Dangerous Windows wireless flaw
p2p news / p2pnet: A high-risk wireless security problem exists in the Microsoft Wireless Client for laptops running Windows 2000/XP/2003, says Mark ‘Simple Nomad’ Loveless.
Here’s how it works, he says in his Nomad Mobile Research Centre advisory.
Alice has a wireless access point at home with an SSID of "linksys", which she has successfully set up and connected to with her laptop.
Alice goes to the airport (or train station or coffee shop) and opens her laptop.
Bob, who is sitting next to Alice, has a laptop configured with an ad-hoc network advertising an SSID of "linksys".
Alice’s laptop, when started, looks for the SSID of "linksys" and attaches to Bob’s ad-hoc network.
The next time Alice boots up the laptop when the Ethernet cable is not attached and there is no "linksys" SSID in range, Alice starts advertising an ad-hoc network with an SSID of "linksys".
It’s lame, Loveless acknowledges. "I know this, don’t email me with that info."
But, "I deem it serious due to the exposure in laptops with wireless. In field tests, it became apparent that if the laptop user fired up their laptop in the airport terminal and was advertising an ad-hoc network, when the same laptop user fired up their laptop during the flight, they would in fact be advertising the ad-hoc network during flight. This has a couple of ramifications.
"The first is that if wireless laptops with the wireless adapter enabled were capable of interfering with the navigational systems as claimed by the airlines then we would be having numerous in-flight incidents due to the high proliferation of wifi-enabled laptops used by business people on flights.
"The second ramification is that users sitting on a plane at 35,000 feet are not going to be suspecting a network attack against the laptop in the lap, and so any odd ‘side effects’ from probe and attack attempts (service crashing, blue screen or a restart) will be dismissed as a local system anomaly and not an attack, allowing the attacker to be a little more aggressive."
Loveless shows data collected from four US domestic flights in September and October, 2005. The data were collected using NetStumbler, Nmap, and the Metasploit Framework from a laptop running Windows XP. ["You should know these tool locations by heart. Netstumbler, Nmap, and Metasploit Framework can be found at www.netstumbler.com, www.insecure.org/nmap, and www.metasploit.com respectively."]

"Microsoft was contacted on October 13, 2005," says Loveless. "After numerous exchanges of emails and a conference call, Microsoft was able to reproduce and isolate the issue within their software. As there are multiple and easy-to-implement workarounds for the issue, Microsoft has scheduled to include the fix in the next service packs."
But until that happens, he suggests three workarounds:
Workaround #1:
Disable wireless when not in use. Simple, eh?
Workaround #2:
Use an alternate Wireless Client Manager, (e.g. for an integrated Intel Wifi connector, use Intel PROSet/Wireless) as all others tested do not seem to have the problem (this testing was not all-inclusive).
Workaround #3 (recommended):
1. Click on the Wireless option in the System Tray and open the Wireless Network Connection window.
2. Click on "Change advanced settings".
3. In the Wireless Network Connection Properties window, click on the Wireless Networks tab.
4. Click on the Advanced button.
5. Click on "Access point (infrastructure) networks only"
"This workaround prevents you from connecting to any ad-hoc network in the first place," says Loveless.
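To make the scenario above concrete (Alice’s saved "linksys" profile sitting next to Bob’s ad-hoc "linksys") and to show what Workaround #3 actually enforces, here is an added example in Python. It is not code from Loveless’s advisory or from Microsoft. It parses a constructed scan listing laid out like the output of `netsh wlan show networks mode=bssid` (a Vista-and-later command; XP’s Wireless Zero Configuration has no such text output, so the format here is an assumption), applies the "infrastructure networks only" rule to the saved profiles, and separately flags any ad-hoc network that reuses an SSID the user has saved as an infrastructure network. The profile table and scan text are made up for the example.

```python
"""Evil-twin ad-hoc detection and the infrastructure-only policy.

Added example (not from the advisory or from Microsoft). Input is a
constructed scan listing in the layout of `netsh wlan show networks
mode=bssid`; the exact layout is an assumption, not a real capture.
"""
import re
from dataclasses import dataclass, field

# Constructed sample scan (not a real capture). SSID 1 is Bob's ad-hoc
# "linksys"; SSID 3 is a legitimate infrastructure "linksys" further away.
SAMPLE_SCAN = """\
Interface name : Wireless Network Connection
There are 3 networks currently visible.

SSID 1 : linksys
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 02:1a:2b:3c:4d:5e
         Signal             : 80%

SSID 2 : airport-free-wifi
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 60%

SSID 3 : linksys
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:aa:bb:cc:dd:ee
         Signal             : 30%
"""

# Alice's saved profiles (constructed): SSID -> mode she originally joined.
SAVED_PROFILES = {"linksys": "Infrastructure"}

SSID_RE = re.compile(r"^SSID \d+ : (.*)$")
BSSID_RE = re.compile(r"^\s+BSSID \d+\s*:\s*([0-9a-fA-F:]{17})")
KV_RE = re.compile(r"^\s+([A-Za-z ]+?)\s*:\s*(.*)$")


@dataclass
class Network:
    ssid: str
    net_type: str = ""
    auth: str = ""
    bssids: list = field(default_factory=list)

    @property
    def is_adhoc(self) -> bool:
        return self.net_type.lower() == "adhoc"


def parse_scan(text: str) -> list:
    """Turn the netsh-style listing into Network records."""
    nets, cur = [], None
    for line in text.splitlines():
        m = SSID_RE.match(line)
        if m:                                  # new SSID block starts
            cur = Network(ssid=m.group(1).strip())
            nets.append(cur)
            continue
        if cur is None:                        # header lines before SSID 1
            continue
        m = BSSID_RE.match(line)               # check BSSID before generic k/v
        if m:
            cur.bssids.append(m.group(1).lower())
            continue
        m = KV_RE.match(line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            if key == "Network type":
                cur.net_type = val
            elif key == "Authentication":
                cur.auth = val
    return nets


def joinable(nets, saved=SAVED_PROFILES, infrastructure_only=True):
    """Networks the client would treat as connection candidates.

    infrastructure_only=False models the default XP behaviour that bites
    Alice; True models Workaround #3 ("Access point (infrastructure)
    networks only"), under which ad-hoc networks are never candidates.
    """
    out = []
    for n in nets:
        if n.ssid not in saved:
            continue
        if infrastructure_only and n.is_adhoc:
            continue
        out.append(n)
    return out


def evil_twin_alerts(nets, saved=SAVED_PROFILES):
    """Flag ad-hoc networks reusing an SSID saved as infrastructure."""
    return [
        f"ad-hoc '{n.ssid}' ({', '.join(n.bssids)}) collides with a saved "
        f"infrastructure profile"
        for n in nets
        if n.is_adhoc and saved.get(n.ssid) == "Infrastructure"
    ]


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN)
    print("XP default candidates :", [(n.ssid, n.net_type) for n in joinable(scan, infrastructure_only=False)])
    print("Workaround #3 candidates:", [(n.ssid, n.net_type) for n in joinable(scan)])
    for a in evil_twin_alerts(scan):
        print("ALERT:", a)
```

Under the default policy both "linksys" entries are candidates and the client may well prefer the stronger ad-hoc one; with the infrastructure-only rule the ad-hoc entry is dropped before any profile match is considered, which is exactly why Loveless recommends Workaround #3 over merely "not connecting" when prompted.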
Also See:
Nomad Mobile Research Centre – Microsoft Windows Silent Adhoc Network Advertisement, January 14, 2006

January 17th, 2006 at 3:06 pm
You guys ever seen the directional WiFi antenna made out of a pringles can? Here’s more info:
http://geekswithblogs.net/lorint
(Not trying to help anyone pull off this exploit in mentioning this, I just found it interesting and related!)
-Lorin
January 17th, 2006 at 4:39 pm
I was just about to write about number 5.
5. Click on “Access point (infrastructure) networks only”
That’s how I set up all my Windows laptops anyway. That’s pretty much common sense.
Even so, it doesn’t pose a serious threat, unless of course you are in the habit of sharing your drive’s root.
I wouldn’t really classify it as a flaw, it’s like saying file and printer sharing is a security flaw. These things only pose a threat when no precautions are taken.
January 18th, 2006 at 2:51 am
The whole problem is that the majority of ppl out there DON’T take any precautions!
The lamescream media doesn’t help with totally useless “articles” or “exposés” on computer security that don’t tell you what to do.
All apps, OSes and hardware should be locked down by default and you should have to manually turn anything on. Also it should be hard to turn any potentially risky features on, requiring a read through the manual which should explain the security risks in plain language. This would reduce the scope of the problem a bit.
Of course it’ll never happen. Ppl are so in love with convenience they’d happily rfid chip themselves if it meant taking a few minutes less time in a supermarket queue.