Wireless Attacks

As we have learned, the main function of 802.11 access points is to provide a portal into a wired network infrastructure. The portal must be protected with strong authentication methods so that only legitimate users with the proper credentials will be authorized to have access to network resources.

If the portal is not properly protected, unauthorized users can also gain access to these resources. The potential risks of exposing these resources are endless. An intruder could gain access to financial databases, corporate trade secrets, or personal health information.

Network resources can also be damaged. What would be the financial cost to an organization if an intruder used the wireless network as a portal to disrupt or shut down a SQL server or email server?

If the Wi-Fi portal is not protected, any individual wishing to cause harm could upload data such as viruses, Trojan horse applications, keystroke loggers, or remote control applications.

Spammers have already figured out that they can use open wireless gateways to the Internet to commence spamming activities. Other illegal activities, such as software theft and remote hacking, may also occur through an unsecured gateway.

While an intruder can use the wireless network to attack wired resources, equally at risk are all of the wireless network resources. Any information that passes through the air can be captured and possibly compromised.

If not properly secured, the management interfaces of Wi-Fi equipment can be accessed. Many wireless users are fully exposed for peer-to-peer attacks. Finally, the possibility of denial of service attacks against a wireless network always exits.

With the proper tools, any individual with ill intent can temporarily disable a Wi-Fi network, thus denying legitimate users access to the network resources. In the following you will learn about all the potential attacks that can be launched against 802.11 wireless networks.

Rogue Access Point

The big buzz phrase in Wi-Fi security has always been the rogue access point. In earlier, we learned about 802.1X/EAP authentication solutions that can be put in place to prevent unauthorized access. However, what is there to prevent an individual from installing their own wireless portal onto the network backbone?

A rogue access point is any Wi-Fi device that is connected to the wired infrastructure but is not under the management of the proper network administrators. Any $50 SOHO Wi-Fi access point or router can be plugged into a live data port.

The rogue device will just as easily act as a portal into the wired network infrastructure. Because the rogue device has no authorization and authentication security in place, any intruder can now use this open portal to gain access to network resources.

It is not uncommon for a company to have a wireless network installed and not even know about its existence. The individuals most responsible for installing rogue access points are not hackers; they are employees not realizing the consequences of their actions.

According to some statistics, well over 50 percent of home users have wireless access at home and have become accustomed to the convenience and mobility that Wi-Fi offers.

As a result, employees often install their own wireless devices in the workplace because the company they work for has yet to deploy an enterprise wireless network.

The problem is that, while these self-installed access points might provide the wireless access that the employees desire, they are rarely secured. Every rogue access point is a potential open and unsecured gateway straight into the wired infrastructure that the company wants to protect.

Although only a single open portal is needed to expose network resources, many large companies have discovered literally dozens of rogue access points that have been installed by employees. Ad-hoc networks also have the potential of providing rogue access into the corporate network.

Very often an employee will have a laptop or desktop plugged into the wired network via an Ethernet network card. On that same computer, the employee has a Wi-Fi radio and has set up an ad-hoc Wi-Fi connection with another employee.

Because the Ethernet connection and the Wi-Fi card can be bridged together, an intruder might also access the ad-hoc wireless network and then potentially route their way to the Ethernet connection and get onto the wired network.

Many government agencies and corporations ban the use of ad-hoc networks for this very reason. The ability to configure an ad-hoc network can be disabled on most enterprise client devices.

As stated earlier, most rogue APs are installed by employees not realizing the consequences of their actions, but any malicious intruder can use these open portals to gain access.

Furthermore, besides physical security, there is nothing to prevent an intruder from also connecting their own rogue access point via an Ethernet cable into any live data port provided in a wall plate.

If an 802.1X solution is deployed for the wireless network, it can also be used to secure the network ports on the wired network. In that case, any new access points would need to authenticate to the network prior to being given access.

This is a good way to not only utilize existing resources, but also to provide better security for your wired network by protecting against rogue APs.

Peer-to-Peer Attacks

As mentioned earlier, wireless resources may also be attacked. A commonly overlooked risk is the peer-to-peer attack. As you have learned in earlier article, an 802.11 client station can be configured in either Infrastructure mode or Ad-Hoc mode.

When configured in Ad-Hoc mode, the wireless network is known as an independent basic service set (IBSS) and all communications are peer-to-peer without the need for an access point.

Because an IBSS is by nature a peer-to-peer connection, any user who can connect wirelessly with another user can potentially gain access to any resource available on either laptop.

A common use of ad-hoc networks is to share files on the-fly. If shared access is provided, files and other assets can accidentally be exposed. A personal firewall is often used to mitigate peer-to peer attacks.

Users that are associated to the same access point are typically just as vulnerable to peer-to-peer attacks as IBSS users. Properly securing your wireless network often involves protecting authorized users from each other since hacking at companies is often performed internally by employees.

Users associated to the same access point are members of the same basic service set (BSS). Because they reside in the same wireless domain, the users are exposed to peer-to-peer attacks.

In most WLAN deployments, Wi-Fi clients communicate only with devices on the wired network such as email or web servers and peer-to-peer communications are not needed.

Therefore, most vendors provide some proprietary method of preventing users from inadvertently sharing files with other users. If connections are required to other wireless peers, the traffic is routed through a layer 3 switch or other network device prior to passing to the desired destination station.

Public Secure Packet Forwarding (PSPF) is a feature that can be enabled on WLAN access points or switches to block wireless clients from communicating with other wireless clients on the same wireless segment.

With PSPF enabled, client devices cannot communicate with other client devices on the wireless network, as pictured in Figure below.

Although, PSPF is a term most commonly used by Cisco, other vendors have similar capabilities under different names.

Eavesdropping

802.11 wireless networks operate in license-free frequency bands and all data transmissions travel in the open air. Access to wireless transmissions is available to anyone within listening range, and therefore strong encryption is mandatory.

Wireless communications can be monitored via two eavesdropping methods: casual eavesdropping and malicious eavesdropping. Casual eavesdropping is typically considered harmless and is also often referred to as wardriving.

Software utilities known as WLAN discovery tools exist for the purpose of finding open WLAN networks. Wardriving is strictly the act of looking for wireless networks, usually while in a moving vehicle. The most common wardriving software tool is a freeware program called NetStumbler.

NetStumbler sends out null probe requests across all license-free 802.11 frequencies with the hope of receiving probe response frames containing wireless network information such as SSID, channel, encryption, and so on.

By technical design, the very nature of 802.11 passive and active scanning is to provide the identifying network information accessible to anyone with an 802.11 radio card.

Because this is an inherent necessary function of 802.11, wardriving is not a crime. However, the goal of many wardrivers is to find open 802.11 wireless networks that can provide free gateway access to the Internet.

While the legality of using an open wireless gateway to the Internet remains unclear in most countries, the majority of wardrivers are not hackers intending harm but rather simply wireless users wanting temporary free Internet access.

The legality of using someone else’s wireless network without permission is often unclear, but people have been arrested and prosecuted as a result of these actions.

While casual eavesdropping is considered harmless, malicious eavesdropping, the unauthorized use of protocol analyzers to capture wireless communications, is typically considered illegal.

Most countries have some type of wiretapping law that makes it a crime to listen in on someone else’s phone conversation. Additionally, most countries have laws making it unlawful to listen in on any type of electromagnetic communications, including 802.11 wireless transmissions.

Many commercial and freeware 802.11 protocol analyzers exist that allow wireless network administrators to capture 802.11 traffic for the purpose of analyzing and troubleshooting their own wireless networks.

Protocol analyzers are passive devices that work in an RF monitoring mode that captures any transmissions that are within range. The problem is that anyone with malicious intent can also capture 802.11 traffic from any wireless network and go undetected.

For this reason, a strong dynamic encryption solution such as TKIP/RC4 or CCMP/AES is mandatory. Any cleartext communications such as email and Telnet passwords can be captured if no encryption is provided.

Furthermore, any unencrypted 802.11 frame transmissions can be reassembled at the upper layers of the OSI model. Email messages can be reassembled and therefore read by an eavesdropper.

Web pages and instant messages can also be reassembled. VoIP packets can be reassembled and saved as a WAV sound file. Malicious eavesdropping of this nature is highly illegal; therefore, because of the passive and undetectable nature of this attack, encryption must always be implemented to provide data privacy.

It should be noted that the most common target of malicious eavesdropping attacks is public access hotspots. Public hotspots rarely offer security and usually transfer data without encryption, making hotspot users prime targets.

As a result, it is imperative that a VPN type solution be implemented for all mobile users who connect outside of your company’s network.

Encryption Cracking

The current WEP cracking tools that are freely available on the Internet can crack WEP encryption in as little as 5 minutes. There are several methods used to crack WEP encryption.

However, an attacker usually needs only to capture several hundred thousand encrypted packets with a protocol analyzer and then run the captured data through a WEP cracking software utility.

The software utility will usually then be able to derive the secret 40-bit or 104-bit key in a matter of seconds. Once the secret key has been revealed, the attacker can decrypt any and all encrypted traffic.

In other words, an attacker can now eavesdrop on the WEP-encrypted network. Because the attacker can decrypt the traffic, they can reassemble the data and read it as if there was no encryption whatsoever.

Authentication Attacks

As you have already learned, the 802.11i security amendment defines for authentication either an 802.1X/EAP authentication solution or the use of a pre-shared key for authentication. The 802.11i amendment does not define which type of EAP authentication method to use, and all flavors of EAP are not created equally.

Some types of EAP authentication are more secure than others. As a matter of fact, Lightweight Extensible Authentication Protocol (LEAP), one of the most commonly deployed 802.1X/EAP solutions, is susceptible to offline dictionary attacks.

The hashed password response during the LEAP authentication process is crackable. An attacker merely has to capture a frame exchange when a LEAP user authenticates and then the capture file is run through an offline dictionary attack tool.

The password can be derived in a matter of seconds. The user name is also seen in clear text during the LEAP authentication process.

Once the attacker gets the user name and password, they are free to impersonate the user by authenticating onto the WLAN and then access any network resources that are available to that user. Stronger EAP authentication protocols exist that are not susceptible to offline dictionary attacks.

WPA/WPA2 Personal, using pre-shared keys, is also a weak authentication method that is vulnerable to offline dictionary attacks. Hacking utilities are available that can derive the WPA/WPA2 passphrase using an offline dictionary attack.

Once the attacker has the passphrase, they can associate to the WPA/WPA2 access point. Even worse is that once the hacker has the passphrase, they can also begin to decrypt the dynamically generated TKIP/RC4 or CCMP/AES encryption key.

In earlier, we learned that an algorithm is run to convert the passphrase to a Pairwise Master Key (PMK), which is used with the 4-way handshake to create the final dynamic encryption keys.

If a hacker has the passphrase and captures the 4-way handshake, they can re-create the dynamic encryption keys and decrypt traffic. WPA/ WPA2 Personal is not considered a strong security solution for the enterprise because if the passphrase is compromised, the attacker can access network resources and decrypt traffic.

A policy mandating very strong passphrases should always be in place whenever a WPA/WPA2 Personal solution must be used in situations where there is no AAA server or the client devices do not support 802.1X authentication.

MAC Spoofing

All 802.11 wireless network cards have a physical address known as a MAC address. This address is a 12-digit hexadecimal number that is seen in clear text in the layer 2 header of 802.11 frames.

Wi-Fi vendors provide MAC filtering capabilities on their access points. Usually, MAC filters are configured to apply restrictions that will allow traffic only from specific client stations to pass through.

These restrictions are based on their unique MAC addresses. All other client stations whose MAC addresses are not on the allowed list will not be able to pass traffic through the virtual port of the access point and onto the distribution system medium.

Unfortunately, MAC addresses can be “spoofed,” or impersonated, and any amateur hacker can easily bypass any MAC filter by spoofing an allowed client station’s address.

MAC spoofing can often be achieved in the Windows operating system by simply editing the wireless card’s MAC address in Device Manager or by performing a simple edit in the Registry.

Third-party software utilities can also be used be assist in MAC spoofing. Because of spoofing and because of all the administrative work that is involved with setting up MAC filters, MAC filtering is not considered a reliable means of security for wireless enterprise networks and should be implemented only as a last resort.

In some cases, it is used as part of a tier security architecture to better secure client devices that are not capable of 802.1X or stronger encryption.

Management Interface Exploits

Wireless infrastructure hardware such as access points and wireless switches can be managed by administrators via a variety of interfaces, much like managing wired infrastructure hardware.

Devices can be accessed via a web interface, a command-line interface, a serial port, a console connection and/or Simple Network Management Protocol (SNMP). As we discussed, it is imperative that these interfaces be protected.

Interfaces that are not used should be disabled. Strong passwords should be used and encrypted login capabilities such as Hypertext Transfer Protocol Secure (HTTPS) should be utilized if available.

Lists of all the default settings of every major manufacturer’s access points exist on the Internet and are often used for security exploits by hackers.

It is not uncommon for intruders to use security holes left in management interfaces to reconfigure access points. Legitimate users and administrators can find themselves locked out of their own wireless networking equipment.

After gaining access via a management interface, an attacker might even be able to initiate a firmware upgrade of the wireless hardware and, while the upgrade is being performed, power off the equipment. This attack could likely render the hardware useless, requiring it to be returned to the manufacturer for repair.

Wireless Hijacking

An attack that often generates a lot of press is wireless hijacking, also known as the evil twin attack. The attacker configures access point software on a laptop, effectively turning a Wi-Fi client card into an access point.

The access point software is configured with the same SSID that is used by a public hotspot access point. The attacker then sends spoofed disassociation or deauthentication frames, forcing users associated with the hotspot access point to roam to the evil twin access point.

At this point, the attacker has effectively hijacked wireless clients at layer 2 from the original access point. The evil twin will typically be configured with a Dynamic Host Configuration Protocol (DHCP) server available to issue IP addresses to the clients.

At this point, the attacker will have hijacked the users at layer 3 and now has a private wireless network and is free to perform peer-to-peer attacks on any of the hijacked clients.

The attacker may also be using a second wireless card with their laptop to execute what is known as a man-in-the-middle attack, as pictured in Figure below.

The second wireless card is associated to the hotspot access point as a client. In operating systems, networking cards can be bridged together to provide routing. The attacker has bridged together their second wireless card with the Wi-Fi card that is being used as the evil twin access point.

Once the attacker hijacks the users from the original AP, the traffic is then routed from the evil twin access point through the second Wi-Fi card right back to the original access point from which they have just been hijacked.

The result is that the users remain hijacked; however, they still have a route back through the gateway to their original network, so they never know they have been hijacked.

The attacker can therefore sit in the middle and execute peer-to-peer attacks indefinitely while remaining completely unnoticed. These attacks can also take another form in what is know as the Wi-Fi phishing attack.

The attacker may also have web server software and captive portal software. Once the users have been hijacked to the evil twin access point, they will be redirected to a login web page that looks exactly like the hotspot’s login page.

Then the attacker’s fake login page may request a credit card number from the hijacked user. Phishing attacks are very common on the Internet and are now appearing at your local hotspot.

The only way to prevent a hijacking, man-in-the-middle, and/or Wi-Fi phishing attack is to use a mutual authentication solution. Mutual authentication solutions not only validate the user that is connecting to the network, they also validate the network to which the user is connecting.

802.1X/ EAP authentication solutions require that mutual authentication credentials be exchanged before a user can be authorized. A user cannot get an IP address unless authorized; therefore, they cannot be hijacked.

Denial of Service (DoS)

The attacks on wireless networks that seem to receive the least amount of attention are denial of service (DoS) attacks. With the proper tools, any individual with ill intent can temporarily disable a Wi-Fi network by preventing legitimate users from accessing network resources.

The good news is that monitoring systems exist that can detect and identify DoS attacks immediately. The bad news is that there is absolutely nothing that can be done to prevent denial of service attacks other than locating and removing the source of the attack.

DoS attacks can occur at either layer 1 or layer 2 of the OSI model. Layer 1 attacks are known as RF jamming attacks. The two most common types of RF jamming attacks are intentional jamming and unintentional jamming.

Intentional jamming attacks occur when an attacker uses some type of signal generator to cause interference in the unlicensed frequency space.

Both narrowband and wideband jammers exist that will interfere with the 802.11 transmissions, either causing all data to become corrupted or causing the 802.11 radio cards to continuously defer when performing a Clear Channel Assessment (CCA).

While an intentional jamming attack is malicious, unintentional jamming is more common. Unintentional interference from microwave ovens, cordless phones, and other devices can also cause denial of service.

Although unintentional jamming is not necessarily an attack, it can cause as much harm as an intentional jamming attack. The best tool to detect any type of layer 1 interference, whether intentional or unintentional, is a spectrum analyzer.

The more common type of denial of service attacks that originate from hackers are layer 2 DoS attacks. A wide variety of layer 2 DoS attacks exist that are a result of tampering with 802.11 frames.

The most common involves spoofing disassociation or deauthentication frames. The attacker can edit the 802.11 header and spoof the MAC address of an access point or a client in either the destination address field or source address field.

The attacker then retransmits the spoofed disassociation or deauthentication frame repeatedly. Because these types of management frames are notification frames that cannot be ignored, the stations will constantly be denied service.

Many more types of layer 2 DoS attacks exist, including association floods, authentication floods, PS-Poll floods, and virtual carrier attacks.

Luckily, any good wireless intrusion detection system will be able to alert an administrator immediately to a layer 2 DoS attack. The 802.11w draft amendment is the proposed “protected” management frame amendment with a goal of delivering management frames in a secure manner.

The end result will hopefully prevent many of the layer 2 denial of service attacks that currently exist, but it is doubtful that all layer 2 DoS attacks will ever be circumvented. A spectrum analyzer is your best tool to detect a layer 1 DoS attack and a protocol analyzer or wireless IDS is your best tool to detect a layer 2 DoS attack.

The best way to prevent any type of denial of service attack is physical security. If that is not an option, there are several solutions that provide intrusion detection at layers 1, 2, and 3.