Windows Wi-Fi Flaw Lets Others See Your Stuff

Am I missing something? Wasn't this sort of obvious all along?

News flashes about a serious Windows wireless security hole: "Windows Wi-Fi Flaw Lets Others See Your Stuff"

Windows XP and 2000's techniques for looking for wireless connections can be used by attackers to read unsuspecting targets' hard drives.

By Gregg Keizer TechWeb News

Jan 17, 2006 05:49 PM

A security researcher warned over the weekend that the way Windows XP and 2000 look for wireless connections can be used by hackers to dip into unsuspecting users' hard drives.

Calling the flaw a "configuration error" rather than a true vulnerability, researcher Mark Loveless claimed that when Windows powers up but doesn't find a wireless access point, it creates an ad hoc network, complete with the SSID, the Wi-Fi network identifier, like "linksys" or "actiontec," of the last network connection.

Other laptops, when set to sniff for the same SSID, can listen for such connections, and when they find one, create a peer-to-peer link between the two PCs, said Loveless. Once connected, the attacker could conceivably introduce malicious code and/or access files on the laptop's hard drive.

"In Windows 2000 and Windows XP and [XP] SP1, this all happens in the background without the user's knowledge,"

Reply to
frankdowling1

Yep, I don't see it as any worse than sniffing for the AP's that the machine is searching for and then setting up a honeypot AP with a matching SSID.

The machine will connect if the security settings are appropriate (typically blank if the user has visited a hotspot), and you're in.

The degree to which files can be viewed will depend on personal firewall settings and password strength which is no different in principle to how securely people leave their car. Most are happy to lock it and walk away with the windows letting people see what's inside. Well ok, not the best analogy but the whole security picture hasn't been portrayed in that article but then if it were, it wouldn't seem as sensational would it? :)

David.

Reply to
David Taylor

I've seen that happen on XP Pro SP2, thought I was having a flashback to the previous client, I guess I'm just glad it was my computer having a flashback. 8*)

Does the author mention how to configure your way out of it?

Reply to
William P.N. Smith

Microsoft Windows Silent Adhoc Network Advertisement

Platforms   : Windows 2000/XP/2003
Application : Wireless Network Connection (aka Microsoft Wireless Client)
Severity    : High (albeit lame)

Synopsis

--------

This advisory documents an anomaly involving Microsoft's Wireless Network Connection. If a laptop connects to an ad-hoc network it can later start beaconing the ad-hoc network's SSID as its own ad-hoc network without the laptop owner's knowledge. This can allow an attacker to attach to the laptop as a prelude to further attack.

Details

-------

The following is a sample scenario:

- Alice has a wireless access point at home with an SSID of "linksys", which she has successfully set up and connected to with her laptop.
- Alice goes to the airport (or train station or coffee shop) and opens her laptop.
- Bob, who is sitting next to Alice, has a laptop configured with an ad-hoc network advertising an SSID of "linksys".
- Alice's laptop, when started, looks for the SSID of "linksys" and attaches to Bob's ad-hoc network.
- The next time Alice boots up the laptop when the Ethernet cable is not attached and there is no "linksys" SSID in range, Alice starts advertising an ad-hoc network with an SSID of "linksys".

This is basically a configuration error that spreads virus-like from laptop to laptop. In field tests, numerous ad-hoc SSIDs such as "linksys", "dlink", "tmobile", "hpsetup", and others have been documented.

Yes this is lame. I know this...

Here is collected data from 4 domestic flights within the U.S. conducted during September and October 2005. The data was collected using NetStumbler, NMap, and Metasploit Framework [4] from a laptop running Windows XP:

Aircraft  Laptops*  Ad-hoc Nets**  Live Targets  Vulnerable***
--------  --------  -------------  ------------  -------------
MD80             8              2             3              1
MD80            12              5             5              4
757             22              1             3              3
MD80            14              4             4              3

*   Number of laptops out and running at approximately the halfway point of the flight.
**  In some cases, an ad-hoc network would form and other laptops would attach to it instead of advertising their own ad-hoc network.
*** A system was classified as vulnerable if it could be remotely compromised or it was open enough to allow files to be copied to or from the hard drive. Vulnerabilities included CVE-2005-0059 (MS05-017), CVE-2005-1983 (MS05-039), open shares, and NULL access.

William P.N. Smith wrote:

Reply to
frankdowling1

WinXP SP2: Network Connections, right-click on the wireless network, Properties, "Wireless Networks" tab at the top, "Advanced" in the lower right. Select "Access Point only".

If you are using some client manager rather than "Use Windows to configure", there should be some corresponding setting.

This would help you with this particular exploit, but as David notes, you might fall prey to some other unsecured network name that you automatically connect to. "tmobile" might be a good guess at a SSID that you would want to connect to with no credentials.

On the page where you clicked "advanced", there is a list of Preferred networks. Things like tmobile should be noted as (on demand), not (Automatic). If you have security enabled, automatic is okay.

Reply to
dold

from the original article: Solution/Workaround

-------------------

Until Microsoft releases Service Packs for the affected platforms, use one of the following three workarounds:

Workaround #1:

Disable wireless when not in use. Simple, eh?

Workaround #2:

Use an alternate Wireless Client Manager (e.g. for an integrated Intel Wifi connector, use Intel PROSet/Wireless), as all others tested do not seem to have the problem (this testing was not all-inclusive).

Workaround #3 (recommended):

1. Click on the Wireless option in the System Tray and open the Wireless Network Connection window.
2. Click on "Change advanced settings".
3. In the Wireless Network Connection Properties window, click on the Wireless Networks tab.
4. Click on the Advanced button.
5. Click on "Access point (infrastructure) networks only".

This workaround prevents you from connecting to any ad-hoc network in the first place.

> Does the author mention how to configure your way out of it?

Reply to
frankdowling1
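An added example, not posted by anyone in this thread and not Microsoft's own code: the two dialog changes above (dold's "Access Point only" plus demoting open networks to on-demand, and the advisory's Workaround #3) expressed as a script for Windows Vista and later, where the WLAN AutoConfig service is driven by "netsh wlan" rather than the XP dialog. It assumes an elevated prompt and English netsh output (the field labels are localized), and it treats any profile with Authentication "Open" and Cipher "None" as an unsecured hotspot profile.

```powershell
# Added example (not from the thread or from Microsoft). "netsh wlan"
# equivalent of the XP dialog steps: refuse ad hoc networks outright, and
# make every saved profile that has no key connect only on demand.
# Assumptions: elevated prompt; English netsh output; Windows Vista or later.

# 1. "Access point (infrastructure) networks only": a deny-all filter for
#    the ad hoc network type, whatever SSID the other laptop is beaconing.
netsh wlan add filter permission=denyall networktype=adhoc | Out-Null

# 2. Enumerate saved profiles (both "All User" and "Current User" entries).
$profiles = netsh wlan show profiles |
    Select-String '(?:All|Current) User Profile\s*:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

# Read one "Label : value" field out of "netsh wlan show profile" output.
function Get-ProfileField {
    param([string[]]$Lines, [string]$Label)
    $m = $Lines | Select-String "^\s*$Label\s*:\s*(.+)$" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() }
}

$demoted = @()
foreach ($name in $profiles) {
    $detail = netsh wlan show profile "name=$name"
    $auth   = Get-ProfileField $detail 'Authentication'
    $cipher = Get-ProfileField $detail 'Cipher'
    $mode   = Get-ProfileField $detail 'Connection mode'

    # Open + None means no key at all: an impostor with the same SSID is
    # enough to satisfy it. WEP/WPA profiles require the key and may stay
    # automatic, as dold notes.
    $unsecured = ($auth -eq 'Open' -and $cipher -eq 'None')
    if ($unsecured -and $mode -like 'Connect automatically*') {
        netsh wlan set profileparameter "name=$name" connectionmode=manual | Out-Null
        $demoted += $name
    }
}

"Ad hoc networks blocked; profiles switched to connect manually: $($demoted -join ', ')"
```

Run it once after visiting a hotspot, or drop it into a logon script; "netsh wlan show filters" lists the ad hoc block afterwards, and "netsh wlan show profile name=tmobile" should now read "Connect manually".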

Thanks!

Reply to
William P.N. Smith

You don't even need to guess, you can either watch the list of AP's probed for with something like Kismet or if you're feeling really lazy, just fire up hotspotter which is designed to listen to these probes and then assume the SSID accordingly, automatically. It already has a huge list of typical SSID's to listen to. :)

David.

Reply to
David Taylor

I use Boingo. Does a great job of finding signals.

Reply to
RadAct

It doesn't act like an access point though and respond to probing clients does it?

Reply to
David Taylor

Is

formatting link
what you are talking about, or some kind of software package?

Thanks!

Reply to
William P.N. Smith

No, hotspotter that I'm talking about is a util that runs on a linux box which listens for probes from stations and then assumes the SSID of one of those probed stations looking for a hotspot.

It's essentially a hacker's tool.

Unsuspecting client connects to T-Mobile for example. Whereas you could easily set up an AP as T-Mobile, hotspotter listens for the ones you are probing for then, according to its long list of typical hotspots, assumes that name.

David.

Reply to
David Taylor

Ah, OK, I sorta found something at

formatting link
but I'm getting: /* This account has been suspended. Either the domain has been overused, or the reseller ran out of resources.

*/

Don't suppose there's any way of detecting it, or avoiding it except to ensure that all the SSIDs in your preferred networks are secured with a {WEP,WPA} key, which hotspotter couldn't match.

Plus or minus seeing that you are connected to an unexpected AP...

Reply to
William P.N. Smith

Well there's the free hotspot defence kit from the Shmoo Group but that does require that you accept those hotspots based on MAC address as far as I could see.

Yes, but that's the problem. Your typical business user who expects to connect to an open hotspot, sits down with their laptop and finds a hotspot of the type they have connected to before. Why wouldn't they expect that? :)

That's what Intel's tv adverts tell them will happen.

David.

Reply to
David Taylor
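An added example, not from anyone in this thread and not the Shmoo Hotspot Defense Kit: the "seeing that you are connected to an unexpected AP" check William asks about, done the way David describes, by pinning each SSID to the BSSIDs (AP MAC addresses) you have seen it from before and flagging anything else, plus any association that is not to an infrastructure network at all. It assumes Windows Vista or later with English "netsh wlan show interfaces" output; the allowlist is a made-up placeholder you would fill in from your own first, trusted connection.

```powershell
# Added example (not from the thread or from any tool it names). Flags the
# "unexpected AP" case: the laptop is associated, but not to an infrastructure
# network with a BSSID previously seen for that SSID.
# Assumptions: Windows Vista or later, English netsh output; the allowlist
# below is hypothetical.

$KnownBssids = @{
    'linksys' = @('00:11:22:33:44:55')   # hypothetical: Alice's home AP
    'tmobile' = @()                      # hypothetical: chain hotspot, any BSSID, still no ad hoc
}

# Pull the live association out of "netsh wlan show interfaces".
function Get-WlanAssociation {
    $out = netsh wlan show interfaces
    $field = {
        param($label)
        $m = $out | Select-String "^\s*$label\s*:\s*(.+)$" | Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value.Trim() }
    }
    [pscustomobject]@{
        State       = & $field 'State'
        SSID        = & $field 'SSID'
        BSSID       = & $field 'BSSID'
        NetworkType = & $field 'Network type'
    }
}

# Policy is kept separate from parsing so it can be run on a constructed object.
function Test-WlanAssociation {
    param($Assoc, [hashtable]$Known)
    $findings = @()
    if ($Assoc.State -ne 'connected') { return $findings }

    # Anything that is not an access point is the peer-to-peer case from the advisory.
    if ($Assoc.NetworkType -ne 'Infrastructure') {
        $findings += "Associated to '$($Assoc.SSID)' as '$($Assoc.NetworkType)', not an access point"
    }
    if (-not $Known.ContainsKey($Assoc.SSID)) {
        $findings += "SSID '$($Assoc.SSID)' is not in the allowlist"
    }
    elseif ($Known[$Assoc.SSID].Count -gt 0 -and $Known[$Assoc.SSID] -notcontains $Assoc.BSSID) {
        $findings += "SSID '$($Assoc.SSID)' seen from unknown BSSID $($Assoc.BSSID)"
    }
    return $findings
}

# Constructed sample: what an ad hoc impostor beaconing "linksys" looks like.
$sample = [pscustomobject]@{
    State = 'connected'; SSID = 'linksys'; BSSID = '66:77:88:99:aa:bb'; NetworkType = 'Ad Hoc'
}
Test-WlanAssociation -Assoc $sample -Known $KnownBssids | ForEach-Object { Write-Warning $_ }

# Live check against whatever the adapter is associated to right now.
Test-WlanAssociation -Assoc (Get-WlanAssociation) -Known $KnownBssids | ForEach-Object { Write-Warning $_ }
```

The constructed sample produces two warnings (non-infrastructure link, unknown BSSID). A BSSID pin is only as good as the first association you trusted, and a MAC address is trivially spoofed by an attacker who already knows your home AP, so treat this as a tripwire for the casual honeypot rather than a substitute for putting a key on every preferred network.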

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.