If your organization allows employees to bring their own devices (BYOD) to use for work, then your IT service desk is well aware of the fine line you have to tread between employee flexibility and maintaining the security of your network.
Many enterprise networks are protected by a protocol called the WPA2-Enterprise Protected Extensible Authentication Protocol, or PEAP.
However, there are ways attackers can gain unauthorized access by using devices that have specific vulnerabilities.
Fortunately, the technology for coffee-delivered Wi-Fi is too experimental to be a problem. So far.
On these devices, including Apple iOS devices prior to iOS 8, an attacker can capture Lightweight Extensible Authentication Protocol (LEAP) credentials and convert them to PEAP credentials using a rogue access point. This is a man-in-the-middle vulnerability, and it has been found to exist in iOS versions prior to iOS 8. It is possible that this vulnerability affects other devices too. Here’s how the attack can work, how iOS 8 addresses it, and why you may want to consider requiring iOS 8 on BYOD devices.
How the Vulnerability Can Be Used to Breach a Network
This type of attack is fairly sophisticated, and plays on two specific vulnerabilities:
• Some devices accept the older, less secure LEAP authentication method.
• When a user joins a PEAP network, some devices reuse the supplied credentials for all supported EAP methods, so LEAP credentials never have to be explicitly entered by the user. Existing man-in-the-middle attacks attempt to capture LEAP credentials using a rogue authentication server and crack them with “dictionary” attack tools.
PEAP combines transport layer security (TLS) with the Microsoft Challenge-Handshake Authentication Protocol, version 2 (MS-CHAPv2). Capturing MS-CHAPv2 handshakes first requires breaking TLS encryption. But Apple devices running older versions of iOS and Mac OS X additionally support LEAP, which doesn’t use TLS and uses MS-CHAP version 1. It turns out that MS-CHAPv2 server-to-client challenges can be converted into MS-CHAPv1 challenges. Moreover, MS-CHAPv1 challenge responses can be converted into MS-CHAPv2 responses.
Say an attacker creates a rogue wireless network with the same SSID as the enterprise network they’re targeting, but requires only LEAP authentication rather than PEAP. When two wireless networks share the same SSID, devices automatically try to connect to the one with the stronger signal, another behavior attackers exploit.
Then, say an Apple device tries to connect to the attacker’s access point. The attacker, acting as the man in the middle, initiates a connection to the real access point with a separate wireless client. He then takes the PEAP MS-CHAPv2 challenge from the legitimate access point, converts it to a LEAP MS-CHAPv1 challenge, and relays it to the Apple device through the rogue access point.
The Apple device uses its stored credentials to generate a valid MS-CHAPv1 response, which is then sent back to the rogue access point. The attacker captures this response, converts it to an MS-CHAPv2 response, and authenticates himself to the access point of the target network.
How iOS 8 Addresses This Vulnerability
iOS 8, available for iPhone 4s and later, 5th generation iPod Touch and later, and iPad 2 and later, addresses this vulnerability. With iOS 8, LEAP is disabled by default, so that attackers cannot authenticate using LEAP, break the MS-CHAPv1 hash, and use derived credentials to authenticate to the target access point.
Should the IT Service Desk Insist on iOS 8?
If BYOD users have Apple devices that support iOS 8, upgrading will fix this vulnerability. However, Mac OS X devices are also vulnerable, and researchers were able to create a successful attack on machines running Mac OS X 10.8.2. They suspect, however, that all current versions of Mac OS X are affected, since they share the same wireless implementation as iOS.
A suggested workaround for Mac OS X environments is to use a different TLS-based WPA2-Enterprise authentication method, one that requires validation of client-side certificates; EAP-TLS is an example. While this would prevent an attacker from impersonating a client, it would also require that separate TLS certificates for all authorized devices be installed on the access point. A simpler workaround would be a wireless intrusion prevention system that scans for LEAP requests, which might indicate the presence of rogue access points.
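The LEAP-request scan described above, as an added example that is not part of the original post or any vendor's product: a small parser for IEEE 802.1X (EAPOL) frames carrying RFC 3748 EAP packets that flags any EAP Request offering LEAP (EAP type 17) on a network that should only ever negotiate PEAP (type 25). The sample frames are constructed inline, and the LEAP type-data layout (version, reserved, count, challenge, name) is assumed from the published LEAP format rather than taken from this post.

```python
import struct
EAP_CODE_REQUEST = 1
EAP_TYPE_IDENTITY = 1
EAP_TYPE_LEAP = 17   # Cisco LEAP: MS-CHAPv1 challenge/response, no TLS
EAP_TYPE_PEAP = 25   # the method this network is supposed to negotiate

def parse_eapol(frame: bytes) -> dict:
    """Parse an EAPOL (802.1X) frame and the RFC 3748 EAP packet inside it."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    info = {"eapol_type": ptype, "code": None, "id": None, "type": None}
    if ptype != 0:  # only EAPOL type 0 (EAP-Packet) carries an EAP method
        return info
    body = frame[4:4 + body_len]
    if len(body) < 4:
        raise ValueError("short EAP header")
    info["code"], info["id"], eap_len = struct.unpack("!BBH", body[:4])
    if info["code"] in (1, 2) and eap_len >= 5:  # Request/Response have a Type
        info["type"] = body[4]
        info["type_data"] = body[5:eap_len]
    return info

def leap_challenge(type_data: bytes) -> tuple:
    """LEAP type-data (assumed: version, reserved, count, challenge, name)."""
    count = type_data[2]
    return type_data[3:3 + count], type_data[3 + count:].decode("utf-8", "replace")

def find_leap_requests(frames) -> list:
    """One alert string per EAP Request that offers LEAP (the downgrade tell)."""
    alerts = []
    for i, frame in enumerate(frames):
        info = parse_eapol(frame)
        if info["code"] == EAP_CODE_REQUEST and info["type"] == EAP_TYPE_LEAP:
            chal, name = leap_challenge(info["type_data"])
            alerts.append(f"frame {i}: LEAP Request id={info['id']} "
                          f"challenge={chal.hex()} name={name!r}")
    return alerts

def build_request(ident: int, eap_type: int, type_data: bytes = b"") -> bytes:
    """Constructed EAPOL/EAP Request frame, used only to feed the detector."""
    eap = struct.pack("!BBHB", 1, ident, 5 + len(type_data), eap_type) + type_data
    return struct.pack("!BBH", 2, 0, len(eap)) + eap

SAMPLE_FRAMES = [  # constructed, not a real capture
    build_request(1, EAP_TYPE_IDENTITY),       # normal Identity request
    build_request(2, EAP_TYPE_PEAP, b"\x20"),   # PEAP start (Start flag set)
    build_request(3, EAP_TYPE_LEAP, b"\x01\x00\x08" + bytes(range(8)) + b"corp"),
]
```

Run over frames captured from the air or from a RADIUS-facing tap, the only Request types a PEAP-only network should ever show are Identity and PEAP, so a single LEAP alert is worth investigating as a possible rogue access point.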
The IT service desk is integral to successful implementation of a BYOD policy, particularly when the IT service desk solution is integrated with powerful IT asset management tools. Samanage offers a unified IT service desk and IT asset management interface that helps your team quickly and efficiently account for every device that connects to your network, including BYOD devices.