NET 211 - Wireless Networking

Chapter 9, Wireless LAN Security Vulnerabilities

Objectives:

This lesson discusses security from the perspective of someone managing a wireless network. Objectives important to this lesson:

  1. Information security
  2. Types of wireless attacks
  3. Legacy security protections
  4. Wireless vulnerabilities
Concepts:
Chapter 9

The author introduces the topics of this chapter with a story of a neighbor hacking a residential wireless LAN, and victimizing its owners. In this case, the attacker was traced and prosecuted but that is not always possible.

The text continues with some background on information security. It begins with the standard listing of the three classic elements of IT security:

  • confidentiality - only those who are supposed to access information may do so
  • integrity - only those who are allowed to change, add to, or remove information may do so
  • availability - those who are supposed to have access to information may access it as needed

The author expands on these classic points by explaining that we must ensure that protective measures are implemented and that we must protect the devices and software processes that we use to store, transmit, and manage our information. The element of security for transmissions is the one that wireless technology is most concerned with.

The text offers some bullet points about problems that make attacks easier, more successful, and more numerous than in the past. The reasons are not as important as simply realizing that security is an issue and it will only get worse as technology improves, connections become more common, and bad motives exist.

On page 324, the text begins a section about wireless attacks which is broken into categories that don't help us as much as they might. Let's try it again for the author. His first point is that there is a difference between wired LANs and wireless LANs that affects their vulnerability to attack. A wired LAN is protected by the actual walls of its buildings, and the need for a wired connection to the LANs themselves to access their networks. Wireless networks do not have those "hard edges". In theory, they can be accessed by any device in range of an access point. Are you afraid yet?




Let's move on to the first bullet list in this section, and consider the author's list of attack vectors, paths or means by which attackers might launch their attacks, that apply to enterprise LANs (e.g. commercial, corporate, government, or educational).

  • open or misconfigured AP - An AP with no security set on it (an open AP) is an invitation to an attacker; improper configuration (such as choosing an encryption method that is easily defeated) can be almost as inviting.
  • rogue AP - It is very common for people who understand a little about networks to become responsible for compromising networks to which they have legitimate access. I don't mean that all users do this, but a significant number think it is fine to buy a wireless access point, bring it to work, plug it into the network, and use that WAP to provide wireless access for themselves and their friends. This is not fine because such APs are typically unprotected, unmanaged, and provide easy access to an attacker who finds the AP whether it is beaconing an SSID or not. Attaching such a device to the network is a violation of security policy in every environment where I have worked.
  • evil twin - When an attacker monitors broadcast transmissions, one thing that the attacker will collect will be the identifying information about real APs. In an ideal exploit, the attacker sets up their own AP that masquerades as a real AP. It then solicits connections from mobile users and collects their information. This real information can be passed on to the real AP, with the evil twin acting as a go between. What's the point? The evil twin collects data from the network and the users it is acting for, making this a man-in-the-middle attack; see this story about a Dutch hacker doing a variation of this technique

The text changes topics slightly to describe types of wireless attacks (exploits) on the WLAN itself, based on their objectives:

  • reading data - As the text explains, an attacker who finds an open or misconfigured AP and probably read or decode and read its transmissions. An attacker who gains access through a rogue AP can also read many transmissions from the wired network to which the AP connects.
  • hijacking wireless connections - The text elaborates on the man-in-the-middle attack described above, mentioning that such an attack can be active or passive. In a passive attack, the attacker simply gathers information from transmissions. In an active attack, the attacker may alter information that it passes along, or it may add its own payload (such as a virus) to the packets it is passing.
  • inserting network traffic - Although the topic in the name of this mission is covered in the bullet above, the text actually means that the attacker inserts network routing commands to send traffic to a server or router of its choosing (and one the attacker presumably has compromised).
  • Denial of Service (DoS) - In this famous kind of attack, the attacker prevents some device or devices from performing their proper function. In the classic example, the attacker floods a network with requests to log in, so that legitimate requests have no chance to be processed.
    • The text describes a variation in which so many wireless packets are sent to the network that all signals are effectively blocked. It calls this RF jamming.
    • A DoS attack that is unique to wireless systems has the attacker sending disauthentication and disassociation packets to the AP that seem to be from devices that are currently part of the network. As the text explains, this is possible because the AP does not require proof of identity when it processes a packet, believing the address that the packet contains must be true. The spoofed packets effectively act as messages to the AP that each of these devices has requested to leave the wireless network, leaving them unable to transmit or receive any data across it.
    • Another attack that is unique to wireless systems has the attacker sending requests for long reservations to the AP. The attacker can once again spoof a device already on the WLAN, and while doing so, it sends an RTS packet with the maximum duration value allowed: 32767. The attacker may send such packets as each of the devices on the WLAN, establishing long transmission times for each of them that they do not need to use. This will make all the other stations on the WLAN wait to send requests themselves until those reservations have expired.

The next topic is about attacks from the point of view of the stations using a wireless LAN. There is no discussion of these attacks, perhaps because they have already been discussed, but the author lists five different tools that would be used to stage these attacks and the sort of threat that a station faces from each of them. In the table on page 329, the locations listed are not relevant. One could use each of these approaches equally well in each of the suggested locations.

Tool Used Action or Attack What should a user do?
Wireless protocol analyzer Capture unencrypted packets Don't send sensitive data across a channel that is not secure.
Computer with wireless NIC Pretend to be an AP, entice uses to join your WLAN, capture their information Connect to an AP you should be connecting to, not to another station in an ad hoc set.
Computer with wireless NIC and software-based wireless AP (see pages 73 through 77 Evil Twin exploits: pretend to be a specific AP Know the AP you should be connecting to. This is unlikely to be possible.
Access Point in a general area Evil Twin exploits: pretend to be an alternate AP in an expected area Watch out for APs with SSIDs similar to real wireless networks. This is more possible, but the attacker only has to move up one row in this table.
Computer with wireless NIC Capture broadcast and multicast packets sent by mistake Use wired or wireless connections, not both at the same time.

 

The author remarks that most home users fail to protect their home networks. This is less common than it once was. I have noticed while probing the area around my home that most home LANs are now using WPA or WPA2 encryption instead of WEP, which is more easily hacked. I note that Comcast is the most common provider in my area, and that there are a number of unencrypted xfinitywifi SSIDs in the area. This is not as dangerous as it sounds. These are typically guest accounts that will not have rights to change anything on the network. However, since such connections are unencrypted, anyone using them would have to know that, and know that one should not send credit card numbers or other sensitive data across such a connection.

Note that in the image below we only see one strong signal, on channel 6. It is my printer, and even it is expecting wireless signals to be encrypted with a shared key using WPA2.

The author points out several dangers to having an unprotected access point. They are the same at home as they are at work, but his point is that users tend to protect their home equipment less often and not as well as a professional might. Regardless of the improved default protection on APs from most vendors, the author's point about protecting other equipment on a home LAN is valid. If your network AP is your only point of protection, you had better make sure it is as good as you can make it.

There are two more sections of this chapter, discussing legacy security features in all 802.11 versions, and their vulnerabilities. Perhaps the author did it this way so we could skip ahead to the vulnerabilities section. Let's try to combine the two sections, since the author scrambles their order in the second one.

  • access control - As the text states, the phrase access control means to allow or deny rights or privileges. With regard to network access, it means that we will choose to allow certain devices access to our network, and deny access by other devices.
    • Since every device trying to access a network has a MAC address, those addresses have often been used to filter requests to join a network. The text illustrates a common way to display MAC addresses. Each MAC address can be written as 12 hexadecimal digits. The method shown in the text uses dashes between consecutive pairs of digits. In the graphic displayed above, a similar method is shown that uses colons between pairs of characters.

    • The first MAC address we see in the graphic above is 70:54:D2:08:56:E0. In any MAC address, the three pairs on the left are a sequence assigned to a NIC manufacturer. No other manufacturer is supposed to use them. That is why the text refers to that series of characters as the Organizationally Unique Identifier (OUI). The three pairs on the right are the serial number of the NIC itself, which the text calls the Individual Address Block (IAB).

    • MAC address filtering in a wired or wireless network is typically done by an administrator who configures a switch (wired network) or an AP (wireless network) to allow access to particular MAC addresses and to deny it to all other addresses. This is called an implicit deny: if you are not on the list, you can't come in.

    • The process can be done another way. If we are using an implicit allow, the addresses we add to the filter list are those we wish to deny access, and any other address is allowed. In either case, the feature is activated by turning on MAC address filtering, and making a list with the software of the switch/AP itself.

    • Vulnerabilities of MAC address filtering are discussed on page 337.
      • The larger a network is, the more it will change, and maintenance of MAC address filters become time consuming.
      • MAC addresses and SSIDs are broadcast in unencrypted form when devices are negotiating access. This means that an eavesdropper can pick up valid addresses by reading such traffic for a short while. An attacker can harvest this information to disassociate devices from the WLAN, to spoof those addresses for entry to the network, or both.

  • Wired Equivalent Privacy (WEP) - The text spends three pages on a method that no one uses any more. Do you see WEP in the image above? No one uses it because it was cracked and most hackers could use a download to hack into the network of anyone using WEP. The important part about WEP, other than not to use it, is that it is an early attempt to use encryption of data. The author uses WEP as a reason to explain cryptography in general, which I hope you have an idea about, since we have been using the concept of encryption for some time in this text. In case this is still new to you, here is some background:
    • plaintext, cleartext - a message that has not been encrypted or has been decrypted
    • encrypt, encipher - to change an ordinary message with a code or cipher system so that the message is unreadable
    • decrypt, decipher - to change and encrypted message to plaintext
    • cipher or code - the difference between a cipher and a code is that a cipher uses one symbol to stand for another, while a code can use a symbol to stand for several symbols or words
    • Caesar cipher - Gaius Julius Caesar was real, not just a character in one of Shakespeare's plays. He is famous for several things, one of which is the creation of a substitution cipher that is incredibly easy to crack: he wrote down the Latin alphabet on one line, then wrote it again on a second line, probably offset by three characters (we can't be certain he did not vary the offset value), which was used as an encrypting/decrypting tool. The two lines below show what this would look like in English:
      abcdefghijklmnopqrstuvwxyz
      defghijklmnopqrstuvwxyzabc
    • key - This word can mean two things. One is the method that is used to encrypt or decrypt a message. The other is an alphanumeric string of characters that is used in such a method to perform the encryption. The second is the kind of key that is shared between devices in most wireless encryption systems. In the graphic above (glad I captured it) WPA and WPA2 are two methods. PSK-CCMP and PSK-TKIP are two variants of those methods.

    • There is a long discussion of WEP in the two sections of the text. The bottom line is that technology has moved on, and WEP has not. When it was implemented, computers were less powerful than they are now, or will be in the future. The complexity of the method used in WEP is no longer sufficient. It uses keys that are small enough analyze in a relatively short time, which has been done. It is cyclic: it uses a number as part of its key, and the length of the number allows fewer than 17 million versions of it. That sounds like a lot, but in terms of encrypting packets on a network, we could expect to see repeats within 5 to 7 hours on most networks. Analyzing that data takes us to a way to crack the keys, which makes WEP transparent to a persistent hacker. This bullet list summarizes its problems:
      • Short key length - 64 or 128 bits total, including the 24 bit initialization vector, so the actual key is 40 or 104 bits
      • Detectable patterns - examine the math in the text to get the idea that a system using WEP could be cracked in less than 7 hours, and probably less than 5.
      • When WEP was created, available computing power was unlikely to make it possible to crack it. That is no longer true.

  • authentication - As previously explained, authentication is done either by the open system method or the shared key method. As you know, there is no security measure applied to the open system method. It is often implemented as the default method by the vendors of APs because the shared key method uses WEP encryption, which you now know is flawed. As the Cisco discussion behind the link in the last sentence explains, the best choice is to use the open system method, because it does not expose the shared key that can actually be used in a better layer of authentication once the device is associated with the WLAN.