Bad Karma for Wi-Fi on Windows?

At the recent SchmooCon conference in Washington, D.C., Mark Loveless (aka Simple Nomad) described an interesting behavior of Wi-Fi connectivity in Windows Server 2003, Windows XP, and Windows 2000. In a subsequent advisory (at the URL below), Loveless points out that "If a laptop connects to an ad-hoc network it can later start beaconing the ad-hoc network's SSID as its own ad-hoc network without the laptop owner's knowledge. This can allow an attacker to attach to the laptop as a prelude to further attack."

http://www.nmrc.org/pub/advise/20060114.txt

There are workarounds to help ensure this doesn't happen to your users' computers. The best solution is to configure the network connections (by using the Wireless Network Connection applet) so that they connect only to Access Points (APs), which will prevent any connections to ad hoc networks. You'll find step-by-step instructions in Loveless's advisory.

Loveless checked during various airplane flights to see how many laptops were available via Wi-Fi connectivity and how many of those were vulnerable to remote compromise or were open enough to allow files to be copied to and from their drives. On one flight, 12 laptops were available, and of those 12, 5 were broadcasting ad hoc networks and 4 were completely vulnerable to intrusion.

These numbers suggest that many people might have had their personal data copied during in-flight use of their laptops. Of course, a decent firewall would make such intrusion much more difficult to accomplish. But many people don't have adequate protection in place.

I recently learned about a new Wi-Fi client security assessment tool called KARMA. KARMA clearly shows the dangers of wireless networking given today's technology. Dino A. Dai Zovi, one of the developers of KARMA, wrote that "Windows and Mac OS X probe for every network in the preferred/trusted networks list upon boot up and [when] waking from sleep. Under Windows the entire list is [probed continually] when the machine is not currently associated to a wireless network." And that's bad news for Windows users when a tool like KARMA is in use, even if you use the workarounds described in Loveless's advisory.

Here's why: KARMA uses a modified Wi-Fi driver on Linux and FreeBSD systems to establish a wireless AP. KARMA operates in stealth fashion--it doesn't send out beacons advertising its presence. Instead, it monitors the airwaves listening for wireless client probes that are looking for a particular AP by its SSID. When KARMA detects a probe, it responds to the client as if it were the sought-after AP. That is to say, KARMA changes its SSID on the fly and mimics a host AP. This effectively lures unsuspecting Wi-Fi users into KARMA's wireless network. KARMA also includes a framework that can be used to develop exploits for use against vulnerabilities in connected client systems.

According to Zovi, "[KARMA] revealed vulnerabilities in how Windows XP and Mac OS X look for networks, so clients may join even if their preferred networks list is empty." Zovi also said that Apple already issued an update (at the URL below) to correct the problem. Microsoft intends to correct this behavior in an upcoming service pack or update rollup package. For XP, that could mean Service Pack 3 (SP3), due out sometime in late 2007.

http://docs.info.apple.com/article.html?artnum=301988

In the meantime, you might want to get a copy of KARMA (at the URL below) and try it out on your wireless clients. As best I can tell, right now the only way to defend against a tool like KARMA is for wireless clients to require authentication when connecting to APs.

http://www.theta44.org/karma