Wireless is inherently insecure and often the launching pad for larger attacks and breaches. With our Wireless Penetration Testing we gather wireless security information, collect data on the wireless network, analyze wireless implementation, and analyze internal wireless security procedures. We also attempt to capture sensitive data, gain unauthorized access, break wireless passwords, etc.
Our Wireless Penetration Test is a combination of a Wireless Penetration Test against the wireless network itself and a Vulnerability Assessment against the access point if we are able to compromise the wireless network. We alter this approach based on the scope of the engagement. The combination of the Wireless Penetration Test and Vulnerability Assessment against the WAP provides you with a clear understanding of the risk introduced by the wireless network and access point.
Our goal with the Wireless Penetration Test is to determine the security posture of the wireless network(s) by scanning wireless traffic associated with each WAP. During this process, we eavesdrop on wireless traffic to capture authentication handshake(s), determine the type of security, and attempt to gain access using this information. Each WAP is assigned a score as part of our Wireless Penetration Test. The score is determined by how well security controls are configured on the WAP. Our scoring is on a scale of 1 to 10, where 1 = No Security and 10 = Highly Secure.
We also scan for rogue access points and evil twins. We have discovered numerous organizations with rogue access points that enabled an attacker to bypass all security controls by allowing them to connect wirelessly to the internal, “trusted” network.
The Wireless Penetration Test Report covers the SSIDs we assessed and includes a “report card” rating of how secure the wireless access points are in terms of risk. We also outline tactics we used to gain access and provide recommendations to improve the security rating of each access point assessed. Below is an excerpt from a report that shows a sample of the items we cover for our rating and assessment.
For the Wireless Security Assessment we typically travel to your location and perform this service onsite. To leverage the fact that we will be traveling to your location, we offer to bundle (at a discount) other services that require us to be onsite, such as our Internal Penetration Test, Internal Vulnerability Assessment, and Physical Security Review.
We can also perform the wireless penetration test remotely, by shipping a device to you.
A rogue access point is an unauthorized access point. Rogue access points typically fall into three categories – malicious, convenience, and accidental. Malicious rogue access points are designed to help an attacker carry out an objective, such as expanding a foothold on your network, stealing passwords, or using your network to attack someone else. Malicious rogue wireless devices can be used to attack any of the following:
Rogue access points set up for convenience are typically configured by users unhappy with corporate wireless access or Bring Your Own Device (BYOD) policies. Users often bring their own WAP from home and plug the wired portion into the corporate network. This allows the user to connect all their personal wireless devices (cell phone, iPad, etc.) to their access point that is connected to the corporate network.
Rogue access points that are accidental are devices, such as printers, that an organization did not realize had wireless enabled or accessible. On a recent wireless assessment we discovered printers in an enterprise environment that were accessible to anyone over the wireless network. We were able to manage these printers over an ad hoc wireless network without the organization ever noticing.
An evil twin is a WAP with the same “look and feel” as the real WAP. An evil twin is used by an attacker to trick users into connecting to the attacker WAP instead of the real WAP. The attacker then sniffs all of your traffic (passwords, credentials, personally identifiable information (PII), etc.) from your system to the Internet, as the evil twin access point acts as a Man-In-The-Middle (MITM). An example would be an access point called “Starbucks”. How do you know you are connected to the real “Starbucks” access point and not an evil twin?
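A defender-side check for the rogue access point and evil twin conditions described above, as an added example that is not part of the original page: it compares observed beacons against an inventory of approved access points. The inventory, SSIDs, BSSIDs, security labels and function names are all constructed for illustration.

```python
# Added example: classify Wi-Fi scan results against an authorized AP inventory.
# All SSIDs, BSSIDs and security labels below are constructed sample data.
from collections import namedtuple

Beacon = namedtuple("Beacon", "ssid bssid channel security")

# Hypothetical inventory of approved access points: BSSID -> (SSID, security)
AUTHORIZED = {
    "02:00:00:aa:00:01": ("CorpWiFi", "WPA2-Enterprise"),
    "02:00:00:aa:00:02": ("CorpWiFi", "WPA2-Enterprise"),
    "02:00:00:aa:00:10": ("CorpGuest", "WPA2-PSK"),
}

def classify(beacon, authorized=AUTHORIZED):
    """Return (label, reason) for one observed beacon."""
    bssid = beacon.bssid.lower()
    known_ssids = {ssid for ssid, _ in authorized.values()}
    if bssid in authorized:
        ssid, security = authorized[bssid]
        if beacon.ssid != ssid or beacon.security != security:
            # Approved radio advertising something other than its baseline:
            # misconfiguration or a spoofed BSSID.
            return ("config-drift", f"expected {ssid}/{security}")
        return ("authorized", "matches inventory")
    if beacon.ssid in known_ssids:
        # Same network name as a real WAP, but a radio that is not ours.
        return ("evil-twin-candidate", "corporate SSID from unknown BSSID")
    return ("unknown-ap", "not in inventory; check whether it is wired to the LAN")

def triage(scan):
    """Return only the beacons that need follow-up, with their findings."""
    findings = []
    for b in scan:
        label, reason = classify(b)
        if label != "authorized":
            findings.append((b.ssid, b.bssid, label, reason))
    return findings

# Constructed scan results (e.g. from a site survey export).
SAMPLE_SCAN = [
    Beacon("CorpWiFi", "02:00:00:AA:00:01", 36, "WPA2-Enterprise"),
    Beacon("CorpWiFi", "02:00:00:ff:00:99", 36, "Open"),
    Beacon("CorpGuest", "02:00:00:aa:00:10", 6, "Open"),
    Beacon("HomeRouter-5G", "02:00:00:bb:00:07", 11, "WPA2-PSK"),
    Beacon("DIRECT-printer", "02:00:00:cc:00:03", 1, "Open"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_SCAN):
        print(*finding, sep=" | ")
```

A BSSID can be spoofed, so an inventory match alone does not prove a beacon is genuine; the security-mode comparison catches only the case where the copy advertises different settings.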
The number of cybersecurity incidents continues to climb. The variety of attacks continues to grow. It is no longer a question of if you will have a cyber event.