Software, technology, sysadmin war stories, and more.
Friday, May 1, 2020

Bad times in corporate wireless networks

I've seen some real craziness on corporate networks. Sometimes, packets go in circles. Other times, 1/8 of the (IPv4) Internet gets caught up in a bad route.

Those are temporary things. Today's story of pain and suffering is one of those things which tends to stick around for a very long time. And, as a bonus, there's a way for evil readers (or just people with really bad attitudes) to find out if their own company is one of these.

Here's the basic premise: if you give someone your wireless network name and WPA2 passphrase (the "pre-shared key", if you must, is derived from exactly those two things and nothing else), they can get on your network. You knew that already. What you might not have realized is that they can now create a perfect clone of the network. The handshake a client does with an access point only proves that both sides know the key, so a box with the right SSID and passphrase looks exactly like the real thing to every device that has ever joined. Most of us don't actually have that "threat model" to worry about with our homes, and so giving out login details to friends is not a problem.
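To make the "perfect clone" point concrete, here is an added example (not code from the original post) that walks the WPA2-Personal key derivation and a simplified message 2 of the 4-way handshake. The SSID "CorpNet", the passphrase "hunter2", the MAC addresses and the message body are all constructed placeholders, and the MIC omits the real EAPOL-Key framing; the PBKDF2 step itself is the standard one and is checked against the published "password"/"IEEE" test vector.

```python
import hashlib
import hmac
import os


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal: the 256-bit PMK is the PSK itself, derived from the
    # passphrase and the SSID with PBKDF2-HMAC-SHA1, 4096 iterations.
    # Nothing else goes in, so anyone holding those two strings has the PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated.
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK for CCMP is 384 bits: KCK (16) || KEK (16) || TK (16). Every input besides
    # the PMK (both MAC addresses, both nonces) is sent in the clear during the handshake.
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, body: bytes) -> bytes:
    # Simplified handshake MIC: HMAC-SHA1 under the KCK, truncated to 16 bytes.
    # The real frame layout (EAPOL-Key header, zeroed MIC field) is omitted here.
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def handshake_completes(ap_passphrase: str, sta_passphrase: str, ssid: str,
                        ap_mac: bytes, sta_mac: bytes,
                        anonce: bytes = b"", snonce: bytes = b"") -> bool:
    # Simulate message 2 of the 4-way handshake: the client proves knowledge of the
    # PMK by MIC'ing its nonce; the AP (real or clone) checks it with its own PTK.
    # Nonces default to random, as in a live handshake; tests pass fixed ones.
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    sta_ptk = wpa2_ptk(wpa2_pmk(sta_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    ap_ptk = wpa2_ptk(wpa2_pmk(ap_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    msg2_body = snonce + b"constructed RSN IE"   # constructed stand-in for the EAPOL body
    sta_mic = eapol_mic(sta_ptk[:16], msg2_body)
    return hmac.compare_digest(sta_mic, eapol_mic(ap_ptk[:16], msg2_body))


if __name__ == "__main__":
    # Constructed values: "CorpNet"/"hunter2" are placeholders, not a real network.
    ssid, corp_passphrase = "CorpNet", "hunter2"
    real_ap = bytes.fromhex("001122334455")     # the office access point
    clone_ap = bytes.fromhex("deadbeef0001")    # an attacker's box, any BSSID will do
    laptop = bytes.fromhex("66778899aabb")
    print("real AP:       ", handshake_completes(corp_passphrase, corp_passphrase, ssid, real_ap, laptop))
    print("clone w/ PSK:  ", handshake_completes(corp_passphrase, corp_passphrase, ssid, clone_ap, laptop))
    print("clone w/o PSK: ", handshake_completes("wrong-guess", corp_passphrase, ssid, clone_ap, laptop))
```

The third case is the only one that fails, and it fails because of the passphrase, not because the BSSID is unfamiliar. The client contributes nothing secret beyond the PSK, so a clone built from the SSID and passphrase in the Keychain passes the same check the real access point does.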

Companies don't have that option. Our beekeeping friends from a previous story and many others like them have a life-or-death struggle going on, particularly now that the world is caught up in this whole Twilight Zone quarantine thing. Some of them would totally do nefarious stuff to find out what the other one is up to... and have.

But, you say, companies aren't supposed to be in that situation! They're supposed to be using the "enterprise" versions of this wifi stuff (802.1X) where the network has a certificate, clients have certificates or actual login names and passwords, there's a RADIUS server behind it all, and stuff like that! I agree with you, companies aren't supposed to be in that situation. Of course they aren't. But they tend to be there more often than you might think.

Think about it. If your company would turn off STP and induce a business-ending switch loop just to fix the toilet tunes (literally, music in the bathrooms), would it run a coffee-shop grade wireless network? You better believe they would. (And apologies to actual coffee shops.)

How can you prove it? That's easy. Grab your corporate Mac and fire up Keychain Access. Then go over to Category, pick Passwords, and sort by Kind. Then look for "network password" (Keychain Access labels wifi entries "AirPort network password"). Look for the usual network name that your Mac would be on when you're at the office. (I get that almost nobody is there right this moment due to the craziness. Go with me here.)

Do you see an entry in there? Try opening it. There'll be a form that pops up with a little check box to display the password. Does it work? It might ask you for your login credentials first; if it accepts them and shows you the password, that's the whole company's wifi password. Every single device is probably configured with it. This could be thousands or tens of thousands of machines across dozens or hundreds of physical locations.

Bad news...

Now here's where the real fun comes in. With that information, you or anyone else could grab any access point made in the past few years and configure a network with the same settings, down to the SSID (network name) and passphrase. Clients pick among access points advertising a known network largely by signal strength, and a device with auto-join turned on for that network asks nobody before connecting. If you then turned it on and left it near a device configured for your company network, there is a very good chance you would "capture" it.

What now? Use your imagination. Spoof DNS. Set up phony web sites that look like vendors they are likely to use. Run fake login pages.

"But we use https", you think. Sure you do, sometimes. But I bet you can find something goofy that doesn't, or where someone's browser hasn't found out that site prefers https yet (HSTS only protects a browser after it has seen the header once, and not every site sends it). Remember, all you really need to do is convince one person to type their credentials into your fake page, and now you can go in and explore much more.

Imagine doing this on a rush-hour Caltrain or BART car where a bunch of people from the targeted company are commuting. Their phones would normally use cellular, but if presented with a matching wireless network, would probably hop on it without asking, particularly in the tunnels where the cellular signal drops out.
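The defender's version of the scenario above is to watch for the corporate SSID coming from a radio you don't own. Here is an added example (not from the original post) that parses scan output in the shape of `iw dev wlan0 scan` and flags beacons advertising the corporate SSID from a BSSID missing from the controller's inventory, or offering PSK where 802.1X is policy. The scan text, the allowlist and the "CorpNet" name are all constructed for the example.

```python
import re

# Constructed sample in the shape of `iw dev wlan0 scan` output; not a real capture.
# It contains the office AP on two radios, a rogue box cloning the corporate SSID
# as a PSK-only network with a stronger signal, and an unrelated neighbour.
SCAN_OUTPUT = """\
BSS 00:11:22:33:44:55(on wlan0)
    freq: 5180
    signal: -61.00 dBm
    SSID: CorpNet
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
BSS 00:11:22:33:44:56(on wlan0)
    freq: 2412
    signal: -64.00 dBm
    SSID: CorpNet
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
BSS de:ad:be:ef:00:01(on wlan0)
    freq: 2437
    signal: -38.00 dBm
    SSID: CorpNet
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS aa:bb:cc:dd:ee:ff(on wlan0)
    freq: 2462
    signal: -70.00 dBm
    SSID: CoffeeShop
    RSN:     * Version: 1
         * Authentication suites: PSK
"""

# Assumed inventory exported from the wireless controller (constructed for the example).
KNOWN_CORP_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:56"}
CORP_SSID = "CorpNet"

BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)


def parse_iw_scan(text: str) -> list:
    """Parse the subset of `iw ... scan` output we need: BSSID, SSID, freq, signal, AKM suites."""
    networks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = BSS_RE.match(line)
        if m:
            current = {"bssid": m.group(1).lower(), "ssid": "", "freq": None,
                       "signal": float("nan"), "akm": ""}
            networks.append(current)
        elif current is None:
            continue                      # header noise before the first BSS line
        elif line.startswith("SSID: "):
            current["ssid"] = line[len("SSID: "):]
        elif line.startswith("freq: "):
            current["freq"] = int(line.split()[1])
        elif line.startswith("signal: "):
            current["signal"] = float(line.split()[1])
        elif line.startswith("* Authentication suites: "):
            # Keep the raw suite list ("PSK", "IEEE 802.1X", ...); it may contain spaces.
            current["akm"] = line[len("* Authentication suites: "):]
    return networks


def audit(networks: list, corp_ssid: str, known_bssids: set, require_8021x: bool = True) -> list:
    """Flag anything advertising the corporate SSID that the inventory cannot account for."""
    findings = []
    for n in networks:
        if n["ssid"] != corp_ssid:
            continue
        if n["bssid"] not in known_bssids:
            findings.append((n["bssid"], "unknown BSSID advertising %s (possible clone), %.0f dBm"
                             % (corp_ssid, n["signal"])))
        if require_8021x and "802.1X" not in n["akm"]:
            findings.append((n["bssid"], "corporate SSID offered as PSK, not 802.1X"))
    return findings


if __name__ == "__main__":
    for bssid, why in audit(parse_iw_scan(SCAN_OUTPUT), CORP_SSID, KNOWN_CORP_BSSIDS):
        print(bssid, why)
```

Two caveats a practitioner should keep in mind. A careful attacker can spoof the real BSSID as well, so the allowlist catches the lazy clone, not every clone; a proper WIDS correlates on channel, signal and timing too. And in a PSK-only deployment the second check is moot because everything is PSK, which is exactly the problem: once the passphrase is out, the BSSID is the only thing left to tell the clone apart, and it is spoofable.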

This is why we don't use home-grade wifi setups for multi-million-dollar businesses, assuming we want them to remain multi-million-dollar businesses and not a smoking crater of Aeron chairs. If this is your company, go scream at your IT people until they do something about it. Then consider finding a way onto the hard-wired network and stop using the company wireless network by default until they fix it.
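What "fixing it" looks like from the client's side, as an added illustration rather than anything from the original post: the two wpa_supplicant network blocks below put the home-grade configuration beside an 802.1X one. The SSID, identity, and certificate paths are placeholders.

```conf
# Home-grade: one passphrase on every laptop. Anyone who reads it out of a
# Keychain can stand up a clone that passes the handshake.
network={
    ssid="CorpNet"
    key_mgmt=WPA-PSK
    psk="the-one-passphrase-on-every-laptop"
}

# Enterprise (EAP-TLS): the client verifies the RADIUS server's certificate
# against a pinned CA and a name, and proves itself with its own certificate.
# A clone without the server's private key cannot get past the TLS step, and
# there is no shared secret to leak in the first place.
network={
    ssid="CorpNet"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="laptop-1234@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/laptop-1234.crt"
    private_key="/etc/wpa_supplicant/laptop-1234.key"
}
```

The `ca_cert` and `domain_suffix_match` lines are the part people skip, and skipping them gives the clone a way back in: a PEAP/MSCHAPv2 deployment whose clients don't validate the server certificate will happily talk to a rogue RADIUS server and hand it a challenge-response to crack offline. "Enterprise" only closes the door if the client actually checks who it is talking to.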

If they go "oh yeah, we know" when you show up, ask them how long they have known about it. Their answer should tell you whether there's any chance of it ever being fixed.

...

Bonus tip: try searching your intranet or even the public Internet for the password you find. If you find it on a public wiki page, send out for some stiff liquor.