I am on a work placement with SURFnet’s Network department until August 2017 and am investigating how we can make the access points of SURFnet’s SURFwireless service even more secure.
Monthly security scan
SURFnet launched SURFwireless in 2016. Every month SURFnet performs a security scan at institutions that use SURFwireless, which indicates how vulnerable the central components are to known threats. However, this scan does not test all parts of the Wi-Fi chain: the access points located at the institution are shielded by the institution’s firewall. SURFnet wants more insight into what is happening in the access points and how vulnerable they are as a result.
Misuse of access points
Access points can be misused in many different ways: to gain access to the wireless network or to shut the network down, for example. This applies to all access points, including those of SURFwireless. The box at the bottom of this blog gives an overview of possible methods of attack. Access points currently have a Wireless Intrusion Prevention System (WIPS) to protect them against attacks, but the question is whether this module offers sufficient protection.
Tools for hackers
During my work placement I will investigate the precise nature of the security risks run by access points. Firstly, I will consider which common tools can be used to compromise Wi-Fi access points. One example is Kali Linux, a Linux distribution containing some 300 penetration testing tools, including a number of tools that can be used to compromise wireless networks, for example tools that can create rogue (unsecured) access points or execute man-in-the-middle attacks. I will pay particular attention to potential vulnerabilities associated with the offering of IPv6 on Wi-Fi. I will use separate toolkits for this: SI6 toolkit and THC.
I will then create a test setup with around 5 physical access points, the same as those used by SURFwireless. I will use them to test these tools. Fortunately, I do not have to test all 300 tools: we already know that many of these tools cannot be used to attack SURFwireless. Some tools, for example, focus on obsolete technology that is not used in SURFwireless, such as WEP and WPA encryption. I can also disregard any tools that focus on open (unsecured) Wi-Fi hotspots, since SURFwireless is clearly secured with WPA2 Enterprise authentication.
Detecting and addressing vulnerabilities
The outcome of my research will be an overview of methods of attack that could compromise the access points of SURFwireless. I will also make recommendations with regard to how SURFnet can detect and address these vulnerabilities, and I will indicate in what respects the access points are already well secured, by the built-in WIPS, for example.
I will be working for SURFnet until August. I will present my findings in a subsequent blog before I leave.