Despite increasingly effective WIPS, wireless attacks are rapidly increasing due to several factors, most notably the proliferation of enterprise usage, the frequent changes in standards and the common misconception that Wi-Fi security is nothing more than an afterthought. Today there are also many well-written applications, platforms, operating systems and hardware modifications designed to simplify the setup and execution of sophisticated wireless attacks. Most of the commonly known types of network threats traditionally seen in wired network environments have been redesigned to exploit wireless systems; sniffing, probing, scanning, spoofing and cryptographic attacks, to name a few, have all been effectively executed.
The multipot attack takes the evil twin concept a step further and presents a more significant threat to enterprises. Coined from the term "multiple honeypots", a multipot employs the use of two or more malicious access points configured as clones of a legitimate access point.
The multipot's use of multiple rogue access points, however, creates a unique and difficult situation for an enterprise WIPS. In this scenario, when session containment is attempted, the client receives the WIPS's deauthentication packets, which force network disconnection. But when the client restarts the 802.11 reconnection process, it associates itself to the second rogue access point and resumes communication attempts. Although the sensors again detect improper activity and transmit deauthentication packets, the WIPS is presented with a temporal obstacle. Its sensor is a transceiver and is responsible for channel-frequency scanning and packet broadcasting for session containment. While the time required to complete these tasks is in the order of seconds, it is much longer than the millisecond process of client reconnection.
So in a scenario with only one rogue access point, the process of connecting to and being disconnected from a single access point would result in a cycle causing packet flooding, yet with two rogue access points, the client effectively "outruns" the deauthentication packets by hopping back and forth between the rogue access points. Again, this vast difference in the time that each device needs to perform its job -- the WIPS sensor requires seconds while the client just milliseconds -- allows for client communication to proceed without perception of any disruptions.
There are a number of steps that can be incorporated into an enterprise security strategy to mitigate these types of threats. Site surveys to maintain a current database of network elements allow for monitoring WLAN changes via access point characteristics such as channel signal strengths associated with each SSID, physical access point location, RF triangulation, vendor consistency via MAC addressing, and access point firmware versions. Since the 802.11 standard only defines Layer 1 (physical) and Layer 2 (data link layer/MAC address sublayer) segments, multilayered protection should be implemented with additional upper-layer authentication, encryption, network access control and vulnerability management. Knowledge of the geographic coverage area, physical mapping of wireless threat exposure, identifying areas of high risk probability, dense sensor deployment, 24x7 real-time monitoring, effective threat classification and increasing physical access to office premises and surrounding areas are also essential for secure enterprise WLAN deployment. Finally, employee education and enforcement of a well-defined security policy remain the cornerstones for maintaining a secure network environment.
About the author:
Noah Schiffman is a reformed former black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. Today he works as an independent IT security consultant specializing in risk assessment, pen testing, cryptography and digital forensics, predictive analysis models, security metrics and corporate security policy. He holds degrees in psychology and mechanical engineering, as well as a doctorate in medicine from the Medical University of South Carolina. Schiffman is based in Charleston, S.C.
This was first published in October 2007