About The Editor

So far The Editor has created 26 blog entries.

Do You Trust Your Home Wi-Fi?

We’ve been talking a lot lately on how crucial it is for organizations to enable a Trusted Wireless Environment. Now that working remotely is our “new normal,” and not every company is able to send an AP225W wall plate access point home with everyone, we covered 5 tips that would keep remote workers safe and Wi-Fi hackers away in a previous blog, but here’s a refresher:

  1. Connect to your company’s network via VPN (virtual private network).
  2. Configure your home cable modem or router to hide the SSID (service set identifier) to keep Wi-Fi hackers away.
  3. Use a WPA2-, or if you can, WPA3-protected modem/router.
  4. Change the password to your Wi-Fi network frequently. Don’t use the default settings.
  5. Create a guest network for people in your household, so that they can connect to it without getting access to your company’s network.

Although these Wi-Fi tips will keep you and your loved ones safe, they won’t always protect you against the six known Wi-Fi threat categories.

  • Rogue Access Point: Allows attackers to bypass perimeter security.
  • Rogue Client: Delivers malware payloads to the network after connecting to malicious APs.
  • Neighbor Access Point or Client Misassociation: Risks infection from connecting to other SSIDs while in range of the authorized AP.
  • Ad-Hoc Network: Uses peer-to-peer connections to evade security controls and risk exposure to malware.
  • “Evil Twin” Access Point: Lures users to connect to it so as to spy on traffic, steal data and infect systems.
  • Misconfigured Access Point: Opens networks to attack as a result of configuration errors.

None of these threats is new; they have been around since Wi-Fi went mainstream 21 years ago. But one thing that has remained the same, and is so shocking to me – there are no security standards around Layer 2 Wi-Fi to keep Wi-Fi users like you and me safe. This is why I’m advocating for change. We all deserve to connect to Wi-Fi we can trust. I want to be able to connect to Wi-Fi at home or in my favorite coffee shop and not have to look around wondering if the person sitting next to me on their laptop is a hacker. Hackers prefer to go after Wi-Fi because it’s the weak link in the security chain, and it doesn’t take much to hack into a Wi-Fi network.

So, what can we do today to help build the future of a secure Wi-Fi standard across the world? Everyone can join the Trusted Wireless Environment movement and advocate for a global security standard for Wi-Fi. Visit www.TrustedWirelessEnvironment.com today! Every signature we collect will help us partner with organizations such as the Congressional Wi-Fi Caucus, WiFiForward, PCI Security Standards Council, Wi-FiNOW, IEEE, and Wi-Fi Alliance, to name a few. These organizations help build security standards for businesses around the world, and we want to join forces by collaborating with them to make this world a safer place.

Stay safe, everyone!

#TrustYourWiFi

Top Cyber Threats Taking Advantage of the Pandemic Situation

This week, WatchGuard CTO Corey Nachreiner joined our Wi-Fi security experts to discuss top cyber threats that are intensifying in the United States and globally due to the pandemic situation. This trend is not unique to COVID-19. Hackers have always used disasters such as tsunamis and earthquakes, and high-profile events around the world to prey on victims, and this global pandemic is no exception.

Corey offers tips and advice on free tools and online education about email phishing and malware, plus pro tips for hardcore IT professionals in organizations of all shapes and sizes on ways to configure VPN policy for various employees.

Stay safe everyone!

What Should Businesses Anticipate as People Go Back to Work

Businesses all over the world have been caught by surprise by the sudden demands of employees needing to work from home. This huge change in operations puts a strain not only on the employees but also on the company’s network infrastructure.

Was your business prepared to support remote employees at this level? A lot of companies scrambled to keep employees productive, and security may have fallen by the wayside. New business continuity plans and Wi-Fi security training, along with updated network infrastructure, could make a transition like this go much more smoothly. The home office will soon be an extension of your business network – so don’t let this shift compromise your business security.

Wi-Fi specialists from WatchGuard, along with a special guest, offer tips on how to best support your remote workforce and what to expect when we all get back to the office.

How to Keep Your Work Wi-Fi and Home Wi-Fi Happy

Working from home sounds luxurious – you’re saving time and money on your commute, pajamas and sweatpants are the new haute couture, and doing laundry in the middle of the day makes you feel super productive.

Between the kids playing video games and doing schoolwork online, and you trying to host a video web conference for work – the Wi-Fi may not be as happy. Try these tips to configure your home Wi-Fi for best performance for the family and business needs while you’re working from home.

WFH? Now is the Time to Retain Control of Your Wi-Fi Network

The last few weeks have been “interesting” to say the least. The global COVID-19 pandemic has forced much of the workforce to work remotely to help slow the spread of the disease. Working from home can introduce security concerns related to Wi-Fi. With more employees working from home, more people are exposed to Wi-Fi threats, and there is not enough education about the very real threats they’re up against and the need for Wi-Fi security standards.

Now is the time to retain control of your Wi-Fi. I picked up my phone and called Ryan Orsi, director of product management for Wi-Fi at WatchGuard, over FaceTime. He knows Wi-Fi inside out, so who better to provide guidance on keeping your Wi-Fi secure?

Here is a recap of our conversation:

Milena Babayev: I can only imagine how IT departments are being flooded right now with remote worker tickets and most likely don’t have the visibility into their network or device. What do you recommend IT departments do during this time?

Ryan Orsi: Send employees AP225W access points (APs) that are pre-configured with all the necessary security policies. All remote employees have to do is just plug the AP into their home cable modem or router. This will give IT visibility into client performance and network so they can better support the remote workforce and will keep employees secure 24/7 from harmful Wi-Fi hacks.

MB: We’ve been talking a lot lately on how crucial it is for organizations to enable a Trusted Wireless Environment. If sending every employee the AP225W is not an option, is there a way for remote workers to stay safe and keep Wi-Fi hackers away?

RO: Absolutely. Here are some steps you can take at home today to ensure that your Wi-Fi is safe:

  • Connect to your company’s network via VPN (virtual private network).
  • Change the SSID (service set identifier) in your home cable modem or router to ‘hide’ to keep Wi-Fi hackers away.
  • Use a WPA2-, or if you can, WPA3-protected modem/router.
  • Change the password to your Wi-Fi network frequently. Don’t use the default settings.
  • Create a guest network for people in your household, so that they can connect to it without getting access to your company’s network.

MB: Since we’re talking about Wi-Fi security, why do you think the Wi-Fi industry has not adopted any standards around Layer 2 security?

RO: Almost all the demand over the last twenty years has been for connectivity and performance. The industry isn’t going to build something if they don’t think their market wants it. I definitely want this to change, and I think vendors that normally compete need to come together and design new security into the Wi-Fi standard that solves these hacking problems for the average person without them having to take additional steps beyond what they do today: tap or click to connect.

MB: What can we do today to help build the future of secure Wi-Fi standard across the world?

RO: Everyone can join the Trusted Wireless Environment movement and advocate for a global security standard for Wi-Fi. Visit www.TrustedWirelessEnvironment.com today!

Stay safe everyone! #TrustYourWiFi

Don’t Let Kr00k Bend You Out of Shape

Kr00k, a recent vulnerability found by Eset, causes devices sending traffic over Wi-Fi to send unencrypted data, as in the KRACK vulnerability. While a separate vulnerability, KRACK exploits devices by installing an all-zero encryption key, among other issues, whereas Kr00k exploits a timing issue where the client or access point (AP) removes the key before finishing its connection, leading to an all-zero encryption key. With both vulnerabilities, the result is traffic sent unencrypted over Wi-Fi. Eset estimated that billions of devices with Broadcom and Cypress Wi-Fi chips send unencrypted traffic over Wi-Fi when exploited with this vulnerability. We have confirmed that no WatchGuard devices use Broadcom or Cypress chips, so no WatchGuard devices are vulnerable. Connected devices may still fall victim to this attack, though.

Wi-Fi communication typically works by having clients and their connected access point take turns speaking and listening. Unless you use an open Wi-Fi network, the devices communicate securely over the air using standards like WPA2 or WPA3, where the client and AP create a unique key to encrypt the communication (derived from the pre-shared key (PSK) of your Wi-Fi network, or from Extensible Authentication Protocol (EAP) parameters in a Wi-Fi network authenticating with 802.1X). While a device waits for its turn to communicate, it stores the chunks of data in a buffer. Then, when the device’s turn comes up, it encrypts the data using the negotiated key and sends it.

This communication continues with each device taking turns sending and receiving data. The communication between a client and AP stops when one device decides that it wants to disconnect from the network. When this happens, usually one of the devices sends a message to disconnect from the wireless network.

When connecting or disconnecting, the AP and client authenticate or deauthenticate. When the session ends, the client deauthenticates from the AP using management frames. Additionally, a client or AP sending management frames over Wi-Fi must not encrypt this traffic, since they haven’t negotiated a key yet. Therefore, anyone can spoof a deauthentication packet to disconnect a client. Kr00k further exploits some devices by timing the deauthentication packet: when some Broadcom or Cypress chips receive a deauthentication packet while data remains in the transmit buffer, they clear the key and then send the buffered data, so that traffic leaves the device unencrypted.
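The ordering bug described above can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the original post or from Eset, Broadcom or Cypress: a toy transmit path with a session key, a buffer of frames waiting for airtime, and a disassociation handler. The cipher is a constructed HMAC-SHA256 keystream standing in for CCMP (real chips use AES-CCM), and the session key and buffered request are made-up sample values. The vulnerable variant zeroes the key and then flushes the buffer, so a listener who simply assumes the all-zero key reads the frames back; the patched variant discards the buffer first.

```python
import hashlib
import hmac

ZERO_KEY = bytes(16)


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Constructed stand-in for the CCMP keystream: HMAC-SHA256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: int, data: bytes) -> bytes:
    """Stream-cipher style encrypt/decrypt (the same operation in both directions)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


class WifiChip:
    """Minimal model of a station's transmit path: a session key, frames waiting
    for airtime, and the (nonce, ciphertext) pairs that actually went on the air."""

    def __init__(self, session_key: bytes, vulnerable: bool):
        self.key = session_key
        self.vulnerable = vulnerable
        self.tx_buffer = []
        self.pn = 0      # packet number, used as the per-frame nonce
        self.air = []    # everything a passive listener could capture

    def queue(self, frame: bytes) -> None:
        self.tx_buffer.append(frame)

    def transmit(self) -> None:
        """Our turn to talk: encrypt everything queued under the current key."""
        for frame in self.tx_buffer:
            self.pn += 1
            self.air.append((self.pn, xor_crypt(self.key, self.pn, frame)))
        self.tx_buffer.clear()

    def on_disassociation(self) -> None:
        """Reaction to a (possibly spoofed) deauthentication/disassociation frame."""
        if self.vulnerable:
            # Kr00k ordering: key zeroed first, buffered frames flushed afterwards,
            # so they leave the radio "encrypted" under an all-zero key.
            self.key = ZERO_KEY
            self.transmit()
        else:
            # Patched ordering: drop whatever is still queued, then clear the key.
            self.tx_buffer.clear()
            self.key = ZERO_KEY


def recover_with_zero_key(air):
    """What a listener who never learned the real key gets back by assuming the
    all-zero key: readable bytes only for frames leaked by the bug."""
    return [xor_crypt(ZERO_KEY, nonce, ct) for nonce, ct in air]


def demo():
    """Run both chip variants through the same spoofed deauth and report the leak."""
    key = hashlib.sha256(b"constructed session key").digest()[:16]   # sample key
    results = {}
    for name, vulnerable in (("vulnerable", True), ("patched", False)):
        chip = WifiChip(key, vulnerable)
        chip.queue(b"POST /login user=alice")   # constructed buffered request
        chip.on_disassociation()                 # spoofed deauth arrives
        results[name] = recover_with_zero_key(chip.air)
    return results


if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` shows the vulnerable chip's buffered request coming back in the clear and nothing at all leaving the patched chip, which is exactly the difference the vendor patches make; frames sent during a normal session (via `transmit()` under the real key) stay unreadable under the zero key.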

An adversary could easily exploit this vulnerability with a simple device like a Wi-Fi Pineapple. One only needs to send deauthentication packets and monitor the traffic. Typically, the buffer holds up to a few kilobytes of data. While that doesn’t sound like much, if timed correctly one could, for example, catch login details. Attackers could also repeatedly exploit the issue to build up a significant amount of leaked data over time.

We find Kr00k a less severe vulnerability than KRACK, since the client would only send a small amount of traffic unencrypted. Additionally, no one could reasonably determine when the client sends traffic containing the client’s personal information. But this attack affects billions of devices, and only a minimal amount of knowledge is needed to exploit it. Because the exploit is easy and reliable, an attacker can gather information simply by repeating it, even if only a small fraction of attempts capture personal details.

Broadcom and Cypress have released patches so vendors can implement them. Outside of patches from vendors, consumers can mitigate Kr00k by configuring the use of WPA3 only, or by enabling 802.11w protected management frames on their Wi-Fi SSID. WatchGuard also supports enabling 802.11w protected management frames with our Wi-Fi Cloud solution. Also, while a Wireless Intrusion Prevention System (WIPS) cannot prevent attackers from sending deauthentication or disassociation frames to clients and access points, WatchGuard’s Wi-Fi Cloud managed access points can detect and notify administrators about deauthentication flood attacks, which happen when an attacker attempts to take advantage of this vulnerability. On the client side, TLS (SSL) encryption in HTTPS traffic does keep most data safe from this exploit, but for unencrypted traffic you can use a trusted VPN to help protect the traffic.
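Two of the mitigations above, deauthentication-flood alerting and 802.11w protected management frames, can be shown on a handful of frame records. The block below is an added example and not WatchGuard Wi-Fi Cloud code; the frame list is constructed (a burst of twelve unprotected deauths in under two seconds, plus one legitimate protected deauth much later), and the five-second window and ten-frame threshold are assumptions chosen for the example rather than any product's settings.

```python
from collections import defaultdict, deque

# Constructed monitor records: (time_s, frame_type, bssid, client, protected, mic_ok)
BSSID = "aa:bb:cc:00:00:01"
CLIENT = "11:22:33:44:55:66"
FRAMES = [
    (0.0, "data", BSSID, CLIENT, True, True),
    (1.0, "beacon", BSSID, None, False, False),
    (2.5, "data", BSSID, CLIENT, True, True),
]
# the flood: twelve forged, unprotected deauths in under two seconds
FRAMES += [(10.0 + i * 0.17, "deauth", BSSID, CLIENT, False, False) for i in range(12)]
# a legitimate deauth from the AP, protected by 802.11w with a valid MIC
FRAMES += [(30.0, "deauth", BSSID, CLIENT, True, True)]

DISCONNECT_TYPES = {"deauth", "disassoc"}


def detect_deauth_flood(frames, window_s=5.0, threshold=10):
    """Sliding-window rate check per BSSID, the kind of alert a WIPS sensor raises.
    Returns one alert per threshold crossing: (bssid, first_time, crossing_time, count)."""
    alerts = []
    recent = defaultdict(deque)          # bssid -> timestamps still inside the window
    for t, ftype, bssid, _client, _prot, _mic in sorted(frames, key=lambda f: f[0]):
        if ftype not in DISCONNECT_TYPES:
            continue
        q = recent[bssid]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()
        if len(q) == threshold:          # fire once, as the threshold is crossed
            alerts.append((bssid, q[0], t, len(q)))
    return alerts


def honoured_disconnects(frames, pmf_negotiated):
    """Count the disconnect frames a station would actually act on.
    Without PMF every deauth/disassoc tears the session down; once 802.11w is
    negotiated, only frames that are protected and carry a valid MIC do."""
    count = 0
    for _t, ftype, _bssid, _client, protected, mic_ok in frames:
        if ftype not in DISCONNECT_TYPES:
            continue
        if not pmf_negotiated or (protected and mic_ok):
            count += 1
    return count


if __name__ == "__main__":
    for bssid, start, crossed, n in detect_deauth_flood(FRAMES):
        print("deauth flood on %s: %d frames between t=%.2f and t=%.2f" % (bssid, n, start, crossed))
    print("disconnects honoured without PMF:", honoured_disconnects(FRAMES, False))
    print("disconnects honoured with PMF:   ", honoured_disconnects(FRAMES, True))
```

On the constructed input the detector raises a single alert for the burst and stays quiet for the lone legitimate deauth, while the PMF comparison shows thirteen honoured disconnects without 802.11w against one with it: the forged frames are discarded before they can empty the transmit buffer.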

Ruckus (Commscope) Access Points Put to The Hackers’ Test

Did they pass? You’ll have to read on to find out…

Ruckus, which is now a part of Commscope via acquisition in 2018, came into the business-class Wi-Fi market in 2002 with a disruptive antenna design. At the time, the antenna technology was quite novel and utilized multiple electrically-steerable antenna arrays to focus signal on desired targets such as laptops or mobile phones, and reject noisy sources like other Wi-Fi networks and Radio Frequency (RF) interference. Their technology has helped businesses all over the world offer rock-solid Wi-Fi service, but does it keep hackers out?

What do hackers want with Wi-Fi, and who are these people anyway? First, the desired loot of a Wi-Fi hack is the same as for any other cyber attack like ransomware or botnets – information leading to money. Unsuspecting Wi-Fi victims can have the majority of their session silently intercepted by attackers looking for obvious information of value like usernames/passwords and credit card numbers, and less-obvious information like a hotel room number and last name from a captive portal, or web app session cookies. As to the identity of these attackers, it ranges vastly, from curious YouTube watchers in the hotel lobby to nation-state attackers looking to extract high-ranking corporate employees’ login credentials.

A major portion of today’s population uses Wi-Fi, and a subset of those users likely encounter Ruckus access points (APs). Therefore, Wi-Fi professionals at Miercom recently decided to challenge several AP vendors, including Ruckus’ R510, and test whether these devices can automatically detect and prevent the six known Wi-Fi threats, which, if successfully prevented, can keep Wi-Fi users safe from many nefarious hacking activities. The test report shows that the R510 was able to automatically detect two of the six threats (Evil Twin AP and Ad-Hoc) – and failed to automatically detect the other four. The R510 also failed to automatically prevent all six threats.

To prevent a Wi-Fi threat means that the Ruckus AP would send some combination of wireless frames and wired frames out to render the threat useless while the threat is within range. Results are seen in the table below and full test details can be downloaded here. Note the first two columns show the Ruckus R510 operating alone and the green columns show it when a WatchGuard AP125 is added to the network to protect the R510 from Wi-Fi hacks. Remember, the term Wireless Intrusion Prevention System (WIPS) is heavily abused in the industry because there is no vendor-neutral standard that defines exactly what features and capabilities an AP must have to claim it has WIPS. That means that WIPS from Ruckus and WIPS from WatchGuard are totally different, even though the same four letters are claimed by both vendors.

This is one of the main reasons why the Trusted Wireless Environment framework was created to bring transparency to the industry and raise awareness on the seriously overlooked problem of Wi-Fi hacking.

Google It

Using the law of ‘Googling it,’ you’ll see approximately the following number of results for these search terms:

In terms of how important the topic of Wi-Fi hacking is to the Internet, it sits higher than ransomware (but lower than fruit). Mainstream media has had a disproportionately high focus on covering ransomware stories versus Wi-Fi hacks over the past several years. This could likely be driven by the fact that the six Wi-Fi hacks are technically over twenty years old. It’s hard to call it breaking news when Wi-Fi has been hackable for a few decades. It’s also a possible reason why most AP vendors appear not to be making security a priority in their development roadmaps.

Protect Ruckus APs From Hacking with WatchGuard

Fortunately for the market, WatchGuard has been gearing its cloud-managed AP roadmap with unique security feature sets. To determine how existing Ruckus Wi-Fi networks can become Trusted Wireless Environment compliant, Miercom configured a WatchGuard AP125 AP as a security sensor dedicated to protecting the R510 from the six known Wi-Fi threats. The results show that Ruckus was 100% protected once a WatchGuard AP125 AP was added. From a deployment perspective, network and security administrators will find a simple solution where the Ruckus APs continue to connect Wi-Fi users as usual and the WatchGuard APs act as a sort of Wireless Intrusion Prevention System (WIPS) sentry, constantly monitoring the air space and wired network for the presence of any of the six threats.

If you have a Ruckus Wi-Fi network and are wondering how many WatchGuard APs you need to add to your existing Ruckus network to protect it, any WatchGuard reseller near you has access to a professional service from WatchGuard that will provide you with a predictive simulation survey that determines the recommended number of WatchGuard APs, installation locations, and WIPS/Wi-Fi coverage range.

Testing Your Own Wi-Fi Network for Wi-Fi Hacking Vulnerability

Those interested in testing their own Ruckus Wi-Fi networks for Trusted Wireless Environment compliance can follow the Trusted Wireless Environment test guide, and contact Miercom via their website for a more thorough test involving live client workloads.

Emotet Evolves to Gain the Wi-Fi Attribute

A recent addition to the Emotet botnet, found by Binary Defense, enables this malware to spread through Wi-Fi networks. This differs from previous versions of Emotet where it only targeted local wired networks. The Emotet botnet started off as a banking trojan in 2014. Early on, it spread by email and would resend itself to its victims’ contact lists. Later, the botnet progressed to spreading additional malicious payloads, such as ransomware. Now, it has evolved once again, this time to exploit vulnerable Wi-Fi hotspots. Like many botnets, the criminal hackers behind Emotet can configure it with different modules to do a variety of malicious acts.

Before this update, Emotet already had basic worm-like spreading capabilities. If it detects a connected wired network, it tries to spread to other devices on that network using default passwords or basic password brute-forcing. This updated version, however, includes a new and unique Wi-Fi spreader, which allows the malware to jump onto insecure wireless networks like the ones found at many public Wi-Fi hotspots.

Here’s how it works:

  1. Emotet leverages the victim’s wireless adapter to enumerate the local Wi-Fi signal space, and creates a list of any wireless networks (SSIDs) it finds. The victim’s device doesn’t have to connect to any of the found networks for this Wi-Fi enumeration to take place.
  2. Once the malware identifies potential target networks nearby, it attempts to connect to them using a list of common Wi-Fi passwords. If it’s successful connecting to one, it starts the next phase of its attack.
  3. Once connected to a victim Wi-Fi network, Emotet looks for other connected devices and any publicly shared folders they might expose. If it finds one, it launches a different type of brute-force attack, this time trying to connect to the share with common usernames and passwords.
  4. If Emotet succeeds in connecting to any shares found on the Wi-Fi network, it loads a copy of itself onto that share and leverages Windows network commands to try and launch that new copy. If it succeeds, the process starts all over on a new victim.
  5. Finally, the malware also sends information about the Wi-Fi scans and new victim systems to its command and control (C&C). Once the spreading phase is complete, Emotet remains as a bot client connected to the botnet via a C&C. The criminals behind it then have full control of the victim computer and are capable of launching any malicious action depending on what Emotet modules they’ve installed.

You can prevent your wireless networks from succumbing to Emotet’s Wi-Fi spreader using basic Wi-Fi access point (AP) security practices. If you manage a Wi-Fi network, make sure to protect it using the latest WPA3 security and a long password greater than 15 characters. That should prevent a random Emotet-infected computer near your AP from being able to brute-force your SSID password.
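The spreader's behaviour in steps 2 and 3 leaves a visible footprint on the access point: one client failing the PSK handshake repeatedly and across several SSIDs. The following is an added example, not WatchGuard code, of the two checks a defender would want here: a detector that flags that pattern in AP authentication logs, and a passphrase check implementing the "longer than 15 characters, not a common value" advice above. The log format, the log lines and the small denylist are all constructed for the example; a real deployment would feed it the AP's actual log format and a much larger common-password list.

```python
import re
from collections import defaultdict

# Constructed AP authentication log (not real WatchGuard output). One client
# cycles through every SSID in range with bad passphrases; another mistypes once.
AP_LOG = """\
2020-02-10T09:00:01Z ap=ap-lobby ssid="CorpWiFi" client=0a:1b:2c:3d:4e:5f event=handshake-fail
2020-02-10T09:00:03Z ap=ap-lobby ssid="CorpWiFi" client=0a:1b:2c:3d:4e:5f event=handshake-fail
2020-02-10T09:00:05Z ap=ap-lobby ssid="CorpWiFi" client=0a:1b:2c:3d:4e:5f event=handshake-fail
2020-02-10T09:00:07Z ap=ap-lobby ssid="Guest" client=0a:1b:2c:3d:4e:5f event=handshake-fail
2020-02-10T09:00:09Z ap=ap-lobby ssid="Guest" client=0a:1b:2c:3d:4e:5f event=handshake-fail
2020-02-10T09:00:11Z ap=ap-2f ssid="Warehouse" client=0a:1b:2c:3d:4e:5f event=handshake-fail
2020-02-10T09:00:13Z ap=ap-2f ssid="Warehouse" client=0a:1b:2c:3d:4e:5f event=handshake-fail
2020-02-10T09:00:15Z ap=ap-2f ssid="Warehouse" client=0a:1b:2c:3d:4e:5f event=handshake-fail
2020-02-10T09:01:00Z ap=ap-lobby ssid="CorpWiFi" client=66:55:44:33:22:11 event=handshake-fail
2020-02-10T09:01:04Z ap=ap-lobby ssid="CorpWiFi" client=66:55:44:33:22:11 event=assoc-ok
"""

LINE = re.compile(
    r'^(?P<ts>\S+) ap=(?P<ap>\S+) ssid="(?P<ssid>[^"]*)" client=(?P<mac>\S+) event=(?P<event>\S+)$'
)


def parse_log(text):
    """Turn the constructed log format into a list of dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_wifi_bruteforcers(events, max_failures=5, min_ssids=2):
    """Flag clients with many failed PSK handshakes spread over several SSIDs,
    the pattern of a Wi-Fi spreader working through nearby networks.
    Returns {mac: (failure_count, sorted list of SSIDs tried)}."""
    failures = defaultdict(int)
    ssids = defaultdict(set)
    for e in events:
        if e["event"] == "handshake-fail":
            failures[e["mac"]] += 1
            ssids[e["mac"]].add(e["ssid"])
    return {mac: (n, sorted(ssids[mac]))
            for mac, n in failures.items()
            if n >= max_failures and len(ssids[mac]) >= min_ssids}


# Tiny constructed denylist standing in for the "common Wi-Fi passwords" a
# spreader would try; use a real, much larger list in practice.
COMMON_PASSPHRASES = {"password", "12345678", "qwertyuiop", "admin1234"}


def passphrase_policy(passphrase, min_len=16):
    """Apply the advice above: longer than 15 characters and not a common value.
    Returns (ok, reason)."""
    if passphrase.lower() in COMMON_PASSPHRASES:
        return False, "on common-password list"
    if len(passphrase) < min_len:
        return False, "shorter than %d characters" % min_len
    return True, "ok"


if __name__ == "__main__":
    for mac, (n, tried) in find_wifi_bruteforcers(parse_log(AP_LOG)).items():
        print("possible Wi-Fi spreader %s: %d failures across %s" % (mac, n, ", ".join(tried)))
    print(passphrase_policy("12345678"), passphrase_policy("correct horse battery staple 2020"))
```

The thresholds (five failures over at least two SSIDs) are assumptions for the example; the point is that a legitimate user who mistypes once on one SSID is never flagged, while a client sweeping every network in range is, whichever passphrases it tries.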

WatchGuard’s secure APs, including Cloud Wi-Fi APs, have a number of additional security features that also help protect you from parts of this Wi-Fi attack. For instance, AP client isolation can prevent Wi-Fi clients from communicating directly with one another, even when connected to the same AP. This would prevent an Emotet-infected computer that’s connected to a guest network from being able to find and infect other guests.

Wi-Fi Cloud APs also include powerful Wireless Intrusion Prevention (WIPS) features, including Neighbor AP protection. Enabling this feature prevents your users from connecting to any neighboring wireless networks within range of your office. If one of your wireless users was infected by Emotet, this would prevent that user from connecting to and infecting other Wi-Fi networks nearby. That said, it would keep the infected computer on your network, which may still be at risk, but at least it also prevents collateral damage. If you’d like to learn more about our strong WIPS features, check out our Trusted Wireless Environment page.

Good wireless security practices and WatchGuard’s Secure APs can help, but it’s still best to have security controls in place that prevent Emotet infections in the first place. Remember to implement strong anti-malware solutions (like those found in WatchGuard’s Total Security package) at a network and endpoint level. Our proactive malware detection should prevent the latest Emotet from reaching into your network.

Pass or Fail? Aruba’s WIPS Gets Tested by Independent Lab

As the second largest access point (AP) supplier by market share, Aruba Networks, an HPE company, has worked hard to provide worldwide businesses with enterprise-grade Wi-Fi connectivity. You’ll see the company’s APs in many schools, retail locations and airports, among other places. Want a fun scavenger hunt idea? Look up at the ceiling next time you’re in a building and try to identify the AP brand. Be forewarned, this activity is addicting.

Without a doubt, Aruba is an expert in Wi-Fi connectivity. But is the company also an expert in cyber security? Do Aruba APs effectively protect businesses from the six known Wi-Fi threat categories? These six threats operate at Layer 2 of the OSI model and are the entry point of all Wi-Fi attacks. If a business is effectively protected from these six low-layer Wi-Fi threats, then the organization is safe from countless Wi-Fi hacks (even the ones that novice techies can learn to perform in minutes on YouTube). These hacks have been around for more than twenty years and expose a flaw in the foundational invention of Wi-Fi, where client devices (phones, laptops) have no way to determine if the Wi-Fi SSID is being broadcast from a legitimate AP (for example an Aruba AP) or from a hacker’s device such as the totally legal Wi-Fi Pineapple penetration testing tool.

Wi-Fi professionals at Miercom recently took on the challenge of testing whether or not Aruba’s AP-303 AP is capable of automatically detecting and preventing the six known Wi-Fi threats. The test report shows that the AP-303 was able to automatically detect two of the six threats (Evil Twin AP and Ad-Hoc). However, the AP failed to automatically detect the other four. The AP-303 also failed to automatically prevent all six threats. To prevent a Wi-Fi threat means that the Aruba AP would send a combination of wireless frames and wired frames out to render the threat useless while the threat is within range.

Results are seen in the table below and full test details can be downloaded here. Note the first two columns show the Aruba AP-303 operating alone, and the green columns show it when a WatchGuard AP125 is added to the network to protect the AP-303 from Wi-Fi hacks. Did you know that there is no vendor-neutral standard that defines exactly what features and capabilities an AP must have to claim it has a Wireless Intrusion Prevention System (WIPS)? As a result, the WIPS offering from Aruba and the WIPS offering from WatchGuard end up being totally different in their level of comprehensiveness and protection. This is one of the main reasons why the Trusted Wireless Environment framework was created: to bring transparency to the industry and raise awareness of the seriously overlooked problem of Wi-Fi hacking.

As with the Ubiquiti UniFi WIPS test results, you’d have to dig a bit deeper into Aruba’s website to see what Wi-Fi security features are advertised (and keep an eye out for asterisk footnotes indicating a claimed feature could actually still be under development). At first glance, the advertised RFProtect (Aruba’s brand name for WIPS) features sound solid:

RFProtect™ software prevents denial-of-service and man-in-the-middle attacks and mitigates over-the-air security threats. You’ll never need to purchase and install separate RF sensors or security appliances if you have an Aruba wireless LAN.


No obvious asterisk footnote there. But wait! A rather ominous sounding warning is located deep on page 35 of the Aruba Central User Guide:

The Federal Communications Commission (FCC) and some third parties have alleged that under certain circumstances, the use of containment functionality violates 47 U.S.C. §333. Before using any containment functionality, ensure that your intended use is allowed under the applicable rules, regulations, and policies. Aruba is not liable for any claims, sanctions, or other direct, indirect, special, consequential or incidental damages related to your use of containment functionality.

That might not exactly embolden an organization to turn on the WIPS settings in Aruba. It is true that interfering with your neighbor’s legitimate Wi-Fi signal is illegal in most countries. However, you have every right to neutralize a Wi-Fi attack against you. Likely part of the reason why vendors such as Aruba and Cisco Meraki list these kinds of warnings is that certain variations of WIPS can suffer from false positives and false negatives. A false positive, for example, could be that a WIPS feature accidentally flags a neighbor’s legitimate AP as a Rogue AP and prevents connections to it. One such implementation of WIPS that suffers from this false positive/negative situation is wired/wireless MAC address correlation. Miercom describes this and explains why an Apple AirPort AP can bypass almost every vendor’s Rogue AP detection WIPS feature in their report:

Many Wi-Fi security solutions utilize MAC address correlation to identify devices on the same network. The Apple AirPort AP used as the Rogue AP in this test has a differential of more than 5 bits between the wired and wireless interfaces. This variance could potentially cause the correlation algorithm to fail, making the AP undetectable on the wire and therefore undetectable as a rogue AP. Products unable to detect that the AP is connected to the same network as the DUT will result in a “Fail” outcome and imply susceptibility to attackers utilizing products similar to the Apple AirPort or who have altered their MAC address with a customized tool. WatchGuard has overcome this issue with its patented “Marker Packets” technology, which identifies same-network devices with a more reliable detection method.
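The correlation method the quote describes, and both failure modes it warns about, fit in a short script. This is an added illustration, not Miercom's or WatchGuard's code, and it says nothing about how Marker Packets work: a BSSID heard over the air is assumed to belong to a device seen on the wire when a wired MAC shares its vendor prefix (OUI) and lies within a small Hamming distance of it. The 5-bit tolerance follows the figure in the quote and the exact rule is an assumption; every MAC address in the scenario is constructed.

```python
def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def oui(mac: str) -> str:
    """First three octets of the address (the vendor prefix)."""
    return mac.lower()[:8]


def bit_distance(a: str, b: str) -> int:
    """Hamming distance between two 48-bit MAC addresses."""
    return bin(mac_to_int(a) ^ mac_to_int(b)).count("1")


def correlate_bssid(bssid, wired_macs, max_bits=5):
    """Naive wired/wireless correlation: the BSSID is taken to belong to a wired
    device when some wired MAC shares its OUI and differs in at most max_bits bits.
    Returns the closest matching wired MAC, or None."""
    best = None
    for wired in wired_macs:
        if oui(wired) != oui(bssid):
            continue
        d = bit_distance(wired, bssid)
        if d <= max_bits and (best is None or d < best[1]):
            best = (wired, d)
    return best[0] if best else None


def classify_heard_aps(heard_bssids, wired_macs, authorized_bssids, max_bits=5):
    """Label each BSSID heard over the air as authorized, rogue-on-wire or external."""
    labels = {}
    for bssid in heard_bssids:
        if bssid in authorized_bssids:
            labels[bssid] = "authorized"
        elif correlate_bssid(bssid, wired_macs, max_bits):
            labels[bssid] = "rogue-on-wire"
        else:
            labels[bssid] = "external"
    return labels


# Constructed scenario: MACs seen on the switch ports, our own AP, and what the radio hears.
WIRED_MACS = {
    "00:11:22:33:44:50",   # wired side of a consumer AP plugged in without approval
    "00:11:22:a0:00:10",   # wired side of an AirPort-style AP whose radio MAC is unrelated
    "00:11:22:aa:bb:01",   # an innocent wired printer from the same vendor
}
AUTHORIZED_BSSIDS = {"00:aa:bb:00:00:01"}
HEARD = [
    "00:aa:bb:00:00:01",   # our own AP
    "00:11:22:33:44:51",   # typical rogue: radio MAC = wired MAC + 1      -> caught
    "00:11:22:b7:c9:32",   # AirPort-style rogue: many bits differ          -> missed (false negative)
    "00:11:22:aa:bb:03",   # neighbour's AP, numerically next to the printer -> wrongly flagged (false positive)
]


if __name__ == "__main__":
    for bssid, label in classify_heard_aps(HEARD, WIRED_MACS, AUTHORIZED_BSSIDS).items():
        print(bssid, label)
```

Run on the constructed scenario, the typical rogue (one bit away from its wired port) is caught, the AirPort-style rogue is nine or more bits from every wired MAC and is labelled external (the false negative from the quote), and the neighbour's AP is wrongly tied to the printer two bits away (the false positive). Loosening `max_bits` would catch the AirPort but produce more of the second kind of error, which is the trade-off that makes pure MAC correlation unreliable.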

If You Use or Deploy Aruba APs: Protect Them From Hacking with WatchGuard

Miercom test professionals recognized that WatchGuard has been gearing its cloud-managed AP roadmap with unique security feature sets. To determine how existing Aruba Wi-Fi networks can become Trusted Wireless Environment compliant, Miercom configured a WatchGuard AP125 AP as a security sensor dedicated to protecting the AP-303 from the six known Wi-Fi threats. The results show that Aruba was 100% protected once a WatchGuard AP125 AP was added. From a deployment perspective, network and security administrators will find a simple solution where the Aruba APs continue to connect Wi-Fi users as usual and the WatchGuard APs act as a sort of WIPS sentry, constantly monitoring the air space and wired network for the presence of any of the six threats.

If you have an Aruba Wi-Fi network and are wondering how many WatchGuard APs you need to add to your existing Aruba network to protect it, any WatchGuard reseller has access to a professional service from WatchGuard that will provide you with a predictive simulation survey that determines the recommended number of WatchGuard APs, installation locations, and WIPS/Wi-Fi coverage range.

Testing Your Own Wi-Fi Network for Wi-Fi Hacking Vulnerability

Those interested in testing their own Aruba Wi-Fi networks for Trusted Wireless Environment compliance can follow the Trusted Wireless Environment test guide, and contact Miercom via their website for a more thorough test involving live client workloads. The Evil Twin test procedure is provided below, and the five other tests are included in the test guide:

Evil Twin Access Point

An Evil Twin is a type of AP where a malicious user duplicates and broadcasts the same SSID name of a legitimate AP within the range of the network. The Evil Twin can also spoof the MAC address of the legitimate AP. Wi-Fi clients connect to the Evil Twin AP unaware that this is not a legitimate AP. When the unsuspecting Wi-Fi client is connected to an Evil Twin AP, the malicious user can execute various man-in-the-middle attacks to intercept the client’s communications and data.

Requirements:

  • An AP to operate as the Evil Twin AP
    • This can be a WiFi Pineapple device, or any hardware or software-based access point or mobile hotspot with MAC spoofing capabilities.
      Note: The WiFi Pineapple Nano only operates on 2.4 GHz. For best results, consider the WiFi Pineapple Tetra for 2.4 and 5 GHz operation.
  • Authorized AP
    • An AP connected to your wired network that is known and trusted by your Wi-Fi security system as a legitimate AP.
  • One authorized wireless client.
  • A host connected to your wired network that can accept a ping request.

Test Steps:

  1. Configure an SSID on the Authorized AP. This SSID will act as the legitimate SSID. Note the subnet of your authorized network (for example: 192.168.x.x).
  2. Verify this legitimate SSID is detected as an authorized AP by your Wi-Fi security system.
  3. Enable the prevention (containment) measures of your Wi-Fi security system.
  4. On the AP that will operate as the Evil Twin AP, configure the Evil Twin AP to spoof and broadcast the same SSID as the Authorized AP (case sensitive). Configure the subnet of the Evil Twin AP to be different than your authorized network (for example: 172.16.42.x).
  5. Configure the Evil Twin AP to only allow associations from your own wireless client (MAC filtering). This is important to avoid disruption to the legitimate Wi-Fi network you are testing.
  6. Use the NetSpot or inSSIDer software to make sure you can see the Evil Twin AP’s SSID on the network.
  7. Start a timer so that you can see how long it takes for your Wi-Fi security system to detect the presence of the Evil Twin AP.
  8. Periodically refresh the management user interface of your Wi-Fi security system and note the approximate time it takes for the system to detect the Evil Twin AP.
  9. From the authorized wireless client, connect and associate to the Evil Twin AP’s SSID. Note the subnet of the DHCP assigned IP address that the client has received from the Evil Twin AP (for example: 172.16.42.50).
  10. Note the approximate time it takes for the authorized wireless client to have its IP address subnet changed from the Evil Twin subnet (172.16.42.x) back to the legitimate authorized AP’s subnet (192.168.x.x). This indicates when your Wi-Fi security features have detected and automatically prevented the authorized client from associating to the Evil Twin’s spoofed SSID, and forced the client to re-associate to the legitimate authorized AP.

Evil Twin AP Test Pass/Fail Summary:

  • Detection: If the Evil Twin AP is detected in step 7, the Wi-Fi security system has passed the test.
  • Prevention: If the authorized client’s IP subnet automatically changes from the Evil Twin subnet to the authorized AP subnet, the Wi-Fi security system has passed the test.
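To turn the timing noted in steps 8 and 10 into the pass/fail summary above, here is an added scoring helper (not part of the test guide). It assumes you polled the authorized client's IP address every few seconds after step 9 and recorded it as a list of (seconds, address) samples; the sample log below is constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Subnets from the test steps: authorized AP (step 1) and Evil Twin AP (step 4).
AUTHORIZED_NET = ip_network("192.168.0.0/16")
EVIL_TWIN_NET = ip_network("172.16.42.0/24")

# Constructed sample: (seconds since the client associated in step 9, client IPv4).
# In a real run, poll the client's address every few seconds and record it here.
SAMPLE_LOG = [
    (0, "172.16.42.50"),
    (5, "172.16.42.50"),
    (10, "172.16.42.50"),
    (15, "192.168.1.23"),   # WIPS forced re-association to the authorized AP
    (20, "192.168.1.23"),
]


def classify(ip, authorized=AUTHORIZED_NET, evil_twin=EVIL_TWIN_NET):
    """Label a client address by the subnet it falls in."""
    addr = ip_address(ip)
    if addr in evil_twin:
        return "evil_twin"
    if addr in authorized:
        return "authorized"
    return "other"


def evaluate_prevention(log, authorized=AUTHORIZED_NET, evil_twin=EVIL_TWIN_NET):
    """Step 10: 'pass' if the client held an Evil Twin address and later moved
    back to the authorized subnet, 'fail' if it stayed on the Evil Twin subnet,
    'inconclusive' if it never received an Evil Twin address (steps 4-9 did not
    take effect). Returns (result, seconds until the move back, or None)."""
    associated_at = None
    for t, ip in log:
        kind = classify(ip, authorized, evil_twin)
        if kind == "evil_twin" and associated_at is None:
            associated_at = t
        elif kind == "authorized" and associated_at is not None:
            return "pass", t - associated_at
    return ("inconclusive", None) if associated_at is None else ("fail", None)


def summarize(detection_seconds, log):
    """Combine the step 8 detection timer (None if the system never flagged the
    Evil Twin AP) with the step 10 prevention result into the summary."""
    prevention, seconds = evaluate_prevention(log)
    return {
        "detection": "pass" if detection_seconds is not None else "fail",
        "detection_seconds": detection_seconds,
        "prevention": prevention,
        "prevention_seconds": seconds,
    }
```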

To learn more about protecting your AP installations from Wi-Fi hacks visit https://www.watchguard.com/wifi-wips-report

How To Stop Wi-Fi Hackers Abusing Ubiquiti’s UniFi Access Points

Ubiquiti, a global networking technology company, came onto the mainstream marketplace beginning in 2005 with a clever idea: offering products at low prices to mass markets and guiding channel players to monetize their services instead of the hardware. Every strategy has its pluses and minuses, and some would say Ubiquiti’s low-price leader concept swung the pendulum too far, reducing their own ability to re-invest profits into their research and development department. Others would say the low-price leader concept has worked and put the UniFi brand on the map alongside networking names like Cisco Meraki. Regardless of which viewpoint you align with, the number of businesses with Ubiquiti UniFi access points around the world is impressive, and therefore a prime target for cyber criminals, as evidenced by a vulnerability disclosed last year.

Thinking of how exposed a business would be to eavesdropping, credential theft, and web history/email theft if attackers were to hack past a UniFi access point, Wi-Fi professionals at Miercom recently tested Ubiquiti’s UniFi Secure HD access point (AP) to determine if it could automatically detect and prevent the six known Wi-Fi threats. The UAP-AC-SHD was only able to automatically detect one of the six threats – the Evil Twin AP – and failed to automatically detect the other five. The UAP-AC-SHD also failed to automatically prevent all six threats. Results are seen in the table below and full test details can be downloaded here. Note the blue columns show the UAP-AC-SHD operating alone and the red columns show it when a WatchGuard AP125 is added to the network to protect the UAP-AC-SHD from Wi-Fi hacks.

If you’re a cyber security expert, you’re likely not surprised at these findings, as most Wi-Fi equipment makers have put security on the back burner for years, mostly because the general market doesn’t have exposure to how severe a problem Wi-Fi hacking is, and therefore it isn’t top of mind for most buyers. However, if you’re not a security expert, or if you’re using a Ubiquiti access point right now, you might be a bit shocked. Especially when the UniFi Secure HD AP contains a dedicated radio that “Constantly monitors and protects against threats” as displayed on the website.

Feeling my electrical engineering roots tugging at me, I had to dig deeper to see if there was some kind of technical footnote that could explain away why the dedicated security radio inside the UAP-AC-SHD appeared to be mostly ineffective at stopping major Wi-Fi hacks. Alas! On page 5 of the UniFi Secure HD AP datasheet was this text with the ol’ asterisk footnote:

Threat Management The UniFi SHD AP’s dedicated security radio provides persistent threat management to act as a Wireless Intrusion Prevention System (WIPS)* and Wireless Intrusion Detection System (WIDS). Such a dedicated radio affords frequency agility – meaning all available Wi-Fi channels are monitored constantly for threats – not just the channels the AP is using.

* Currently full-time rogue access point detection is the main WIPS feature of the dedicated security radio.

My footnote quest was over but I still feel unfulfilled because the UAP-AC-SHD actually failed the Rogue AP detection test causing me to chalk it up to features still under development at Ubiquiti.

You can protect your UniFi APs from Hacking

Miercom test professionals recognized that WatchGuard has been gearing its cloud-managed AP roadmap with unique security feature sets. To determine how existing Ubiquiti UniFi networks can become Trusted Wireless Environment compliant, Miercom configured a WatchGuard AP125 AP as a security sensor dedicated to protecting the UAP-AC-SHD from the six known Wi-Fi threats. The results show that Ubiquiti Wi-Fi networks that would’ve been vulnerable to the six Wi-Fi threats are 100% protected once a WatchGuard AP125 AP was added. From a deployment perspective, network and security administrators will find a simple solution where the UniFi APs continue to connect Wi-Fi users as usual and the WatchGuard APs act as a sort of Wireless Intrusion Prevention System (WIPS) sentry, constantly monitoring the air space and wired network for the presence of any of the six threats.

Wi-Fi hacking is a hot topic, but one that’s plagued by ambiguous and often contradictory technical terminology. Thankfully, there is a solution to the problem: the Trusted Wireless Environment. The Trusted Wireless Environment framework succinctly defines the six Layer 2 Wi-Fi hacks that affect nearly every business today and provides simple test criteria to determine if a Wi-Fi network is protected from each type of attack.

Those interested in testing their own Ubiquiti Wi-Fi networks for Trusted Wireless Environment compliance can follow the Trusted Wireless Environment test guide, and contact Miercom via their website for a more thorough test involving live client workloads. Lastly, if you’re wondering how many WatchGuard APs you need to add to your existing Ubiquiti Wi-Fi network to protect it, any WatchGuard reseller near you has access to a professional service from WatchGuard that will provide you with a predictive simulation survey that determines the recommended number of WatchGuard APs, installation locations, and WIPS/Wi-Fi coverage range.