What are the most prevalent threats for wireless-enabled laptops?
At the ShmooCon hacker conference in January 2006, Simple Nomad reminded us all of what many knew but few seemed to be thinking about: wireless clients are at risk not only while connected to an open network but any time the radio is turned on.
Enterprise wireless networks can mitigate many of the risks to clients, but unfortunately all of this protection goes away the moment a user on the road connects to a hotspot in the airport, or even when the user has a hotspot in his or her network favorites list.
There are many ways a client can be compromised, ranging from user error or ignorance to flaws in the operating system.
Subtler than an evil twin
When a user has an unsecured network in the favorites list, he or she becomes vulnerable to a much subtler attack than the well-known "evil twin" spoofed access point. When no network is available, the system will look for each network it has previously connected to. If the attacker provides a network with that name, the user's system will automatically connect to it.
Connecting to the false network exposes any network services that have not been patched, and it may initiate automatic tasks such as checking for new e-mail or system updates. All the attacker needs is a network service that looks legitimate long enough for a client to try to connect and send the login and password information.
Users on any unsecured access point face the additional hidden risk of data injection. An attacker who spoofs connections and injects malicious data can compromise a client by doing something as simple as replacing an image in an HTTP request with the browser exploit du jour.
Compromised users are a threat to the secured network when they return. Many exploits "phone home" for updates and new code, copy or hide files, or provide hidden channels to control the compromised system. Even malware that doesn't target files can cause network outages or legal liabilities if triggered as part of a denial-of-service botnet.
Educating users, blocking access to insecure networks from company laptops with clients that enforce wireless security policies, or both, are currently the only ways to prevent this from happening to your network. Make sure your users know not only what not to do, but why it's important. They need to turn off wireless entirely when they're not using it; this will even save them battery life.
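One way to check a laptop for the favorites-list exposure described above, as an added example that is not part of the original article: the script audits saved Wi-Fi profiles and flags unsecured networks, ranking those set to join automatically highest. It assumes Windows WLAN profile XML as written by `netsh wlan export profile`; the function names and sample SSIDs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows WLAN profile XML (the format `netsh wlan export profile` writes).
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}


def make_profile(name, mode, auth, enc):
    """Build a constructed sample profile; real ones come from exported XML files."""
    return (
        f'<WLANProfile xmlns="{NS["w"]}"><name>{name}</name>'
        f"<SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>"
        f"<connectionType>ESS</connectionType><connectionMode>{mode}</connectionMode>"
        f"<MSM><security><authEncryption><authentication>{auth}</authentication>"
        f"<encryption>{enc}</encryption><useOneX>false</useOneX>"
        f"</authEncryption></security></MSM></WLANProfile>"
    )


def audit_profile(xml_text):
    """Return (ssid, risk) for one saved profile; risk is None if it is not open."""
    root = ET.fromstring(xml_text)
    ssid = root.findtext("w:SSIDConfig/w:SSID/w:name", default="?", namespaces=NS)
    # A missing connectionMode is treated as auto, the conservative choice for an audit.
    mode = root.findtext("w:connectionMode", default="auto", namespaces=NS).strip().lower()
    auth = root.findtext(".//w:authentication", default="", namespaces=NS).strip().lower()
    enc = root.findtext(".//w:encryption", default="", namespaces=NS).strip().lower()
    if auth != "open" or enc != "none":
        return ssid, None
    # Open network: the laptop cannot tell the real access point from one reusing its name.
    risk = "HIGH: open, joins automatically" if mode == "auto" else "MEDIUM: open, manual join"
    return ssid, risk


def audit_saved_networks(profiles):
    """Return only the risky profiles, worst first (HIGH sorts before MEDIUM)."""
    findings = [audit_profile(p) for p in profiles]
    return sorted((f for f in findings if f[1]), key=lambda f: f[1])


SAMPLES = [  # constructed profiles with illustrative SSIDs
    make_profile("CorpNet", "auto", "WPA2", "AES"),
    make_profile("Hotel-Guest", "manual", "open", "none"),
    make_profile("Airport-Free-WiFi", "auto", "open", "none"),
]

if __name__ == "__main__":
    for ssid, risk in audit_saved_networks(SAMPLES):
        print(f"{ssid}: {risk}")
```

Profiles reported as HIGH are the ones to delete or switch to manual connection first, since the laptop will join any access point advertising that name without user action.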
Mike Kershaw is the author of Kismet, a popular open-source project for 802.11 wireless network detection, sniffing, and intrusion detection, as well as an editorial board member of the WVE information source on wireless vulnerabilities.