Windows Wireless Flaw a Danger to Laptops

At the ShmooCon gathering in Washington, D.C., today, old-school hacker and mischief maker Mark "Simple Nomad" Loveless released information on a staggeringly simple but very dangerous wireless security problem with a feature built into most laptop computers running any recent version of the Microsoft Windows operating system.

Laptops running Windows XP or Windows 2000 with built-in wireless capability (which includes most laptops on the market today) are configured so that when the user opens up the machine or turns it on, Windows looks for any available wireless network. If the laptop cannot join one, the wireless card is put into ad-hoc mode and self-assigns what's known as a "link-local address," a supposed "private network" that needs no DHCP server: the card gets an address of the form 169.254.x.y, where, per RFC 3927, x is chosen pseudo-randomly from 1 to 254 and y from 0 to 255.


Microsoft designed this portion of Windows so that the address becomes associated with the name, or "SSID," of the last wireless network from which the user obtained a real Internet address. The laptop then beacons that network name to other computers within a short range of the machine (the range varies with a number of things, including the quality of the laptop's embedded wireless card and obstructions such as walls).

What Loveless found was that by creating an ad-hoc network on his own computer whose name matches the one the target is broadcasting, he could make the two computers associate with one another on the same link-local network, giving the attacker a direct IP path to the victim's machine (and whatever the victim's host firewall then lets through).

I followed Loveless up to his hotel room to get a first-hand look at how this attack works. I set up an ad-hoc wireless network connection on my Windows XP laptop named "hackme." Within a few seconds of clicking "OK" to create the network, my laptop was assigned a 169.254.x.x address. A few seconds later, Loveless could see my computer sending out a beacon saying it was ready to accept connections from other computers that might also have the "hackme" network pre-configured. Loveless then created an ad-hoc network with the same name and told his computer to connect to "hackme." Voila! His machine was assigned a different 169.254.x.x address, and we both verified that we could send data packets back and forth between our computers.
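The addressing step of that demonstration is governed by RFC 3927, and the following Python sketch, added here as an illustration rather than code from Windows or from Loveless's advisory, implements the RFC's selection rules: candidates come from 169.254.1.0 through 169.254.254.255 (the first and last 256 addresses of the prefix are reserved), the pseudo-random choice is seeded from the card's MAC so a host tends to get the same address every time it comes up, and an address already claimed on the link is skipped, with the host expected to slow down after ten conflicts. A real host learns about claimed addresses by ARP probing; here a plain set stands in for that. The MACs and the SHA-256 seeding are assumptions of the example. The point it shows is that two strangers each running this procedure land on the same /16 and are on-link to each other with no DHCP server, router or access point involved.

```python
import hashlib
import ipaddress
import random

# RFC 3927 section 2.1: link-local addresses live in 169.254/16, but the first
# and last 256 addresses (169.254.0.x and 169.254.255.x) are reserved.
LINK_LOCAL_NET = ipaddress.ip_network("169.254.0.0/16")
FIRST_USABLE = int(ipaddress.ip_address("169.254.1.0"))
LAST_USABLE = int(ipaddress.ip_address("169.254.254.255"))
# RFC 3927 section 2.2.1: after this many conflicts a host must slow down to
# one claim attempt per minute.
MAX_CONFLICTS = 10


def is_usable_link_local(addr):
    """True if addr is a link-local address a host may actually configure."""
    return FIRST_USABLE <= int(ipaddress.ip_address(str(addr))) <= LAST_USABLE


def candidates(mac):
    """Yield pseudo-random candidates seeded from the MAC, as the RFC suggests,
    so the same host tends to pick the same address every time it comes up.
    Seeding with SHA-256 is an assumption of this example, not the RFC's text."""
    seed = int.from_bytes(hashlib.sha256(mac.lower().encode()).digest()[:8], "big")
    rng = random.Random(seed)
    while True:
        yield ipaddress.ip_address(rng.randint(FIRST_USABLE, LAST_USABLE))


def select_link_local(mac, in_use):
    """Pick an address not already claimed on the link.

    `in_use` stands in for what ARP probes would reveal (a real host probes
    each candidate and moves on if another station answers).  Returns
    (address, conflicts), or (None, conflicts) once the host should back off.
    """
    conflicts = 0
    for cand in candidates(mac):
        if cand in in_use:
            conflicts += 1
            if conflicts > MAX_CONFLICTS:
                return None, conflicts
            continue
        return cand, conflicts


def can_reach(a, b):
    """Two hosts with usable link-local addresses are on-link to each other:
    no router, DHCP server or access point is needed for them to exchange packets."""
    return is_usable_link_local(a) and is_usable_link_local(b)


if __name__ == "__main__":
    # Constructed MACs for the example: the "victim" comes up first, then the
    # "attacker", who must avoid whatever the victim already claimed.
    victim, _ = select_link_local("00:16:ce:aa:aa:01", set())
    attacker, conflicts = select_link_local("00:16:ce:aa:aa:02", {victim})
    print(f"victim {victim}, attacker {attacker} after {conflicts} conflict(s), "
          f"on-link: {can_reach(victim, attacker)}")
```

Note that nothing in the selection depends on who else is present: the only coordination between the two machines is the ARP probe that avoids a duplicate, which is exactly why a stranger who merely shares the SSID ends up a neighbour.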

Here's the really freaky part about all this: No more than five minutes after I had deleted the "hackme" network ID from my laptop, Loveless and I spotted the same network name being broadcast from another computer that didn't belong to either of us. Turns out, someone else at the hacker conference was trying to join the fun.

As Loveless pointed out, this "feature" of Windows actually behaves somewhat like a virus. Think of it this way: if you connect your Windows laptop to the wireless network at the local Starbucks, your computer will store the name of that network indefinitely (these are typically named for T-Mobile, the wireless company that provides the service). Should you later open up your laptop in the vicinity of another Windows user who had also recently gotten online at a Starbucks, those two machines may connect to each other without any obvious notification to either user.

This is precisely what was happening to a client of Bruce Kyes Hubbert, a systems engineer I met at ShmooCon who works for a company called Airmagnet, which develops wireless security products (companies often use Airmagnet and similar tools to make sure employees aren't setting up unauthorized wireless networks that could compromise the organization's security). Hubbert said he smacked his forehead while listening to Loveless's presentation because it explained weird behavior one of his company's clients had been seeing a lot more of lately.

Hubbert said this particular client -- a very large company that he asked me not to name -- was complaining that Airmagnet's products were setting off a lot of false positives, detecting rogue wireless networks throughout the client's buildings. The odd thing, he said, was that there appeared to be more of these networks every day, at the rate of two or three additional ad-hoc networks per day.

"They kept telling us, 'we've been seeing more ad-hoc networks showing up in our building every day,' and most of them were for local hotel hotspots," Hubbert said. "So we'd see multiple machines all associating with the same network SSID, and meanwhile the user is refreshing their PowerPoint presentation and has no idea this is going on in the background."
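What a wireless sensor like Hubbert's sees is a stream of beacon frames, and the ad-hoc case is easy to pick out: an ad-hoc beacon sets the IBSS bit of the capability field instead of the ESS bit, and every member of an ad-hoc network beacons the shared (randomly generated, locally administered) BSSID under its own source address. The following Python example, added here and not code from Airmagnet, Loveless or the Post, builds a handful of constructed beacon frames, parses them, and reports ad-hoc beacons that reuse the name of a known hotspot, counting the distinct laptops behind each. The SSID list, MACs and frames are all made up for the example; on a real monitor-mode capture you would strip the radiotap header and feed the bare 802.11 frames to parse_beacon.

```python
import struct
from collections import defaultdict

# Hotspot names that should only ever come from real access points.  This list
# and every frame below are constructed for the example, not captured data.
KNOWN_HOTSPOT_SSIDS = {"tmobile", "linksys"}

CAP_ESS = 0x0001   # capability bit 0: sender is an access point (infrastructure)
CAP_IBSS = 0x0002  # capability bit 1: sender is a member of an ad-hoc network
IE_SSID = 0        # information element ID for the SSID
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(sa, bssid, ssid, adhoc):
    """Build a bare 802.11 beacon (no radiotap header) for the sample corpus."""
    # frame control 0x80 0x00 = management / beacon, duration 0,
    # addr1 = broadcast, addr2 = transmitter, addr3 = BSSID, sequence control 0
    header = (struct.pack("<BBH", 0x80, 0x00, 0) + mac_bytes(BROADCAST)
              + mac_bytes(sa) + mac_bytes(bssid) + struct.pack("<H", 0))
    capability = CAP_IBSS if adhoc else CAP_ESS
    body = struct.pack("<QHH", 0, 100, capability)  # timestamp, interval, capability
    ssid_raw = ssid.encode()
    return header + body + bytes([IE_SSID, len(ssid_raw)]) + ssid_raw


def parse_beacon(frame):
    """Return (sa, bssid, ssid, mode) for a beacon frame, or None for anything else."""
    if len(frame) < 36:
        return None
    fc0 = frame[0]
    if (fc0 & 0x0C) != 0x00 or (fc0 >> 4) != 0x08:  # type 0 (management), subtype 8
        return None
    sa, bssid = mac_str(frame[10:16]), mac_str(frame[16:22])
    _timestamp, _interval, capability = struct.unpack_from("<QHH", frame, 24)
    ssid, offset = None, 36
    while offset + 2 <= len(frame):               # walk the information elements
        ie_id, ie_len = frame[offset], frame[offset + 1]
        if offset + 2 + ie_len > len(frame):
            break
        if ie_id == IE_SSID:
            ssid = frame[offset + 2:offset + 2 + ie_len].decode(errors="replace")
            break
        offset += 2 + ie_len
    if capability & CAP_IBSS:
        mode = "adhoc"
    elif capability & CAP_ESS:
        mode = "infrastructure"
    else:
        mode = "unknown"
    return sa, bssid, ssid, mode


def find_adhoc_reuse(frames, known_ssids=KNOWN_HOTSPOT_SSIDS):
    """Map each known hotspot SSID seen in ad-hoc beacons to the stations sending them.

    Members of one ad-hoc network share a BSSID but beacon under their own source
    address, so the number of distinct SAs is the number of laptops advertising it.
    """
    stations = defaultdict(set)
    for frame in frames:
        parsed = parse_beacon(frame)
        if parsed is None:
            continue
        sa, _bssid, ssid, mode = parsed
        if mode == "adhoc" and ssid in known_ssids:
            stations[ssid].add(sa)
    return {ssid: sorted(sas) for ssid, sas in stations.items()}


# Constructed corpus: two laptops beaconing an ad-hoc "tmobile" (same locally
# administered BSSID, 02:...), one ad-hoc "hackme", and one real access point.
SAMPLE_FRAMES = [
    build_beacon("00:16:ce:aa:aa:01", "02:11:22:33:44:55", "tmobile", adhoc=True),
    build_beacon("00:16:ce:aa:aa:02", "02:11:22:33:44:55", "tmobile", adhoc=True),
    build_beacon("00:16:ce:aa:aa:03", "02:66:77:88:99:aa", "hackme", adhoc=True),
    build_beacon("00:0f:66:bb:bb:01", "00:0f:66:bb:bb:01", "corpnet", adhoc=False),
]

if __name__ == "__main__":
    for ssid, sas in find_adhoc_reuse(SAMPLE_FRAMES).items():
        print(f"{len(sas)} station(s) beaconing hotspot name {ssid!r} in ad-hoc mode: {sas}")
```

The grouping is what turns a pile of "rogue network" alerts into the pattern Hubbert described: one hotel or coffee-shop SSID, several employee laptops, none of them an access point.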

As it turns out, the specification for the link-local addressing half of this behavior -- a technical document entitled "RFC 3927" -- was written in part by a Microsoft employee, one B. Aboba, according to the document. (The RFC covers only how a host picks a 169.254 address; putting the card into ad-hoc mode under a remembered SSID is Microsoft's own design.) Strangely enough, the authors of that spec foretold the danger of treating a wireless link as a safe place to do this. This from section 5, paragraph three of the RFC:

"NOTE: There are certain kinds of local links, such as wireless LANs, that provide no physical security.  Because of the existence of these links it would be very unwise for an implementer to assume that when a device is communicating only on the local link it can dispense with normal security precautions.  Failure to implement appropriate security measures could expose users to considerable risks."

Whoops. Anyway, you might be wondering now how to make sure your Windows laptop is protected from this.....er, feature. First of all, a host firewall -- including the one built in to Windows XP -- keeps a stranger on the same link-local network from reaching the services on your laptop; I had to shut down my firewall for both of us to successfully conduct our test. One caveat: the firewall does not stop the two machines from associating, and any exception scoped to "My network (subnet) only" (the File and Printer Sharing exception in XP SP2 is scoped that way by default) treats a link-local neighbor as part of your subnet, so check which exceptions you have turned on.

Also, many laptops have a button you can push that disables the built-in wireless feature until you hit that button again. Turning off the wireless connection when you are not using it also prevents this from being a problem.

Another good idea is to change the setting on the computer's wireless card to connect only to "infrastructure networks" -- real wireless access points that actually allow you to surf the Web. To do this, go to "Start," "Control Panel," "Network Connections," then right-click on the entry labeled "Wireless Network Connection" and select "Properties" from the menu. Click on the "Wireless Networks" tab, then on the "Advanced" button at the bottom of that window. A box should pop up that gives you three options to choose from: select the one next to "Access point (infrastructure) networks only." (The "Wireless Networks" tab only appears while the wireless adapter is enabled and Windows, rather than a vendor utility, is managing it; if you don't see the tab, enable the adapter first and reopen "Properties.")

By the way, Microsoft has acknowledged this vulnerability and says it plans to change the default configuration in the next service packs released for Windows, whenever those arrive.

As a sidenote, Loveless described in delicious detail for a rapt audience at ShmooCon how he used the trick on various airline flights to gain access to Windows machines that other passengers were using. Referring to a previous conversation he had with Jennifer Granick, a lawyer who represents accused hackers (and who also gave this morning's ShmooCon keynote), Loveless said he believes that since the attacks were mostly carried out while the plane was over international waters, U.S. law enforcement might have a hard time making the case that he was violating any laws. The real answer to that very interesting question, he said, would probably not be evident until someone gets sued in court over it.

By Brian Krebs  |  January 14, 2006; 2:53 PM ET
Categories:  Latest Warnings  

Comments

The Microsoft co-author of the spec was Bernard Aboba (B. Aboba), not E. Guttman who was from Sun.

Posted by: David Hunter | January 14, 2006 6:44 PM | Report abuse

woops. thanks for catching that, David. I have updated the blog to fix that.

Posted by: Bk | January 14, 2006 7:10 PM | Report abuse

I believe in an airplane or surface vessel in international waters the law of the country of registration applies.

Posted by: McH | January 14, 2006 7:40 PM | Report abuse

Viola! ???? The copyeditor has never been to France, or to French class.

Posted by: Ian Gilbert | January 14, 2006 9:14 PM | Report abuse

That happens when APIPA is enabled. Just disable APIPA and it shouldn't work. That is just plain misconfiguration of a laptop.

How: http://www.petri.co.il/disable_apipa_in_windows_2000_xp_2003.htm

Posted by: Carry van Eijk | January 15, 2006 9:55 AM | Report abuse

The directions you gave to fix this vulnerability break down after you right-click the network connection and click Properties. My computer does not have the following per your instructions:

Then click on the "Wireless Networks" tab, and then on the "Advanced" tab at the bottom of that window. A box should pop up that gives you three buttons to choose from: Select the one next to "Access point (infrastructure) networks only."

Please clarify.

Posted by: docvizsla | January 15, 2006 10:10 AM | Report abuse

I want to know why this is considered a Windows flaw when Mac OS X operates the same way as specified in RFC 3927.

http://www.faqs.org/rfcs/rfc3927.html

The RFC *does* cover the security risks of this feature

5. Security Considerations

The use of IPv4 Link-Local Addresses may open a network host to new attacks. In particular, a host that previously did not have an IP address, and no IP stack running, was not susceptible to IP-based attacks. By configuring a working address, the host may now be vulnerable to IP-based attacks.

[...]

-Chris

Posted by: Chris Wysopal | January 15, 2006 10:25 AM | Report abuse

This has been demonstrated already for some time - at least a couple of years. See:
http://www.theta44.org/karma/index.html

Posted by: foobar | January 15, 2006 10:27 AM | Report abuse

I don't understand why this is "very dangerous," or at least any more dangerous than connecting your computer to any network. If you have a computer with any networking hardware in it, you should be prepared for it to be sent packets, period. I can understand this being annoying to network administrators, what with bogus SSIDs popping up everywhere, but to call this dangerous smacks of "your computer is broadcasting an IP address!"

Posted by: AJB | January 15, 2006 10:34 AM | Report abuse

I agree, it's not a flaw, just a total misconfiguration of the system :). Maybe what Microsoft can do as a fix is to by default unset "automatically connect to an ad hoc" (in the advanced properties) and instead default it to "Infrastructure only", like enabling the firewall on the machine by default, but I would likely call it a fix, just an update.

Posted by: Josh Nebres | January 15, 2006 11:04 AM | Report abuse

The "Wireless Networks" tab only appears if the interface is enabled.

When you right-click the "Wireless Network Connection", click "Enable" instead of "Properties". Then wait several seconds. Then go through the Start menu to "Wireless Network Connection" again, right-click it again (this time it will say "Disable" instead of "Enable"), click "Properties", and the "Wireless Networks" tab will be there. Then continue with the instructions.

Posted by: Barry K. Nathan | January 15, 2006 12:01 PM | Report abuse

Not bragging, but I've been using this 'feature' for quite some time now.

When we work without our access point near, we can still communicate this way without any hassle.

The line between 'feature' and 'bug' is very narrow.

Posted by: hmm | January 15, 2006 1:13 PM | Report abuse

I knew about this a long time before this article came out.

Posted by: Computergeek1200 | January 15, 2006 2:24 PM | Report abuse

Where does it say in RFC 3927 that a machine should automatically create ad-hoc wireless networks based on its last known SSID? It doesn't. People are confusing the issue. This "security flaw" has nothing to do with RFC 3927. Regarding Chris Wysopal's comments, Mac OS X does implement RFC 3927, however, Mac OS X does not automatically create ad-hoc wireless networks. That's why Mac OS X doesn't have this flaw, while Windows does.

Posted by: Snoop | January 15, 2006 3:11 PM | Report abuse

Does this affect the Pocket PC versions of Windows? I have a wireless set on it, and it seems to remember all the networks that I have attached to.

Posted by: Bob Morton | January 15, 2006 5:36 PM | Report abuse

This is a bit of a silly article.

For this to be any sort of security issue requires a downright frightening series of misconfigurations and misunderstandings.

1. The user would have to turn on their wireless in a place with no connectable WAP, and then leave it on when they couldn't connect to anyone.

2. They (or their sysadmin folks) would have had to leave APIPA on for that machine. Many do though, so this isn't completely unreasonable.

3. Your firewall would have to be configured to consider the APIPA subnet a trusted subnet.

4. Even without a firewall, or if you considered the APIPA subnet a 'trusted' subnet, this doesn't give anyone entrance into your system. You still have to have open shares, or easily guessable passwords for local admin accounts.

5. Your wireless configuration would have to be configured to connect to both ad hoc and infrastructure points (I'm not sure what the default is).

So at this point, in the absolute worst case scenario, all that the attacker has is effectively being on the same trusted subnet (i.e., no firewall) as you. But since there won't be anything else on the subnet of interest, there's no interesting traffic to intercept or MITM.

A far more interesting attack would be for the attacker to set up an ad hoc site named 't-mobile', then serve a T-Mobile login page on a local webserver, and then MITM all traffic, particularly company email, domain logins, etc.

Of course, even in this scenario, any smart corporation requires a certificate-based VPN to get into the corporate nets, and you can't MITM that.

So where is the security hole here again? I don't see it, I just see someone using fear-mongering to get some free press.

Posted by: Andrew | January 15, 2006 10:58 PM | Report abuse

Andrew,

Not quite sure what you're confused about: this can easily be used against someone sitting within a short distance of you (if there is no wireless network present) to gain an IP address on the same network as that person. Use a tool like Metasploit, and if they are missing any patches an attacker stands an excellent chance of being able to own the target's computer.

Posted by: Bk | January 16, 2006 12:15 AM | Report abuse

I am surprised at this article. How is this a security flaw? It's like saying "A previously unknown security flaw was discovered in Windows! By connecting your computer to the internet, you allow anyone to connect to your machine, possibly with malicious intent"

Posted by: Slashdot reader | January 16, 2006 12:56 AM | Report abuse

Bob - No it doesn't appear to. From the official advisory on this (http://www.securityfocus.com/archive/1/421868/30/0/threaded), this is the default setting in:

Windows 2000 SP 2
Windows 2000 SP 3
Windows 2000 SP 4
Windows XP Home Edition Gold
Windows XP Professional Gold
Windows XP Professional SP 1
Windows XP Professional SP 2
Windows 2003 (unknown patch level)

Posted by: Bk | January 16, 2006 12:20 PM | Report abuse

Even the demo from Loveless to Krebs started with the victim configuring an ad hoc network. That's a heck of a head start. Besides the user inadvertently selecting an ad hoc network named "linksys" (and hence creating an ad hoc Preferred Network), it is not clear how the ad hoc network is automagically initiated with the usual SSID. Is there technical merit here?

Posted by: nb | January 16, 2006 11:49 PM | Report abuse

NB, that was just an example. In real life, if I use a Linksys wireless router at home, and then sat down in a library and opened up my laptop to type a word processing document (without intending to use any wireless networks), someone else could still access my machine just by creating an ad hoc network named linksys. In fact, even if the person sitting nearby with their laptop wasn't malicious, and they had a network named linksys cached on their computer (and I'm willing to bet 50 percent of laptop users do), our two machines would automagically connect to one another in the case that neither could connect to a real Wi-Fi network.

The default setting in Windows is to connect to both access point and ad hoc versions of a network the machine has seen before. So, my example may not have been the most representative, but I encourage you to read the entire post along with SN's official description of this, which is now linked in the first paragraph.

Posted by: Bk | January 17, 2006 10:13 AM | Report abuse

