they are doing it, and how they are going about securing it all.

The results of my research are a bit disconcerting: We are only half-way there. The technology is certainly being used, but it is not being secured.

Stretch Pants
The problem here is that the same model of our 'wired' networks is being followed. Wireless is getting to be so cheap that in some cases it costs less to drop in an Access Point and configure a few 802.11 cards than it does to have a number of cable runs made. And the bonus of walking around with your laptop and remaining on the net is sometimes just too good to pass up.

So, Ned the Network Nerd installs the AP, plugs in the client cards and drivers, sees other boxes pop up in Network Neighborhood, and goes about his business knowing it was a "job well done." Need we mention that the manufacturer's preconfigured SSIDs went untouched? Need we mention that the WEP keys were left at their defaults as well?

Stretch pants are a good thing, but some people should not be allowed to wear them. Wireless configurations are no different; some people just have no business being responsible for the deployment of a wireless network.

Wireless topologies must have security built into them at the baseline. At the earliest points of the design phase, you have to think about what you will be doing to secure your traffic. If the people implementing your wireless solution are not thinking about security in parallel, then you might want to find someone who is.

Do you think that no one is sniffing your traffic? Think again. If a "Johnny-come-lately" like me is doing it, then you can bet your bits that the hard-core sniffers out there have been looking at your traffic since it first hit the airwaves.

It may be more common than you think. In fact, in recent months, I have become an AiroPeek-aholic. (Hello, my name is Timothy, and I am addicted to sniffing 802.11.) I'm not proud to say it, but I've searched for SSIDs in Singapore, horked hashes in Hong Kong, and even sniffed SMTP in Seattle.

It got so bad that I recently fired up AiroPeek at 30,000 feet to see what hidden treasures the MD-11 on which I was flying had buried in the cockpit.

Security in Depth
Looking back, it probably wasn't the smartest thing to do-- after all, hitting 'play' on my MPEG player during takeoff will apparently put the aircraft into a tailspin. But with fevered anticipation, I plugged my Cisco card into my PCMCIA slot and nervously awaited the "doo-deep" tones signifying a successful initialization. No nose-dive. Good so far... I started AiroPeek and hit Ctrl+Y to bring up my capture screen. All quiet. Finally, with eyes wide and ears drawn back, I looked at the lady next to me with a "You don't think I'll do it, do you?" look on my face, and clicked "Start Capture."

Nothing. Not a single packet. I didn't really expect to find that the airline had a Win95 box running the plane with its C: drive shared to the world, but I had to try.

And that is what everyone else is doing... trying. WEP, the "Wired Equivalent Privacy" encryption scheme used on 802.11 devices to secure data in transmission, has recently been busted. Though I haven't done it myself, others "in the know" tell me that all you need is a Linux box, a wireless card, and about 120 seconds to kill in order to capture enough traffic to break the WEP encryption scheme.

According to 'Weaknesses in the Key Scheduling Algorithm of RC4,' by Scott Fluhrer, Itsik Mantin, and Adi Shamir, WEP's implementation of RC4 is fatally flawed; something to do with the concatenation of fixed keys to known modifiers-- that's about all I retained from the 22 pages of cryptospeak I waded through. Fortunately for me, I don't really have to understand how to break it-- I only have to understand how to download the tool to break it for me. Unfortunately, the same goes for everyone else out there.
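As an added illustration (this is not code from Mullen's column or from the Fluhrer, Mantin and Shamir paper), the following Python model shows what the "concatenation of fixed keys to known modifiers" refers to. WEP builds each packet's RC4 key by prepending a 24-bit initialization vector (IV), which is transmitted in the clear, to the static shared key. Two consequences follow directly: every eavesdropper knows the first three bytes of every per-packet key, which is the foothold the paper's key-scheduling analysis builds on, and the 24-bit IV space is so small that two frames under the same key will inevitably share an IV, at which point the XOR of their ciphertexts equals the XOR of their plaintexts with no key recovery at all. The 40-bit shared key, the IVs and the plaintexts below are constructed sample values, and the WEP integrity check value (ICV) is omitted for brevity.

```python
"""Model of WEP's per-packet RC4 keying and the keystream-reuse weakness.

Added example; not part of the original column. Shared key, IVs and
plaintexts are constructed values. The WEP ICV (CRC-32 trailer) is omitted.
"""
import math


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: permute S under the given key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 pseudo-random generation: emit n keystream bytes for the key."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_per_packet_key(iv: bytes, shared_key: bytes) -> bytes:
    """WEP's keying rule: the cleartext 3-byte IV is simply prepended to
    the static shared key. Key bytes 0..2 are therefore public."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 24 bits")
    return iv + shared_key


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return the over-the-air form: IV in the clear, then RC4(plaintext)."""
    ks = rc4_keystream(wep_per_packet_key(iv, shared_key), len(plaintext))
    return iv + xor_bytes(plaintext, ks)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, ciphertext = frame[:3], frame[3:]
    ks = rc4_keystream(wep_per_packet_key(iv, shared_key), len(ciphertext))
    return xor_bytes(ciphertext, ks)


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """What a passive observer learns from two frames that share an IV:
    same IV + same shared key => same keystream, so
    C_a XOR C_b == P_a XOR P_b. No key is needed for this step."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs; no direct reuse")
    return xor_bytes(frame_a[3:], frame_b[3:])


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday-bound estimate that at least two of `frames` frames share
    an IV when IVs are chosen uniformly from a 2**iv_bits space."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


if __name__ == "__main__":
    shared = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")                   # constructed IV
    f1 = wep_encrypt(shared, iv, b"ATTACK AT DAWN")
    f2 = wep_encrypt(shared, iv, b"RETREAT NOW!!!")  # IV reused
    print("per-packet key (IV public):", wep_per_packet_key(iv, shared).hex())
    print("plaintext XOR leaked without key:",
          keystream_reuse_leak(f1, f2) == xor_bytes(b"ATTACK AT DAWN", b"RETREAT NOW!!!"))
    print("P(IV collision after 5000 frames) ~", round(iv_collision_probability(5000), 3))
```

The RC4 core can be checked against the published test vector (key "Key", plaintext "Plaintext", ciphertext BBF316E8D940AF0AD3). The point for a defender is that neither weakness depends on the key length: a 104-bit key is prepended to the same 24-bit public IV and repeats keystream just as quickly, which is why the column's conclusion is to layer another privacy mechanism over the wireless link rather than to pick a longer WEP key.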

So what has this taught us? Once again, the lesson is Security in Depth. Different teachers, different textbook, same lesson. More and more wireless networks are being deployed every day, but I don't think that there is a corresponding increase in security training. If you are a company that budgets for new technologies, you had better include some funding for education.

And remember, whenever a packet leaves your trusted network space, you better have more than one method of keeping that data private. Or it won't be.


SecurityFocus columnist Timothy M. Mullen is Vice President of Consulting Services for NGSSoftware.
Copyright 2008, SecurityFocus