Lately I've been wondering if there is really a secure way to get uncontrolled mobile devices onto the wireless network. I have no problem extolling the security virtues of wireless networks once clients are properly configured, but there is an increasing need to examine that short period of time starting when end-users decide they want to access the WLAN, and the moment when they are actually authenticated.
I don't really have deep concerns with wireless clients that are already under the control of IT. For these devices, there are tools like MDM and GPO that can make sure that supplicants get configured consistantly and securely. What about those uncontrolled devices though?
The use of captive portals is already a point of contention with wireless engineers. Some people see a real use for them and other dislike them because of the negative impact they tend to have on user experience. I'm still on the fence with regards to that discussion, but lately I've really started to dislike them for security reasons.
In 2009, Moxie Marlinspike spoke about the underlying issues with having a web that supports both HTTP and HTTPS. He went further and released a tool called sslstrip which demonstrated the problem. Essentially, and I'm really paraphrasing here, because web servers and browsers accept HTTP as a valid channel, it is possible to intercept client traffic and rewrite all of the HTTPS links and locations and present HTTP versions to the client. The end result is the attacker gets to see all of the usernames and passwords in cleartext.
It is now 2013, that's 4 years later for those of you keeping score, and we are still in the same boat. In fact, I would argue that we are worse off because the wireless industry has adopted captive portals as both a means for user authentication and as a method for provisioning credentials. Let's pause for a demonstration of this attack:
These are all tools that I would normally run directly on a BT image but I was recently loaned a WiFi Pineapple Mark IV so I figured I would see how well it worked. I honestly had no idea how much the Pineapple had evolved (I used to have a Mark II) and just how easy it was for anyone with just over $100 to launch these attacks. With only a basic level of skill, anyone can easily harvest credentials from people authenticating to a captive portal.
Worse still, the industry has started to use captive portals as a method to securely provision credentials to end-users. It is quite possible to strip SSL out the provisioning session and record the provision procedure. This is my main concern with captive portals. Given how easily any kid can strip out all of the security, do we really want to use them as our secure channel for provisioning credentials?
What's the Solution?
This is the part I've been struggling with and I'm hoping that someone can show me the light. I'm not really sure what the solution is. We could start by ensuring that the captive portal provisioning only occurs after you've authenticated to a EAP-PEAP protected network. That would at least ensure that all data is encrypted at layer 2 instead of cleartext by default. However, as I mentioned in my previous blog post, there are risks that come along with expecting end-users to properly configure a supplicant for EAP-PEAP. Thus, the viability of this as a solution rests in the hands of the end-user; that's not a good thing.
Beyond PEAP, we could ensure that we have proper rouge detection and alerting in place. This should, at least, give us that heads up when this type of attack is occuring. Unfortunately, this is not a preventative measure since you are only notified once the attack has already taken place. Also, I don't see single-AP coffee shops deploying and configuring WIDS all the time.
Like I said at the beginning of this section, I am not really sure what the answer is. As an industry, we have done our best to adapt existing authentication methods to cope with the BYOD onslaught. Is the answer that we need a new authentication method that is design with BYOD in mind? If so, what does that solution look like? Or, is there an easy solution to this that I'm just not seeing?
What are your thoughts on the subject? I'm really interested in hearing different approaches to tackling this issue so please leave your comments below and be sure to share this post with others.