ndiswrapper + wpa_supplicant

Dan Williams dcbw at redhat.com
Thu Dec 6 09:34:26 EST 2007


On Thu, 2007-12-06 at 09:20 -0500, Bryan Kadzban wrote:
> George N. White III wrote:
> > 2.  iwlist wlan0 scan often shows multiple "dlink" APs, but only one
> > "dlink" appears in the NetworkManager list.  Even if I give my AP a
> > name, an evil perp could use the same name and NM might well use that
> > AP. NM needs a way to present multiple APs with the same name.
> 
> If you're worried about so-called "rogue APs", then simply splitting out
> each BSS from the ESS in the UI isn't going to help at all.  As Dan said
> in response to this, most people don't know (or care) which BSSID
> they're connecting to -- but even apart from that, it may be possible to
> fake a BSSID.  (I don't know for sure.)

If the driver & firmware allow dumping raw frames through, then you can
certainly spoof any BSSID just like you can spoof MAC addresses today
with ethernet.  So it's quite possible to clone an access point.  The
only way to 99% ensure that you are using the AP you expect is to use
TLS or TTLS and check the certificate returned from the EAP exchange
against a verified CA certificate that you have locally, or use WPA2-PSK
(with only CCMP) with a really secure key and low key rotation times.
The BSSID means nothing in the paranoid world.

Dan

> The only secure way to fix this is to either (a) ensure your PSK can't
> be guessed, *and* that nobody writes AP firmware/software that will let
> people connect even if their PSK is wrong (though I don't know if that's
> possible), or (b) use a RADIUS server, ensure your RADIUS shared secret
> can't be guessed, use some kind of certificate to authenticate the
> server (e.g. PEAP, TTLS, or TLS), and configure the client to only trust
> a root certificate that you control.
> 
> The last part is the critical one: a rogue AP can probably spoof just
> about everything, but not knowledge of the root cert's private key.  And
> the unguessable shared secret ensures that the rogue AP can't just use
> your existing RADIUS server.  (Although if someone has the ability to
> plug into your network already, it's a bit of a moot point -- but whatever.)

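What the two recommendations in this thread look like in wpa_supplicant.conf terms (Dan's "TLS or TTLS, check the certificate against a CA you hold locally, or CCMP-only WPA2-PSK with a strong key", and Bryan's "configure the client to only trust a root certificate that you control"), as an added example that is not part of the original messages. The SSID "dlink" is taken from the thread; the CA file path, the RADIUS server name, the identities, the password and the PSK value are placeholders and must be replaced. The option names are real wpa_supplicant network-block options; the weak block is shown first so the difference is visible.

```conf
# Added example, not from the original thread. Everything except the
# SSID "dlink" is a placeholder.

# WEAK: EAP without ca_cert.  wpa_supplicant then accepts whatever server
# certificate the RADIUS behind the AP presents, so a cloned "dlink" AP
# with its own RADIUS server terminates the TLS tunnel itself and sees
# the inner MSCHAPv2 exchange.  Pinning bssid= does not help here: the
# BSSID is just a MAC address and is as spoofable as the SSID.
network={
    ssid="dlink"
    bssid=00:11:22:33:44:55          # placeholder; cosmetic only, not a security control
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"                 # placeholder
    password="changeme-placeholder"  # placeholder
    phase2="auth=MSCHAPV2"
    # no ca_cert=, no subject_match=  <-- the problem
}

# HARDENED (Dan's TTLS option, Bryan's "root you control"):
# trust exactly one CA file that you generated yourself, not the system
# bundle, and additionally pin the server identity so a certificate for
# some other host issued by the same CA is also rejected.
network={
    ssid="dlink"
    proto=RSN                        # WPA2 only
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TTLS
    anonymous_identity="anonymous"   # outer identity sent in the clear
    identity="alice"                 # placeholder, sent only inside the tunnel
    password="changeme-placeholder"  # placeholder
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/home-ca.pem"        # placeholder path, your own CA only
    subject_match="CN=radius.home.example"           # placeholder; substring of subject DN
    altsubject_match="DNS:radius.home.example"       # placeholder; exact SAN entry
}

# HARDENED (Dan's TLS option): same server checks, client authenticates
# with a certificate instead of a password, so there is no password to
# phish even if a tunnel were somehow terminated by the wrong party.
network={
    ssid="dlink"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="alice"                                 # placeholder
    ca_cert="/etc/wpa_supplicant/home-ca.pem"        # placeholder path
    client_cert="/etc/wpa_supplicant/alice.pem"      # placeholder path
    private_key="/etc/wpa_supplicant/alice.key"      # placeholder path
    private_key_passwd="changeme-placeholder"        # placeholder
    subject_match="CN=radius.home.example"           # placeholder
    altsubject_match="DNS:radius.home.example"       # placeholder
}

# HARDENED (Dan's WPA2-PSK option): RSN with CCMP only, no TKIP fallback,
# and the key given as the raw 256-bit PMK (64 hex digits) rather than a
# passphrase, so there is no dictionary word for an offline attack on a
# captured 4-way handshake to find.  Generate it from /dev/urandom; the
# value below is a constructed placeholder, not a key to reuse.
network={
    ssid="dlink"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    group=CCMP
    psk=5d0a9c3e7b1f48a2c6e0d4b8f2a61c9e3b7d5f0a8c2e4d6b1f3a5c7e9d0b2f4a
}
```

Two caveats a practitioner would want. First, the checks above are only as good as the CA file: if ca_cert points at the distribution's general bundle, any certificate from any public CA satisfies it, which is why the example points at a CA you generated yourself. Second, Dan's "low key rotation times" is an AP-side setting, not a client one; on a hostapd AP it is the group rekey interval (wpa_group_rekey), and the client simply follows whatever the AP pushes.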



More information about the HostAP mailing list