Wireless security question

Mortimer

On BBC1's science/technology programme "Bang Goes the Theory" a few weeks
ago they did an item about security of wireless networks.

Leaving aside the problem of enticing people to connect to a network (eg in
a public place such as a café) where the hacker is monitoring the IP
traffic, what is the situation with Windows PCs connecting to a duplicate
network of one that has already been set up in the PC?

They seemed to be suggesting that if a PC had been configured to connect to
another network (eg at home) it would periodically broadcast that SSID
(network name)? Is this the case? I thought it was only the router which
broadcast its SSID.

And if a hacker can grab a list of SSIDs that a PC has connected to, can
they set up a spoof network with the same name so the PC will automatically
connect to it? Obviously it would have to be one with no password (otherwise
the punter would be prompted to enter one when he wasn't expecting to), but
if the real network had a password (let's say WPA2 or some similar level of
encryption, ie not merely WEP) and the PC was configured to supply that
password, would it connect automatically to another password-free network
with the same SSID? Or would the user get a warning in this case?

Now the item was confined to smartphones and surprisingly didn't mention
laptops (eg Windows or Mac) - maybe the OSes on smartphones behave
differently and *would* connect automatically to a password-free network
that was the same as one that was already configured in the phone.
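
What the programme was describing is the 802.11 probe request. A client looking for a remembered network that does not broadcast its SSID (and many older clients, for every remembered network) transmits management frames that name that SSID, so a monitor-mode capture near the client reveals its preferred network list without the client ever acting as a router. As an added example, not part of this thread, the Python below parses raw probe-request frames and lists the SSIDs each client asks for. The frames are constructed inline (no Radiotap header; the MAC addresses and network names are made up), not captured.

```python
"""Parse raw 802.11 probe-request frames and list the SSIDs each client asks for.

Added example, not from the thread. The frames below are constructed by hand;
a real capture would come from a monitor-mode interface with the Radiotap
header already stripped (assumed here).
"""
import struct

FC_TYPE_MGMT = 0
SUBTYPE_PROBE_REQ = 4
SUBTYPE_BEACON = 8
IE_SSID = 0
IE_SUPPORTED_RATES = 1


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body):
    """Yield (element_id, payload) for each information element in a frame body."""
    off = 0
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        payload = body[off + 2: off + 2 + ln]
        if len(payload) < ln:  # truncated element: stop rather than misparse
            return
        yield eid, payload
        off += 2 + ln


def parse_frame(frame):
    """Split the 24-byte management header: FC(2) dur(2) A1(6) A2(6) A3(6) seq(2)."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    return ftype, subtype, frame[4:10], frame[10:16], frame[16:22], frame[24:]


def probed_ssids(frames):
    """Map each transmitter MAC to the set of SSIDs it sent directed probes for.
    The zero-length wildcard SSID of a broadcast probe is not counted."""
    result = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        ftype, subtype, _a1, a2, _a3, body = parsed
        if ftype != FC_TYPE_MGMT or subtype != SUBTYPE_PROBE_REQ:
            continue
        for eid, payload in parse_ies(body):
            if eid == IE_SSID and payload:
                result.setdefault(mac_str(a2), set()).add(payload.decode("utf-8", "replace"))
    return result


# --- constructed sample frames (made-up MACs and names) ---

def mgmt_header(subtype, src, dst=b"\xff" * 6, bssid=b"\xff" * 6):
    fc = (subtype << 4) | (FC_TYPE_MGMT << 2)
    return struct.pack("<BBH", fc, 0, 0) + dst + src + bssid + b"\x00\x00"


def ie(eid, payload):
    return bytes([eid, len(payload)]) + payload


RATES = ie(IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
CLIENT_A = bytes.fromhex("0200aabbcc01")
CLIENT_B = bytes.fromhex("0200aabbcc02")
AP = bytes.fromhex("0200ddeeff01")

SAMPLE_FRAMES = [
    mgmt_header(SUBTYPE_PROBE_REQ, CLIENT_A) + ie(IE_SSID, b"") + RATES,          # broadcast probe
    mgmt_header(SUBTYPE_PROBE_REQ, CLIENT_A) + ie(IE_SSID, b"linksys") + RATES,   # directed probes
    mgmt_header(SUBTYPE_PROBE_REQ, CLIENT_A) + ie(IE_SSID, b"HomeWPA2") + RATES,
    mgmt_header(SUBTYPE_PROBE_REQ, CLIENT_B) + ie(IE_SSID, b"netgear") + RATES,
    # a beacon from an AP: 12 bytes of fixed fields precede its IEs; must be ignored
    mgmt_header(SUBTYPE_BEACON, AP, bssid=AP) + b"\x00" * 12 + ie(IE_SSID, b"BTHub3-X4NP") + RATES,
    b"\x40\x00",  # truncated junk, skipped
]

if __name__ == "__main__":
    for mac, ssids in sorted(probed_ssids(SAMPLE_FRAMES).items()):
        print(mac, sorted(ssids))
```

Only directed probes leak names; a client that sends just the wildcard probe and waits for beacons reveals nothing, which is why disabling "connect even if the network is not broadcasting" on saved profiles reduces the exposure.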
 
Wolf K

> On BBC1's science/technology programme "Bang Goes the Theory" a few
> weeks ago they did an item about security of wireless networks.
>
> Leaving aside the problem of enticing people to connect to a network (eg in
> a public place such as a café) where the hacker is monitoring the IP
> traffic, what is the situation with Windows PCs connecting to a duplicate
> network of one that has already been set up in the PC?
>
> They seemed to be suggesting that if a PC had been configured to connect to
> another network (eg at home) it would periodically broadcast that SSID
> (network name)? Is this the case? I thought it was only the router which
> broadcast its SSID.
>
> And if a hacker can grab a list of SSIDs that a PC has connected to, can
> they set up a spoof network with the same name so the PC will automatically
> connect to it? Obviously it would have to be one with no password (otherwise
> the punter would be prompted to enter one when he wasn't expecting to), but
> if the real network had a password (let's say WPA2 or some similar level of
> encryption, ie not merely WEP) and the PC was configured to supply that
> password, would it connect automatically to another password-free network
> with the same SSID? Or would the user get a warning in this case?
>
> Now the item was confined to smartphones and surprisingly didn't mention
> laptops (eg Windows or Mac) - maybe the OSes on smartphones behave
> differently and *would* connect automatically to a password-free network
> that was the same as one that was already configured in the phone.

Try:

http://www.cio.com/article/681170/Home_Wi_Fi_Network_Security_4_Ways_to_Avoid_Big_Trouble

http://www.pcworld.com/article/130330/how_to_secure_your_wireless_network.html

HTH,
Wolf K.
 
Yousuf Khan

> They seemed to be suggesting that if a PC had been configured to connect to
> another network (eg at home) it would periodically broadcast that SSID
> (network name)? Is this the case? I thought it was only the router which
> broadcast its SSID.

I don't think a client PC would broadcast a list of SSIDs that it has
ever connected to; what reason could it have to broadcast something like
that? Only the router needs to do that. Or if the PC is running an
ad-hoc network, then it will be acting as its own router. That's about
the only time it'll broadcast its own SSID.

> And if a hacker can grab a list of SSIDs that a PC has connected to, can
> they set up a spoof network with the same name so the PC will automatically
> connect to it? Obviously it would have to be one with no password (otherwise
> the punter would be prompted to enter one when he wasn't expecting to), but
> if the real network had a password (let's say WPA2 or some similar level of
> encryption, ie not merely WEP) and the PC was configured to supply that
> password, would it connect automatically to another password-free network
> with the same SSID? Or would the user get a warning in this case?

Now, regarding completely open Wi-Fi networks, a hacker can guess the
names of previous open networks that a client PC might have connected
to, even if the client PC doesn't broadcast those names out to the
hacker to make his life easier. A lot of networks just use their
default, out-of-the-box SSIDs, such as "dlink", "linksys", "netgear",
etc. A lot of people never change those default names when they set up
their home networks. So it's fairly easy for a hacker to guess those
SSIDs. However, you'll notice that client PCs can still tell different
networks apart even if they have the same SSIDs. That's because there's
a unique numerical identifier for each network; it's likely based on
the router's MAC address, which is also unique. Using this unique
numerical id, the PC can tell two "dlink" networks apart, or two
"netgear" networks, etc.

So the PC will still give you the choice of connecting to another
open network with the same name.

> Now the item was confined to smartphones and surprisingly didn't mention
> laptops (eg Windows or Mac) - maybe the OSes on smartphones behave
> differently and *would* connect automatically to a password-free network
> that was the same as one that was already configured in the phone.

I think even smartphones are able to tell different open networks apart
with the same name, using the unique-id. The logic behind it is not too
difficult to implement even in a smartphone.

Yousuf Khan
 
Mortimer

Yousuf Khan said:
> Now, regarding completely open Wi-Fi networks, a hacker can guess the
> names of previous open networks that a client PC might have connected to,
> even if the client PC doesn't broadcast those names out to the hacker to
> make his life easier. A lot of networks just use their default,
> out-of-the-box SSIDs, such as "dlink", "linksys", "netgear", etc. A lot of
> people never change those default names when they set up their home
> networks. So it's fairly easy for a hacker to guess those SSIDs. However,
> you'll notice that client PCs can still tell different networks apart
> even if they have the same SSIDs. That's because there's a unique
> numerical identifier for each network; it's likely based on the router's
> MAC address, which is also unique. Using this unique numerical id, the PC
> can tell two "dlink" networks apart, or two "netgear" networks, etc.
>
> So the PC will still give you the choice of connecting to another
> open network with the same name.

I'm amazed at the number of wireless networks that are left at the default
SSID of DLINK, NETGEAR or whatever. It gets very difficult when someone's
got a wireless connection problem if there is more than one network with the
same SSID! I've done it myself, unwittingly: set up one router with a given
SSID and password and then set up another the same way, intending to move
the old router to another location but leaving it plugged into the mains by
accident. As long as the PC knows about both networks (distinguished by MAC
address) and doesn't go through the "new network" menus, then there's no way
to tell which network you are connected to - and one is plugged into ADSL
and so will work whereas the other isn't so "for some strange reason" isn't
working. It's pure chance which one a given PC will connect to. I felt a
right pillock when I realised what I'd done!

> I think even smartphones are able to tell different open networks apart
> with the same name, using the unique-id. The logic behind it is not too
> difficult to implement even in a smartphone.

Mmm. So as long as people are alert to "new network" messages (and many
people will ignore or not notice these) then you should be safe from a spoof
duplicate network.

If I'm using a network other than my own, I *always* choose "public network"
to avoid problems with other PCs on the network accessing shared drives on
my PC.
 
Yousuf Khan

> I'm amazed at the number of wireless networks that are left at the
> default SSID of DLINK, NETGEAR or whatever. It gets very difficult when
> someone's got a wireless connection problem if there is more than one
> network with the same SSID! I've done it myself, unwittingly: set up one
> router with a given SSID and password and then set up another the same
> way, intending to move the old router to another location but leaving it
> plugged into the mains by accident. As long as the PC knows about both
> networks (distinguished by MAC address) and doesn't go through the "new
> network" menus, then there's no way to tell which network you are
> connected to - and one is plugged into ADSL and so will work whereas the
> other isn't so "for some strange reason" isn't working. It's pure chance
> which one a given PC will connect to. I felt a right pillock when I
> realised what I'd done!

In the end, the SSID is not really all that important to the low-level
security of the network; it's really just a human-readable name, of
usefulness only to people. So the part of the network security procedure
which involves people not blindly connecting to the wrong networks is
helped by changing this name, but it's not actually useful beyond that.

> Mmm. So as long as people are alert to "new network" messages (and many
> people will ignore or not notice these) then you should be safe from a
> spoof duplicate network.
>
> If I'm using a network other than my own, I *always* choose "public
> network" to avoid problems with other PCs on the network accessing
> shared drives on my PC.

This type of spoof is also only effective in an open, unsecured network.
It'll never work if the network is password protected in any way; even
the deprecated and much maligned WEP security will screen out this spoof.
A hacker may be able to duplicate the SSID name very easily, but it's
much harder to randomly duplicate a password. So really, the only thing
you have to be aware of is that when you're connecting to an open
network, you are careful to notice if your device is warning you that
it's a different open network than what you're used to.

Yousuf Khan
 
Char Jackson

If I were going to spoof a network, I would spoof the SSID, the MAC
address, and if it's WEP-protected, also the password. You wouldn't
receive any prompts or notifications in that case.

> This type of spoof is also only effective in an open, unsecured network.
> It'll never work if the network is password protected in any way, even
> the deprecated & much maligned WEP security will screen out this spoof.
> A hacker may be able to duplicate the SSID name very easily, but it's
> much harder to randomly duplicate a password. So really, the only thing

Now that WEP passwords can be discerned in as little as 30 seconds, it
would be trivial to get the password from the target system and apply
it to a spoof system. Duplicate the target MAC and SSID at the same
time, and I think you'd have a good chance of catching a few systems
automatically connecting. I wouldn't expect to see any warnings in
that case.
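
The last two posts turn on what a client actually compares when it decides that a scanned network is one it already knows, and what happens next for each security type. As an added example that is not part of this thread and is not any client's real code, the Python below models that decision. It assumes, as Windows WLAN profiles, Android and iOS do, that a saved profile is keyed on SSID plus security type and not on the access point's MAC address (BSSID); the saved networks, rogue access points, MACs and keys are constructed for the example.

```python
"""Model of a Wi-Fi client's "is this a network I already know?" decision.

Added example, not from the thread or from any vendor's client code. It
encodes the common client behaviour that a saved profile matches on SSID
plus security type only; the AP's BSSID/MAC is not consulted. Network
names, MAC addresses and keys are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OPEN, WEP, WPA2_PSK = "open", "wep", "wpa2-psk"


@dataclass(frozen=True)
class Profile:
    """A saved network on the client."""
    ssid: str
    security: str
    key: Optional[str] = None


@dataclass(frozen=True)
class ScannedBss:
    """One access point seen in a scan, with the security it advertises."""
    ssid: str
    bssid: str
    security: str


def profile_matches(profile: Profile, bss: ScannedBss) -> bool:
    """Profiles match on name and security type; BSSID is ignored."""
    return profile.ssid == bss.ssid and profile.security == bss.security


def connection_outcome(profiles: List[Profile], bss: ScannedBss,
                       rogue_key: Optional[str] = None) -> str:
    """What an auto-connecting client does when it sees `bss`.

    rogue_key models what the AP operator knows: a WEP or WPA2-PSK
    association only completes if it equals the key in the profile.
    Returns "no-match" (shown as a new network; the user must pick it),
    "auto-connect" (joins silently) or "auth-failure" (the client tries
    its stored key, the handshake fails, no password prompt appears).
    """
    for profile in profiles:
        if not profile_matches(profile, bss):
            continue
        if profile.security == OPEN or rogue_key == profile.key:
            return "auto-connect"
        return "auth-failure"
    return "no-match"


# constructed saved-network list for a laptop
SAVED = [
    Profile("HomeNet", WPA2_PSK, key="correct horse battery staple"),
    Profile("CafeFree", OPEN),
    Profile("linksys", WEP, key="0123456789"),
]

# constructed rogue access points (02:... MACs are locally administered)
SCENARIOS: Dict[str, Tuple[ScannedBss, Optional[str]]] = {
    # open twin of the WPA2 home network: the name matches, the security type does not
    "open twin of WPA2 net": (ScannedBss("HomeNet", "02:00:00:00:00:01", OPEN), None),
    # WPA2 twin without the passphrase: the client tries and the handshake fails
    "wpa2 twin, no psk": (ScannedBss("HomeNet", "02:00:00:00:00:02", WPA2_PSK), None),
    # open twin of a remembered open hotspot on a different BSSID: joins silently
    "open twin, new bssid": (ScannedBss("CafeFree", "02:00:00:00:00:03", OPEN), None),
    # WEP twin with the key recovered by cracking, as described above
    "wep twin, cracked key": (ScannedBss("linksys", "02:00:00:00:00:04", WEP), "0123456789"),
    "wep twin, wrong key": (ScannedBss("linksys", "02:00:00:00:00:05", WEP), "ffffffffff"),
}


def run_scenarios() -> Dict[str, str]:
    return {name: connection_outcome(SAVED, bss, key) for name, (bss, key) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} -> {outcome}")
```

Two caveats worth keeping in mind. Cloning the BSSID, as suggested above, matters for defeating rogue-AP detection and for keeping a client's roaming logic from preferring the real AP, not for the profile match itself. And "auth-failure" against a WPA2-PSK twin is not harmless: the client's first handshake reply gives the rogue AP enough material for an offline dictionary attack on the passphrase, so a weak PSK turns that outcome into "auto-connect" on the next attempt.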
 
J. P. Gilliver (John)

Mortimer said:
>> hacker to make his life easier. A lot of networks just use their
>> default, out-of-the-box SSIDs, such as "dlink", "linksys", "netgear",
>> etc. A lot of people never change those default names when they setup
> []
> I'm amazed at the number of wireless networks that are left at the
> default SSID of DLINK, NETGEAR or whatever. It gets very difficult when
> []

Strange; here in the UK, the default SSID often does include the make of the
router, but in all cases I've seen, it has some random characters added
to the end: for example, from here I can see BTOpenzone-H, BTHub3-X4NP,
and BTHomeHub2-57CM, and elsewhere I've seen BTVOYAGER2100-D9, SKY63398,
and SKY08013 - i.e. always with a random string on the end. I assume
these are all the default ones.
 
Yousuf Khan

> Strange; here in the UK, the default SSID often does include the make of the
> router, but in all cases I've seen, it has some random characters added
> to the end: for example, from here I can see BTOpenzone-H, BTHub3-X4NP,
> and BTHomeHub2-57CM, and elsewhere I've seen BTVOYAGER2100-D9, SKY63398,
> and SKY08013 - i.e. always with a random string on the end. I assume
> these are all the default ones.

That's because you're using a combined router/modem from your ISP. Those
are usually set up by a technician in the home, or preset in a distribution
center before being sent out to you. I was talking about the situation
where someone just buys a router from a store oneself, and installs it
oneself.

Yousuf Khan
 
J. P. Gilliver (John)

Yousuf Khan said:
> That's because you're using a combined router/modem from your ISP. Those
> are usually set up by a technician in the home, or preset in a distribution
> center before being sent out to you. I was talking about the situation
> where someone just buys a router from a store oneself, and installs it
> oneself.
>
> Yousuf Khan

Hmm, I'm not sure: if that was the case, I'd expect to see the name of
the ISP (as indeed is the case for the SKY examples above, and _some_ of
the BT ones). The BTVOYAGER2100-D9 is my blind friends' one, which they
did _not_ get from their ISP (lineone or talktalk); I've seen others
similar - router-maker name plus random string, rather than ISP name.
(Actually my blind friends' router is no longer a BT Voyager 2100,
though they've kept the SSID so as not to have to change details in all
their computers.)
 
