[REVS] Attacking Automatic Wireless Network Selection



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Attacking Automatic Wireless Network Selection
------------------------------------------------------------------------


SUMMARY

Wireless 802.11 networking is becoming so prevalent that many users have
become accustomed to having available wireless networks in their
workplace, home, and many public places such as airports and coffee shops.
Modern client operating systems implement automatic wireless network
discovery and known network identification to facilitate wireless
networking for the end-user.

In order to implement known network discovery, client operating systems
remember past wireless networks that have been joined and automatically
look for these networks (referred to as Preferred or Trusted Networks)
whenever the wireless network adapter is enabled. By examining these
implementations in detail, we have discovered previously undisclosed
vulnerabilities in the implementation of these algorithms under the two
most prevalent client operating systems, Windows XP and MacOS X.

With custom base station software, an attacker may cause clients within
wireless radio range to associate to the attacker's wireless network
without user interaction or notification. This will occur even if the user
has never connected to a wireless network before or they have an empty
Preferred/Trusted Networks List. We describe these vulnerabilities as well
as their implementation and impact.

DETAILS

IEEE 802.11 wireless networking has demonstrated explosive growth and
popularity, especially in dense urban areas. This has resulted in
commercial offerings of public access wireless networks (hotspots) in many
airports, hotels, coffee shops, and even some parks. Large hotspot
providers include T-Mobile and Verizon. There are even community-based
projects to provide free hotspots in community areas like Manhattan parks
<http://www.nycwireless.net>.

The prevalence of these hotspots has had an unanticipated effect on the
mechanisms in client operating systems for selecting wireless networks. It
has been a known problem that an attacker can provide a rogue access point
with a common name (such as linksys, the default SSID of a popular
home-office access point). If a nearby wireless client has associated to a
similarly-named access point in the past, it may mistake the rogue access
point for its trusted access point. The prescribed solution to this is to
ensure that every network the client connects to is encrypted.

While this is possible when the only networks connected to are at the home
or workplace, the use of hotspots (which must be unencrypted to provide
public access) means that users are more likely to have connected to
unencrypted networks in the past.
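The exposure described above can be checked on a client by auditing its remembered networks. The following is an added example, not code from the advisory or from the Karma tool; the `Profile` fields, the severity labels and the short default-SSID list are assumptions made for illustration, and the sample list is constructed.

```python
"""Audit a Preferred/Trusted Networks List for entries a rogue AP could impersonate."""
from dataclasses import dataclass

# Assumed sample of factory-default SSIDs; "linksys" is the one the advisory names.
COMMON_DEFAULT_SSIDS = {"linksys", "default", "NETGEAR"}

@dataclass(frozen=True)
class Profile:
    ssid: str           # SSIDs are case-sensitive, so they are compared exactly
    encrypted: bool     # False for open networks such as public hotspots
    auto_connect: bool  # assumed field: True if the client joins without asking

def classify(profile):
    """Return 'ok', 'low', 'medium' or 'high' for one remembered network."""
    if profile.encrypted:
        return "ok"       # the advisory's prescribed fix: encrypted networks only
    if not profile.auto_connect:
        return "low"      # open, but the user has to choose it by hand
    if profile.ssid in COMMON_DEFAULT_SSIDS:
        return "high"     # open, joined automatically, and a very common name
    return "medium"       # open and joined automatically (typical hotspot entry)

def audit(profiles):
    """Return (severity, ssid) for every exposed entry, worst first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = [(classify(p), p.ssid) for p in profiles]
    exposed = [f for f in findings if f[0] != "ok"]
    return sorted(exposed, key=lambda f: (rank[f[0]], f[1]))

# Constructed sample list, not taken from a real machine.
SAMPLE_PNL = [
    Profile("corp-wpa", encrypted=True, auto_connect=True),
    Profile("linksys", encrypted=False, auto_connect=True),
    Profile("AirportFreeWiFi", encrypted=False, auto_connect=True),
    Profile("HotelGuest", encrypted=False, auto_connect=False),
    Profile("linksys-home", encrypted=True, auto_connect=True),
]

if __name__ == "__main__":
    for severity, ssid in audit(SAMPLE_PNL):
        print(f"{severity:<6} {ssid}: remove it or stop joining it automatically")
```

Removing the flagged entries addresses the remembered-network problem only; the summary notes that the newly reported vulnerabilities also affect clients with an empty list.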

To read more: <http://www.theta44.org/karma/aawns.pdf>


ADDITIONAL INFORMATION

The information has been provided by Dino A. Dai Zovi
<mailto:ddz@xxxxxxxxxxxx>.
The original article can be found at:
<http://www.theta44.org/karma/aawns.pdf>
The Karma tool can be found at:
<http://www.securiteam.com/tools/5CP0I0KG0W.html>


