March 11th, 2008

PCI security standard endangers wireless LANs

Posted by George Ou @ 6:29 am

Categories: Microsoft, Passwords, Pen testing, Vulnerability research, Wi-Fi security, Windows Vista, Wireless

Tags: Security, LAN, SSID, PCI, WLAN, Security Standard, PCI Security Standard, Wi-Fi, Wireless, George Ou

With wireless penetration tools like KARMA and the new FreeRADIUS-WPE, users who rely on urban-legend security practices on their wireless LANs, enterprise wireless LANs included, are more vulnerable than ever. One of the biggest threats facing wireless LAN users is SSID probing, which is forced on clients by the reckless use of SSID broadcast suppression. Unfortunately, many users and security professionals are taught that SSID broadcast suppression is a good thing, and security standards such as PCI DSS v1.1 actually require you to disable SSID broadcasts on your access points, which makes the network less secure, not more.

I've had a difficult time trying to reverse this horrible dogma in many security circles; many people have it ingrained in their minds and resist change. Fortunately, I've at least gotten the CISSP organization (I am a member) to agree to update its teachings on wireless security, though I still need to follow through on that. Getting the PCI standards body to remove this destructive requirement is also on my agenda, though FreeRADIUS-WPE author and researcher Joshua Wright hasn't had much luck with them in the past. I'll keep banging the drum here until I get them to reform their ways.

Whenever I tell people that SSID "hiding" (beacon broadcast suppression) is dangerous, the immediate reaction is: "Isn't broadcasting SSID beacons from an access point leaking information unnecessarily, and therefore bad?" No. You can't really hide the SSID by suppressing beacons, because four other routine mechanisms in normal wireless LAN operation disclose it anyway: the SSID is carried in the clear in probe requests, probe responses, association requests and reassociation requests. Anyone with a passive sniffer learns the "hidden" SSID the moment a legitimate client connects. Trying to hide the SSID beacon is like trying to hide the location of a large permanent military base.

So not only is suppressing SSID beacons on your permanent infrastructure useless, it forces your clients to constantly reveal their presence and announce your company's SSID everywhere they go. Because you insist on a useless mechanism on the infrastructure side, your tens, hundreds or thousands of wireless clients send your SSID in probe requests wherever they are, making them ripe targets for the picking. As FreeRADIUS-WPE has shown, an attacker who hears the probe request can pose as your infrastructure, answer with a rogue access point and RADIUS server, and harvest the client's authentication exchange (for PEAP or EAP-TTLS with MS-CHAPv2 inside, the challenge/response pair) for quick offline cracking. This works against any client that does not validate the RADIUS server's certificate before sending its inner credentials. Once that happens, your infrastructure and applications are wide open, since the user's credentials have been compromised.
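The two points above, that the SSID is carried in several management frames besides the beacon and that a client configured for a "hidden" network sends that SSID in probe requests wherever it goes, can be seen directly in the frames. The following is an added example, not code from the original post: a minimal parser for raw 802.11 management frames that reports every frame naming an SSID. The MAC addresses, the SSID "CorpNet" and all four frames are constructed inside the script; to run it on real traffic, pass it the 802.11 payload of a monitor-mode capture with the radiotap header stripped.

```python
"""Minimal 802.11 management-frame parser: where does the SSID show up?

Demonstrates that beacon suppression hides nothing. The same SSID travels
in the clear in probe requests, probe responses, association requests and
reassociation requests. Everything below is constructed sample data.
"""

MGMT_TYPE = 0
SUBTYPES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req",
            5: "probe-resp", 8: "beacon"}
# Length of the fixed fields (capability, listen interval, timestamp,
# beacon interval, current AP) that precede the tagged parameters.
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
ELT_SSID = 0          # element ID of the SSID tagged parameter
HDR_LEN = 24          # frame control, duration, addr1-3, sequence control

AP = bytes.fromhex("001122334455")       # constructed AP MAC
CLIENT = bytes.fromhex("66778899aabb")   # constructed client MAC
BCAST = b"\xff" * 6


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt(frame):
    """Return (subtype, transmitter MAC, ssid) for a management frame.

    ssid is None when the SSID element is absent or zero-length, which is
    exactly what a 'hidden' beacon or a wildcard probe request carries.
    Non-management frames and unhandled subtypes return None.
    """
    if len(frame) < HDR_LEN:
        raise ValueError("truncated 802.11 header")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype not in SUBTYPES:
        return None
    src = mac_str(frame[10:16])                      # Addr2 = transmitter
    body = frame[HDR_LEN + FIXED_LEN[subtype]:]
    ssid, pos = None, 0
    while pos + 2 <= len(body):                      # walk tagged params
        eid, elen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + elen]
        if len(data) < elen:
            break                                    # truncated element
        if eid == ELT_SSID:
            ssid = data.decode("utf-8", "replace") if elen else None
            break
        pos += 2 + elen
    return SUBTYPES[subtype], src, ssid


def build_mgmt(subtype, src, dst, ssid):
    """Build a management frame carrying one SSID element (sample data only)."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    header = fc + b"\x00\x00" + dst + src + dst + b"\x00\x00"
    fixed = b"\x00" * FIXED_LEN[subtype]
    return header + fixed + bytes([ELT_SSID, len(ssid)]) + ssid


# Constructed traffic from one "hidden" network: the AP's beacon carries a
# zero-length SSID, but every frame that follows names the network.
SAMPLE_FRAMES = [
    build_mgmt(8, AP, BCAST, b""),             # beacon with SSID suppressed
    build_mgmt(4, CLIENT, BCAST, b"CorpNet"),  # client probe request
    build_mgmt(5, AP, CLIENT, b"CorpNet"),     # AP probe response
    build_mgmt(0, CLIENT, AP, b"CorpNet"),     # association request
]


def ssid_disclosures(frames):
    """Map each SSID seen to the sorted (subtype, transmitter) pairs that leaked it."""
    seen = {}
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed and parsed[2] is not None:
            subtype, src, ssid = parsed
            seen.setdefault(ssid, set()).add((subtype, src))
    return {ssid: sorted(v) for ssid, v in seen.items()}


if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_mgmt(frame))
    print(ssid_disclosures(SAMPLE_FRAMES))
```

The hidden beacon parses with an SSID of None, while the probe request, probe response and association request all report "CorpNet", and the client's own MAC is the transmitter on two of them. That is the whole argument of the post in three frames: the client, not the access point, is what ends up advertising the network.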

Some may ask: "But can't we suppress the client-side probe requests too?" No. One side has to call out to the other to start the association process, so it might as well be the infrastructure, whose location is fixed and known anyway. If neither the infrastructure nor the client announces itself, each side will assume the other isn't there. By broadcasting the SSID in beacons from the access point, the clients can operate in stealth mode, which is crucial when they go on the road.

Starting with the wireless client update for Windows XP Service Pack 2 and with Windows Vista, Microsoft has wised up: the client suppresses SSID probe requests by default. However, Windows is forced to send SSID probes for any network whose infrastructure doesn't broadcast the SSID. Once you enable "Connect even if this network is not broadcasting", which is off by default, Windows XP and Vista will send probe requests naming that SSID wherever the machine is, making it a sitting duck for user credential hijacking and other forms of exploitation.
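A practitioner cleaning this up wants to know which saved profiles on a fleet of Windows machines have that setting turned on. Windows stores the "Connect even if this network is not broadcasting" checkbox as a nonBroadcast element in the WLAN profile XML, which `netsh wlan export profile folder=<dir>` writes out one file per profile. The script below is an added example, not code from the original post: it parses that XML and lists the profiles that will make the client probe. The schema namespace is Microsoft's real one; the two profiles and the network names are constructed here as sample input.

```python
"""Audit Windows WLAN profile XML for the nonBroadcast (probe-forcing) setting.

Input is the XML that `netsh wlan export profile folder=<dir>` produces.
The two profiles below are constructed sample data, not real exports.
"""
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample profiles, shaped like a netsh export (network names made up).
SAMPLE_PROFILES = [
    """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpNet</name>
  <SSIDConfig>
    <SSID><name>CorpNet</name></SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
</WLANProfile>""",
    """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>GuestNet</name>
  <SSIDConfig>
    <SSID><name>GuestNet</name></SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>manual</connectionMode>
</WLANProfile>""",
]


def parse_profile(xml_text):
    """Extract the fields that decide whether the client will probe for this network."""
    root = ET.fromstring(xml_text)
    nb = root.findtext("w:SSIDConfig/w:nonBroadcast", default="false", namespaces=NS)
    return {
        "name": root.findtext("w:name", namespaces=NS),
        "ssid": root.findtext("w:SSIDConfig/w:SSID/w:name", namespaces=NS),
        # An absent element means the checkbox is off, which is the Windows default.
        "nonBroadcast": nb.strip().lower() == "true",
        "connectionMode": root.findtext("w:connectionMode", default="manual", namespaces=NS),
    }


def probing_profiles(profile_xmls):
    """Return (name, connectionMode) for every profile that forces directed probe requests."""
    findings = []
    for xml_text in profile_xmls:
        p = parse_profile(xml_text)
        if p["nonBroadcast"]:
            findings.append((p["name"], p["connectionMode"]))
    return findings


if __name__ == "__main__":
    for name, mode in probing_profiles(SAMPLE_PROFILES):
        print(f"{name}: probes for its SSID wherever the machine goes (connectionMode={mode})")
```

A profile flagged with connectionMode "auto" is the worst case: the machine will probe for that SSID automatically every time the radio is on, without the user doing anything. The fix belongs on the infrastructure side first (turn the beacon back on), after which the checkbox can be cleared in every profile.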

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

Talkback (most recent of 42):
Any idiot...
With 10 seconds and any number of free downloads can set his MAC to anything he wants.

Sniff some traffic, pick a MAC that has access, clone it, and you're in.

Works quite well in probably 80% of public hotspots by the way......
Posted by: Marty R. Milette, 08/07/08
I see no problem with SSID hiding  Ronny102 | 03/11/08
It is only there if enabled  DevGuy_z | 03/11/08
This is the kind of ignorant response I'm talking about  georgeou | 03/11/08
RE: PCI security standard endangers wireless LANs  g_keramidas@... | 03/11/08
Just turn on WPA-PSK and use a nice random 10-character alphanumeric PSK  georgeou | 03/11/08
Avoid Mac filtering?  jgellman@... | 03/12/08
Please see this article  georgeou | 03/12/08
Wireless and Retail don't mix  SpikeyMike | 03/11/08
Please don't give me the old "if WEP was bad then so is WPA"  georgeou | 03/11/08
To be fair...  SpikeyMike | 03/11/08
To be fair, you should properly qualify your statements  georgeou | 03/11/08
Thanks george!  SpikeyMike | 03/11/08
I used to design wireless LANs for a lot of retail chains  georgeou | 03/11/08
George, you educated very well.  Grayson Peddie | 03/11/08
It applies to the home too. Never use SSID "hiding".  georgeou | 03/11/08
SSID hiding and random password  Grayson Peddie | 03/11/08
And I'm not targetting you at all, I'm targeting the PCI standard  georgeou | 03/11/08
How about a simple work around?  jacarter3 | 03/11/08
I already told you the correct solution  georgeou | 03/11/08
This is why I stopped using this site...  jacarter3 | 03/11/08
I did answer your question, but your name calling is unreasonable  georgeou | 03/11/08
Name caller calling out name callers  Hemlock Stones | 03/12/08
That's not name calling  voska1 | 03/12/08
You seem to be on crusade.  Been_Done_Before | 03/11/08
No, it's a very important message to CISSP and PCI standard  georgeou | 03/11/08
It is important  dkawalec | 03/11/08
No shame in your confusion when it's taught everywhere  georgeou | 03/11/08
Who's been teaching this?  voska1 | 03/12/08
The CISSP curriculum taught it last year when I took it  georgeou | 03/12/08
Used to...  SpikeyMike | 03/11/08
And I'm sure the retailers will say the same of you  georgeou | 03/11/08
RE: PCI security standard endangers wireless LANs  reverseswing | 03/11/08
should have hit reply to message  reverseswing | 03/11/08
Security: WPA2 vs. WPA  Grayson Peddie | 03/11/08
i didnt happy  reverseswing | 03/12/08
Thanks! Clear explanation.  pjotr123 | 03/12/08
WPA less secure then WEP (in certain scenarios)  SpikeyMike | 03/12/08
It is old  ivanotter | 03/12/08
I am still wondering why is MAC filtering not good  ivo_z | 03/12/08
Any idiot...  Marty R. Milette | 08/07/08
Security through obscurity  voska1 | 03/12/08
RE: PCI security standard endangers wireless LANs  ivanotter | 03/12/08
