Windows XP machines using a wireless LAN automatically search for available access points. If none is found, the machine continuously sends inquiry requests for the access points already registered on it until a connection is established.
If an access point with the same SSID as one already configured on the Windows XP machine is set up, Windows XP recognizes it as the same access point, encrypts packets with WEP, and starts transmitting to it.
Information about the registered SSIDs can be obtained from these inquiry packets by using a packet monitoring tool for wireless LAN.
Additionally, WEP-encrypted packets destined for any access point registered on a Windows XP machine can be intercepted by setting up an access point with the same SSID.
Because the functions that search for available access points and send inquiry requests are always enabled, Windows XP machines using the wireless LAN feature leak the SSIDs of their registered access points whenever they cannot connect to an available access point.
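The following is an added example (not part of the advisory) showing, from an auditing standpoint, why the leak described above is visible to anyone running a wireless monitor: an 802.11 inquiry (probe request) frame carries the SSID information element in clear text, so a "directed" probe names a registered network while a broadcast probe carries an empty SSID element. The parser below reads the 24-byte management header and the SSID element of constructed sample frames (the frame layout is the public 802.11 format; the client MAC, SSIDs, and the `build_probe`/`leaked_ssids` helpers are assumptions made for this example) and reports which clients have revealed which registered SSIDs.

```python
"""Audit 802.11 probe requests for registered-SSID leakage (added example)."""
from collections import defaultdict

MGMT_HEADER_LEN = 24        # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
SUBTYPE_PROBE_REQUEST = 4   # management-frame subtype 4 = probe request
IE_SSID = 0                 # information element id 0 = SSID


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_probe_request(frame: bytes):
    """Return {'client': mac, 'ssid': str | None} for a probe request, else None.

    ssid is None for a broadcast (wildcard) probe; a non-empty string means the
    station named a network it already knows, which is the leak in question.
    Assumes the radio header and FCS have already been stripped."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3      # bits 2-3: frame type (0 = management)
    subtype = (fc0 >> 4) & 0xF    # bits 4-7: subtype
    if ftype != 0 or subtype != SUBTYPE_PROBE_REQUEST:
        return None
    client = _mac(frame[10:16])   # Addr2 = transmitter address (the station)
    body = frame[MGMT_HEADER_LEN:]
    i, ssid = 0, None
    while i + 2 <= len(body):     # walk the tag/length/value elements
        eid, elen = body[i], body[i + 1]
        if i + 2 + elen > len(body):
            break                 # truncated element: stop instead of over-reading
        if eid == IE_SSID:
            ssid = body[i + 2:i + 2 + elen].decode("utf-8", "replace") or None
            break
        i += 2 + elen
    return {"client": client, "ssid": ssid}


def leaked_ssids(frames):
    """Map each client MAC to the sorted list of SSIDs it revealed in directed probes."""
    leaks = defaultdict(set)
    for f in frames:
        p = parse_probe_request(f)
        if p and p["ssid"]:
            leaks[p["client"]].add(p["ssid"])
    return {k: sorted(v) for k, v in leaks.items()}


def build_probe(client: bytes, ssid: bytes) -> bytes:
    """Construct a minimal probe request (constructed sample data, not a capture)."""
    header = (bytes([0x40, 0x00])    # frame control: management, subtype 4
              + b"\x00\x00"          # duration
              + b"\xff" * 6          # Addr1: broadcast destination
              + client               # Addr2: transmitting station
              + b"\xff" * 6          # Addr3: broadcast BSSID
              + b"\x10\x00")         # sequence control
    rates = b"\x01\x04\x82\x84\x8b\x96"   # supported-rates element, for realism
    return header + bytes([IE_SSID, len(ssid)]) + ssid + rates


# Constructed sample capture: one station probing, plus an unrelated beacon.
STA = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    build_probe(STA, b""),           # broadcast probe: reveals nothing
    build_probe(STA, b"CorpNet"),    # directed probe: registered SSID in the clear
    build_probe(STA, b"HomeAP"),     # another registered SSID
    b"\x80\x00" + b"\x00" * 30,      # beacon (subtype 8): ignored by the audit
]

if __name__ == "__main__":
    for client, ssids in leaked_ssids(SAMPLE_FRAMES).items():
        print(f"{client} revealed registered SSIDs: {', '.join(ssids)}")
```

Run against real traffic this would need a monitor-mode capture with radio headers stripped; the point it makes stands on the constructed frames alone: the SSID element is the only difference between a harmless broadcast probe and one that discloses a registered network name.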
In addition, WEP has several already known vulnerabilities. Data encrypted with 40-bit keys can be decrypted by brute force in a short period of time; for 104-bit keys, it has been reported that the data can be decrypted in approximately two weeks.
Consequently, sending out WEP-encrypted packets in an environment where the original access points are not available is not a recommended security practice.
Solution:
Disable the wireless LAN function of Windows XP and use third-party drivers that are not susceptible to the problem described above.
Vendor status:
The Security Response Team of Microsoft Asia Limited was informed of this issue on August 30, 2002. After discussion with them, the conclusion drawn was that the problem is related to the software specification. The Security Response Team of Microsoft Asia Limited therefore consented to the publication of this advisory.