ITS 2110 - Introduction to Network Security

Chapter 8 - Wireless Network Security


This lesson covers chapter 8 in the text. It discusses security in a wireless network. Objectives important to this lesson:

  1. Types of wireless network attacks
  2. Vulnerabilities in IEEE 802.11 security
  3. Securing a wireless network

Chapter 8 really begins on page 324 with the discussion about wireless attacks against several types of wireless systems.

Bluetooth - A Bluetooth system is meant for short range, temporary communication between devices no more than ten meters (33 feet) apart. The text tells us that it is for Personal Area Networks (PANs), that use two topologies. Let's learn some terms along with the two topology types.

  • master - the device controlling the flow of data through a Bluetooth connection
  • slave - a device connected to a Bluetooth master
  • active slave - a slave that is transmitting data
  • parked slave - a slave that is not transmitting data
  • piconet - a Bluetooth connection between at least one master and one slave; typically the connection is automatic and data is shared between the devices
  • scatternet - if a device is attached to two or more overlapping piconets, it forms a link between them and the resulting network is a scatternet; this is one way to extend the size of a Bluetooth network

Two Bluetooth attack types are described:

  • Bluejacking - this attack can send messages (text, images, sounds) to Bluetooth devices on a LAN; has been used for advertising in the past
  • Bluesnarfing - harvesting information from Bluetooth devices; the attacker may be able to copy any kind of information on the device; the text suggests that setting a device to undiscoverable status may prevent an attacker from finding that device and attacking it

Near Field Communications (NFC) - This technology requires devices to bee close enough to touch each other. The text illustrates the idea by showing a person holding their smart phone near a Point of Sale (POS) device that is pulling credit information from the phone. One of the points of such a short range technology is that is meant to be used only for trusted exchanges of information. The text lists four vulnerabilities and a defense for each of them on page 330.

NFC Problems
Vulnerability What it means Defense
Eavesdropping a transaction may be intercepted Use encryption where possible; do not use NFC when near anyone else.
Data Theft physically bumping the victim's phone with a reader to steal payment information Turn off NFC until you intend to use it.
Man in the middle attack attacker intercepts both sides of the transaction, impersonates one or both Use active-passive pairing, so each device can only send or only receive. (Note that this does NOT defeat an attack that buys more from the POS, which could be staged by the vendor.)
Device Theft a thief who steals the device can use it for purchases, or whatever it is configured to do Configure the device to require a PIN or password for the transaction.

Wireless LAN attacks are the next topic, but the text builds up to that for a few pages. The author begins with some history of wireless standards, most of which come from the Institute of Electrical and Electronic Engineers (IEEE) project 802. The standard for wireless LANs was approved in 1997 as standard 802.11.

The text lists seven significant additions to the 802.11 standard, each tagged with one or more letters. The table of data on page 333 in the text is arguable. Different sources provide different values for some of its numbers. This is another version:

channels, channel bandwidth
data throughput range
5 GHz band
12, 8 not overlapping, 20 MHz each
up to 54 Mbps 25-75 feet
2.4 GHz band
14, 3 not overlapping, 22 MHz each
up to 11 Mbps
100-150 feet
2.4 GHz band 14, 3 not overlapping, 22 MHz each 54 Mbps 100-150 feet
2.4 or 5 GHz bands, or both with multiple antennas 14, 3 not overlapping, 20 or 40 MHz each
65 to 600 Mbps 100-150 feet
5 GHz band 5, up to 80 MHz wide
78 Mbps to 433 Mbps/data stream
115-460 feet

Because the facts about these technologies vary from installation to installation, you will want to treat the claims of vendors with some skepticism. Be aware of the names of the standards, their frequencies, and their relative shortcomings.

  • 802.11a never became popular due its short range
  • 802.11b was replaced by 802.11g due to g's improved throughput
  • 802.11n increased throughput again, as does 802.11ac.
  • As the text states, 802.11ad has a limited range, so it is not a major improvement.

The text explains that typical wireless LAN adapter does not have a standard LAN jack (an RJ-45 is standard for Ethernets), but does have some kind of radio antenna, which may not be visible. A Wireless Access Point (WAP or just AP) typically has three components, listed on page 334:

  • one or more antennas and one or more radio transceivers, depending on the standard being used
  • software to connect devices attached to the network of the WAP to each other; devices that join the WAP's network are assigned IP addresses from the WAP
  • a network port to connect the WAP to a wired network, bridging the two networks

The text makes an argument that wireless networks are harder to defend because they can have many points at which a device may join or contact the network, as opposed to the more controlled number of entry points on a wired LAN. Each WAP becomes another switch from which an intruder may join the network. Each wireless device becomes a potential vulnerability that an attacker might exploit. We are warned specifically to configure the security settings for WAPs to reject unknown devices and users. The text discusses several wireless exploits that might be used:

  • rogue access point - a wireless access point that a user or an attacker has added to the network because he or she wanted to have wireless access to the company network. The label "rogue" means that it is unauthorized. The problem is that it is unprotected, unsecured, and provides access to the network like an open network jack would.
  • evil twin - a rogue access point that masquerades as a real, legitimate access point; the text calls this a wireless phishing attack; it seems to me that it is more like a man in the middle attack; see this story about a Dutch hacker doing a variation of this technique
  • intercepting wireless data - as described above, attackers can examine any packets they can capture, leading to their learning useful information about our network and our data
  • wireless replay - a wireless version of a standard replay attack, in which the attacker harvests an ID, credentials, and possibly a session ID from a network to impersonate a real user and device at a later time
  • wireless Denial of Service - the text makes a good point that we only have to deny users access to the radio frequencies involved in order to deny their access to a wireless network; page 339 lists several devices that typically cause radio interference on the 2.4 GHz bands: using this technique can be called RF jamming
    The text also describes another DoS technique unique to wireless: the attacker can send frames to the WAP that spoof the addresses of devices already on the system, each frame asking to have the device dropped from the network (disassociation frames).

The text mentions some techniques that are more useful against wireless LANs that have no security configurations. This seems less prevalent than in the recent past, but it is still possible here and there. Be aware of the terms war driving (driving around looking for unprotected access points) and war chalking (marking the location of known access points for other intruders).

The text turns to wireless vulnerabilities on page 341. A classic encryption method that is typically still offered on most equipment is Wired Equivalent Privacy (WEP). It should no longer be used due to some major problems:

  • Short key length - 64 or 128 bits total, including the 24 bit initialization vector, so the actual key is 40 or 104 bits
  • Detectable patterns - examine the math in the text to get the idea that a system using WEP could be cracked in less than 7 hours, and probably less than 5.
  • When WEP was created, available computing power was unlikely to make it possible to crack it. That is no longer true.

The text tells us never to use Wi-Fi Protected Setup (WPS). The bottom line is that its security is also hackable, and it should be added to our "do not use" list.

You might think that MAC address filtering, limiting access to devices having specific MAC addresses might be a good idea. For wireless connections, this turns out to be less secure than we would like. MAC addresses are sent in clear text when associating (making a connection to a WAP), so they are easily discovered, then the attacker pretends to be an approved device. Controlling access by MAC address also becomes more difficult the more devices you allow to attach to the network. This is like the standard recommendation to use host files only if you have fewer than 10 hosts in your LAN. So this method becomes hard to manage as well as being less than secure.

It has been a standard recommendation for several years to configure your WAPs so they do not beacon. Beaconing is broadcasting your Service Set Identifier (SSID) which is the name of your WAP's wireless network. The concept has been that if there is no beacon, a user must actually know the SSID to request access through it. The problem is that network management packets are typically sent in clear text, and they will include the SSID, so a hacker can harvest it anyway.

The text turns to some methods of providing better security to wireless networks than we would have with the methods above. Students will want to know about these methods, but also remember that all security measures eventually become outmoded and must be replaced with something better. I will try to summarize the important points of this section.

WPA Personal Security

WPA is Wi-Fi Protected Access, developed in 2003. It contains two components to improve on WEP. They are:

  • PSK authentication - Preshared Keys are generated by running a pass phrase through an algorithm that turns out a 64 bit hexadecimal number (the key). This key must be coded into every access point and device that will use this WPA route into the network.
  • TKIP encryption - Temporal Key Integrity Protocol uses a 128 bit key. A new key can be generated for each packet. Keys can be sent to the devices that will use them. Uses Message Integrity Check (MIC) instead of CRC for better assurance of data integrity.
WPA2 Personal Security

WPA2 is a 2004 revision of WPA. It became mandatory for new equipment in 2006. One of its two components changed:

  • PSK authentication - Preshared Keys are still used. The text lists some areas of concern where this method is weak. The worst point, in my opinion, is the guest user having to use the same key as everyone else. A good administrator should change the key when the guest left the network, but how many would do it? Remember, when you change the key, you have to change every device's copy of it.
  • AES-CCMP encryption - The algorithm for this encryption method is intensive, incorporating several submethods. This is an improved level of encryption.
WPA Enterprise Security

The personal version of WPA uses PSK for authentication, but this enterprise version uses 802.1x for authentication, and requires an authentication server (such as a RADIUS server). It uses TKIP for encryption. IEEE 802.1x uses port blocking methods. Ports are not opened until a device authenticates as one allowed to join the network.

Summary of Access Methods
Methodology Authentication Encryption
WEP open system;
MAC filtering

shared secret keys

WPA personal PSK TKIP
WPA2 personal PSK AES-CCMP
802.11i 802.1x AES-CCMP
WPA enterprise 802.1x TKIP
WPA2 enterprise 802.1x AES-CCMP;
(TKIP clients allowed)

The chapter ends with a discussion of several methods of detecting rogue access points. It comes down to monitoring your premises with mobile or non-mobile devices, looking for radio signals that are coming from unapproved devices.