As the second largest access point (AP) supplier by market share, Aruba Networks, an HPE company, has worked hard to provide businesses worldwide with enterprise-grade Wi-Fi connectivity. You’ll see the company’s APs in many schools, retail locations and airports, among other places. Want a fun scavenger hunt idea? Look up at the ceiling next time you’re in a building and try to identify the AP brand. Be forewarned, this activity is addictive.

Without a doubt, Aruba is an expert in Wi-Fi connectivity. But is the company also an expert in cyber security? Do Aruba APs effectively protect businesses from the six known Wi-Fi threat categories? These six threats operate at Layer 2 of the OSI model and are the entry point of all Wi-Fi attacks. If a business is effectively protected from these six low-layer Wi-Fi threats, then the organization is safe from countless Wi-Fi hacks (even the ones that novice techies can learn to perform in minutes on YouTube). These hacks have been around for more than twenty years and expose a flaw in the foundational design of Wi-Fi: client devices (phones, laptops) have no way to determine whether a Wi-Fi SSID is being broadcast from a legitimate AP (for example an Aruba AP) or from a hacker’s device, such as the entirely legal Wi-Fi Pineapple penetration testing tool.

Wi-Fi professionals at Miercom recently took on the challenge of testing whether or not Aruba’s AP-303 AP is capable of automatically detecting and preventing the six known Wi-Fi threats. The test report shows that the AP-303 was able to automatically detect two of the six threats (Evil Twin AP and Ad-Hoc). However, the AP failed to automatically detect the other four. The AP-303 also failed to automatically prevent each of the six threats. To prevent a Wi-Fi threat means that the Aruba AP would send a combination of wireless frames and wired frames to render the threat useless while the threat is within range.

Results are seen in the table below, and full test details can be downloaded here. Note that the first two columns show the Aruba AP-303 operating alone, and the green columns show it when a WatchGuard AP125 is added to the network to protect the AP-303 from Wi-Fi hacks. Did you know that there is no vendor-neutral standard that defines exactly what features and capabilities an AP must have to claim it has a Wireless Intrusion Prevention System (WIPS)? As a result, the WIPS offering from Aruba and the WIPS offering from WatchGuard end up being totally different in their comprehensiveness and level of protection. This is one of the main reasons the Trusted Wireless Environment framework was created: to bring transparency to the industry and raise awareness of the seriously overlooked problem of Wi-Fi hacking.

As with the Ubiquiti UniFi WIPS test results, you’d have to dig a bit deeper into Aruba’s website to see what Wi-Fi security features are advertised (and keep an eye out for asterisk footnotes indicating that a claimed feature could actually still be under development). At first glance, the advertised RFProtect (Aruba’s brand name for WIPS) features sound solid:

RFProtect™ software prevents denial-of-service and man-in-the-middle attacks and mitigates over-the-air security threats. You’ll never need to purchase and install separate RF sensors or security appliances if you have an Aruba wireless LAN.


No obvious asterisk footnote there. But wait! A rather ominous-sounding warning is located deep on page 35 of the Aruba Central User Guide:

The Federal Communications Commission (FCC) and some third parties have alleged that under certain circumstances, the use of containment functionality violates 47 U.S.C. §333. Before using any containment functionality, ensure that your intended use is allowed under the applicable rules, regulations, and policies. Aruba is not liable for any claims, sanctions, or other direct, indirect, special, consequential or incidental damages related to your use of containment functionality.

That might not exactly embolden an organization to turn on the WIPS settings in Aruba. It is true that interfering with your neighbor’s legitimate Wi-Fi signal is illegal in most countries. However, you have every right to neutralize a Wi-Fi attack against you. Likely part of the reason why vendors such as Aruba and Cisco Meraki list these kinds of warnings is that certain variations of WIPS can suffer from false positives and false negatives. A false positive, for example, could be a WIPS feature accidentally flagging a neighbor’s legitimate AP as a Rogue AP and preventing connections to it. One implementation of WIPS that suffers from this false positive/negative situation is wired/wireless MAC address correlation. Miercom describes this in their report and explains why an Apple AirPort AP can bypass almost every vendor’s Rogue AP detection WIPS feature:

Many Wi-Fi security solutions utilize MAC address correlation to identify devices on the same network. The Apple AirPort AP used as the Rogue AP in this test has a differential of more than 5 bits between the wired and wireless interfaces. This variance could potentially cause the correlation algorithm to fail, making the AP undetectable on the wire and therefore undetectable as a rogue AP. Products unable to detect that the AP is connected to the same network as the DUT will result in a “Fail” outcome and imply susceptibility to attackers utilizing products similar to the Apple AirPort or who have altered their MAC address with a customized tool. WatchGuard has overcome this issue with its patented “Marker Packets” technology which identifies same network devices with a more reliable detection method.
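To make the false positive and the false negative concrete, here is an added example (not Miercom's test code and not any vendor's WIPS implementation) that models the correlation heuristic the report describes: a wireless BSSID is treated as "on our wire" when it sits within a few bits of a MAC address seen on the wired LAN, because many vendors derive BSSIDs from the Ethernet MAC by flipping low-order bits. The 5-bit threshold is taken from the report's remark about the AirPort's differential; every MAC address and device label below is constructed (locally administered 02:xx ranges), and the neighbour's address is deliberately chosen to land inside the threshold.

```python
"""Wired/wireless MAC address correlation and the two ways it misfires.

Added example for this article, not Miercom's or any vendor's code.
All MAC addresses below are constructed.
"""
from typing import Dict, Iterable, Optional


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (or '-' separated) into a 48-bit integer."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def hamming_distance(mac_a: str, mac_b: str) -> int:
    """Number of bit positions in which two MAC addresses differ."""
    return bin(mac_to_int(mac_a) ^ mac_to_int(mac_b)).count("1")


def correlate(bssid: str, wired_macs: Iterable[str], max_bits: int = 5) -> Optional[str]:
    """Return the closest wired MAC within max_bits of the BSSID, else None.

    This is the guess the report calls MAC address correlation: a near match
    between a heard BSSID and a MAC seen on the LAN is taken as proof that the
    AP is plugged into our network. The threshold is an assumption.
    """
    best: Optional[tuple] = None
    for wired in wired_macs:
        distance = hamming_distance(bssid, wired)
        if distance <= max_bits and (best is None or distance < best[1]):
            best = (wired, distance)
    return best[0] if best else None


def classify_aps(observed_bssids: Iterable[str], wired_macs: Iterable[str],
                 authorized_bssids: Iterable[str], max_bits: int = 5) -> Dict[str, str]:
    """Label each heard BSSID as authorized, rogue (on our wire) or external."""
    authorized = {b.lower() for b in authorized_bssids}
    wired = list(wired_macs)
    verdicts: Dict[str, str] = {}
    for bssid in observed_bssids:
        if bssid.lower() in authorized:
            verdicts[bssid] = "authorized"
        elif correlate(bssid, wired, max_bits) is not None:
            verdicts[bssid] = "rogue"      # would be a containment candidate
        else:
            verdicts[bssid] = "external"   # assumed to be a neighbour: left alone
    return verdicts


# Constructed scenario (not from the report).
WIRED_MACS = [
    "02:00:5e:10:00:00",  # Ethernet port of our authorized AP
    "02:00:5e:20:00:00",  # Ethernet port of an AirPort-like AP someone plugged in
]
AUTHORIZED_BSSIDS = ["02:00:5e:10:00:01"]   # wireless side of our AP, 1 bit off its wired MAC
OBSERVED_BSSIDS = [
    "02:00:5e:10:00:01",  # our authorized AP
    "02:00:5e:2f:ff:f0",  # the AirPort-like AP: 16 bits away from its own wired MAC
    "02:00:5e:10:00:13",  # a neighbour's AP that happens to be 3 bits from our AP's wired MAC
]


def demo() -> Dict[str, str]:
    """Run the heuristic over the constructed scenario."""
    return classify_aps(OBSERVED_BSSIDS, WIRED_MACS, AUTHORIZED_BSSIDS)


if __name__ == "__main__":
    for bssid, verdict in demo().items():
        print(f"{bssid}  ->  {verdict}")
    # The AirPort-like AP comes back "external" (false negative: it is on our
    # wire but never contained) and the neighbour comes back "rogue" (false
    # positive: containing it is exactly the interference the Aruba warning is about).
```

The verdicts for the second and third BSSIDs are both wrong, and in opposite directions, which is why the report treats address arithmetic as an unreliable way to decide whether an AP is on your network. The page's remedy, WatchGuard's Marker Packets, replaces that arithmetic with a direct same-network check; this example does not model it.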

If You Use or Deploy Aruba APs: Protect Them From Hacking with WatchGuard

Miercom test professionals recognized that WatchGuard has been gearing its Cloud-managed AP roadmap toward unique security feature sets. To determine how existing Aruba Wi-Fi networks can become Trusted Wireless Environment compliant, Miercom configured a WatchGuard AP125 AP as a security sensor dedicated to protecting the AP-303 from the six known Wi-Fi threats. The results show that Aruba was 100% protected once a WatchGuard AP125 AP was added. From a deployment perspective, network and security administrators will find a simple solution in which the Aruba APs continue to connect Wi-Fi users as usual and the WatchGuard APs act as a sort of WIPS sentry, constantly monitoring the airspace and wired network for the presence of any of the six threats.

If you have an Aruba Wi-Fi network and are wondering how many WatchGuard APs you need to add to your existing Aruba network to protect it, any WatchGuard reseller has access to a professional service from WatchGuard that will provide you with a predictive simulation survey that determines the recommended number of WatchGuard APs, installation locations, and WIPS/Wi-Fi coverage range.

Testing Your Own Wi-Fi Network for Wi-Fi Hacking Vulnerability

Those interested in testing their own Aruba Wi-Fi networks for Trusted Wireless Environment compliance can follow the Trusted Wireless Environment test guide, and contact Miercom via their website for a more thorough test involving live client workloads.  The Evil Twin Test procedure is provided below and the five other tests are included in the test guide:

Evil Twin Access Point

An Evil Twin is a type of AP where a malicious user duplicates and broadcasts the same SSID name of a legitimate AP within the range of the network. The Evil Twin can also spoof the MAC address of the legitimate AP. Wi-Fi clients connect to the Evil Twin AP unaware that this is not a legitimate AP. When the unsuspecting Wi-Fi client is connected to an Evil Twin AP, the malicious user can execute various man-in-the-middle attacks to intercept the client’s communications and data.

Requirements:

  • An AP to operate as the Evil Twin AP
    • This can be a WiFi Pineapple device, or any hardware or software-based access point or mobile hotspot with MAC spoofing capabilities.
      Note: The WiFi Pineapple Nano only operates on 2.4 GHz. For best results, consider the WiFi Pineapple Tetra for 2.4 and 5 GHz operation.
  • Authorized AP
    • An AP connected to your wired network that is known and trusted by your Wi-Fi security system as a legitimate AP.
  • One authorized wireless client.
  • A host connected to your wired network that can accept a ping request.

Test Steps:

  1. Configure an SSID on the Authorized AP. This SSID will act as the legitimate SSID. Note the subnet of your authorized network (for example: 192.168.x.x).
  2. Verify this legitimate SSID is detected as an authorized AP by your Wi-Fi security system.
  3. Enable the prevention (containment) measures of your Wi-Fi security system.
  4. On the AP that will operate as the Evil Twin AP, configure the Evil Twin AP to spoof and broadcast the same SSID as the Authorized AP (case sensitive). Configure the subnet of the Evil Twin AP to be different from your authorized network (for example: 172.16.42.x).
  5. Configure the Evil Twin AP to only allow associations from your own wireless client (MAC filtering). This is important to avoid disruption to the legitimate Wi-Fi network you are testing.
  6. Use the NetSpot or inSSIDer software to make sure you can see the Evil Twin AP’s SSID on the network.
  7. Start a timer so that you can see how long it takes for your Wi-Fi security system to detect the presence of the Evil Twin AP.
  8. Periodically refresh the management user interface of your Wi-Fi security system and note the approximate time it takes for the system to detect the Evil Twin AP.
  9. From the authorized wireless client, connect and associate to the Evil Twin AP’s SSID. Note the subnet of the DHCP assigned IP address that the client has received from the Evil Twin AP (for example: 172.16.42.50).
  10. Note the approximate time it takes for the authorized wireless client to have its IP address subnet changed from the Evil Twin subnet (172.16.42.x) back to the legitimate authorized AP’s subnet (192.168.x.x). This indicates when your Wi-Fi security features have detected and automatically prevented the authorized client from associating to the Evil Twin’s spoofed SSID, and forced the client to re-associate to the legitimate authorized AP.

Evil Twin AP Test Pass/Fail Summary:

  • Detection: If the Evil Twin AP is detected in step 7, the Wi-Fi security system has passed the test.
  • Prevention: If the authorized client’s IP subnet automatically changes from the Evil Twin subnet to the authorized AP subnet, the Wi-Fi security system has passed the test.
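Steps 7 through 10 and the pass/fail summary come down to watching a clock and the authorized client's IP address. The following is an added example, not part of the Trusted Wireless Environment test guide or Miercom's tooling, that scores a run from that data: you record the client's IPv4 address at intervals while the timer runs (read off `ipconfig` or `ip addr` on the client) together with the time at which the management UI first showed the Evil Twin, and it reports when the client fell onto the Evil Twin subnet and when the WIPS forced it back. The 172.16.42.0/24 subnet is the guide's example; 192.168.10.0/24 is a constructed instance of the guide's "192.168.x.x"; the two observation logs are constructed.

```python
"""Scoring the Evil Twin test from a log of the authorized client's IP address.

Added example for this article; not from the test guide or from Miercom.
Subnets and observation logs are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

AUTHORIZED_NET = ipaddress.ip_network("192.168.10.0/24")  # step 1 (constructed instance of 192.168.x.x)
EVIL_TWIN_NET = ipaddress.ip_network("172.16.42.0/24")    # step 4, as in the guide


def which_network(ip: str) -> str:
    """Map a client address to 'authorized', 'evil_twin' or 'other'."""
    addr = ipaddress.ip_address(ip)
    if addr in AUTHORIZED_NET:
        return "authorized"
    if addr in EVIL_TWIN_NET:
        return "evil_twin"
    return "other"  # e.g. 169.254.x.x while the client is between DHCP leases


@dataclass
class EvilTwinResult:
    detection_pass: bool
    detected_after: Optional[float]             # seconds until the management UI listed the Evil Twin
    joined_evil_twin_at: Optional[float]        # seconds when the client first held an Evil Twin lease
    returned_to_authorized_at: Optional[float]  # seconds when it was back on the authorized subnet
    prevention_pass: bool
    prevention_seconds: Optional[float]         # how long the client stayed on the Evil Twin


def evaluate(observations: Iterable[Tuple[float, str]],
             detected_after: Optional[float] = None) -> EvilTwinResult:
    """Apply the guide's pass/fail rules to (seconds_since_timer_start, client_ip) samples.

    detected_after is the value read off the WIPS management UI in step 8,
    or None if the Evil Twin never appeared there (detection fail).
    """
    joined: Optional[float] = None
    returned: Optional[float] = None
    for t, ip in sorted(observations):
        net = which_network(ip)
        if net == "evil_twin" and joined is None:
            joined = t        # step 9: client took a lease from the Evil Twin
        elif net == "authorized" and joined is not None and returned is None:
            returned = t      # step 10: client is back on the legitimate AP
    prevention_pass = joined is not None and returned is not None
    return EvilTwinResult(
        detection_pass=detected_after is not None,
        detected_after=detected_after,
        joined_evil_twin_at=joined,
        returned_to_authorized_at=returned,
        prevention_pass=prevention_pass,
        prevention_seconds=(returned - joined) if prevention_pass else None,
    )


# Constructed logs: one run where the WIPS contained the Evil Twin, one where it did nothing.
CONTAINED_RUN = [(0, "192.168.10.50"), (30, "192.168.10.50"), (45, "172.16.42.50"),
                 (60, "172.16.42.50"), (75, "172.16.42.50"), (90, "169.254.7.9"),
                 (105, "192.168.10.50")]
UNPROTECTED_RUN = [(0, "192.168.10.50"), (45, "172.16.42.50"), (300, "172.16.42.50"),
                   (600, "172.16.42.50")]


if __name__ == "__main__":
    for label, run, seen in (("contained", CONTAINED_RUN, 40.0),
                             ("unprotected", UNPROTECTED_RUN, None)):
        r = evaluate(run, detected_after=seen)
        print(f"{label}: detection {'PASS' if r.detection_pass else 'FAIL'}, "
              f"prevention {'PASS' if r.prevention_pass else 'FAIL'}, "
              f"time on Evil Twin: {r.prevention_seconds} s")
```

A run in which the client never obtains an Evil Twin lease scores a prevention fail as well, because the guide's prevention criterion is a subnet change from the Evil Twin back to the authorized network, and without the first half of that change nothing has been demonstrated. The `other` bucket keeps a transient link-local address during re-association from being mistaken for a return to the legitimate AP.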

To learn more about protecting your AP installations from Wi-Fi hacks visit https://www.watchguard.com/wifi-wips-report