Thursday, November 4, 2010

SSIDvertisements

[Category- Innovative Ideas]


The number of page views is one of the most important factors deciding the popularity of a website or an online business. Let's imagine a completely wireless world. What would be the most viewed page? Of course, the page that pops up when we search for available Wi-Fi networks, or when we open the Wi-Fi network settings on a smartphone.


Figure 1: List of available Wi-Fi networks
What we see in the list are the names of the wireless networks in range. In technical terms, the name is called the Service Set Identifier, or SSID, and it can be at most 32 characters long. Thousands of travelers around the world click and search for available wireless networks. So can it be used by local businesses to advertise and promote their products? Though it sounds weird, it is possible. You just need SSIDvertisement-enabled Wi-Fi networks: you advertise your offerings through the SSID itself, and the ad appears to your potential customers as follows:


Figure 2: SSIDvertisement seen on a smartphone
Figure 3: SSIDvertisements seen on a Windows laptop
In places like airports, stations and sports grounds it is hard to reach people because of the crowds, and you cannot advertise through pamphlets either. But the "SSIDvertisements" technique can help you reach them without extra effort. It is that easy. What you need is basically a platform or product through which you can advertise the discounts or offers you may be giving.


I am talking about a completely hypothetical idea. I haven't yet seen any platform or product that would allow you to place ads in a wireless network this way. If you are a wireless platform vendor and want to productize it, please leave a comment with your contact details and I will get back to you soon.

Tuesday, November 2, 2010

IBM Researchers Propose To Fix Security Issues of Open Wi-Fi Networks! Oh Really?

IBM researchers have proposed a solution to the security problems of open Wi-Fi networks. It has come in the light of the release of the Firesheep tool.


Basically, two software developers, Eric Butler and Ian “craSH” Gallagher, created and released a Firefox plugin at Toorcon 12 this year with which one can easily capture session cookies and hijack the accounts of other users on the same open Wi-Fi network.


Though session hijacking is not a new attack and has been talked about, discussed and demonstrated at various security forums since 2007 (it was first revealed by Robert Graham at Black Hat USA 2007), the key contribution is that the attack has been made trivially easy to execute. I will use another post to talk about the Firesheep tool and how the attack is carried out. In this post, I would like to keep the security issues of open Wi-Fi networks as the prime focus and discuss the merits and demerits of the solution presented by researchers of IBM's X-Force group.

There are three major security issues of open Wi-Fi networks:


1. Passive Data Sniffing:
A lot of web services use the HTTP protocol, which does not encrypt the data exchanged between client and server. This means that if such sites are accessed over an open Wi-Fi network, any malicious user within radio range of the wireless client or the AP can passively sniff and capture the data flowing to or from the client. That data can contain the user's credentials or the website's session cookie, which can be misused to steal the user's private information. A few websites use HTTPS to serve users; such websites are not vulnerable to passive sniffing. But establishing the connection to an HTTPS-enabled website is the crux: sometimes users ignore the warning about the certificate a server presents, and so even though they always use HTTPS-enabled services, their chances of getting hacked are extremely high.


2. Man-in-the-Middle (MiTM) Attack
A MiTM attack can be carried out very easily in an open Wi-Fi network. Due to the lack of authentication, it is very convenient for an attacker to attract and establish a connection with a wireless client device that is looking to connect to a public Wi-Fi hotspot or any other open wireless network. Two attacks are described here. Though they are alike, they differ technically in the way they are launched.


a. Evil Twin Attack: An evil twin is a hacker-planted AP in the proximity of a legitimate wireless network, using the same SSID or network name. Since clients use the network name to discover and connect to a network, it is very difficult for a client to differentiate between the legitimate AP and the attacker's, so it is very easy for the hacker to victimize the client device. Sometimes a DoS attack is also launched to keep clients from connecting to the legitimate network.



b. Honeypot Attack: There is a subtle difference between a honeypot and an evil twin. A honeypot is also a hacker-planted AP, but its network name is chosen to lure wireless client devices; for example, the hacker advertises an "open wireless network" service. As soon as a wireless client connects to the honeypot AP, the hacker takes control of all of its traffic.


3. Wireless Client's Preferred Network List (PNL) Poisoning
Whenever a wireless client device connects to an open Wi-Fi network, an entry for that network is created and remains in the client's cache. This is known as the preferred network list, or PNL. So far, wireless clients do not automatically purge the network profiles in the PNL. This causes the client to keep searching for the availability of any network in its PNL and to connect automatically as soon as a matching network is found. So an unintentional wireless connection (mis-association) is possible, causing other applications to become active and start accessing web services. For example, an email client can start fetching mail from the server without you knowing about the activity, or about the network over which the client has been accessing your private mailbox.
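The two client-side checks that follow from issues 2 and 3 above, as an added example that is not part of the original post: one flags an SSID that is being advertised by several BSSIDs with conflicting security settings (the pattern an evil twin or honeypot produces beside a legitimate network), and the other audits a client's PNL for open profiles set to auto-connect, which are the mis-association risk. The `Beacon` and `Profile` record layouts, the security-setting vocabulary and all scan and PNL data are constructed assumptions, not any vendor's scan or profile format.

```python
"""Defensive checks for the open Wi-Fi problems above (added example, not
from the original post). The Beacon/Profile record layouts and all sample
data are constructed assumptions, not any vendor's scan or profile format."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One AP as seen in a scan: network name, radio MAC, security, signal."""
    ssid: str
    bssid: str
    security: str      # "open", "wpa2-psk" or "wpa2-eap" (assumed vocabulary)
    signal_dbm: int


@dataclass(frozen=True)
class Profile:
    """One saved entry in a client's preferred network list (PNL)."""
    ssid: str
    security: str
    auto_connect: bool


def find_suspicious_ssids(beacons):
    """Map SSID -> reason for names advertised with conflicting security.

    A legitimate multi-AP network uses one security setting on all of its
    BSSIDs, so an open BSSID beside a WPA2 one carrying the same name is a
    classic evil-twin indicator and worth alerting on.
    """
    by_ssid = defaultdict(list)
    for b in beacons:
        by_ssid[b.ssid].append(b)
    findings = {}
    for ssid, group in by_ssid.items():
        settings = {b.security for b in group}
        if len(settings) > 1:
            findings[ssid] = "conflicting security: " + ", ".join(sorted(settings))
    return findings


def audit_pnl(profiles, beacons):
    """List (ssid, status) for PNL entries that would auto-join an open network.

    Entries whose SSID is currently visible as an open network are the
    immediate mis-association risk; the rest are dormant but should still
    be removed, since any AP can advertise that name later.
    """
    visible_open = {b.ssid for b in beacons if b.security == "open"}
    risky = []
    for p in profiles:
        if p.security == "open" and p.auto_connect:
            status = "in range" if p.ssid in visible_open else "not in range"
            risky.append((p.ssid, status))
    return risky


# Constructed scan: two legitimate CoffeeShop APs plus an open imposter with
# the same name, a lure-named open AP, and an ordinary open airport network.
SCAN = [
    Beacon("CoffeeShop", "00:11:22:33:44:55", "wpa2-psk", -50),
    Beacon("CoffeeShop", "00:11:22:33:44:56", "wpa2-psk", -62),
    Beacon("CoffeeShop", "de:ad:be:ef:00:01", "open", -35),
    Beacon("Free Public WiFi", "de:ad:be:ef:00:02", "open", -40),
    Beacon("airport_guest", "00:aa:bb:cc:dd:ee", "open", -70),
]

# Constructed PNL of a laptop that has used several open hotspots before.
PNL = [
    Profile("airport_guest", "open", True),
    Profile("HomeNet", "wpa2-psk", True),
    Profile("Free Public WiFi", "open", True),
    Profile("hotel_lobby", "open", False),
    Profile("OldHotspot", "open", True),
]

if __name__ == "__main__":
    for ssid, reason in find_suspicious_ssids(SCAN).items():
        print(f"suspicious SSID {ssid!r}: {reason}")
    for ssid, status in audit_pnl(PNL, SCAN):
        print(f"open auto-connect profile {ssid!r} ({status}) - remove it")
```

On the constructed data the scan check reports only `CoffeeShop`, because it is the one name seen with both open and WPA2-PSK settings, while the PNL audit lists the three open auto-connect profiles and notes which of them are in range right now. A real deployment would feed these functions from the platform's scan and profile APIs; the point of the PNL audit is that removing the stale open profiles is the only fix for mis-association that does not depend on upgrading every AP.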


What exactly are they proposing?
The whole security community falls back on the same public key cryptography technique to solve all types of security problems, and the solution proposed by the IBM researchers is no exception. As per the solution briefly described in their post, the client should be able to receive a certificate that authenticates the SSID used by a wireless network service provider. After that, client and AP establish a secure channel, which is then used to access the Internet. Though this is a wonderful idea and has the potential to solve the passive sniffing problem as well as the evil twin, it might not solve the honeypot attack completely. Further, client mis-association will remain a problem until the cached profile of every open Wi-Fi network is removed from each and every wireless client device.


The solution proposed is impractical in the sense that it requires a software upgrade of wireless access points and clients. Now consider the number of wireless client devices used on open Wi-Fi networks that would have to undergo a software upgrade. Essentially, the proposal is a subset of WPA2/802.1X: as per the proposal, the certificate can be used to differentiate between an authorized and a rogue wireless network. If you take the inner authentication out of WPA2/PEAP, what you are left with is the same as what the IBM researchers propose. The fact of the matter is that even private enterprises have not been able to adopt this security six years after the standard was finalized, because the biggest bottleneck is managing and maintaining certificates. Here, they are proposing a solution to one of the burning and most serious security threats to wireless networks. It would take at least a few years to implement such a solution.


The wireless community should put effort into creating a wireless infrastructure that can be trusted like the wired infrastructure. Can we achieve that without spending years solving open Wi-Fi network problems? Think!