Viral wireless
You will doubtless have noticed that often, when you are connecting to a wireless network, more than one wireless network is available and many of these additional wireless networks are obviously people's home access points with default SSID and no security.

Have you also noticed an increasing number of ad-hoc wireless networks named "Free Public Wifi"?

I have. And I've now seen "Free Public Wifi" in many different locations in several countries too.

They can't all be the same network. And why the name Free Public Wifi? And why ad-hoc, not access point infrastructure?

Well, curiosity finally got the better of me and I asked Google to explain it to me.

Did you know that Windows, when connecting to an ad-hoc WLAN of the sort that you might deliberately, if transiently, create for the purpose of a one-off file transfer between two wireless capable systems, remembers the SSID of that ad-hoc WLAN and broadcasts it itself later? No user intervention required? This is presumably to make it easier for non-technical users to re-create ad-hoc wireless networks, regardless of the order in which peer systems boot, but it has an unintended consequence.

It can behave in a viral manner. Consider this scenario.
  1. User A creates an ad-hoc network named "Bear Trap for the Unwary" and sits in a public place somewhere where his bear trap can be discovered.
  2. User B, a stranger to User A, scans for available WLANs, discovers "Bear Trap for the Unwary" and connects to it.
  3. Nothing happens and User B thinks nothing more of it. User B is unaware that, from now on, his PC will broadcast an ad-hoc network named "Bear Trap for the Unwary".
  4. Some time later, User B is in a different location using his laptop, User C, a stranger to User B, scans for available WLANs, discovers "Bear Trap for the Unwary" and connects to it.
  5. Go to step 3. Lather, rinse and repeat.

Now, what if the name of that ad-hoc network is something very tempting, like "Free Public Wifi"?

Do you think that a non-technical user looking for a free ride might be tempted to give it a try?

I do.

Here's what I think happened.

A few months or perhaps a year or so ago, either as a prank to see how far this WLAN virus could travel or possibly with more sinister motives such as a desire to lure a specific victim to connect and receive some malicious payload, someone created the first "Free Public Wifi" ad-hoc wireless network.

Several people connected to it - and some may have suffered as a result if it was indeed an attempt to break in - but most just moved on, carrying with them laptops which would continue to advertise ad-hoc networks named "Free Public Wifi". And so the viral cycle began.

It is in the nature of this type of phenomenon to grow exponentially.

The first recorded sightings happened in the middle of last year and these things are now everywhere.

This advisory explains the Windows silent ad-hoc network advertisement phenomenon in more detail.

This advisory documents an anomaly involving Microsoft's Wireless Network Connection. If a laptop connects to an ad-hoc network it can later start beaconing the ad-hoc network's SSID as its own ad-hoc network without the laptop owner's knowledge. This can allow an attacker to attach to the laptop as a prelude to further attack.

My favourite part?

There is a warning about using Link-Local with wireless LANs due to the lack of physical security in RFC 3927 section 5 paragraph 3, but unfortunately Microsoft failed to properly heed this warning in spite of co-authoring the RFC.

Why does this not surprise me?
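
A beacon states whether it comes from an access point or an ad-hoc station, so scan results can be checked for the pattern described above: the same unsecured ad-hoc SSID advertised from several separately started cells. The sketch below is an added example, not part of the original post or the advisory; the beacon records are constructed sample data, the function names are hypothetical, and it assumes each distinct BSSID is a separately started ad-hoc cell.

```python
from collections import defaultdict

# Bits of the 802.11 Capability Information field carried in every beacon.
CAP_ESS = 0x0001      # set by access points (infrastructure mode)
CAP_IBSS = 0x0002     # set by ad-hoc (IBSS) stations
CAP_PRIVACY = 0x0010  # set when the network requires encryption

# Constructed observations: (location, ssid, bssid, capability field).
SAMPLE_BEACONS = [
    ("airport", "Free Public Wifi", "02:1a:4b:00:11:22", 0x0002),
    ("hotel", "Free Public Wifi", "06:9c:21:aa:bb:cc", 0x0002),
    ("cafe", "Free Public Wifi", "0a:33:7e:10:20:30", 0x0002),
    ("cafe", "CafeGuest", "00:11:22:33:44:55", 0x0411),   # encrypted AP
    ("hotel", "linksys", "00:14:bf:01:02:03", 0x0401),    # open AP
    ("office", "filexfer", "02:aa:bb:cc:dd:ee", 0x0012),  # encrypted ad-hoc
]

def classify(cap):
    """Return the network type a beacon's capability field advertises."""
    ess, ibss = bool(cap & CAP_ESS), bool(cap & CAP_IBSS)
    if ibss and not ess:
        return "ad-hoc"
    if ess and not ibss:
        return "infrastructure"
    return "other"

def open_adhoc_report(beacons):
    """Group unencrypted ad-hoc beacons by SSID, most widespread first."""
    seen = defaultdict(lambda: {"bssids": set(), "locations": set()})
    for location, ssid, bssid, cap in beacons:
        if classify(cap) == "ad-hoc" and not cap & CAP_PRIVACY:
            seen[ssid]["bssids"].add(bssid.lower())
            seen[ssid]["locations"].add(location)
    report = [
        {
            "ssid": ssid,
            "cells": len(info["bssids"]),
            "locations": sorted(info["locations"]),
            # One SSID from several separately started ad-hoc cells is the
            # propagation pattern described in the scenario above.
            "viral_pattern": len(info["bssids"]) > 1,
        }
        for ssid, info in seen.items()
    ]
    return sorted(report, key=lambda row: row["cells"], reverse=True)

if __name__ == "__main__":
    for row in open_adhoc_report(SAMPLE_BEACONS):
        print(row)
```
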




Update: This phenomenon is a year or more older than I first thought. According to this post, Free Public Wifi was being seen in early 2006.




Category: Viruses and Worms

Comments :

1. Peter 30/01/2008 13:57:35


In looking at the link, I notice it is dated Jan. 2006.

It does say that, "Microsoft has scheduled to include the fix in the next service packs."

Are you saying that this is still an issue with the current release / patch level? (Granted - there are probably LOTS of laptops floating around out there that haven't been patched in two years...)




2. Chris Linfoot 30/01/2008 15:14:38


Note carefully what the advisory says.

"Microsoft has scheduled to include the fix in the next service packs."

Service pack 2 for Windows XP was released on August 25, 2004, some 17 months before this advisory was published. Service pack 3 isn't out yet.

So yes. Fully patched XP systems exhibit this behaviour.

I'm not sure whether Vista does, though I would certainly hope not.




3. Peter 30/01/2008 16:27:15


I missed that little detail - my bad.

It did make me poke around the M$ site, though. They just released Service Pack 3 last month:

http://www.microsoft.com/downloads/details.aspx?FamilyID=68C48DAD-BC34-40BE-8D85-6BB4F56F5110&displaylang=en

I've not had a chance to search through the details yet to see if they actually fixed this problem.

Thanks again for the heads up.




4. Chris Miller 30/01/2008 19:20:32
Homepage: http://www.IdoNotes.com


I see that ad hoc network everywhere in the world I travel. Tethered modem saves me the pain from that one.




5. Ted Hardenburgh 31/01/2008 00:21:05
Homepage: http://dominothoughts.com


Funny you should write about this. Saw one on my flight home from the 'sphere at 32K feet.




6. Rod Stauffer 31/01/2008 08:39:24


I could be wrong on this (networking is not my area of expertise), but I think the "Wireless Client Update for Windows XP with Service Pack 2" just might have addressed the issue. See:
http://support.microsoft.com/kb/917021




7. Simon Scullion 31/01/2008 08:44:08
Homepage: http://simonscullion.com/


Another reason to dump Windows for Ubuntu? As if we haven't enough good ones already!




8. Chris Linfoot 31/01/2008 09:33:56


@6: No, that is a fix for an unrelated and somewhat less serious issue.

If a Windows system has preferred WLANs in its list, it will first try to find their broadcast SSID but if that fails it will probe for non-broadcast networks with the names of its preferred networks. This potentially exposes the names of that Windows system's preferred networks to anyone suitably equipped to sample WLAN signals.

This is not the bug which causes a Windows client of an unsecured ad-hoc network to assume that network's identity later.

@7: Got a working Ubuntu driver for my WLAN adapter? (not NDIS wrapper)

I haven't.




9. Fabian Robok 05/02/2008 10:37:40


Just to make this clear: Service Pack 3 for Windows XP has not been released, yet. There obviously is a Release Candidate 1 available to beta testers.



