Regulatory Silliness

Susan just pointed me to a "Self-assessment questionnaire" for the Payment Card Industry Data Security Standard (PCI/DSS). While, on the whole, the intent of that standard is good, there are some areas of it that, as usual, stray into the realm of regulatory silliness.

For example, on page 6, under the requirement to "Do not use vendor-supplied defaults for system passwords and other security parameters," we find 2.1.1.a: "Are SSID broadcasts disabled?" The PCI/DSS Security Standard version 1.1 actually requires disabling broadcast of the SSID in requirement 2.1. As Wikipedia says, "SSID is broadcast in the open in response to a client SSID query…" Disabling SSID broadcast only blanks the SSID element in the access point's beacon frames; the name still travels in the clear in the client's probe requests, in the access point's probe responses, and in the association request. Thus, to find the SSID of any "hidden" network, all you have to do is listen while a client associates to it. The Wi-Fi Alliance actually points this out in its Enterprise Solutions for Wireless LAN Security document. That document also recommends broadcasting the SSID as a security best practice, to ensure that users have the information they need to select the right network.

The really bad part about the advice to hide the SSID, however, is hinted at in the WPA Deployment Guidelines for Public Access Wi-Fi Networks, from the Wi-Fi Alliance: "A radio signal with a familiar SSID does not ensure that the user will be connected to equipment operated by a service provider that the subscriber trusts." The same document also points out that the client will connect to the closest AP for purposes of data transport. To see how that would work, assume that a network has a hidden SSID, and the client has been pre-provisioned to connect to that SSID. Because the real access point never announces the name, the client has to ask for it: it sends probe requests naming the SSID wherever it happens to be, and anyone listening can answer. In this case the client may actually end up connecting to a fake network if the fake network is perceived to be closer. The client will connect to the one with the stronger signal and will not be able to tell that one of them is rogue. If the remaining security parameters differ between the real network and the rogue one, the client will not automatically connect; the user will have to accept the connection. However, the user has no simple way to tell the real network from the rogue one either. If the networks broadcast their SSIDs, the conflict would be much easier to detect. Some clients may even automatically downgrade the security and connect to the fake, but visible, network without user interaction. This would not work if the real network were broadcasting its SSID and security parameters: the client would detect that there were two networks with the same SSID and different parameters.
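The two points above (that a "hidden" SSID still appears in probe and association frames, and that a client scanning passively cannot see a conflict between a hidden real network and a visible rogue one) can be checked against actual 802.11 management frames. The following is an added example, not code from the original post or from the Wi-Fi Alliance documents it cites. It builds a small constructed capture (the addresses, the SSID `corp-pos` and the frames themselves are all made up for the example), parses the frame headers and information elements, and reports which frame types leak the SSID and whether a scanning client could notice two networks with the same name but different security parameters. The fixed-field lengths per subtype, the frame-control layout and the RSN element layout follow the standard; the simplified RSN element only carries what is needed to compare parameters.

```python
import struct

# 802.11 management-frame subtypes and information-element (IE) tags from the standard
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0x0, 0x4, 0x5, 0x8
IE_SSID, IE_RSN = 0, 48
BROADCAST = b"\xff" * 6
FIXED_LEN = {BEACON: 12, PROBE_RESP: 12, ASSOC_REQ: 4, PROBE_REQ: 0}  # fixed fields before the IEs


def ie(tag, value):
    """Encode one tag/length/value information element."""
    return bytes([tag, len(value)]) + value


# RSN element for WPA2-PSK: version 1, CCMP group cipher, one CCMP pairwise cipher,
# one PSK AKM, RSN capabilities 0
RSN_WPA2_PSK = (struct.pack("<H", 1) + b"\x00\x0f\xac\x04"
                + struct.pack("<H", 1) + b"\x00\x0f\xac\x04"
                + struct.pack("<H", 1) + b"\x00\x0f\xac\x02"
                + struct.pack("<H", 0))


def mgmt_frame(subtype, dst, src, bssid, ies):
    """Build a management frame: 24-byte header, zeroed subtype fixed fields, then IEs."""
    fc = struct.pack("<H", subtype << 4)  # version 0, type 0 (management), flags 0
    header = fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    return header + b"\x00" * FIXED_LEN[subtype] + b"".join(ies)


def parse_mgmt(frame):
    """Parse the header and IEs of a beacon, probe request/response or association request."""
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    if subtype not in FIXED_LEN:
        raise ValueError("unsupported subtype %#x" % subtype)
    src, bssid = frame[10:16], frame[16:22]
    body, off, ies = frame[24:], FIXED_LEN[subtype], {}
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        ies[tag] = body[off + 2:off + 2 + length]
        off += 2 + length
    raw = ies.get(IE_SSID)
    # A "hidden" network sends an SSID element that is empty or all NULs in its beacons
    hidden = raw is not None and raw.strip(b"\x00") == b""
    ssid = None if hidden or raw is None else raw.decode("utf-8", "replace")
    return {"subtype": subtype, "src": src.hex(":"), "bssid": bssid.hex(":"),
            "ssid": ssid, "hidden": hidden, "rsn": ies.get(IE_RSN)}


def leaked_ssids(frames):
    """Map each SSID to the subtypes of the frames that carried it in the clear."""
    leaks = {}
    for f in map(parse_mgmt, frames):
        if f["ssid"] is not None:
            leaks.setdefault(f["ssid"], set()).add(f["subtype"])
    return leaks


def advertised_networks(frames, beacons_only=False):
    """Map SSID -> {BSSID: RSN element or None} as a scanning client would see it.

    A passive scan sees only beacons; an active scan also sees probe responses."""
    accept = {BEACON} if beacons_only else {BEACON, PROBE_RESP}
    nets = {}
    for f in map(parse_mgmt, frames):
        if f["subtype"] in accept and f["ssid"] is not None:
            nets.setdefault(f["ssid"], {})[f["bssid"]] = f["rsn"]
    return nets


def conflicting_ssids(nets):
    """SSIDs advertised by more than one BSSID with differing security parameters."""
    return sorted(s for s, aps in nets.items() if len(set(aps.values())) > 1)


# Constructed sample capture (made up for this example): a real AP with a hidden SSID,
# the client provisioned for it, and a rogue AP imitating the name as an open network
REAL_AP = b"\x02\x00\x00\x00\x00\x01"
ROGUE_AP = b"\x02\x00\x00\x00\x00\x02"
CLIENT = b"\x02\x00\x00\x00\x00\x10"
SSID = b"corp-pos"

real_beacon = mgmt_frame(BEACON, BROADCAST, REAL_AP, REAL_AP,
                         [ie(IE_SSID, b""), ie(IE_RSN, RSN_WPA2_PSK)])
# The client can only find a hidden network by asking for it by name
client_probe = mgmt_frame(PROBE_REQ, BROADCAST, CLIENT, BROADCAST, [ie(IE_SSID, SSID)])
real_probe_resp = mgmt_frame(PROBE_RESP, CLIENT, REAL_AP, REAL_AP,
                             [ie(IE_SSID, SSID), ie(IE_RSN, RSN_WPA2_PSK)])
client_assoc = mgmt_frame(ASSOC_REQ, REAL_AP, CLIENT, REAL_AP,
                          [ie(IE_SSID, SSID), ie(IE_RSN, RSN_WPA2_PSK)])
rogue_beacon = mgmt_frame(BEACON, BROADCAST, ROGUE_AP, ROGUE_AP, [ie(IE_SSID, SSID)])  # open
CAPTURE = [real_beacon, client_probe, real_probe_resp, client_assoc, rogue_beacon]

if __name__ == "__main__":
    print("real beacon hides SSID:", parse_mgmt(real_beacon)["hidden"])
    print("SSID recovered from frame subtypes:", leaked_ssids(CAPTURE))
    print("passive scan sees:", advertised_networks(CAPTURE, beacons_only=True))
    print("conflicts, passive scan:", conflicting_ssids(advertised_networks(CAPTURE, beacons_only=True)))
    print("conflicts, active scan:", conflicting_ssids(advertised_networks(CAPTURE)))
```

Run as a script, it shows the hidden beacon yielding no name while the probe request, probe response and association request all carry `corp-pos`; a passive scan sees only the open rogue network under that name, so there is nothing to conflict with, whereas the same rogue beacon beside a real beacon that advertises its SSID and RSN element is flagged immediately.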

Curiously, the PCI/DSS Security Standard version 1.1 does not require the use of WPA2, or even WPA, for security on wireless networks. It only recommends that they be used "when WPA-capable." In other words, it permits the use of the completely discredited "Wired Equivalent Privacy" (WEP) protocol, which provides no security at all, while requiring security-theater measures that actually reduce the security of your wireless network. One is left to wonder when the next TJX disaster will happen.
