At the ShmooCon gathering in Washington, D.C., today, old-school hacker and mischief maker Mark "Simple Nomad" Loveless released information on a staggeringly simple but very dangerous wireless security problem with a feature built into most laptop computers running any recent version of the Microsoft Windows operating system.
Laptops powered by Windows XP or Windows 2000 with built-in wireless capabilities (these include most laptops on the market today) are configured so that when the user opens up the machine or turns it on, Windows looks for any available wireless connections. If the laptop cannot link up to a wireless network, it creates what's known as an ad-hoc "link local address," a supposed "private network" that assigns the wireless card a network address of 169.254.x.x (the Xs represent a random number between 1 and 254).
Microsoft designed this portion of Windows so that the address becomes associated with the name or "SSID" of the last wireless network from which the user obtained a real Internet address. The laptop then broadcasts the name of that network out to other computers within a short range of the machine (a range that varies depending on a number of things, including the quality of the laptop's embedded network card and anything that may obstruct the signal, such as walls).
What Loveless found was that by creating a network connection on his computer that matches the name of the network the target computer is broadcasting, the two computers could be made to associate with one another on the same link local network, effectively allowing the attacker to directly access the victim's machine.
I followed Loveless up to his hotel room to get a firsthand example of how this attack would work. I set up an ad hoc wireless network connection on my Windows XP laptop named "hackme." Within a few seconds of hitting "Ok" to create the network, my laptop was assigned a 169.254.x.x address. A few seconds later, Loveless could see my computer sending out a beacon saying it was ready to accept connections from other computers that might also have the "hackme" network pre-configured on their machines. Loveless then created an ad hoc network with the same name, and told his computer to go ahead and connect to "hackme." Voilà! His machine was assigned a different 169.254.x.x address and we both verified that we could send data packets back and forth to each other's computer.
Here's the really freaky part about all this: No more than five minutes after I had deleted the "hackme" network ID from my laptop, Loveless and I spotted the same network name being broadcast from another computer that didn't belong to either of us. Turns out, someone else at the hacker conference was trying to join the fun.
As Loveless pointed out, this "feature" of Windows actually behaves somewhat like a virus. Think of it this way: If you connect your Windows laptop to the wireless network at the local Starbucks, for instance, your computer will indefinitely store the name of the Starbucks network (invariably these are named "T-Mobile" for the wireless company that provides the service). Should you at a later date happen to open up your laptop in the vicinity of another Windows user who also had recently gotten online at Starbucks, those two machines may connect to each other without any obvious notification to either user.
This is precisely what was happening for a client of Bruce Kyes Hubbert, a systems engineer I met at ShmooCon who works for a company called Airmagnet, which develops wireless security products (companies often use Airmagnet and other such tools to ensure employees aren't setting up unauthorized wireless networks that could compromise the organization's security). Hubbert said he smacked his forehead while hearing Loveless give his presentation because it explained weird behavior one of his company's clients has been seeing a lot more of lately.
Hubbert said this particular client -- a very large company that he asked me not to name -- was complaining that Airmagnet's products were setting off a bunch of false-positives, detecting rogue wireless networks throughout the client's company. He said the odd thing was that there appeared to be more of these networks being set up every day within the company, at the rate of two or three additional ad-hoc networks each day.
"They kept telling us, 'we've been seeing more ad-hoc networks showing up in our building every day,' and most of them were for local hotel hotspots," Hubbert said. "So we'd see multiple machines all associating with the same network SSID, and meanwhile the user is refreshing their PowerPoint presentation and has no idea this is going on in the background."
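The pattern Hubbert's client was seeing, several unrelated laptops all beaconing the same hotspot name on an ad-hoc link with 169.254.x.x addresses, is easy to pick out of a wireless scan once you know to look for it. The following is an added example, not code from the original post or from Airmagnet; it assumes a simple constructed log format of "bss_type ssid station_mac ipv4" per line, and the sample lines are made up.

```python
"""Flag clusters of machines advertising the same ad-hoc (IBSS) SSID with
RFC 3927 link-local (169.254.x.x) addresses.  Added example; the log format
and every sample value below are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed sample: a wireless scanner's view of nearby networks.
SAMPLE_SCAN_LOG = """\
infrastructure CorpWiFi 00:11:22:33:44:01 10.1.5.23
ibss tmobile 00:11:22:33:44:10 169.254.17.9
ibss tmobile 00:11:22:33:44:11 169.254.201.44
ibss tmobile 00:11:22:33:44:12 169.254.3.150
ibss HotelGuestNet 00:11:22:33:44:20 169.254.88.1
ibss hackme 00:11:22:33:44:30 169.254.40.2
ibss hackme 00:11:22:33:44:31 169.254.40.9
"""

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 range


def is_link_local(addr: str) -> bool:
    """True for the self-assigned 169.254.x.x addresses the post describes."""
    return ipaddress.ip_address(addr) in LINK_LOCAL


def parse_scan_log(text: str):
    """Yield (bss_type, ssid, mac, ip) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield parts[0].lower(), parts[1], parts[2].lower(), parts[3]


def find_adhoc_ssid_clusters(text: str, min_stations: int = 2):
    """Return {ssid: sorted station MACs} for ad-hoc SSIDs that at least
    `min_stations` distinct machines advertise with link-local addresses.
    A single station is just one laptop remembering a hotspot; several
    on one SSID is the self-propagating behaviour Loveless described."""
    stations = defaultdict(set)
    for bss_type, ssid, mac, ip in parse_scan_log(text):
        if bss_type == "ibss" and is_link_local(ip):
            stations[ssid].add(mac)
    return {ssid: sorted(macs) for ssid, macs in stations.items()
            if len(macs) >= min_stations}


if __name__ == "__main__":
    for ssid, macs in find_adhoc_ssid_clusters(SAMPLE_SCAN_LOG).items():
        print(f"ad-hoc SSID {ssid!r} on {len(macs)} stations: {macs}")
```

Lowering `min_stations` to 1 lists every ad-hoc beacon, which is what Airmagnet was reporting as a flood of "rogue networks" before the cause was understood.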
As it turns out, the specifications for this Windows feature -- detailed in a technical document entitled "RFC 3927" -- were actually written in part by a Microsoft employee, one B. Aboba, according to the document. Strangely enough, the developers of that spec foretold the dangers of configuring things the way Microsoft ultimately decided to do with their wireless system in Windows. This from section 5, paragraph three of the RFC:
"NOTE: There are certain kinds of local links, such as wireless LANs, that provide no physical security. Because of the existence of these links it would be very unwise for an implementer to assume that when a device is communicating only on the local link it can dispense with normal security precautions. Failure to implement appropriate security measures could expose users to considerable risks."
Whoops. Anyway, you might be wondering now how you can make sure your Windows laptop is protected from this ... er, feature. First of all, if you are running any kind of network firewall -- including the firewall that comes built into Windows XP -- you won't have to worry about some stranger connecting to your laptop. In fact, I had to shut down my firewall for both of us to successfully conduct our test.
Also, many laptops have a button you can push that disables the built-in wireless feature until you hit that button again. Turning off the wireless connection when you are not using it also prevents this from being a problem.
Another good idea is to change the setting on the computer's wireless card to connect only to "infrastructure networks" -- real wireless access points that actually allow you to surf the Web. To do this, go to "Start," "Control Panel," "Network Connections," and then right click on the entry labeled "wireless network connection" and select "Properties" from the drop down menu. Then click on the "Wireless Networks" tab, and then on the "Advanced" tab at the bottom of that window. A box should pop up that gives you three buttons to choose from: Select the one next to "Access point (infrastructure) networks only."
By the way, Microsoft has acknowledged this vulnerability and says it plans to change the default configuration in the next service packs released for Windows, whenever that will be.
As a sidenote, Loveless described in delicious detail for a rapt audience at ShmooCon how he used the trick on various airline flights to gain access to Windows machines that other passengers were using. Referring to a previous conversation he had with Jennifer Granick, a lawyer who represents accused hackers (and who also gave this morning's ShmooCon keynote), Loveless said he believes that since the attacks were mostly carried out while the plane was over international waters, U.S. law enforcement might have a hard time making the case that he was violating any laws. The real answer to that very interesting question, he said, would probably not be evident until someone gets sued in court for it.