Time for a Wireless Checkup
As I mentioned briefly in 30 Steps to a Secure Organization, I recently did a security review for a small business customer. When I arrived, he was on the phone, and had me wait in a side office also used for their server and network equipment. I did an initial survey of their equipment, and found a recent-model wireless access point. This particular manufacturer, in an effort to ensure that customers used good passwords, created a random password and posted it on a sticker on the outside of the unit. Within 30 seconds of walking into the office, I had access to the wireless network. Once in, I looked up the default admin credentials for the model, and within 30 more seconds, I had full control of the access point. I suspect this vulnerability is repeated over and over again in the Small and Medium Organization (SMO) world.
Now, don't blame this customer, or those like him. They lack the experience and training to fully understand the risks. They know only that they need wireless access now, not next week. IT providers who support such customers, many themselves small, often cannot drop everything to handle such a request. Equipment manufacturers have made self-setup easy (perhaps too easy), so one of the SMO employees gets it done.
Wireless networks are unique in that they are accessible outside of the walls of an organization, as compared to a cabled LAN that is only accessible from within the facility (in most cases, but that is a different story). We have been using the industry term "war driving" for years, describing those who drive around looking for (and often finding) vulnerable networks into which they can break, from the comfort of their cars. I have coined the term "war walking" to describe similar activities done while walking around in a multi-tenant office building, made possible by the proliferation of handheld devices. This is a huge exposure (if you are not convinced, check out WiGLE.com, or the many sites like it).
Unfortunately, with the growth of successful security breaches, the problem now extends beyond "war driving" and "war walking". Should a hacker penetrate the network of one of your neighbors, they can use a PC on that network with wireless access to look for and break into vulnerable networks. Thus, some hacker in Russia may have access to your vulnerable wireless network.
Because of the extreme nature of this exposure, and the large number of vulnerable wireless networks that exist, I am suggesting that each SMO conduct a "wireless checkup" at least once a year. This will make up for any new access points installed in haste, and will address new issues that have come up since installation.
I would suggest the following roadmap for such a routine check:
1) Figure out the date the access point was installed. If it is over 1.5 years old, take it home, and apply your largest hammer to the problem. So many changes have occurred in the last 2 years in wireless technology and hacking techniques, it is unlikely that an older unit can be fully secured. Don't take the chance. A replacement is not very expensive, and will likely be faster as well. If you need one, I recommend Engenius, or for larger organizations, Ruckus (full disclosure - I do NOT sell access points, these are simply the ones I am comfortable installing).
For those with larger offices, both of these product lines feature units that work well together when multiple access points are needed for coverage reasons. They include the ability to hand traffic off from one AP to the next when moving around the office.
2) If you have a newer unit, check the firmware version. This is usually available somewhere in the admin menu. Check the manufacturer's web site, and look for a newer version. You will probably find one. Quoting a Threat Brief article relating to a known issue with Belkin access point firmware, "The bad news is that approximately nobody installs router firmware updates." Apply the new firmware to your unit.
3) Check your encryption settings. It should be set to WPA2-PSK. WEP, the encryption standard in use for years, was broken some time ago. You can even find tools on the Internet to help you break into a WEP network. I still find WEP in use, and for reasons of compatibility (or laziness), manufacturers continue to support WEP. If you find WEP, change it.
4) Check your admin credentials to ensure that they are not set to the default. Manufacturers often use "admin" as the username, and "admin" or the name of the manufacturer as the password. If it is set to the default, change it to a strong password. There are tools that can be used to check the strength, such as this one from Kaspersky Labs. CAUTION: You should enter a variation of your proposed password just to be safe, or use an anonymous browsing session.
5) Change your wireless access password. Routine changes are a good idea, because employees come and go. Additionally, many SMOs give the password to guests or contractors. These folks may be accessing your network without you even knowing it. On a related note, avoid giving the password to non-employees. Many access points support a guest network, although some back-end network changes are required to fully secure a guest network.
6) Check for rogue access points. Many organizations experience a problem with users setting up their own access points. After all, they are inexpensive, and easily installed. I have heard a variety of excuses for this, and it happens more than you think. Using a wireless device, note the SSIDs to which you have access. If you are in a multi-tenant facility, this can be difficult to do yourself, since you may see your neighbor's APs. Look for networks that have an unusually strong signal, and see if the SSID name might give you a clue. You can also walk around looking for stray antennas. You may also see printers or other devices acting as APs. If you find any of these, disable their access point functionality.
You should also look for counterfeit SSIDs, which can be set up to allow people looking for your network to accidentally end up in the fake one. Any such networks will have names very similar to yours.
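As an added example, not code from the original post, here is a small Python script that applies the step 3 and step 6 checks to a scan listing. It assumes you can export a scan as tab-separated lines (SSID, BSSID, signal percent, security) from whatever wireless scanner you use; the organization name "AcmeCorp", the list of your own APs' BSSIDs, the 80% "strong signal" threshold and the sample scan are all constructed for the example. Own APs are checked for WEP or open encryption; unknown APs are flagged when they broadcast your SSID (counterfeit), a near-miss of it (look-alike), or an unusually strong signal (likely a rogue AP or a printer in AP mode inside the office).

```python
"""Wireless checkup helper: flag counterfeit, look-alike, rogue and weakly
encrypted networks in a Wi-Fi scan listing.

Added example, not from the original article. The input format is an assumed
tab-separated export (SSID, BSSID, signal %, security) that you produce from
your own scanner; every value below is constructed.
"""
import difflib
from dataclasses import dataclass

# Assumed: your own network name and the BSSIDs (radio MAC addresses) of the
# access points you installed yourself. Anything else advertising your SSID
# is counterfeit.
ORG_SSID = "AcmeCorp"
KNOWN_BSSIDS = {
    "AA:BB:CC:00:00:01",  # main office AP
    "AA:BB:CC:00:00:02",  # warehouse AP
    "AA:BB:CC:00:00:03",  # guest-network AP
    "AA:BB:CC:00:00:04",  # old AP in the side office
}
STRONG_SIGNAL = 80  # assumed threshold: this strong usually means "inside the building"

# Constructed scan listing: SSID <tab> BSSID <tab> signal% <tab> security
SAMPLE_SCAN = """\
AcmeCorp\tAA:BB:CC:00:00:01\t72\tWPA2
AcmeCorp\tAA:BB:CC:00:00:02\t65\tWPA2
AcmeCorp\tDE:AD:BE:EF:00:01\t88\tWPA2
AcmeCorp-Guest\tAA:BB:CC:00:00:03\t70\tWPA2
AcmeC0rp\tDE:AD:BE:EF:00:02\t60\tWPA2
Neighbor5G\t11:22:33:44:55:66\t40\tWPA2
HP-Print-42\t22:33:44:55:66:77\t91\t--
AcmeCorp\tAA:BB:CC:00:00:04\t50\tWEP
"""


@dataclass
class Network:
    ssid: str
    bssid: str
    signal: int     # percent
    security: str   # e.g. "WPA2", "WEP", or "--" for an open network


def parse_scan(text: str) -> list[Network]:
    """Parse the tab-separated listing into Network records."""
    networks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, signal, security = line.split("\t")
        networks.append(Network(ssid, bssid.upper(), int(signal), security))
    return networks


def ssid_lookalike(candidate: str, org_ssid: str, cutoff: float = 0.8) -> bool:
    """True when candidate is a near miss of org_ssid (case change, one swapped
    character, and so on) but not the exact name."""
    if candidate == org_ssid:
        return False
    a, b = candidate.lower(), org_ssid.lower()
    return a == b or difflib.SequenceMatcher(None, a, b).ratio() >= cutoff


def uses_accepted_encryption(security: str) -> bool:
    """Step 3: only WPA2 or WPA3 is acceptable; WEP and open ('--') are not."""
    return "WEP" not in security and any(tag in security for tag in ("WPA2", "WPA3"))


def audit(scan_text, org_ssid=ORG_SSID, known_bssids=KNOWN_BSSIDS, strong=STRONG_SIGNAL):
    """Return (bssid, finding) pairs for every network that needs a look."""
    findings = []
    known = {b.upper() for b in known_bssids}
    for n in parse_scan(scan_text):
        if n.bssid in known:
            # One of our own APs: the only thing to check is its encryption setting.
            if not uses_accepted_encryption(n.security):
                findings.append((n.bssid, f"own AP '{n.ssid}' uses {n.security}; switch it to WPA2-PSK or better"))
            continue
        if n.ssid == org_ssid:
            findings.append((n.bssid, f"unknown AP broadcasting our SSID '{org_ssid}' (counterfeit AP)"))
        elif ssid_lookalike(n.ssid, org_ssid):
            findings.append((n.bssid, f"look-alike SSID '{n.ssid}' resembles '{org_ssid}'"))
        if n.signal >= strong:
            findings.append((n.bssid, f"unknown AP '{n.ssid}' at {n.signal}% signal; probably inside the office (rogue AP or a device in AP mode)"))
    return findings


if __name__ == "__main__":
    for bssid, message in audit(SAMPLE_SCAN):
        print(f"{bssid}  {message}")
```

On the sample data this reports the unknown AP copying the "AcmeCorp" name (twice, once as counterfeit and once for its strong signal), the "AcmeC0rp" look-alike, the printer at 91% signal, and the old office AP still running WEP. In a multi-tenant building the signal threshold needs tuning, and a walk with the scanner to each flagged BSSID is still the way to confirm where the device physically sits.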
The above checks are relatively easy, but there are numerous service providers around who will do it for you (us included). I do recommend against having your normal IT service provider handle it. An independent check is best. The bottom line is that it is critical that you perform this type of check on a regular basis. Put it on your calendar now.