At RSA last week, a small US company called Immunity rolled out a new product, "Silica", that allows surreptitious handheld penetration testing of wireless devices. The sleek handheld device allows you to:
"* Tell SILICA to scan every machine on every wireless network for file shares and download anything of interest to the SILICA device. Then just put it in your suit pocket and walk through your target's office space.
* Tell SILICA to actively penetrate any machines it can target (with any of Immunity CANVAS's exploits) and have all successfully penetrated machines connect via HTTP/DNS to an external listening port running Immunity CANVAS Professional.
* Mail SILICA to your target's CEO, then let it turn on and hack anything it can as it sits on their desk.
* Have SILICA conduct MITM attacks against people on a wireless network."
The CEO of the firm, the former CIO of Bloomberg, is quoted in eWeek's article "Wireless Hacking Tool Makes Splash at RSA":
"The former CIO cooked up the idea for the mobile hacking device while at Bloomberg, where she was constantly worried about the use of rogue access points and unprotected wireless networking systems.
Whether being used to carry out man-in-the-middle attacks against unguarded wireless users or to seek out file shares sitting on people's desktops, the device is a convenient platform for proving the need for stronger access protection, according to the executive.
"People can ship this to their operations anywhere in the world to help test the vulnerability of their corporate networks," the CEO said. "We think there's a real market for this type of device."
I think that enterprises should not only use the device to test their networks but also be aware that hacking their untested wireless devices just got a lot easier. It's time to strengthen the authentication on enterprise wireless devices.
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
