Evil Twins, Eavesdropping & Password Cracking: How OIG Successfully Attacked DOI’s Wireless Networks

Our evaluation revealed that the U.S. Department of the Interior did not deploy and operate a secure wireless network infrastructure, as required by National Institute of Standards and Technology (NIST) guidance and industry best practices. We conducted reconnaissance and penetration testing of wireless networks representing each bureau and office using assembled portable test units we assembled for less than $200 and easily concealed in a backpack or purse. We operated these units with smartphones from publicly accessible areas and locations open to visitors.

Our attacks simulated the techniques of malicious actors attempting to break into departmental wireless networks, such as eavesdropping, evil twin, and password cracking. These attacks went undetected by security guards and IT security staff as we explored Department facilities and were highly successful—we intercepted and decrypted wireless network traffic in multiple bureaus.

We also found that several bureaus and offices did not implement measures to limit the potential adverse effect of breaching a wireless network. Because the bureaus did not have effective protective measures in place, such as network segmentation, we were able to identify assets containing sensitive data or supporting mission-critical operations. Further, we found that the Department:

• Did not require regular testing of network security

• Did not maintain complete inventories of their wireless network

• Published contradictory, outdated, and incomplete guidance

These deficiencies occurred because the Office of the Chief Information Officer (OCIO) did not provide effective leadership and guidance to the Department and failed to establish and enforce wireless security practices in accordance with NIST guidance and recommended best practices. Without operating secure wireless networks that include boundary controls between networks and active monitoring, the Department is vulnerable to the breach of a high-value IT asset, which could cripple Department operations and result in the loss of highly sensitive data.

We make 14 recommendations to strengthen the Department’s wireless network security to prevent potential security breaches, which could have a severe adverse effect on Department operations, assets, or individuals. In response to our draft report, the OCIO concurred with all 14 recommendations and stated that it is working to implement them.