WiFi: What threat?

Annalee's written a generally good debunking of the gub'ment's alarmist warnings about WiFi in her latest Techsploitation column, but in so doing, she says:

The ever resourceful publisher O'Reilly even has a new book out on the issue called 802.11 Security, which underscores my point by arguing that most WiFi networks — which use the 802.11 transmission protocol specified by the Institute of Electrical and Electronics Engineers – are wide open to attack.

I have to quibble with this. Connecting to a WiFi network is not "attacking" it. A successful attack against a network should do some damage to it, or at least reduce its availability to the detriment of its operator. Most home WiFi networks don't even have a computer on them much of the time (since WiFi net operators either take their machines with them or shut them down — don't believe me? Take nstat with you on your next warstumble! Most of the nets I connect to don't have any hosts on them!). So connecting to the network doesn't constitute any kind of attack per se.

Now, there are a couple of actual "attacks" imaginable: one is a DoS attack on the network itself, putting so much traffic on the net that you shut it down. This one is much bandied, but I've never actually seen it take place. The 802.11b spec takes pretty good care to enforce good neighborship on connected hosts. It's like DoSing a hub — theoretically possible, but not very likely, since hubs are, by nature, built to manage multiple hosts sending and receiving traffic.

Another attack is intrusion: either on the router or on another host. Router intrusion is surprisingly easy, since many operators don't change the default router password. Any time you associate with a network called "linksys", try pointing your browser at: http://:admin@192.168.1.1 — if you get a configuration screen, congrats, you 0wn that AP. But this certainly isn't an attack that's made simpler by flaws in WEP; rather, it's a UI failure in the configurator, which should force a password change on setup. Indeed, this attack is not specific to WiFi nets — routers connected to cablemodems are just as vulnerable.

Intrusion into systems is a much graver case. In the case of MacOS X/9 machines, this is not much of a risk, since neither of these machines has default-on IP-addressable services, and activating such services generally requires some savvy that would, one hopes, also include enough smarts to set up a decent password (maybe a poor assumption). Win* machines are much more vulnerable — this is a well-understood phenomenon, of course, and it has to do with major failings in MSFT's security engineering. The incremental vulnerability of a Win* machine on a WiFi net is high, but only because Win* and orthodox security engineering make the fallacious firewall assumption, that hosts inside your network are trusted and hosts outside your network are not. In truth, your security perimeter should be drawn around each host, not around the network, since hosts on the network can go rogue (0wned via a trojan, say), and hosts outside of the network can be highly trusted, as when you carry your laptop to some other place and need to connect to machines back home.

Now, there is a real-live attack possible due to the failings of WEP: packet-sniffing. In the cases where you are sending sensitive info (e.g., passwords, mail, http-auth session keys) in the clear, having untrusted parties on your broadcast network is a genuine risk. But this is not a situation that's unique to, or distinctive of, WiFi. Rather, it is the case any time you're sending data in the clear on any network connection that isn't under your control, such as net-connections in airports, hotels, conference centers, classrooms, boardrooms, cable-modems, etc. This is a major flaw in the assumptions that many Internet services make (any ISP that expects you to transmit your POP info in the clear, for example).

WiFi makes these threats more visible, but not graver.

(Thanks, Derek!)