Download from the Session Cookies, and Then Access That Captured Person's Internet, Such a Combination Seems to Constitute a Likely Account Information

RESEARCH PAPERS

THE ROLE OF CLIENT ISOLATION IN PROTECTING WI-FI USERS FROM ARP SPOOFING ATTACKS

By TIMUR MIRZOEV * JOEL STACEY WHITE **

* Professor of Information Technology Department, Georgia, Southern University, United States. ** Office of Information & Instructional Technology at Bainbridge College.

ABSTRACT This study investigates the role of the client isolation technology Public Secure Packet Forwarding (PSPF) in defending 802.11 wireless (Wi-Fi) clients, connected to a public wireless access point, from Address Resolution Protocol (ARP) cache poisoning attacks, or ARP spoofing. Exploitation of wireless attack vectors such as these have been on the rise and some have made national and international news. Although client isolation technologies are common place in most wireless access points, they are rarely enabled by default. Since an average user generally has a limited understanding of IP networking concepts, it is rarely enabled during access point configurations. Isolating wireless clients from one another on unencrypted wireless networks is a simple and potentially effective way of protection. The purpose of this research is to determine if a commonly available and easily implementable wireless client isolation security technology, such as PSPF, is an effective method for defending wireless clients against attacks. Keywords: Wireless Networking, Wi-Fi, Information Security, ARP Poisoning, PSPF.

INTRODUCTION Ransome, 2004). WPA is very commonly supported by most The use of Wireless Networking Technologies to AP hardware. In the WPA scenario, a wireless client is communicate on the Internet continues to rise every year, provided with a temporary encryption key or 'session key' with public hotspots numbering in the tens of millions with which it can communicate securely with the AP and worldwide (WeFi., 2011). Laptop computers and encrypt/decrypt traffic (Cayirci, Rong, 2009). Once a time smartphones using the 802.11 (Wi-Fi) protocols make up a limit is reached or the session has ended the key is expired large number of the millions of wirelessly connected or exchanged for a new one, making any further use of the devices (Kendrick, 2010). Wireless networking is a key invalid (Cayirci, Rong, 2009). This type of protection convenient way to stay connected from remote and prevents an attacker from viewing traffic or capturing a mobile locations (Bowman, 2003). The usage of Wireless client's key and then using it to impersonate the client. There Local Area Networks (WLAN) is widely spread due to the fact are other types of security of this nature, but they all have that computers communicate wirelessly, without the need one thing in common: it is necessary for the client to for physical cable connectivity (Umar, 1993). Unfortunately, authenticate to the AP in some way with pre-shared since the data is transferred over public airwaves where it authentication information. can theoretically be intercepted by others within range, This study determines if one manufacturer's version of client wireless networking creates a unique set of security isolation, Cisco System's Public Secure Packet Forwarding concerns. (Cisco, 2010), prevents wireless devices from launching Connections between Wi-Fi enabled clients and network impersonation attacks. The focus of this study is on the well- access points (APs) can be secured through a variety of known man-in-the-middle IP ARP spoofing attack (Cross, different methods (Ciampa, 2006). One method, Wi-Fi 2008). It is generated using a publically available set of Protected Access (WPA), involves using strong data hacking tools known as Cain & Abel (Oxid, 2011). Since encryption and rotating authentication keys (Rittinghouse, Cisco's Aironet access points are widely used throughout

i-manager’s Journal on Information Technology, Vol. 1 l No. 2 l March - May 2012 11 RESEARCH PAPERS

the world, and Cain & Abel is free to download from the session cookies, and then access that captured person's Internet, such a combination seems to constitute a likely account information. Authentication attack with Firesheep real-world scenario and test of the premise of client scenario has been previously presented by Miller and isolation protection. Gregg (Miller, Gregg, 2011). Although Firesheep is 1. Literature Review designed to allow a quick access to a predefined number of social networking sites, its open source nature also allows In the case of clients using publically available Wi-Fi it to be modified for other uses. This tool uses a hacking connections, authentication is not only inconvenient but is technology known as 'side-jacking' - it does not hijack an impossible due to a large number of unique visitors. The HTTP session; it only captures the session's cookie to allow convenience of attaching to a public Wi-Fi network at will forging of a new 'side' connection (Leonhard, 2010). Many without hassle is what makes the technology inviting to so popular social networking sites, such as Facebook and many people. However, there is a major problem with this Twitter, do not encrypt their communications by default, type of scenario: Public Wi-Fi connections without making this sort of attack possible (Vaughan-Nichols, 2010). authentication transmit and receive traffic in an unencrypted or plain-text fashion. This means that anyone There is another form of attack that is not well known to an listening with a Wi-Fi data capture device can intercept the average wireless user. It is far more dangerous and traffic and read its contents. This is not the only issue disturbing than ones such as Firesheep from a security involved. Well known vulnerabilities could allow an attacker perspective. That attack is known as an ARP spoofing or ARP to place himself/herself in the middle of a user's cache poisoning attack. It is a classic man-in-the-middle conversation, in effect 'becoming' the user on the wireless session hijacking, which can also be executed through network (Ali, 2008). There are ways in which this type of freely downloadable software such as Oxid's Cain & Abel scenario can be avoided: Through the use of a technology (Sanders, 2010). ARP spoofing allows a malicious user on called 'client isolation'. Client isolation works on the premise the network to place their computer's network interface that any wireless device connected to a Wi-Fi access point between a victim and the computer(s) with which they are must communicate through the AP in order to talk to any communicating (Graves, 2007). This insertion allows for a other device, whether that other device is located on the capture, and possible modification, of all data sent; in local area network (LAN) to which the AP is connected or on essence completely hijacking the conversation. A hacker the Internet. Using this fact to their advantage, some Wi-Fi can then pose as the intended recipient, corrupt the data AP manufacturers make it possible to isolate clients from sent, change that data, or simply just capture it for later use each other by preventing any device associated to the AP (Marcus, 2010). The main difference between this attack from talking to any other associated device, using the AP and the Firesheep attack is that the hijacked users have not transceiver as the moderator. This does not prevent Wi-Fi- just inadvertently allowed access to their social networking based attacks on the LAN, or LAN data sniffing, but it does in account; they have placed themselves at the mercy of the theory prevent wireless devices on a particular AP from attacker, possibly giving up credit card numbers and/or directly attacking and impersonating each other. private information, completely unaware of the situation. In recent years, substantial negatives associated with the Since a Firesheep attack and ARP spoofing require open use of wireless communication technologies have come and unsecured wired or wireless communications to to light. Specifically, a simple social networking account operate effectively, there is a need to find proper hacking tool known as Firesheep, released in October of protection against such occurrences. The Firesheep 2010, has made international news (Gahran, 2010). problem is solvable by the web sites that the users are Firesheep is a freely downloadable extension to the FireFox accessing, and some have already taken steps to make web browser developed by Eric Butler (Butler, 2010). the required fixes (Marcus, 2010). Encrypting all Firesheep allows its users to capture other wireless users HTTP communications between users and servers through the

12 i-manager’s Journal on Information Technology, Vol. 1 l No. 2 l March - May 2012 RESEARCH PAPERS

use of web session encryption technologies like SSL 'FREE_WIFI_PSPF', which was secured by PSPF. These two Wi- (Secured Sockets Layer) eliminates the usable capture of Fi connections were accessed by two Dell laptop clients, a session cookies in transit, thereby protecting from Dell Precision M4500 which acted as the victim, and a Dell Firesheep. ARP spoofing attacks on an open access Latitude D420 which acted as the attacker. Both Dell wireless network are much different in nature (Cross, 2008). laptops were configured with the Microsoft Windows 7 Since an attacker can intercept users' data, it is possible for operating system, the latest operating system patches, even encrypted communications to be hijacked (Sanders, and 802.11G Wi-Fi network adapters. The attacking 2010). In such a scenario a different type of security computer was also configured with Wireshark, a data technology is needed. packet sniffing freeware product (Wireshark, 2011), and Cisco Systems, a world-wide leader in the manufacture of Cain & Abel, a freeware ARP spoofing hacking tool (Oxid, networking equipment (Cisco, 2011), has implemented 2011). These and other details are included in Table 1. such a technology in most of its wireless access point The computers used in this study were chosen because hardware; that technology is known as PSPF, or Public they are typical computers which might be used by public Secure Packet Forwarding. Another non-Cisco term for Wi-Fi clients. Dell computers are very commonly used by PSPF exists and it is called Intra-BSS (Putman, 2005). PSPF is a businesses around the world. Windows 7, the operating client isolation technology intended to prevent one wireless system on these computers was chosen for its client from talking to another. This technique is used to commonality on most computers sold today - Microsoft prevent direct client-on-client attacks, but should also Windows is the market leader for operating systems, prevent session hijacking by stopping spoofed ARP packets holding an almost 90% market share (Brodkin, 2011). from reaching the victim. Since Cisco technology is very The freeware tools were chosen based on their popularity, commonly deployed by small to very large businesses, it usability, and availability. Wireshark is a widely known and seems like a logical choice to base this research upon. It is used Ethernet packet capture and analysis tool, once also possible, through the use of third party software named Ethereal, and is freely available to the public for products such as ArpOn (Di Pasquale, 2011), for clients to download (Wireshark, 2011). Cain & Abel is a well-known protect themselves from ARP spoofing attacks. However, and commonly used hacking tool suite, which is also many public wireless users are either not skilled or informed available for download free of charge (Oxid, 2011). The enough to take such precautions. An effort on the part of freeware tools were chosen based on their popularity, the network owners to secure the communications of their usability, and availability. Wireshark is a widely known and users makes more sense, from a security and efficiency used Ethernet packet capture and analysis tool standpoint. Implementing the protective solution inside of (Orebaugh, 2007). Once named Ethereal, it is freely the access point hardware, instead of relying upon the available to the public for download (Brodkin, 2011). Cain users to do it, will secure all users connecting to it, regardless Victim’s Computer Attacker’s Computer Wi-Fi Access Point of their configurations. Manufacturer: Dell Dell Cisco 2. Methodology and Setup System Model: Precision M4500 Latitude D420 Aironet 1232-AG Processor Type: Intel i7 Intel Core Duo PPC 405GP To demonstrate the ability of PSPF to protect Wi-Fi clients Memory Installed: 8GB RAM 2GB RAM 32K NVRAM from ARP spoofing attacks, a test attack was simulated Operating System: Windows 7 Ultimate Windows 7 Pro IOS 12.3(8)JA2 using two Dell Wi-Fi enabled laptops and a Cisco access Network Adapter: Intel Centrino 6250 Dell 1490 Dual Band 802.11-G Radio Web Browser: Internet Explorer 8 Internet Explorer 8 N/A point. The Cisco access point used in this study was a Cisco IP Address: 192.168.13.91 192.168.13.92 192.168.13.1 Aironet model 1232-AG. The access point was restored to MAC Address: 00-23-15-9B-02-38 00-16-CF-B1-51-B1 00-1B-54-AB-04-3B the factory default configuration, and was configured to Firewall: Enabled Disabled N/A provide two open access Wi-Fi connections to public Modifications: None Installed Wireshark None Installed Cain & Abel clients: 'FREE_WIFI', which was unsecured by PSPF, and Table 1. Utilized Hardware and Setup

i-manager’s Journal on Information Technology, Vol. 1 l No. 2 l March - May 2012 13 RESEARCH PAPERS

& Abel is a well-known and commonly used hacking tool suite (Wallingford, 2006). It is also available for download free of charge (Oxid, 2011). 3. Testing Procedure The test began by configuring the Cisco access point, as described above, with two connections, one with PSPF and one without. Both, the attacker and victim computers were connected to the AP using the 'FREE_WIFI' non-PSPF connection. The attacking computer initiated a Wireshark packet capture on the network, which showed ARP broadcast data packets coming from the address of the victim (Figure 1). Knowing that the client was connected, the attacking computer then launched Cain & Abel, and a network scan was performed. There is a Media Access Control (MAC) address assigned to every network card. It is a unique Figure 2. Network MAC Scan without PSPF address by all vendors for every Network Interface Card (NIC). The IP and the MAC address of the victim's computer was discovered, as well as the MAC address of the subnet gateway (Figure 2). Once this information was logged in Cain & Abel, ARP cache poisoning has begun, making the client use the attacker as its network gateway. Internet Explorer was Figure 3. Credentials for Gmail Account Captured launched on the victim's computer, connecting to the Google website. The attacking computer showed instantly The start of the APR table poisoning can be seen on the that web traffic from the victim had been captured. The Figure 4. victim's computer then moved from Google to Gmail, Cain & Abel by default is configured to capture and log where it logged into a test email account, and read a HTTP account credentials and to insert false certificates into message; the SSL encrypted email username and SSL communications in order to capture and relay that password had been captured by the attacker (Figure 3). traffic. This insertion of false certificates will cause certificate warnings on most browsers, since the root certificate

Figure 1. Packet Capture without PSPF Figure 4. Start ARP Table Poisoning

14 i-manager’s Journal on Information Technology, Vol. 1 l No. 2 l March - May 2012 RESEARCH PAPERS

authority of the false certificate will more than likely not be gateway resolved this error, allowing the web session to trusted by the victim computer. The certificate presented continue unhindered. No data packets intended for the by the attacker in this case showed as being valid but victim's computer were captured by the attacker during untrusted; to simulate a user unfamiliar with such the ARP spoofing phase of the test, and the victim technology, the warning was ignored. Figure 5 represents remained invisible to the attacker's network scans and the insertion of the false certificates. packet sniffing. Later, the test computers were attached to 'FREE_WIFI_PSPF', Conclusion a PSPF secured wireless connection. The Wireshark packet The tests performed in this study show the role of a client capture was launched again, but produced no results from isolation technology, such as PSPF, in protecting 802.11 Wi- the victim computer (see Figure 6). Several packets were Fi clients from ARP spoofing attacks. ARP spoofing attacks seen from the gateway, but none of them were from the are dangerous in that they are difficult to detect, allow an victim's computer, not even a broadcast packet. attacker unrestricted access to a victim's network Cain & Able was then launched and a network scan was communications, and can be easily executed over public again performed. The victim's computer, again, did not unsecured wireless connections. Since many people show up in the scan results. Since the IP and MAC of the around the world use publicly available wireless victim were already logged in Cain & Abel from the connections to access the Internet, an attack of this sort previous attack, an ARP spoof was attempted using that could put their personal and confidential information at risk information. The ARP spoofing failed completely (Figure 7), if those connections are not secure. producing only a brief denial of service for the victim It was hypothesized that by implementing a client isolation computer. Eventually the victim computer and the network security technology on the wireless access point, and thereby preventing direct client-to-client communication, such attacks would be rendered useless. Since ARP spoofing attacks require the attacker to send forged ARP- reply information directly to the victim in order to corrupt its ARP cache, the attack would not work because the victim would never receive that information. As an additional benefit, the attacker would not be able to send data of any Figure 5. Example of false certificates injected by attacker kind to other clients, preventing the attacker from scanning the access point for potential victims and probing their service ports. Further, the victim would also be unable to send data of any kind to the attacker, preventing the attacker from sniffing potential victims' broadcasts from the Figure 6. Wireshark capture with PSPF enabled network. The attacker would be effectively isolated on the produces no packets from victim access point, unable to see other wireless users or their network traffic. Without client isolation the attacker easily saw the broadcasts of the potential victim, corrupted or 'poisoned' its ARP cache, and misled the victim into relaying its network traffic through the attacker's computer. With the client isolation technology PSPF enabled on the access point, even though the attacker could not see potential victims, it Figure 7. ARP Cache Poisoning with PSPF was still unable to corrupt the ARP cache of a victim that enabled fails to poison client routes

i-manager’s Journal on Information Technology, Vol. 1 l No. 2 l March - May 2012 15 RESEARCH PAPERS

was known to be active on the network. This suggests that in wireless users less vulnerable. this case, PSPF did in fact prevent an ARP spoofing attack References from taking place, and effectively protected the victim [1]. Ali, F. (2008). IP Spoofing. The Internet Protocol Journal, from the attacker's advances. Volume 10, No. 4. Retrieved January 30, 2011, from Recommendations http://www.cisco.com/web/about/ac123/ac147/archived Client isolation technologies are available on many _issues/ipj_10-4/104_ip-spoofing.html. different wireless access points, depending on the [2]. Bowman, B. (2003). WPA Wireless Security for Home manufacturer and device complexity. Generally, most Networks. Retrieved Februar y 5, 2011, from high-end enterprise quality access points contain a client http://60.250.34.222/windowsxp/using/networking/expert/ isolation option. Unfortunately, many lower-end bowman_03july28.mspx. commodity products do not. As technology becomes [3]. Brodkin, J. (2011). Windows drops below 90% market more affordable and the thrust for information security share. Network World, January13, 2011. Retrieved January becomes more widespread, security features such as 29, 2011, from http://www.networkworld.com/community/ client isolation will become more commonplace in the blog/windows-drops-below-90-market-share. access point market. The feature is generally easy to [4]. Butler, E. (2010). Firesheep. Codebutler. Retrieved implement, and can normally be turned on simply by January 28, 2011, from http://codebutler.com/firesheep. checking the appropriate box under the wireless connection's configuration page on the access point [5]. Cayirci, E., & Rong, C. (2009). Security in Wireless Ad Hoc management interface. and Sensor Network. The Atrium, Southern Gate, Chichester, West Sussex, United Kingdom: John Wiley & Sons Ltd. Client isolation does have one drawback - it will prevent users of an access point from connecting to wireless [6]. Ciampa, M. (2006). CWNA Guide to Wireless LANs, peripherals such as wireless printers or storage devices. The Second Edition. 25 Thompson Place, Boston, MA: solution to this problem is to directly connect these devices Thompson Course Technology. to a switch, along with the access point, so that client [7]. Cisco. (2010). Chapter 6 – Configuring Radio Setting. isolation will not affect them. Since most home or small Enabling and Disabling Public Secure Packet Forwarding. business wireless access points are connected to a Cisco IOS Software Configuration Guide for Cisco Aironet broadband router which contains a switch, this problem Access Points Cisco IOS Releases 12.4(10b)JA and can be solved if the need arises. 12.3(8)JEC. Retrieved Januar y 30, 2011 from Despite the fact that the security benefits of wireless access http://www.cisco.com/en/US/docs/wireless/access_point/1 point with PSPF configuration are strong, most 2.4_10b_JA/configuration/guide/scg12410b-chap6- manufacturers that provide client isolation leave it turned radio.html#wp1038494. off by default. This trend needs to change, or a different [8]. Cisco. (2011). Cisco Unified Wireless Network Solutions form of security for public wireless users needs to be Guide: The Benefits of Cisco Unified Wireless Network developed. In the future, it may be reasonable to design Mobility Services for Educational Institutions. Cisco Aironet some sort of transport layer security into the wireless access 1500 Series. Retrieved January 30, 2011, from point which allows a public user to have his or her wireless http://www.cisco.com/en/US/prod/collateral/wireless/ps56 data encrypted without authentication. This may require a 79/ps6548/prod_brochure0900aecd80565d2d.html#wp major change in the 802.11 wireless technology standard, 9000004. and switching costs may be too high for most current users. [9]. Cross, M. (2008). Scene of the Cybercrime, Second Implementing this type of solution in future Wi-Fi hardware Edition. 30 Corporate Drive, Burlington, MA: Syngress solutions is not beyond the realm of possibility. Publishing, Inc. For now, client isolation can be used to make public [10]. Di Pasquale, A. (2011). ArpOn – Arp handler

16 i-manager’s Journal on Information Technology, Vol. 1 l No. 2 l March - May 2012 RESEARCH PAPERS

inspectiON. ARPON. Retrieved January 30, 2011, from Protocol Analyzer Toolkit. 800 Hingham Street, Rockland, http://arpon.sourceforge.net/. MA: Syngress Publishing, Inc. [11]. Gahran, A. (2010). Using Wi-Fi? Firesheep may [18]. Oxid. (2011). Cain & Abel.OXID.it. Retrieved February endanger your security. CNNTech, November 01, 2010. 2, 2011, from http://www.oxid.it/cain.html Retrieved January 28, 2011, from http://articles.cnn.com/ [19]. Putman, B. (2005). 802.11 WLAN Hands-On Analysis: 2010-11-01/tech/firesheep.wifi.security_1_firesheep- Unleashing the Network Monitor for Troubleshooting and firefox-wi-fi-social-networking-sites-firefox-extension- Optimization. 1663 Liberty Drive, Bloomington, IN: Authorhouse. security?_s=PM:TECH. [20]. Rittinghouse, J. W., & Ransome, J. F. (2004). Wireless [12]. Graves, K. (2007). CEH: Official Certified Ethical Operational Security. 200 Wheeler Road, Burlingtton, MA: Hacker Review Guide: Exam 312-50. 10475 Crosspoint Digital Press. Blvd., Indianapolis, IN: Wiley Publishing. [21]. Sanders, C. (2010). Understanding Man-In-The-Middle [13]. Kendrick, J. (2010). Smartphone Wi-Fi Usage on the Attacks - Part 4: SSL Hijacking. WindowSecurity.com, June Rise. GIGAOM, August 24, 2010. Retrieved February 29, 0 9 , 2 0 1 0 . R e t r i e v e d M a y 3 , 2 0 1 1 , f r o m 2011, from http://gigaom.com/mobile/smartphone-wi-fi- http://www.windowsecurity.com/articles/Understanding- usage-on-the-rise/. Man-in-the-Middle-Attacks-ARP-Part4.html. [14]. Leonhard, W. (2010). 'Sidejacking' browser add-on [22]. Umar, A. (1993). Distributed Computing and Client- stumps security experts. InfoWorld, November 10, 2011. Server Systems. Englewood Cliffs, NJ: PrenticeHall PTR, Retrieved March 20, 2011, from http://www.infoworld.com/ Prentice-Hall, Inc. t/endpoint-security/sidejacking-browser-add-stumps- [23]. Vaughan-Nichols, S. (2010). Herding Firesheep. security-experts-790. ZDNet: Networking, November 1, 2010. Retrieved January [15]. Marcus, D. (2010). I'll take the Firesheep with a side 28, 2011, from http://www.zdnet.com/blog/networking/ order of ARP Poisoning please. McAfee Labs Blog Central, herding-firesheep/293. October 25, 2010. Retrieved January 28, 2011, from [24]. Wallingford, T. (2006). VoIP Hacks. 1005 Gravenstein http://blogs.mcafee.com/mcafee-labs/ill-take-the- Highway North, Sebastopol, CA: O'Reilly Media. firesheep-with-a-side-order-of-arp-poisoning-please. [25]. WeFi. (2011). About WeFi. WeFi. Retrieved January 30, [16]. Miller, D., & Gregg, M. (2011). Security Administrator 2011, from http://www.wefi.com/about/. Street Smarts: A Real World Guide to CompTIA Security+ [26]. Wireshark. (2011). Wireshark – Go Deep. Wireshark Skills, 3rd Edition. 10475 Crosspoint Blvd., Indianapolis, IN: Foundation. Retrieved February 2, 2011, from Wiley Publishing. http://www.wireshark.org/about.html. [17]. Orebaugh, A. (2007). Wireshark and Ethereal Network

ABOUT THE AUTHORS

Timur Mirzoev is currently working as a Professor of Information Technology Department at Georgia Southern University, College of Information Technology. Dr. Mirzoev heads the International VMware IT Academy Center and EMC Academic Alliance at Georgia Southern University and has over 10 years of experience in Information Technology, Administration and Higher Education. Some of Timur's research interests include cloud computing, server and network storage virtualization, disaster recovery. Dr. Mirzoev holds the following certifications: Vmware Certified Instructor (VCI5,4,3), VMware Certified Professional (VCP5,4,3), EMC Proven Professional, LefthandNetworks (HP), SAN/iQ, A+.

Stacy White works for the Office of Information & Instructional Technology at Bainbridge College in Bainbridge Georgia. He has been employed there as the Network Administrator / Information Security Officer for the past 12 years. Stacy's Professional interests include Network System Design, Network Security, Risk Assessment, Policy Development, and Industrial Automation and Controls.

i-manager’s Journal on Information Technology, Vol. 1 l No. 2 l March - May 2012 17