Wow, this is probably one of the worst security exploits in a series of recent massive security exploits. Matt Solnik at Accuvant Labs broke the news on this OTA exploit. This was a few months ago, but I’ve only really recently heard of it.
It’s possible to exploit bad carrier management client software and remotely compromise most smartphones on the planet. Seriously, scary stuff.
Listen to the Risky Business podcast where he talks about the exploit
(The interview starts at 29:15)
APs IN HALLWAYS - DON’T DO IT! -from Eddie Forero (@HeyEddie) on Vimeo.
*A caveat on the video:
These APs are using omni-directional antennas. This does not account for using some type of directional antenna, or putting real thought into the design. But, in reality, most hotel “designs” are just drop APs in hallways and crank up the volume.
Also, I recorded this in a coffee shop using a bluetooth headset, because when inspiration hits you move!
I’m on my way to the CWNP Conference in Raleigh, North Carolina, and I’m currently stuck in Charlotte for two hours waiting for my connection. :-( But, it gives me a little time to make this blog post, so at least there’s that! :-)
I’m really looking forward to this first of hopefully many CWNP conferences. The biggest thing I’m looking forward to is catching up with friends from WLPC and making new ones there in Raleigh. Putting faces to Twitter handles is becoming a new hobby!
One thing I’ve found is that the wireless community is very generous with their knowledge (and their opinions) :-). Most of the people I’ve met via Twitter, conferences, and various projects have been very supportive of me and my ignorance as I make my way through the labyrinth of 802.11. It’s been this support that has helped me grow in knowledge and confidence as I voyage through my chosen profession.
Of course I’m also looking forward to the sessions that will be going on - particulary the sessions on stadium design, healthcare, Zaib’s session on cloud Wi-Fi performance testing, and whatever GT Hill will be talking about!
I encourage anyone who’s involved in wireless - be it as a VAR, if you work for a vendor, or it’s part of your job responsibility - to not just look at the CWNP certification path, but also get involved in the community. Questions can be answered, ideas validated, methods questioned, and techniques shared. Whether it’s through social media, or conferences, I can only see it as a plus for anyone looking at a career in wireless.
See you at CWNP 2014!
* Posted on iPhone 6, Silver. ™ 😜
Wi-Fi scanning can now be performed. You can see SSIDs, even hidden ones, and view RSSI. For now, it’s only available via the Apple Airport Utility and it needs to be manually enabled in settings.
Sorry, no API access for 3rd party developers (yet), but at least WLAN aficionados can finally scan wi-fi on iOS devices!
Download Apple Airport Utility:
In this webinar, CWNP offers suggestions and information on the hardware and software available in the fall of 2014 to perform analysis of 802.11ac WLANs. Hardware demonstrated includes the Linksys WRT1900ac, the Cisco WAP371, the Edimax EW-7822UAC, the NETGEAR A6200 and the Wi-Spy DBx. Software includes Omnipeek, Commview for WiFi, Airmagnet, and Wireshark.
I was recently at a customer site upgrading an Aruba controller and doing some basic WLAN “best-practices”. During this I was asked by the customer if there was a way to keep mobile devices off the corporate network. Without something like Aruba’s ClearPass it’s not easy to identify and restrict these devices
My initial thought was with their current solution (Microsoft NPS) they couldn’t easily keep 802.1X capable devices from connecting to the corporate WLAN if they had valid AD credentials. Then as I was working it occurred to me that Aruba mobility controllers use DHCP fingerprinting to profile devices. I could leverage that ability to help keep mobile devices off the corp WLAN. It’s not 100% accurate *(and should not be considered a complete security solution), and I let the customer know this, but it identifies iOS and Android devices pretty well.
Essentially, a DHCP fingerprint is an “almost” unique identifier for OSes, or device types. The DHCP protocol (RFC 2132) allows for information other than just IP requests and acknowledgments to be sent. These DHCP “options” includes vendor specific information which makes it possible to identify devices and even OSes by their unique signature. That being the case we can use the fact the ArubsOS supports this to create roles for these various devices and OSes and thus provide some level of management of these devices.
For example, we can create a rule that says if a device is an iPhone it will be placed in the “Mobile_Device” role. This role can than be restricted to Internet only with no access to internal resources, placed in another VLAN, or just sandboxed altogether. *Not the best overall solution, but it works well enough.
Step one is to identify the DHCP fingerprint for that specfic device. There are several ways to do this and a simple Google search will give you plenty of options. You can also search for the specific fingerprint as well and hopefully someone will have posted it. In this post we’ll just focus on using Aruba OS to find the fingerprint. But here is a list I’ve compiled so far from various blog-posts and from the Aruba Airheads community:
- Android_device - (3C64686370636420342E302E3135)
- Android 2.X - (3c6468637063642034)
- Android 2.2 - (3701792103061c333a3b)
- Android 2.3.X - (0c616E64726F69645F)
- Android 4.0.X - (37012103060f1c333a3b)
- Android 4.0.X(2) - (37012103061c333a3b)
- Blackberry 2 - (3C426C61636B4265727279)
- Blackberry(2) - (370103060F775ffc2c2e2f)
- iOS Device - (370103060F77FC)
- iPad - (37011c02030f06770c2c2f1a792a)
- OS X 10.6 - (370103060f775ffc2c2e2f)
- OS X 10.7 - (370103060f775ffc2c2e)
- Win Mobile6 - (370103060f2c2e2f)
Log in to the CLI of your Aruba controller and go to enable mode. Once there go to configure mode and enable logging level debug for DHCP by entering:
(config)# logging level debugging network
Connect your device to the appropriate WLAN and then use the show command to view all the recent network entries. Search for the MAC address of the device and locate the DHCP option:
(config)#show log network all | include options
You should then see a output like this:
Sep 7 12:54:43 :202536: |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST b8:e8:56:xx:xx:xx Transaction ID:0xb78173e6 reqIP=192.168.15.6 Options 37:0103060f77fc 39:05dc 3d:01b8e856f1e09c 33:0076a700 0c:46697265666c79 Sep 7 12:55:15 :202536: |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:60:2e:xx:xx:xx Transaction ID:0x464bcafb reqIP=192.168.15.248
Options 3d:0100602e024a08
3c:756468637020302e392e392d707265
37:0103060c0f1c Sep 7 12:57:20 :202536: |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST b8:e8:56:xx:xx:xx Transaction ID:0xb78173ef reqIP=192.168.15.6 Options 37:0103060f77fc 39:05dc 3d:01b8e856f1e09c 33:0076a700 0c:46697265666c79
You’re looking for options that start with 37, 0C, 32, or 33. These are hex for DHCP options 12, 55, 60, and 81. In the above example the fingerprint for my device is 37:0103060f77fc, an iPhone. So, what I would use is that value without the colon (:) - just 370103060f77fc. Now that we have found the DHCP fingerpring we can create our rules and start enforcing policy.
A user role us just a set of policies for the user/device in that role. This role can simply be an “allow-all” policy that does not restrict access, or it can be very specific like only allowing DHCP, DNS, and http/hhtps to the Internet. Or, as stated previously, placing the device in a different VLAN. It can even just be a role that denies access altogether. Regardless, the role needs to be created first so we can apply it in the User Rules for the devices later on. Since roles are pretty common usage in ArubaOS I’ll just say create the roles you want how you want. You can call it “iPhones”, or “MacBooks”, or “Android”, etc. If don’t know how to create roles page 265 in the Aruba OS User Guide walks you step-by-step.
Finally, click “add” and you’ve created your first rule!
Now connect your fingerprinted device to the appropriate SSID. If your device was recently connected it may still have same role it had before. This is because it has not yet aged out of the database. To ensure that the device gets the correct role you should delete it from the database. The best way to do this is from the CLI. SSH into the controller, go to enable mode, and enter the following:
(Master-7010) #aaa user delete mac [device mac address]
Now you should reconnect and see that your device has been given the new mobile device role that you assigned in your User Rule for that specific devices DHCP fingerprint. The controller matched the DHCP fingerprtint of your device with the rule you created and assigned the appropriate User Role.
Now, as I said in the beginnig this isn’t 100% fool-proof, but it catch most modern devices. It’s already part of the OS and short of purchasing ClearPass this is a great way to manage devices on your WLAN.
*UPDATE: As one reader has already mentioned this should not be considered as a high-security solution. At best it allows you maybe keep some devices off, or keep others from using ip DHCP space, etc. For a more comprehensive way to secure and manage BYOD you should look at products such as Aruba’s ClearPass.
In any case, if all you have is an Aruba WLAN this is another useful tool to have in your tool bag.
From the, “Because this is awesome” files…
Please, don’t drag race your evaluation Access Points. Test them like you’re going to operate them.
The Expert
Estimated reading time: 4 minutes, 22 seconds. Contains 874 words
A few days ago Andrew Von Nagy tweeted an article by Patrick Moorhead on Forbes.com, "How LTE-U In Unlicensed Spectrum Helps Carriers Make Money". He was not positive on the article:
How LTE-U Helps Carriers Make Money http://t.co/rIcxokOeEp < Wreckless journalism @PatrickMoorhead @Forbes! Regurgitating marketing.
— Andrew von Nagy (@revolutionwifi) March 23, 2015After I read the article I replied on Twitter about the apparently one-sided nature of the article and went on to make insinuations of being in the industry's pocket and such. Mr. Moorhead was not amused and replied with his assertion that we were just trolls.
Learned today that there are WiFi Twitter trolls. Thank you @HeyEddie @revolutionwifi
— Patrick Moorhead (@PatrickMoorhead) March 23, 2015Well, such is the life on the Interwebs. I felt bad and replied assuring him the intent wasn't to troll. We were just venting our frustration that there was no real mention of the concerns regarding LAA-LTE co-existing with Wi-Fi. And that it seems that all we see in the media about LAA-LTE is how it's going to solve all the carriers problems and will even improve everyone's wi-fi. So, after some back and forth - he DM'd me his e-mail and asked me send him my concerns and I took him up on it. I'm thankful the rather than dismissing me he was genuinely interested in my opinion.
So, here is the gist what I put together in the e-mail explaining why as a wireless guy I have serious concerns about the this:
Wi-Fi/802.11 is a "polite", but inefficient protocol. It's half-duplex, only one client can transmit at a time, has inherent overhead that will only be exacerbated by non-wifi interference, etc. Sometimes I'm amazed it works at all!
Here are the main concerns I have with the introduction of LAA-LTE:
The mobile carriers are looking to grab all the spectrum they can possibly use. There is nothing that will keep them from running over any other users. In the end it's all about making money for the carriers. The same ones that spend billions on licensed spectrum that is theirs alone to use as they please. Nothing wrong with making money, but not at the expense of a useful and expanding technology that is now - even in the nascent stages of 802.11ac - growing rapidly.
04-06-2015 UPDATE:
Tell me again how we can trust the carriers to make LAA-LTE work as a "good neighbor" with Wi-Fi?
Thank you again @VerizonWireless for polluting Wi-Fi spaces everywhere. pic.twitter.com/Ydo78IYmKG
— Lee Badman (@wirednot) March 26, 2015