Rogue Access Points: Back doors into your Network
Let's say that an employee in your company gets a new laptop. He's excited about the laptop's WiFi capabilities, but the company he works for doesn't have a wireless network. What does he do?
One option is to bring in his own wireless router. He goes down to the local computer store, picks up a router for $39.95, and brings it to work. He plugs it in, boots up his laptop, connects to the network called "default," and is happy to use his laptop from anywhere in the building.
Another possibility is that he opens up the "wireless connections" panel of the laptop and sees a list of possible networks to join. He may not realize that the access points are on networks belonging to other individuals or companies. In the unlikely scenario of a targeted attack, he may even see an official-looking access point named after his company. In either case, he connects to somebody else's wireless network, finds that he can access the Internet, and continues on with his life. Both of these situations raise a number of potential security issues, and can be dangerous to the company's network.
First, an access point installed by an end user may be completely unencrypted, which opens a back door on the company's network to any attacker within range. Even when encryption is turned on, the default that most people use, WEP, is fairly insecure and may be no better than an unencrypted connection. Besides being able to eavesdrop on the employee's traffic, potentially snarfing his passwords or other useful information, the attacker can join the network with his own laptop. This instantly puts the attacker behind the company's firewalls, potentially exposing vulnerable internal servers to attack.
Another serious concern when connecting to an untrusted wireless router, either one belonging to somebody else or one with a weak password set, is the trustworthiness of the DNS server it uses. As I wrote in a recent blog post, an untrusted DNS server can have potentially dangerous consequences, which may include redirecting trusted Web sites to malicious servers. If a malicious user has or gains access to a router, he can change the DNS server that the router hands out to a malicious one that gives fraudulent responses.
There are a number of ways to prevent this type of back door from appearing, including:
- running software on your network to identify any new or unknown devices
- routinely checking for any new wireless networks in your offices, and investigating any that appear
- implementing a wireless network for laptop users in a secure fashion, and educating users on best practices for connecting to it
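As an added example (not part of the original post), here is a small Python check that implements the first two guidelines: it compares a wireless site scan against an inventory of sanctioned access points and flags anything unknown, weakly encrypted, still using a factory-default name, or using a company-look-alike name. The scan data, inventory MACs and default-SSID list below are constructed placeholders; a real deployment would feed it the output of your own scanner.

```python
"""Rogue access point check: compare a wireless scan against an AP inventory.

Added example, not code from the original post. Scan results are assumed to
be dicts with 'ssid', 'bssid' and 'security' keys (constructed sample below).
"""
from dataclasses import dataclass

# Constructed inventory of sanctioned access points: BSSID -> expected SSID.
# The MAC addresses are placeholders.
KNOWN_APS = {
    "00:11:22:33:44:01": "CorpWiFi",
    "00:11:22:33:44:02": "CorpWiFi",
}
COMPANY_NAME = "corp"                    # assumed: substring that marks "our" SSIDs
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink"}  # common factory names
WEAK_SECURITY = {"OPEN", "NONE", "WEP"}  # no protection, or WEP (easily broken)

@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    reason: str

def check_scan(scan, known=KNOWN_APS, company=COMPANY_NAME):
    """Return one Finding per access point that deserves investigation."""
    findings = []
    for ap in scan:
        bssid, ssid, sec = ap["bssid"].lower(), ap["ssid"], ap["security"].upper()
        if bssid in known:
            # A sanctioned radio suddenly advertising a different name is suspicious too.
            if ssid != known[bssid]:
                findings.append(Finding(bssid, ssid, "known BSSID broadcasting unexpected SSID"))
            continue
        reasons = []
        if company in ssid.lower():
            reasons.append("unknown AP using company-like name (possible impersonation)")
        if sec in WEAK_SECURITY:
            reasons.append(f"weak or no encryption ({sec})")
        if ssid.lower() in DEFAULT_SSIDS:
            reasons.append("factory default SSID (likely consumer router)")
        if not reasons:
            reasons.append("unknown access point")
        findings.append(Finding(bssid, ssid, "; ".join(reasons)))
    return findings

# Constructed sample scan: one sanctioned AP plus three that are not in the inventory.
SAMPLE_SCAN = [
    {"ssid": "CorpWiFi",       "bssid": "00:11:22:33:44:01", "security": "WPA2"},
    {"ssid": "default",        "bssid": "00:11:22:33:44:AA", "security": "OPEN"},
    {"ssid": "CorpWiFi-Guest", "bssid": "00:11:22:33:44:BB", "security": "WEP"},
    {"ssid": "NeighborNet",    "bssid": "00:11:22:33:44:CC", "security": "WPA2"},
]

if __name__ == "__main__":
    for f in check_scan(SAMPLE_SCAN):
        print(f"{f.bssid}  {f.ssid!r}: {f.reason}")
```

Run periodically and diff the findings against the previous run so that only newly appearing networks need a human look.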
By following one or more of these guidelines, you may close up a back door into your network.