Eleven Myths about 802.11 Wi-Fi Networks, series 1
It seems that Wi-Fi networks have been misunderstood by much of the IT community since their inception.
Even the reasons for this misunderstanding are kind of hard to understand. It could be that the rising popularity of Wi-Fi caused demand to surge ahead of the supply of professionals ready to manage networks. Maybe it’s that networking folks and radio frequency folks both had to learn the other side’s technology on a fairly intimate level. Maybe it’s just that engineers cooped up in an RF chamber all day have a hard time explaining themselves. Whatever the reason, the result has been that myths about 802.11 (better known as Wi-Fi) networks have grown almost as fast as the technology itself.
Being wireless networking instructors gives us a unique vantage point for sampling the Wi-Fi myths believed by a wide variety of IT professionals. In this series we examine 11 such myths and explore ways to use correct information about wireless LANs to make your networks scalable, secure and satisfying to your users.
Myth #1: If you leave your Wi-Fi adapter turned on, someone could easily hijack your notebook and take control of your computer.
The most widely publicized presentation at the 2006 Black Hat hackers convention revolved around a vulnerability in certain wireless device drivers [1]. Though the chipsets that use these drivers were left unnamed, the end result was that intruders associated to the same Wi-Fi network as your notebook computer could potentially gain access to your machine through a command line interface.
This is a severe vulnerability, and it strongly emphasizes the point that Wi-Fi stations should be kept from associating to unknown networks. Unfortunately, the people responsible for creating the application that performs this intrusion also ended up perpetuating one of the most widespread myths concerning Wi-Fi security.
As part of the promotion of their presentation, the authors of this attack tool claimed that Wi-Fi stations were vulnerable to attack just by leaving their Wi-Fi adapters enabled. They could be correct to an extent, as there may be heretofore unknown flaws in Wi-Fi device drivers that could allow an attacker to disengage normal login protections that are in place for today’s operating systems.
Where the presenters of this attack went wrong is in suggesting that a full active attack—one where a victim’s entire machine is overrun—is possible against any poor sap that has a Wi-Fi adapter turned on. In certain situations, this line of thinking ends up being accurate but, like many network intrusions, it would take an extremely negligent end user for such a diabolical attack to be successful.
Let’s put one semi-myth to bed right away: Attackers cannot access your computer without first establishing a connection to the same network you are associated to. This is a fundamental truth of networking. Any peer-to-peer attack—such as the CLI attack touted at Black Hat 2006—requires that data be transferred from station to station. Since a Wi-Fi association is necessary for a notebook computer to have a data link layer (layer 2) connection, perpetrating this attack on an unassociated machine is simply impossible.
Now let’s look at the more widely propagated myths. Many people believe that unassociated stations are vulnerable because your notebook computer can be easily hijacked onto a nearby network by an attacker. It is also widely held that associated stations could surreptitiously roam to nearby APs set up by attackers (we’ll call these “hijacker APs”). These myths are tricky because there is some truth to both of them. Let’s differentiate, shall we?
Concerning unassociated stations, many of them are indeed vulnerable to hijacking. Specifically, stations that are controlled by Wi-Fi client utilities that use a Preferred Networks list are vulnerable to hijacking. If the attacker creates an AP with a non-encrypted SSID that is in the station’s Preferred Networks list, the station will connect to the hijacker AP.
There are a couple of solutions to the problem of hijacker APs. Users could eliminate this threat by removing all non-encrypted SSIDs from their list of Preferred Networks. This becomes difficult because every time a user connects to a Wi-Fi network, the SSID and encryption settings (or lack of encryption settings) are automatically added to their Preferred Networks list. A more comprehensive solution is to disable the Wi-Fi adapter when it is not in use. Sure, this is a great solution in theory but, in practice, users are oftentimes forgetful or negligent when it comes to network security.
Solving the hijacker AP problem may be getting easier. Applications like NetOaats can be configured to disable a user’s wireless network adapter upon connection to a wired network. It can even be configured to work the same way if a notebook establishes a connection to a broadband wireless network (like the EV-DO networks from Sprint and Verizon). Simply by having users run the NetOaats application, they become much less susceptible to peer-to-peer attacks.
Another factor that counteracts the attack from Black Hat 2006 is the widespread availability of security mechanisms that prevent Wi-Fi stations from accessing each other. Protocols such as Cisco’s Public Secure Packet Forwarding (PSPF) prevent a wireless user from accessing another wireless user’s station when they are connected to the same AP. This is known as wireless client isolation. Virtually every commercial public Wi-Fi Internet service uses some kind of wireless client isolation. The end result is that users remain safe as long as they stay connected to the network of the Wi-Fi Internet access provider.
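Client isolation is not specific to Cisco gear. As an added example (not from the article or from the vendors it names), here is how the equivalent behaviour is switched on in a hostapd-based access point via its ap_isolate option; the interface name, SSID and passphrase are placeholders.

```ini
# hostapd.conf (added example; interface, SSID and passphrase are placeholders)
interface=wlan0
ssid=ExampleNet
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-placeholder
# Stop the AP from bridging frames between its own associated stations, so one
# client cannot reach another through the AP (the effect the article attributes
# to Cisco PSPF). Default is 0 (bridging allowed); 1 enables isolation.
ap_isolate=1
```

With ap_isolate=1 the AP still forwards each station's traffic to the wired side, so Internet access is unaffected; only station-to-station delivery through the AP is dropped, which is exactly what removes the peer-to-peer path the Black Hat 2006 tool depended on.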
There are several other mini-myths that are related to this fundamental myth about the ease of hijacking users. One is that users will connect to an ad-hoc (peer-to-peer) Wi-Fi network that is configured with the same SSID as an AP. This is false because Beacon frames from APs always indicate whether the network is a BSS (network with an AP) or an IBSS (ad-hoc network).
Another myth is that users will automatically connect to any access point in the area if their Wi-Fi adapter is left enabled. While some very old client utilities did have this flaw, today’s client utilities usually only allow a Wi-Fi station to associate to SSIDs that are configured with proper security settings in the list of Preferred Networks.
The truth about the flaw that was presented at the Black Hat 2006 conference is that it appears to be a very real device driver flaw dressed up as a Wi-Fi vulnerability to peer-to-peer attacks that has been known and understood for years by well-versed network security professionals. It is true that if the following conditions are met, users are vulnerable to the full attack:
1. The user has an enabled Wi-Fi adapter.
2. The user’s Wi-Fi adapter is not associated to a network that uses encryption.
3. The user has a non-secure SSID configured in their list of Preferred Networks.
If any of these three conditions is not met, the Black Hat 2006 wireless attack becomes just another vulnerability on the periphery of Wi-Fi that perpetuates one of the most common myths about Wi-Fi security.
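The mechanics behind three of the points above (the Beacon frame flags that distinguish a BSS from an IBSS, the way a Preferred Networks client decides whether to auto-associate, and the three-condition checklist) can be made concrete in code. The following is an added example written for this page, not code from the article or from any client utility it mentions. It parses a minimal Beacon frame body (fixed fields plus SSID and RSN information elements), models a client that only joins SSIDs whose advertised security matches the stored profile, and evaluates the three conditions. All frames and profile names are constructed samples, and the client policy is a simplified model of the behaviour the article describes.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import List, Tuple

# Capability Information bits carried in every Beacon frame (IEEE 802.11).
CAP_ESS = 0x0001      # bit 0: infrastructure BSS, i.e. an access point
CAP_IBSS = 0x0002     # bit 1: independent BSS, i.e. an ad-hoc network
CAP_PRIVACY = 0x0010  # bit 4: data confidentiality required (WEP/WPA/WPA2)

EID_SSID = 0   # information element id for the SSID
EID_RSN = 48   # information element id for the RSN (WPA2) element


@dataclass
class BeaconInfo:
    ssid: str
    is_ap: bool     # ESS set and IBSS clear
    is_ibss: bool
    privacy: bool
    has_rsn: bool


def parse_beacon_body(body: bytes) -> BeaconInfo:
    """Parse a Beacon frame body (the bytes after the 24-byte MAC header).
    Fixed fields first: timestamp (8), beacon interval (2), capability (2),
    little-endian; tagged elements (id, length, data) follow."""
    if len(body) < 12:
        raise ValueError("beacon body too short for the fixed fields")
    _timestamp, _interval, cap = struct.unpack_from("<QHH", body, 0)
    ssid, has_rsn, off = "", False, 12
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        data = body[off + 2: off + 2 + elen]
        if len(data) != elen:
            raise ValueError("truncated information element")
        if eid == EID_SSID:
            ssid = data.decode("utf-8", errors="replace")
        elif eid == EID_RSN:
            has_rsn = True
        off += 2 + elen
    ess, ibss = bool(cap & CAP_ESS), bool(cap & CAP_IBSS)
    return BeaconInfo(ssid, ess and not ibss, ibss, bool(cap & CAP_PRIVACY), has_rsn)


def build_beacon_body(ssid: str, ibss: bool = False, privacy: bool = False,
                      rsn: bool = False) -> bytes:
    """Construct a minimal Beacon body for the demo (constructed sample, not a capture)."""
    cap = CAP_IBSS if ibss else CAP_ESS
    if privacy:
        cap |= CAP_PRIVACY
    ssid_b = ssid.encode("utf-8")
    body = struct.pack("<QHH", 0, 100, cap) + bytes([EID_SSID, len(ssid_b)]) + ssid_b
    if rsn:
        # minimal RSN element: version 1, group cipher CCMP, one pairwise suite
        # (CCMP), one AKM suite (PSK), RSN capabilities 0
        rsn_body = (struct.pack("<H", 1) + b"\x00\x0f\xac\x04"
                    + struct.pack("<H", 1) + b"\x00\x0f\xac\x04"
                    + struct.pack("<H", 1) + b"\x00\x0f\xac\x02"
                    + struct.pack("<H", 0))
        body += bytes([EID_RSN, len(rsn_body)]) + rsn_body
    return body


@dataclass(frozen=True)
class PreferredNetwork:
    ssid: str
    encrypted: bool  # the security setting stored when the profile was created


def should_associate(beacon: BeaconInfo,
                     preferred: List[PreferredNetwork]) -> Tuple[bool, str]:
    """Simplified Preferred-Networks client: auto-associate only when the SSID is
    listed and the advertised security matches the stored profile. An IBSS
    beacon never matches an AP profile, so a same-SSID ad-hoc network is ignored."""
    if not beacon.is_ap:
        return False, "not an infrastructure BSS (IBSS or unknown capability)"
    profile = next((p for p in preferred if p.ssid == beacon.ssid), None)
    if profile is None:
        return False, "SSID not in Preferred Networks"
    if profile.encrypted != beacon.privacy:
        return False, "advertised security does not match the stored profile"
    return True, "matches stored profile"


def risky_profiles(preferred: List[PreferredNetwork]) -> List[PreferredNetwork]:
    """Open profiles: any AP advertising one of these SSIDs would be auto-joined."""
    return [p for p in preferred if not p.encrypted]


def vulnerable_to_hijack(adapter_enabled: bool, associated_to_encrypted: bool,
                         preferred: List[PreferredNetwork]) -> bool:
    """All three conditions from the article must hold for the full attack."""
    return adapter_enabled and not associated_to_encrypted and bool(risky_profiles(preferred))


if __name__ == "__main__":
    prefs = [PreferredNetwork("CorpNet", True), PreferredNetwork("CoffeeShop", False)]
    samples = {
        "open AP, SSID in list": build_beacon_body("CoffeeShop"),
        "ad-hoc with same SSID": build_beacon_body("CoffeeShop", ibss=True),
        "rogue open 'CorpNet'": build_beacon_body("CorpNet"),
        "real WPA2 CorpNet": build_beacon_body("CorpNet", privacy=True, rsn=True),
    }
    for label, body in samples.items():
        print(f"{label:24s} -> {should_associate(parse_beacon_body(body), prefs)}")
    print("profiles to remove:", [p.ssid for p in risky_profiles(prefs)])
    print("full attack possible:", vulnerable_to_hijack(True, False, prefs))
```

Running the script shows the two sides of the myth: the open "CoffeeShop" profile is the one path by which a hijacker AP gets auto-joined, while a same-SSID ad-hoc network and a rogue open "CorpNet" are both refused, the first because the IBSS bit is set and the second because the stored profile expects encryption. Deleting the entries returned by risky_profiles, or disabling the adapter, makes vulnerable_to_hijack return False.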