I don’t learn any more about networking than I have to (and generally not even that), but even I think this is pretty sloppy.
Basically how it works is described in the article this way. Your company wi-fi SSID is say ACME1. If you have your phone set to auto connect to wi-fi networks, when it sees any with that name, it reveals your authentication info.
Once that is intercepted, a hacker can use that to log in to the real ACME1 location.
What’s more, Microstiffie has no plans to fix this security hole.
It’s not clear to me if the weakness is in the WPA2 encryption used by the WAP, or the passing of the workplace domain credentials, or both.
In other words, two things are going on here. The first is the authentication between the Windows phone and the Wireless Access Point. This is WPA2, presumably. The second appears to be the effort by Bob to authenticate to his company’s Windows domain with his user name and password. (I suppose, if the company was using WPA2-Radius or something similar, those two credential sets could be identical).
So where is the weak point? I’m confused. Is it the Windows domain credentials or the WPA2 password?
The phone OS isn’t set to use server certificates automatically. When it attempts to authenticate to the rogue AP without using certs, it sends a plaintext hash of the domain credentials. This hash can be broken due to a weakness in the encryption method and the domain credentials revealed, allowing domain login.
It uses domain credentials to attempt to authenticate to a server, which then permits or denies access to the network. Basically personal WPA uses the pre-shared key for both encryption and network access authorization. Enterprise WPA splits them out, and after authorization the encryption key is automatically negotiated by the server and devices. There isn’t a pre-shared key.
In this case the WPA encryption isn’t where the issue lies; it’s in the methods used to encrypt and pass the domain credentials to the authentication server.
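An added audit script (mine, not code from this thread) that reads wpa_supplicant network blocks and flags WPA2-Enterprise profiles that would run the inner password exchange without validating the server certificate, which is the condition the reply above describes. The sample config, SSIDs and file paths are constructed; the option names (key_mgmt, eap, ca_cert, domain_suffix_match, domain_match, subject_match, altsubject_match) are real wpa_supplicant settings.

```python
import re
# Constructed sample wpa_supplicant.conf (not from a real deployment): the first
# ACME1 profile trusts any RADIUS server, the second pins the CA and server name.
SAMPLE_CONF = """
network={
    ssid="ACME1"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="ACME1"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/acme-root.pem"
    domain_suffix_match="radius.acme.example"
}
network={
    ssid="BrickerRulz"
    key_mgmt=WPA-PSK
    psk="GREZveblam487WirdFallNow"
}
"""
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(conf):
    """Return one dict of settings per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        block = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, val = line.split("=", 1)
                block[key.strip()] = val.strip().strip('"')
        nets.append(block)
    return nets

def audit(conf):
    """(ssid, finding) pairs for profiles that would run MSCHAPv2 against any AP using that SSID."""
    findings = []
    for net in parse_networks(conf):
        # Skip WPA-PSK (no domain credentials) and cert-based EAP such as EAP-TLS.
        if "WPA-EAP" not in net.get("key_mgmt", "") or net.get("eap", "").upper() not in ("PEAP", "TTLS"):
            continue
        ssid = net.get("ssid", "?")
        if "ca_cert" not in net:
            findings.append((ssid, "no ca_cert: any server certificate is accepted"))
        elif not any(k in net for k in NAME_CHECKS):
            findings.append((ssid, "ca_cert set but no server-name match: any cert from that CA is accepted"))
    return findings
```

Only the first ACME1 profile is reported; the second validates both the CA chain and the server name, and the WPA2-Personal network never sends domain credentials at all.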
How can the device check the server certificate BEFORE it’s negotiated the WPA connection?
Look, let’s say I buy a consumer-grade WAP from a retail store. I set it to use SSID BrickerRulz and WPA2-Personal, and I give it the password GREZveblam487WirdFallNow.
I plug that into my network, a network that contains only the WAP (192.168.50.10/24) and a router for my ISP access (internal interface 192.168.50.1/24; external interface who cares).
Now I use my laptop to connect to wireless network BrickerRulz, and provide the password GREZveblam487WirdFallNow. I’m not even using DHCP; I statically assign 192.168.50.3/24 to my wireless card and give it a default gateway of 192.168.50.1 and tell it to use DNS servers 192.168.50.2 and 8.8.8.8.
(1) Is this setup vulnerable to the flaw discussed above? Why or why not?
(2) Can I browse the Internet successfully?
OK, now I plug my AD domain controller for domain B4EVER into my router; its address is 192.168.50.2/24 and it’s running DNS services. My laptop is a member of domain B4EVER.
(3) Is this setup vulnerable to the flaw discussed above? Why or why not?
(4) Can my laptop successfully authenticate to the AD domain controller?