A security study released last month sounded another call to arms for network administrators to secure wireless networks, showing how hackers can use traditional methods to attack otherwise secure fixed networks from a wireless entry point.
Computers don’t discern if data comes from a wireless network or a fixed network – once it hits a modem, it’s all the same. Hackers don’t care what kind of network they penetrate, either. Once they get past the modem, the same kinds of exploits can be used to harvest data, either from machines on the wireless network or the landlines.
Security consultants from Reston, Va.-based Cigital Inc. asserted the point in its research report. Cigital conducted a study showing how a hacker could use an attack called ARP (address resolution protocol) poisoning or ARP spoofing to fool computers on the wired portion of the network into sending data to the hacker. The attack creates a fake network address that the network treats as a legitimate destination.
Networks use a table called an ARP cache to match IP addresses to hardware addresses. Data packets coming into a network router ask the ARP program, which is responsible for managing the ARP rules that control the cache, to find a MAC (media access control) address on the cache that matches the packet’s IP address so it can be sent to the right machine. If no match is found, the ARP program asks every machine on the network for a match to the IP address, then updates the table if it finds it.
A hacker can exploit ARP by forging data packets from within the network that ask for an IP address which doesn’t exist. When the ARP program broadcasts a request for a match to the network, the hacker again forges a positive response from the hacker’s computer for the fake IP address. The ARP program then updates the ARP cache table, adding the hacker’s computer to the official list of trusted computers on the network.
“ARP poisoning has been around for some time, but it hasn’t been employed in this respect,” said Robert Fleck, Cigital’s security consultant for the study. Wireless networking is relatively new compared to landline networks, making much of the security research a matter of theory rather than experience. “I don’t think there’s much research in applying other (traditional) attacks” to wireless networks .
Hacking into a wireline network through a wireless access point requires that a hacker have knowledge of wireless technology – but not much. A hacker with the proper wireless hardware – a laptop with a wireless modem in range of a wireless network – can crack WEP in 15 minutes using off-the-shelf gear and programs available on the Internet, said Kevin Walsh, director of product management at Cambridge, Mass.-based wireless security company Funk Software Inc. It’s a short step from access to the wireless environment and the wired network connected to it, he said.
“The medium that you’re using to get access is new, but once you get access, all the same rules apply,” he said. Like WEP-cracking applications, automatic ARP poisoning applications are also readily available on the Internet.
Cigital, Funk and other security groups have proposed that organizations treat their wireless network as external to their wired network, by placing a firewall or router between every point at which the two networks touch. This approach mitigates the threat of an ARP poisoning attack, as well as other kinds of attack from an external threat, Walsh said.
Security groups are equally concerned about a lackadaisical attitude about wireless security among network administrators. A single unsecured wireless access point leaves the entire network vulnerable to a hacker sitting in a parking lot, said Allan Carey, a senior analyst for International Data Corp.
“In the wired world we put in safeguards like firewalls to protect the network from attack,” he said. The ARP attack is well known, but “many companies think that if they have the security precautions in place in their wired network…then they’re safe.”
