What are Malicious SSIDs
SSIDs are those familiar wireless network names carried by 802.11 beacon and probe frames. A “malicious SSID” refers to an SSID Information Element (IE) that is generated for the express purpose of exploiting a product flaw, either in a wireless AP/client that receives the SSID and fails to parse it correctly, or in a wireless management system that attempts to display the SSID and mishandles it.
For example, back in 2006, 802.11b adapters manufactured by Intersil, Lucent, Agere, Orinoco, and Apple were found to react badly upon receipt of null SSID IEs. Also in 2006, overly long SSIDs received by the NETGEAR WG311v1 PCI card were found to trigger a buffer overflow condition permitting arbitrary kernel-mode code execution. More recently, the popular DD-WRT web interface was found to be vulnerable to an SSID script injection attack.
And so the trend continues. New bug reports (CVEs) are partly the result of tools like Metasploit that make it easy to “fuzz test” Wi-Fi products by sending out a wide variety of SSID values. Eventually, hackers stumble across malicious SSID values that developers weren’t expecting and didn’t code to handle. But of course, Metasploit doesn’t create these bugs – it simply exploits them.
When SSID-handling bugs are exploited in Wi-Fi devices, they can crash the device or result in arbitrary code execution at a low level. When SSID-handling bugs are exploited in web interfaces or management applications, the consequences can be even greater. Attackers may use XSS or CSRF attacks to exfiltrate sensitive information or otherwise compromise systems running vulnerable interfaces.
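The three failure classes described above (null SSID IEs, overlong SSIDs, and SSIDs that carry markup into a web interface) all come down to the receiving side trusting a length byte and a string it did not produce. The parser below is an added example, not code from the article or from any of the products it names; it walks the tagged parameters of a constructed beacon frame body, refuses an IE whose length runs past the frame, caps the SSID at the 32-octet maximum the 802.11 standard allows, and HTML-escapes the text before it is handed to a display layer. The `build_beacon_body` helper and the element-ID constants are assumptions made here for the sake of a self-contained sample.

```python
import html
from dataclasses import dataclass, field
from typing import Iterator, Optional, Tuple

# Element ID 0 is the SSID element and its payload is at most 32 octets
# (values taken from the 802.11 standard, used here as constants).
EID_SSID = 0
SSID_MAX_LEN = 32

# Fixed fields that precede the tagged parameters in a beacon frame body:
# timestamp (8) + beacon interval (2) + capability information (2).
BEACON_FIXED_LEN = 12


@dataclass
class SsidResult:
    raw: Optional[bytes]                   # SSID bytes as carried on the air (None if no SSID IE)
    anomalies: list = field(default_factory=list)  # defects the parser refused to trust
    display: str = ""                      # escaped, printable text safe to render in a web UI


def iter_elements(tagged: bytes) -> Iterator[Tuple[int, Optional[bytes]]]:
    """Walk the TLV-encoded elements; yield (eid, None) and stop if a length overruns the buffer."""
    off = 0
    while off + 2 <= len(tagged):
        eid, ln = tagged[off], tagged[off + 1]
        if off + 2 + ln > len(tagged):
            yield eid, None          # advertised length runs past the end of the frame
            return
        yield eid, tagged[off + 2: off + 2 + ln]
        off += 2 + ln


def parse_beacon_ssid(body: bytes) -> SsidResult:
    """Extract the SSID from a beacon frame body without trusting its length or content."""
    if len(body) < BEACON_FIXED_LEN:
        return SsidResult(None, ["truncated_frame"])
    anomalies = []
    raw = None
    for eid, value in iter_elements(body[BEACON_FIXED_LEN:]):
        if value is None:
            anomalies.append("ie_length_overrun")
            break
        if eid == EID_SSID:
            raw = value
            break
    if raw is None:
        anomalies.append("no_ssid_ie")
        return SsidResult(None, anomalies)
    if len(raw) == 0:
        anomalies.append("null_ssid")
    shown = raw
    if len(raw) > SSID_MAX_LEN:
        anomalies.append("ssid_too_long")
        shown = raw[:SSID_MAX_LEN]   # never copy more than the field can legitimately hold
    try:
        text = shown.decode("utf-8")
    except UnicodeDecodeError:
        anomalies.append("non_utf8")
        text = shown.decode("utf-8", errors="replace")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        anomalies.append("control_chars")
        text = "".join(c if (ord(c) >= 0x20 and ord(c) != 0x7F) else "\ufffd" for c in text)
    # Escaping happens here, at the boundary, so a management UI never sees raw markup.
    return SsidResult(raw, anomalies, html.escape(text, quote=True))


def build_beacon_body(ssid: bytes, extra_ies: bytes = b"") -> bytes:
    """Constructed sample frame body (assumption, not captured traffic): fixed fields + SSID IE."""
    fixed = bytes(8) + (100).to_bytes(2, "little") + (0x0411).to_bytes(2, "little")
    return fixed + bytes([EID_SSID, len(ssid) & 0xFF]) + ssid + extra_ies


if __name__ == "__main__":
    for sample in (b"CorpNet", b"", b"A" * 40, b"<b>Lobby</b>"):
        r = parse_beacon_ssid(build_beacon_body(sample))
        print(r.anomalies, repr(r.display))
```

The point of returning `anomalies` alongside the escaped string is that the same parser serves both roles the article distinguishes: a driver or AP can drop the frame on any anomaly, while a management console can still log what it saw without ever rendering it unescaped.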
What You Can Do to Deter Exploitation
Ultimately, the best antidote to malicious SSIDs is rigorous pre-release product testing. If developers fuzz-tested their own code as thoroughly as hackers do afterward, the unhandled exceptions caused by malicious SSIDs would be found and fixed before exploitation. Unfortunately, history suggests that testing isn’t likely to weed out all vulnerable products – especially among inexpensive consumer-grade BYODs constantly being rushed to market.
WLAN administrators can turn the tables by fuzz-testing the Wi-Fi-related products they buy (or intend to buy), searching for malicious SSID vulnerabilities. This is a good strategy for WLAN infrastructure and should be part of any organization’s vulnerability assessment regimen. For example, use the Metasploit Wireless Beacon SSID Emulator to generate beacons with random SSID values.
Timely application of software patches and firmware or OS updates that fix newly discovered SSID vulnerabilities can narrow your company’s risk exposure.
Finally, use a Wireless IPS such as AirMagnet Enterprise to continually listen for signs of malicious SSID activity. Depending upon the attack tools being used, this activity may present as a malformed packet attack, a Device Broadcasting XSS SSID attack, a Karmetasploit attack, a Beacon Fuzzing attack, or a Probe Request/Response Fuzzing attack. Spotting such attacks in progress can help protect even new BYODs with unreported flaws that could otherwise leave your WLAN vulnerable to malicious SSIDs.
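To make the WIPS signatures listed above concrete, here is an added example of the kind of detection logic a wireless sensor can run over beacon observations; it is not AirMagnet’s code or any vendor’s rule set. It takes already-extracted `(time, BSSID, SSID bytes)` events (the constructed sample set below stands in for sensor output) and raises three alert kinds: an oversized SSID, markup inside an SSID (the “XSS SSID” case), and beacon fuzzing, which it identifies as one BSSID advertising many distinct SSIDs inside a short window. The window length and the distinct-SSID threshold are assumed tuning values, not defaults from any product.

```python
from collections import defaultdict, deque
from typing import Iterable, List, Tuple

SSID_MAX_LEN = 32               # maximum SSID length per the 802.11 standard
WINDOW_SEC = 10.0               # assumed sliding window for the fuzzing heuristic
DISTINCT_SSID_THRESHOLD = 8     # assumed: this many distinct SSIDs from one BSSID in the window

Event = Tuple[float, str, bytes]   # (seconds, bssid, ssid_bytes)
Alert = Tuple[str, str, object]    # (kind, bssid, detail)


def analyze_beacons(events: Iterable[Event]) -> List[Alert]:
    """Scan time-ordered beacon observations and return WIPS-style alerts."""
    recent = defaultdict(deque)   # bssid -> deque of (t, ssid) inside the window
    fuzz_flagged = set()          # raise the fuzzing alert once per BSSID, not per frame
    alerts: List[Alert] = []
    for t, bssid, ssid in events:
        # Per-frame checks: these correspond to "malformed packet" style signatures.
        if len(ssid) > SSID_MAX_LEN:
            alerts.append(("oversized_ssid", bssid, len(ssid)))
        if b"<" in ssid and b">" in ssid:
            alerts.append(("markup_in_ssid", bssid, ssid.decode("utf-8", errors="replace")))
        # Windowed check: a fuzzer cycles through SSID values far faster than any real AP.
        q = recent[bssid]
        q.append((t, ssid))
        while q and t - q[0][0] > WINDOW_SEC:
            q.popleft()
        distinct = len({s for _, s in q})
        if distinct >= DISTINCT_SSID_THRESHOLD and bssid not in fuzz_flagged:
            fuzz_flagged.add(bssid)
            alerts.append(("beacon_fuzzing", bssid, distinct))
    return alerts


def sample_events() -> List[Event]:
    """Constructed observations (assumption, not a real capture): one normal AP, one fuzzer, two oddities."""
    legit = [(i * 0.1, "02:00:00:00:00:01", b"CorpNet") for i in range(50)]
    fuzz = [(1.0 + i * 0.05, "02:00:00:00:00:02", b"fz-%03d" % i) for i in range(10)]
    odd = [(3.0, "02:00:00:00:00:03", b"<i>Guest</i>"),
           (3.5, "02:00:00:00:00:04", b"A" * 40)]
    return sorted(legit + fuzz + odd, key=lambda e: e[0])


if __name__ == "__main__":
    for kind, bssid, detail in analyze_beacons(sample_events()):
        print(f"{kind:16} {bssid}  {detail!r}")
```

The legitimate AP never trips the heuristic because it repeats a single SSID; the threshold is on distinct values inside the window, not on beacon rate, so a normal network with a short beacon interval stays quiet while a fuzzer rotating values does not.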