ITS 4550 - Fraud Prevention and Deterrence

Chapter 8, Wireless Vulnerabilities

This lesson presents material from chapter 8. Objectives important to this lesson:

  1. Need for wireless security
  2. Wireless history
  3. Short range wireless
  4. WLANs
  5. Threats to WLANs
  6. Wireless hacking tools
  7. Protecting wireless

Chapter 8

The text begins with a discussion of the use of wireless technologies. As I write this, the immediate example that occurs to me is a general outage of cell service that took place yesterday in the Lansing area. Customers of Verizon Wireless were without service from around 11 am until about 6 pm. This made it clear to all of us who use such services how much we have learned to rely on them. (The outage was caused by a fibre optic line that was cut by accident. This illustrates that every wireless network eventually connects to a wired network, where it becomes vulnerable to the usual threats.)

In addition to equipment and media failures, wireless networks are vulnerable to eavesdropping by their very nature. Wired networks bleed signals, if their media are copper based. This is what the text means by emanation. Fiber optic cables do not emanate. All wireless networks emanate signals: that's how they work.

The text reviews some history of wireless networking, including some Wireless LAN standards. This is a list of various IEEE standards and the years they were adopted. The six shown in bold below are the ones that have dominated the field. This article on Wikipedia lists several others, including standards that are pending. Most wireless standards come from the Institute of Electrical and Electronics Engineers (IEEE) project 802. The standard for wireless LANs was approved in 1997 as standard 802.11, clarified in 1999.

  • IEEE 802.11, 1997, 1999
  • IEEE 802.11a, 1999
  • IEEE 802.11b, 1999
  • IEEE 802.11d, 2001
  • IEEE 802.11g, 2003
  • IEEE 802.11h, 2003
  • IEEE 802.11i, 2004
  • IEEE 802.11j, 2004
  • IEEE 802.11e, 2005
  • IEEE 802.11n, 2009
  • IEEE 802.11ac, 2013

The significant additions to the 802.11 standard, each tagged with one or more letters, appear in the table below. Different sources provide different values for some of its numbers.

Standard | Frequency band | Channels, channel bandwidth | Data throughput | Range
802.11a | 5 GHz band | 12, 8 not overlapping, 20 MHz each | up to 54 Mbps | 25-75 feet
802.11b | 2.4 GHz band | 14, 3 not overlapping, 22 MHz each | up to 11 Mbps | 100-150 feet
802.11g | 2.4 GHz band | 14, 3 not overlapping, 22 MHz each | 54 Mbps | 100-150 feet
802.11n | 2.4 or 5 GHz bands, or both with multiple antennas | 14, 3 not overlapping, 20 or 40 MHz each | 65 to 600 Mbps | 100-150 feet
802.11ac | 5 GHz band | 5, up to 80 MHz wide | 78 Mbps to 433 Mbps per data stream | 115-460 feet

Because the facts about these technologies vary from installation to installation, you will want to treat the claims of vendors with some skepticism. Be aware of the names of the standards, their frequencies, and their relative shortcomings.

  • 802.11a never became popular due to its short range
  • 802.11b was replaced by 802.11g due to g's improved throughput
  • 802.11n increased throughput again, as does 802.11ac, but ac has not been around long enough to say how much better it will be

A typical wireless LAN adapter does not have a standard LAN jack (an RJ-45 is standard for Ethernets), but does have some kind of radio antenna, which may not be visible. A Wireless Access Point (WAP or just AP) typically has three components:

  • one or more antennas and one or more radio transceivers, depending on the standard being used
  • software to connect devices attached to the network of the WAP to each other; devices that join the WAP's network are assigned IP addresses from the WAP
  • a network port to connect the WAP to a wired network, bridging the two networks

The text also discusses other standards. It has four pages on Bluetooth, followed by material on more standards and problems.

Bluetooth - A Bluetooth system is meant for short range, temporary communication between devices no more than ten meters (33 feet) apart. The text tells us that it is for Personal Area Networks (PANs), that use two topologies. Let's learn some terms along with the two topology types.

  • master - the device controlling the flow of data through a Bluetooth connection
  • slave - a device connected to a Bluetooth master
  • active slave - a slave that is transmitting data
  • parked slave - a slave that is not transmitting data
  • piconet - a Bluetooth connection between at least one master and one slave; typically the connection is automatic and data is shared between the devices
  • scatternet - if a device is attached to two or more overlapping piconets, it forms a link between them and the resulting network is a scatternet; this is one way to extend the size of a Bluetooth network

You should know about two Bluetooth attack types:

  • Bluejacking - this attack can send messages (text, images, sounds) to Bluetooth devices on a LAN; has been used for advertising in the past, but it has the potential to be more evil
  • Bluesnarfing - harvesting information from Bluetooth devices; the attacker may be able to copy any kind of information on the device; setting a device to undiscoverable status may prevent an attacker from finding that device and attacking it, but transmissions to and from the device will make it discoverable
  • Bluebugging - taking control of the device and using its services, essentially impersonating a device trusted by other devices

Near Field Communications (NFC) - This technology requires devices to be close enough to touch each other. A frequent example is a person holding their smart phone near a Point of Sale (POS) device that is pulling credit information from the phone. One of the points of such a short range technology is that it is meant to be used only for trusted exchanges of information. Four vulnerabilities and a defense for each of them are in the table below:

NFC Problems

Vulnerability | What it means | Defense
Eavesdropping | a transaction may be intercepted | Use encryption where possible; do not use NFC when near anyone else.
Data Manipulation | jamming of the transmissions; this is really just preventing the transaction | Use a device that monitors for this activity.
Man in the middle attack | attacker intercepts both sides of the transaction, impersonates one or both | Use active-passive pairing, so each device can only send or only receive. (Note that this does NOT defeat an attack that buys more from the POS, which could be staged by the vendor.)
Theft | a thief who steals the device can use it for purchases, or whatever it is configured to do | Configure the device to require a PIN or password for the transaction.

Wireless LAN attacks are another topic in the text.

The text makes an argument that wireless networks are harder to defend because they can have many points at which a device may join or contact the network, as opposed to the more controlled number of entry points on a wired LAN. Each WAP becomes another switch from which an intruder may join the network. Each wireless device becomes a potential vulnerability that an attacker might exploit. We are warned specifically to configure the security settings for WAPs to reject unknown devices and users. Here are some wireless exploits that might be used:

  • rogue access point - a wireless access point that a user or an attacker has added to the network because he or she wanted to have wireless access to the company network. The label "rogue" means that it is unauthorized. The problem is that it is unprotected, unsecured, and provides access to the network like an open network jack would.
  • evil twin - a rogue access point that masquerades as a real, legitimate access point; the text calls this a wireless phishing attack; it seems to me that it is more like a man in the middle attack; see this story about a Dutch hacker doing a variation of this technique
  • intercepting wireless data - as described above, attackers can examine any packets they can capture, leading to their learning useful information about our network and our data
  • wireless replay - a wireless version of a standard replay attack, in which the attacker harvests an ID, credentials, and possibly a session ID from a network to impersonate a real user and device at a later time
  • wireless Denial of Service - the text makes a good point that we only have to deny users access to the radio frequencies involved in order to deny their access to a wireless network; several devices can typically cause radio interference on the 2.4 GHz bands: using this technique can be called RF jamming
  • disassociation attack - another DoS technique unique to wireless: the attacker can send frames to the WAP that spoof the addresses of devices already on the system, each frame asking to have the device dropped from the network (disassociation frames).
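
Two of the exploits in the list above, the evil twin / rogue access point and the disassociation flood, leave traces that a monitoring station can see in 802.11 management frames. The following is an added example (not code from the course notes or the textbook) of a toy wireless intrusion-detection pass over constructed frame records: it flags a beacon that advertises our SSID from a BSSID we do not own, and a WAP that receives a burst of disassociation frames in a short window. The authorized-BSSID inventory, every MAC address, the SSIDs and the timestamps are constructed sample values.

```python
# Added example, not code from the course notes or the textbook: a toy
# wireless intrusion-detection pass over constructed 802.11 management-frame
# records. It flags two of the threats listed above: an evil twin / rogue AP
# (a beacon advertising our SSID from a BSSID we do not own) and a
# disassociation flood aimed at one of our WAPs. Every MAC address, SSID
# and timestamp below is a constructed sample value.
from collections import defaultdict

# Assumed inventory of the access points we actually own.
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
OUR_SSID = "CorpNet"

# Frame records in the shape a packet parser might emit:
# (timestamp in seconds, frame subtype, source MAC, destination MAC, SSID or None)
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [
    (0.0, "beacon", "00:11:22:aa:bb:01", BROADCAST, "CorpNet"),
    (0.1, "beacon", "00:11:22:aa:bb:02", BROADCAST, "CorpNet"),
    (0.2, "beacon", "de:ad:be:ef:00:01", BROADCAST, "CorpNet"),     # our SSID, not our radio
    (0.3, "beacon", "66:77:88:99:aa:bb", BROADCAST, "Guest-Cafe"),  # a neighbour's network, ignored
    (5.0, "disassoc", "c0:ff:ee:00:00:01", "00:11:22:aa:bb:01", None),  # one client leaving normally
]
# A burst of disassociation frames, each carrying a different (spoofed) client
# address, all asking the same WAP to drop a device within about a tenth of a second.
SAMPLE_FRAMES += [
    (1.0 + 0.01 * i, "disassoc", f"02:00:00:00:00:{i:02x}", "00:11:22:aa:bb:01", None)
    for i in range(12)
]


def find_evil_twins(frames, our_ssid=OUR_SSID, authorized=AUTHORIZED_BSSIDS):
    """Return BSSIDs that beacon our SSID but are not in the authorized inventory."""
    suspects = set()
    for _ts, subtype, src, _dst, ssid in frames:
        if subtype == "beacon" and ssid == our_ssid and src not in authorized:
            suspects.add(src)
    return sorted(suspects)


def find_disassoc_floods(frames, window=1.0, threshold=10):
    """Return {WAP address: peak count} for WAPs that received at least
    `threshold` disassociation/deauthentication frames inside any `window`
    seconds. A sliding window over the sorted timestamps finds the peak."""
    by_ap = defaultdict(list)
    for ts, subtype, _src, dst, _ssid in frames:
        if subtype in ("disassoc", "deauth"):
            by_ap[dst].append(ts)
    floods = {}
    for ap, times in by_ap.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop frames older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[ap] = peak
    return floods


if __name__ == "__main__":
    print("evil twin / rogue AP candidates:", find_evil_twins(SAMPLE_FRAMES))
    print("disassociation floods:", find_disassoc_floods(SAMPLE_FRAMES))
```

On the sample data the first check reports de:ad:be:ef:00:01 and the second reports 12 disassociation frames at 00:11:22:aa:bb:01; the single frame at 5.0 seconds is a normal disconnect and stays below the threshold. The window and threshold are arbitrary and should be tuned to a real network's baseline. The standards-based fix for spoofed disassociation and deauthentication frames, which the notes do not cover, is protected management frames (IEEE 802.11w), which lets the WAP and client authenticate those frames instead of trusting the address field.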

Some techniques are more useful against wireless LANs that have no security configurations. This seems less prevalent than in the recent past, but it is still possible here and there. Be aware of the terms war driving (driving around looking for unprotected access points) and war chalking (marking access points for later attack or for other intruders).

There are more wireless vulnerabilities. A classic encryption method that is typically still offered on most equipment is Wired Equivalent Privacy (WEP). It should no longer be used due to some major problems:

  • Short key length - 64 or 128 bits total, including the 24 bit initialization vector, so the actual key is 40 or 104 bits
  • Detectable patterns - examine the math in the text to get the idea that a system using WEP could be cracked in less than 7 hours, and probably less than 5.
  • When WEP was created, available computing power was unlikely to make it possible to crack it. That is no longer true.
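
The arithmetic behind the first two bullets is worth carrying through once. The block below is an added example (not from the course notes or the textbook): it takes the advertised 64- and 128-bit key sizes and the 24-bit initialization vector from the notes, and computes the real key length, the size of the IV space, how long an access point can run before it must reuse an IV, and the birthday-paradox chance of an IV repeat after a given number of frames. The frame rate used for the timing estimate is an assumption chosen for illustration, not a figure from the text.

```python
# Added example, not from the course notes or the textbook: the arithmetic
# behind WEP's short-key and repeated-IV weaknesses. The 24-bit IV and the
# 64/128-bit advertised key sizes come from the notes; the frame rate in the
# timing estimate is an assumption for illustration only.
import math

IV_BITS = 24  # the initialization vector WEP prepends to every frame, sent in the clear


def effective_key_bits(advertised_bits):
    """A '64-bit' or '128-bit' WEP key includes the 24-bit IV, so the secret
    part is only 40 or 104 bits."""
    return advertised_bits - IV_BITS


def iv_space():
    """Number of distinct IVs available: 2**24 = 16,777,216."""
    return 2 ** IV_BITS


def hours_to_exhaust_ivs(frames_per_second):
    """If every frame used a fresh IV, this is how long until the sender has
    no unused IVs left and must repeat one. (Assumed constant frame rate;
    real traffic is burstier, and many implementations repeat far sooner.)"""
    return iv_space() / frames_per_second / 3600


def expected_frames_to_first_repeat():
    """Birthday-paradox estimate: about sqrt(pi/2 * N) frames on average
    before two frames share an IV, if IVs are picked uniformly at random."""
    return math.sqrt(math.pi / 2 * iv_space())


def prob_repeat_within(frames):
    """Probability that at least one IV value is reused among `frames`
    randomly chosen IVs: 1 - exp(-k(k-1) / 2N)."""
    n = iv_space()
    return 1 - math.exp(-frames * (frames - 1) / (2 * n))


if __name__ == "__main__":
    for advertised in (64, 128):
        print(f"'{advertised}-bit' WEP key -> {effective_key_bits(advertised)} secret bits")
    print(f"IV space: {iv_space():,} values")
    rate = 1000  # assumed frames per second on a busy WAP
    print(f"IVs exhausted after {hours_to_exhaust_ivs(rate):.2f} hours at {rate} frames/s")
    print(f"expected frames before first IV repeat: {expected_frames_to_first_repeat():.0f}")
    print(f"chance of a repeat within 4096 frames: {prob_repeat_within(4096):.1%}")
```

Two things the numbers make concrete: a 40-bit secret is small enough that the whole key space can be searched, and even the larger 104-bit key gains nothing from the IV, because only about 16.8 million IVs exist. A busy access point at the assumed rate of a thousand frames per second runs through all of them in under five hours, and random IV choice produces the first repeat after only a few thousand frames; every repeat hands an eavesdropper two frames encrypted with the same keystream, which is the "detectable pattern" the text's math is about.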

We should probably never use Wi-Fi Protected Setup (WPS) which I have not encountered in these discussions before. The bottom line is that its security is also hackable, and it should be added to our "do not use" list.

You might think that MAC address filtering, limiting access to devices having specific MAC addresses, might be a good idea. For wireless connections, this turns out to be less secure than we would like. MAC addresses are sent in clear text when associating (making a connection to a WAP), so they are easily discovered, and then the attacker pretends to be an approved device. Controlling access by MAC address also becomes more difficult the more devices you allow to attach to the network. This is like the standard recommendation to use host files only if you have fewer than 10 hosts in your LAN. So this method becomes hard to manage as well as being less than secure.

It has been a standard recommendation for several years to configure your WAPs so they do not beacon. Beaconing is broadcasting your Service Set Identifier (SSID) which is the name of your WAP's wireless network. The concept has been that if there is no beacon, a user must actually know the SSID to request access through it. The problem is that network management packets are typically sent in clear text, and they will include the SSID, so a hacker can harvest it anyway.

The text suggests some standard protective measures on page 204.

  • firewalls on personal devices
  • antivirus and antimalware on all devices
  • VPN usage, especially when the temptation to use an unencrypted WAP is too strong
  • training users in the dangers that threaten their devices

On page 205, the text begins a discussion of wireless hacking tools. Several are listed, but its two favorites appear to be NetStumbler and inSSIDer. The text points out that NetStumbler has not been updated in a while, and it only supports protocols through 802.11n. inSSIDer has an older free version, and a newer licensed version. Our author seems to like its interface. Both versions are downloadable for Windows, macOS, and Android. If you follow the links in this paragraph to download a copy, make sure you do not download anything else that the site wants to trick you into downloading.

The text discusses some defensive measures at the end of the chapter. Most have been discussed already.


This week you do not appear to have anything due except proposed questions for the mid-term exam. Project Part 4 and Assignment 4 will be due on March 15th.