January 19th, 2006

Windows Wi-Fi 'vulnerability' not a vulnerability

Posted by George Ou @ 3:01 am

Categories: Mobile/Wireless, Networking, Security

[Updated 1/20/2006 2:00 AM: I had a chat with Mark Loveless after he contacted me after reading this blog and we cleared some issues up.] We've had two stories this week by Tom Espiner declaring a new Wi-Fi vulnerability in Windows XP with SP2 and that a fix wasn't available for another year or more. The first story claimed that there was a new vulnerability discovered in Microsoft's Windows XP wireless network client, loosely based on researcher Mark Loveless' claims that he found a new Windows Wi-Fi vulnerability. [Updated: Mark Loveless didn't actually use the word "vulnerability" but he rated this Windows behavior with a severity of "high" along with the qualification that the risk was "albeit lame".] The second story stated that Microsoft admitted to this vulnerability and that they wouldn't patch it for another year or more. We may as well rip out our wireless LAN adapters from our PCs… [Update: Since Loveless technically never used the word "vulnerability", he didn't stretch anything. But I can see how his severity rating of "high" can easily be misinterpreted as a "vulnerability".] The problem is that this is really stretching the definition of a "vulnerability", if it can even be considered a vulnerability at all, and Microsoft never acknowledged this as a vulnerability. I checked with a Microsoft spokesperson and they confirmed that the Microsoft Security Research Center states that this is not a security vulnerability.

This is what I suspected all along, because by definition a software vulnerability is when software can be made to do something it wasn't designed to do. This "vulnerability" that Espiner's story raised is actually a feature designed into every wireless "supplicant" (that's IEEE speak for "client") software in the world, because it is a fundamental and critical feature of the IEEE 802.11 protocol. The name of the feature that Espiner's story is concerned about is "SSID probe requests", and the feature is critical if a wireless client computer wants to find an access point or ad-hoc wireless peer computer that suppresses its SSID beacons. Someone obviously has to reach out to the other party first if there is to be a wireless LAN connection at all.

[Updated: For the record, Loveless' report is actually concerned about a behavior in Windows that doesn't distinguish between ad-hoc networks and infrastructure networks if their SSID happens to be the same. Loveless also found a recommendation in RFC 3927 section 5 paragraph 3, coauthored by a Microsoft employee, that an automatic addressing scheme shouldn't be used in wireless LANs, so he is criticizing Microsoft for failing to follow this recommendation. For me, restricting the use of automatic IP addressing in any kind of wireless LAN is silly because it shouldn't be used as a substitute for real protection in the first place. Loveless is also complaining about Windows advertising SSIDs and establishing Wi-Fi connections to these SSIDs without explicit user consent just because the SSID had been used before in an unsecured manner. I still don't have a problem with this because it's a basic usability feature and I don't want Windows bugging me with pop-ups every time just because it's connecting to an unsecured SSID that I've already willingly connected to before. Anyone afraid of unsecured network connections shouldn't make them in the first place, or should make sure they take the appropriate precautions if they do. This was the case I made in this original blog and I'm sticking to it.]

A normal access point will beacon (broadcast) its SSID about 10 times per second to let wireless users know of its presence. When this SSID broadcast feature is disabled because some network administrator thinks it's such a great security feature, the only way a client computer can establish a connection with that access point is to go out and probe for that access point by its SSID. It essentially has to shout out to the access point (figuratively speaking) "HEY, ARE YOU THERE!" until the access point replies "YES I AM!" before it can continue negotiating a wireless connection session. Espiner's story complains that by broadcasting this SSID in the probe request over the public airwaves, you are essentially giving away your SSID to hackers, who can potentially endanger you with Wi-Fi evil twins that pose as legitimate hotspots or peers so that you will establish a wireless Ethernet connection to them. The problem with this train of thought is that if you suppressed all SSID broadcasts, you would be breaking a fundamental mechanism in 802.11 wireless networking. Taking this to its logical conclusion, we may as well rip out our wireless LAN adapters from our PCs and be done with it.

Just the act of using a wireless hotspot puts you in even more danger: the hacker doesn't even need to bother putting up an evil twin, because he is on the same LAN as you and can attack your computer in that hotspot directly. If the hacker did want to put up an evil twin to perform man-in-the-middle attacks on you, he wouldn't bother with your "vulnerable" probe requests, because the hotspot access point will already be announcing its SSID 10 times a second. If you really think about it, it's even more dangerous to hook up a broadband connection, because you're not just vulnerable to hackers within a 150-foot radius but to hackers all over the world!

But is this really the end of the world? Of course not! That's what firewalls are for, and just about any firewall will do, even the free built-in Windows XP firewall. Corporate IT departments can easily enable the Windows XP SP2 firewall on every PC they own by setting firewall policies in Active Directory Group Policy. Once users have a personal firewall enabled, they will be relatively safe when they connect to any public unsecured network, whether it is a wireless hotspot or a wired broadband connection.

If anyone is paranoid about ad-hoc wireless LAN connections, they can simply set their wireless supplicant software to connect only to "infrastructure networks." Any IT administrator can do the same thing globally for all Windows PCs in their domain by configuring the wireless security settings in their Windows 2003 Active Directory Group Policy. The dangers of SSID probe requests that Espiner's story describes are nothing new, and classifying this feature as a vulnerability on Microsoft or any other wireless supplicant software maker is just plain silly.
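The ad-hoc versus infrastructure distinction raised in the update above, the suppressed-SSID case, and the "infrastructure networks only" supplicant setting can all be illustrated with a small client-side check. This is an added example, not code from the original post or from the Windows wireless client: it builds constructed beacon/probe-response bodies, reads the 802.11 capability bits (ESS for an access point, IBSS for an ad-hoc peer) and the SSID element, and shows why an access point with a suppressed SSID cannot be matched passively. The function names and the "corpnet" SSID are assumptions; the capability bits and element layout are from the 802.11 standard.

```python
import struct

# 802.11 capability-information bits (IEEE 802.11-1999, clause 7.3.1.4)
CAP_ESS = 0x0001   # set by an access point (infrastructure network)
CAP_IBSS = 0x0002  # set by an ad-hoc peer (independent BSS)

def build_mgmt_body(capability, ssid):
    """Constructed sample beacon / probe-response body: timestamp (8 bytes),
    beacon interval (2), capability info (2), then an SSID element (id 0).
    A zero-length SSID element is how an access point suppresses its SSID."""
    raw = ssid.encode()
    return struct.pack("<QHH", 0, 100, capability) + bytes([0, len(raw)]) + raw

def parse_mgmt_body(body):
    """Return (capability, ssid); ssid is None when the SSID element is
    empty (suppressed) or missing, so it cannot be matched passively."""
    _timestamp, _interval, cap = struct.unpack_from("<QHH", body, 0)
    offset, ssid = 12, None
    while offset + 2 <= len(body):
        elem_id, length = body[offset], body[offset + 1]
        value = body[offset + 2:offset + 2 + length]
        if elem_id == 0:                      # SSID element
            ssid = value.decode(errors="replace") if length else None
            break
        offset += 2 + length                  # skip other elements
    return cap, ssid

def may_join(profile_ssid, infrastructure_only, body):
    """Hypothetical client-side policy: the SSID must match the saved profile
    AND the network type must be one the profile allows. An ad-hoc peer that
    reuses a known SSID is refused when the profile is infrastructure-only."""
    cap, ssid = parse_mgmt_body(body)
    if ssid != profile_ssid:
        return False, "ssid mismatch or suppressed"
    is_adhoc = bool(cap & CAP_IBSS) and not (cap & CAP_ESS)
    if infrastructure_only and is_adhoc:
        return False, "ad-hoc peer using a known SSID; profile is infrastructure-only"
    return True, "ad-hoc" if is_adhoc else "infrastructure"

if __name__ == "__main__":
    ap = build_mgmt_body(CAP_ESS, "corpnet")       # constructed access point
    peer = build_mgmt_body(CAP_IBSS, "corpnet")    # constructed ad-hoc peer, same SSID
    hidden = build_mgmt_body(CAP_ESS, "")          # constructed AP with suppressed SSID
    for name, frame in ("ap", ap), ("peer", peer), ("hidden", hidden):
        print(name, may_join("corpnet", True, frame))
```

The "hidden" case is the one the post describes: with no SSID in the beacon the client has nothing to match against, which is why it must send a directed probe request carrying the SSID itself.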

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
