Many wireless gateways support several means of authentication, which allows the widest versatility in client selection. A gateway that can support a wide variety of clients has an edge over other, less accommodating wireless security solutions on the market. This has led to specific attacks against the weaker authentication means. The real threat to gateway systems comes from another strong selling point: being clientless. To make a gateway clientless while still supporting a wide variety of operating systems, SSL is often used. When SSL is used, the gateway prompts users with a default Web site that they must authenticate to before they can gain access past the gateway. Now take a look at how attackers have undermined this security.
Some tools are available that act as an SSL proxy and can defeat the security of wireless gateways. The first step in performing this attack is to set up a proxy server and place it between the gateway and the client. When the client fires up its wireless connection, it connects to the proxy, and the client and the proxy establish an SSL connection. After this takes place, the proxy establishes another SSL connection with the wireless gateway. Once both SSL connections are created, the wireless user (the victim) sees the wireless gateway and authenticates to it. This authentication, unbeknown to the victim, is susceptible to eavesdropping: the normally encrypted authentication traffic is briefly decrypted at the proxy server, then re-encrypted and sent to the gateway. One piece of software that can perform this attack is called Achilles; it is available from DigiZen security group at DigizenSecurity.
Another interesting attack on clientless gateways is the same as the one in the 802.1x section. Creating a rogue access point and network that look like the gateway can lure clients into authenticating to it. This would be set up the same way, with the only difference being a Web site that looks like the gateway device. Once the first user connects to this attacker-owned Web site, his credentials can be stolen and used to access the network.
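Both the SSL proxy and the look-alike Web site described above hand the client a certificate that is not the gateway's own, so a client that pins the gateway certificate can detect either before credentials are sent. The following is an added example, not from the original text; the host name `gateway.example`, the pin store and the byte strings standing in for DER certificates are constructed assumptions.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GATEWAY_DER = b"constructed-gateway-certificate"
PROXY_DER = b"constructed-proxy-certificate"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


# Hypothetical pin store, filled in out of band (e.g. by the administrator).
PINS = {"gateway.example": fingerprint(GATEWAY_DER)}


def fetch_presented_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the certificate the peer presents, without trusting it yet."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation; caller must pin-check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_portal(host: str, presented_der: bytes, pins: dict) -> str:
    """Compare the presented certificate with the pin recorded for host."""
    pinned = pins.get(host)
    if pinned is None:
        return "unknown"  # no pin on record: do not send credentials
    expected = pinned.replace(":", "").lower()  # accept AA:BB:... notation
    if hmac.compare_digest(fingerprint(presented_der), expected):
        return "match"
    return "mismatch"  # presented certificate is not the pinned gateway's


if __name__ == "__main__":
    # Offline demonstration with the constructed certificates above.
    for label, der in (("gateway", GATEWAY_DER), ("proxy", PROXY_DER)):
        print(label, check_portal("gateway.example", der, PINS))
```

On a live network, the bytes returned by `fetch_presented_der` would be passed to `check_portal` before the login page is trusted.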












