DocumentCode :
3384600
Title :
Transparent IP layer Interception on Enterprise 802.11b/g Networks
Author :
Harrop, Warren ; Armitage, Grenville
Author_Institution :
Centre for Adv. Internet Archit., Swinburne Univ. of Technol., Melbourne, VIC
fYear :
2005
fDate :
21-24 Nov. 2005
Firstpage :
1
Lastpage :
5
Abstract :
Many enterprise sites utilise 802.11b/g technology to create an untrusted access network sitting outside their protected institutional IP network, with internal access allowed only through an IP-layer virtual private network (VPN) gateway. Often such networks do not implement link layer security, because of the known weaknesses of the IEEE's wired equivalent privacy (WEP). This results in a wireless network on which arbitrary people can establish themselves as hosts with arbitrary IP addresses. Although the enterprise IP network is protected by the VPN gateway, users of the wireless network can become victims of unscrupulous (or accidental) interception of their IP communication. Common Windows laptop (mis-)configurations often try and establish communications through a default gateway on the 192.168/16 network. Anyone could configure another host as this default gateway on the enterprise 802.11b/g network and thus hijack a visitor's network connection without the visitor even realising. In this paper we test and confirm the plausibility of this attack in a University wireless LAN and present results from real world data, confirming the existence of users failing to reconfigure their visiting host and attempting to connect via possible malicious gateways. We then suggest possible mitigation techniques.
Keywords :
IP networks; authorisation; business communication; data privacy; internetworking; virtual private networks; wireless LAN; IEEE wired equivalent privacy; IP address; IP communication; IP-layer virtual private network gateway; VPN gateway; Windows laptop configuration; enterprise 802.11b network; enterprise 802.11g network; internal access; link layer security; malicious gateway; network connection; protected institutional IP network; transparent IP layer interception; untrusted access network; wireless network; Australia; Cryptography; IP networks; Joining processes; Portable computers; Privacy; Protection; Virtual private networks; Wireless LAN; Wireless networks;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
TENCON 2005 2005 IEEE Region 10
Conference_Location :
Melbourne, Qld.
Print_ISBN :
0-7803-9311-2
Electronic_ISBN :
0-7803-9312-0
Type :
conf
DOI :
10.1109/TENCON.2005.301137
Filename :
4085306