InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity March 2010
Security Insight

Are You Betting on Hotspot capabilities of Windows 7? – Be Careful

The hotspot capability of a Windows 7 machine adds one more risk to the list of Wi-Fi risks a corporate administrator already has to worry about. Although Windows 7 penetration inside corporate premises is still very rare, exploitation of the hotspot capability of a single Windows 7 machine on the premises can bring down the whole corporate network and can result in theft of confidential data.

With Windows 7 on the market, users can now turn their Wi-Fi enabled laptops and netbooks into a hotspot using software such as Connectify. Connectify and similar programs are freely downloadable from the web and take control of the Windows 7 virtual Wi-Fi feature to turn a Windows 7 machine into a hotspot. A hotspot, as is widely known, is a site that offers internet access over Wi-Fi through a link that has access to the internet.

While configuring the hotspot on a Windows 7 machine through Connectify, the user only needs to provide an SSID (the identifier of the hotspot), a password (to access the hotspot network) and an option for network/internet access. A user can have multiple network connections (for example, when several network-connected wireless and/or wired adapters are plugged into the machine), each giving access to a different network. The network/internet access option lets the user select a single network connection which the hotspot can access. The same option also lets the user disallow any network access for the configured hotspot.

After the hotspot is configured, Wi-Fi enabled devices can connect to it using the hotspot SSID and password. Once connected, these devices have access to the hotspot network and Layer 3 connectivity with the machine on which the hotspot is configured.

This hotspot capability of Windows 7 is rapidly becoming popular among regular Wi-Fi users because it gives them the feel of a personal Wi-Fi network which they can carry along with them. With such a personal Wi-Fi network in place, a user can share network access and/or other resources on his Windows 7 machine with the other Wi-Fi enabled devices that connect to this network.

One major advantage of the Windows 7 specific hotspot capability is that hotspot and Wi-Fi client operation can coexist on the same Wi-Fi adapter plugged into the Windows 7 machine. Thus, using a single Wi-Fi adapter, a user can connect as a Wi-Fi client to a Wi-Fi network (infrastructure or ad hoc) and simultaneously share the network resources accessed that way with the Wi-Fi devices connected to the hotspot the user has set up.

Although Wi-Fi users are very excited about this capability, administrators managing corporate network infrastructure are getting nervous because of it.
This nervousness comes from the fact that if a hotspot is set up by a corporate employee or a guest on his Windows 7 machine, it can put the corporate network infrastructure at risk in the following ways:

Access of corporate network to a malicious user: A corporate machine usually has corporate network access through a wired or wireless adapter plugged into it. If such a machine is running Windows 7 and a hotspot is configured on it with the option to share the corporate network, then a malicious user who accidentally or intentionally gets connected to this hotspot will have corporate network access. With access to the corporate network, the malicious user can launch a suite of attacks on the network using a variety of hacking techniques. This can potentially result in disruption of network services, and it is also possible that the malicious user succeeds in getting access to some corporate confidential data or to personal information related to an employee or guest.

Access of un-authorized network to corporate users: If a corporate machine is running Windows 7 and a hotspot is set up on this machine, the hotspot may be configured to share an unauthorized network with the users connecting to it. This unauthorized network is neither approved nor managed by the network administrator for the corporate Wi-Fi clients. The configured hotspot on the corporate Windows 7 machine can have access to an unauthorized network through a Wi-Fi connection (using the plugged-in Wi-Fi adapter) to some unauthorized Wi-Fi network. Generally, the unauthorized Wi-Fi network belongs to a neighboring establishment, or in some cases it may have been set up in the neighborhood with malicious intent to victimize corporate Wi-Fi clients. Apart from an unauthorized Wi-Fi connection, the configured hotspot can have access to an unauthorized network through adapters that reach the network over technologies such as 3G and Wi-Max.

When a corporate user gets connected to such a hotspot, he will also have access to the unauthorized network without any of the restrictions imposed by the corporate firewall. The corporate user, in effect, bypasses the corporate firewall. After gaining this access, the corporate user might have full-blown internet access, which is not allowed on most corporate premises. Such access can also invite the installation of Trojans, malware and other malicious software on the user's machine without his knowledge. Further, such malicious software could make its way into the corporate network if the user's machine also has access to the corporate network.

Access of corporate machine to a malicious user: This could potentially happen in three cases. First, when a user with malicious intent directly connects his Wi-Fi device to the hotspot running on a Windows 7 powered corporate machine. In this case, it does not matter whether the hotspot shares any network access or not. Secondly, when a user with malicious intent is part of the unauthorized network which the hotspot is configured to share with its potential users. Lastly, when the corporate user who has configured the hotspot on his Windows 7 machine has malicious intent.

In all of these cases, the malicious user could get direct Layer 3 connectivity with a targeted corporate employee or guest machine when that machine gets connected to the hotspot. With such connectivity at his disposal, the malicious user can launch a suite of attacks against the target machine to compromise it in one or more ways, which can possibly result in theft of corporate or personal confidential information from the targeted machine.

All of the above risks surface when a hotspot is configured on a Windows 7 machine on the corporate premises. This machine may belong to a corporate employee or a visitor. There can be many reasons for configuring such a hotspot, such as:

  • Extending the corporate Wi-Fi network to other corporate people who are Wi-Fi users and are experiencing difficulty in getting the corporate Wi-Fi signal.

  • Extending a particular corporate VLAN to other corporate Wi-Fi users when there is no corresponding Wi-Fi network for that VLAN or these users don’t have access to Wi-Fi network corresponding to that VLAN.

  • Sharing data residing on hotspot machine with other Wi-Fi devices.

  • Sharing the corporate network with Wi-Fi devices (such as smart phones) which belong to corporate people but are not allowed to access the corporate network.

  • Malicious intent of a corporate employee or a visitor.

Considering these risks, which can disrupt network services, compromise corporate machines and lead to theft of corporate or personal confidential information, it becomes important for administrators to actively detect and block all such unwanted hotspots on corporate premises. The most obvious way to do this is to block all Windows 7 machines on corporate premises, although this is not feasible given the growing popularity of the Windows 7 release. The feasible and most robust way is to deploy a WIPS (Wireless Intrusion Prevention System) on the corporate premises. A well-built WIPS solution will catch each and every such Windows 7 based hotspot and block all ongoing communications with it.
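An endpoint-side check that complements the WIPS approach described above, as an added example that is not part of the original article: it parses the output of `netsh wlan show hostednetwork`, the Windows command that reports the state of the virtual Wi-Fi hosted network, and lists connected clients that are missing from an asset inventory. The sample output, SSID, MAC addresses and the `MANAGED_MACS` inventory are constructed for illustration, and English-locale output is assumed.

```python
import re

# Constructed sample of `netsh wlan show hostednetwork` output (English locale)
# from a hypothetical corporate Windows 7 laptop running a hotspot.
SAMPLE_OUTPUT = """
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "Conf-Room-Share"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:11:22:33:44:55
    Radio type             : 802.11g
    Channel                : 6
    Number of clients      : 2
        00:aa:bb:cc:dd:01        Authenticated
        00:aa:bb:cc:dd:02        Authenticated
"""

# Hypothetical asset inventory: Wi-Fi MAC addresses of corporate-managed devices.
MANAGED_MACS = {"00:aa:bb:cc:dd:01"}
MAC_LINE = re.compile(r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\S+$", re.I)

def parse_hosted_network(text):
    """Return (fields, clients): 'key : value' settings and associated client MACs."""
    fields, clients = {}, []
    for line in map(str.strip, text.splitlines()):
        client = MAC_LINE.match(line)
        if client:
            clients.append(client.group(1).lower())
        elif " : " in line:
            key, value = line.split(" : ", 1)
            fields[key.strip().lower()] = value.strip().strip('"')
    return fields, clients

def assess(text, managed_macs=MANAGED_MACS):
    """Summarise one endpoint: is a hotspot running, and who is connected to it?"""
    fields, clients = parse_hosted_network(text)
    return {
        "allowed": fields.get("mode", "").lower() == "allowed",
        "active": fields.get("status", "").lower() == "started",
        "ssid": fields.get("ssid name"),
        "unknown_clients": [m for m in clients if m not in managed_macs],
    }
```

Where `allowed` is true on a machine with no business need for the feature, `netsh wlan set hostednetwork mode=disallow` run from an elevated prompt disables the hosted network.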

—By: Ajay Kumar Gupta. He is currently acting as Tech Lead, Engineering, at AirTight Networks, Inc (A global leader in Enterprise Wi-Fi security products). He is a frequent contributor to some leading security magazines and AirTight’s blog (http://blog.airtightnetworks.com). For more information he can be reached at ajaygupta.hbti@gmail.com.

