This lesson discusses security from the perspective of someone managing
a wireless network. Objectives important to this lesson:
Information security
Types of wireless attacks
Legacy security protections
Wireless vulnerabilities
Concepts:
Chapter 9
The author introduces the topics of this chapter with a story of a neighbor
hacking a residential wireless LAN, and victimizing its owners. In this
case, the attacker was traced and prosecuted but that is not always possible.
The text continues with some background on information security. It begins
with the standard listing of the three classic elements of IT security:
confidentiality - only those
who are supposed to access information may do so
integrity - only those who
are allowed to change, add to, or remove information may do so
availability - those who are
supposed to have access to information may access it as needed
The author expands on these classic points by explaining that we must
ensure that protective measures are
implemented and that we must protect the devices
and software processes that we
use to store, transmit, and manage our information. The element of security
for transmissions is the one that wireless technology is most concerned
with.
The text offers some bullet points about problems that make attacks easier,
more successful, and more numerous than in the past. The reasons are not
as important as simply realizing that security is an issue and it will
only get worse as technology improves, connections become more common,
and bad motives exist.
On page 324, the text begins a section about wireless attacks which is
broken into categories that don't help us as much as they might. Let's
try it again for the author. His first point is that there is a difference
between wired LANs and wireless LANs that affects their vulnerability
to attack. A wired LAN is protected by the actual walls of its buildings,
and the need for a wired connection to the LANs themselves to access their
networks. Wireless networks do not have those "hard edges". In theory,
they can be accessed by any device in range of an access point. Are you
afraid yet?
Let's move on to the first bullet list in this section, and consider
the author's list of attack vectors,
paths or means by which attackers might launch their attacks, that apply
to enterprise LANs (e.g. commercial,
corporate, government, or educational).
open or misconfigured AP -
An AP with no security set on it (an open
AP) is an invitation to an attacker; improper configuration (such
as choosing an encryption method that is easily defeated) can be almost
as inviting.
rogue AP - It is very common for people who understand a little
about networks to become responsible for compromising networks to which
they have legitimate access. I don't mean that all users do this, but
a significant number think it is fine to buy a wireless access point,
bring it to work, plug it into the network, and use that WAP to provide
wireless access for themselves and their friends. This is not fine because
such APs are typically unprotected, unmanaged, and provide easy access
to an attacker who finds the AP whether it is beaconing an SSID or not.
Attaching such a device to the network is a violation of security policy
in every environment where I have worked.
evil twin - When an attacker monitors broadcast transmissions,
one thing that the attacker will collect will be the identifying
information about real APs. In an ideal exploit, the attacker
sets up their own AP that masquerades
as a real AP. It then solicits connections from mobile users
and collects their information. This real information can be passed
on to the real AP, with the evil twin acting as a go between.
What's the point? The evil twin collects data from the network
and the users it is acting for, making this a man-in-the-middle
attack; see this
story about a Dutch hacker doing a variation of this technique
The text changes topics slightly to describe types of wireless attacks
(exploits) on the WLAN itself, based on their objectives:
reading data - As the text explains, an attacker who finds
an open or misconfigured AP and probably read or decode and
read its transmissions. An attacker who gains access through a rogue
AP can also read many transmissions from the wired network to which
the AP connects.
hijacking wireless connections - The text elaborates on the
man-in-the-middle attack described above, mentioning that such an attack
can be active or passive. In a passive attack,
the attacker simply gathers information from transmissions. In
an active attack, the attacker may alter information that
it passes along, or it may add its own payload (such as a virus)
to the packets it is passing.
inserting network traffic - Although the topic in the name
of this mission is covered in the bullet above, the text actually means
that the attacker inserts network routing commands to send traffic
to a server or router of its choosing (and one the attacker presumably
has compromised).
Denial of Service (DoS) - In this famous kind of attack,
the attacker prevents some device or devices from performing their proper
function. In the classic example, the attacker floods a network with
requests to log in, so that legitimate requests have no chance to be
processed.
The text describes a variation in which so many wireless
packets are sent to the network that all signals are effectively
blocked. It calls this RF jamming.
A DoS attack that is unique to wireless systems has the
attacker sending disauthentication and disassociation
packets to the AP that seem to be from devices that are currently
part of the network. As the text explains, this is possible because
the AP does not require proof of identity when it processes a packet,
believing the address that the packet contains must be true. The
spoofed packets effectively act as messages to the AP that
each of these devices has requested to leave the wireless network,
leaving them unable to transmit or receive any data across
it.
Another attack that is unique to wireless systems has the attacker
sending requests for long reservations to the AP. The attacker
can once again spoof a device already on the WLAN, and while
doing so, it sends an RTS packet with the maximum duration
value allowed: 32767. The attacker may send such packets
as each of the devices on the WLAN, establishing long transmission
times for each of them that they do not need to use. This will make
all the other stations on the WLAN wait to send requests
themselves until those reservations have expired.
The next topic is about attacks from the point of view of the stations
using a wireless LAN. There is no discussion of these attacks, perhaps
because they have already been discussed, but the author lists five different
tools that would be used to stage these attacks and the sort of threat
that a station faces from each of them. In the table on page 329, the
locations listed are not relevant. One could use each of these approaches
equally well in each of the suggested locations.
Tool Used
Action or Attack
What should a user do?
Wireless protocol analyzer
Capture unencrypted packets
Don't send sensitive data across a channel that is not secure.
Computer with wireless NIC
Pretend to be an AP, entice uses to join your WLAN, capture their
information
Connect to an AP you should be connecting to, not to another station
in an ad hoc set.
Computer with wireless NIC and software-based wireless AP (see pages
73 through 77
Evil Twin exploits: pretend to be a specific AP
Know the AP you should be connecting to. This is unlikely to be
possible.
Access Point in a general area
Evil Twin exploits: pretend to be an alternate AP in an expected
area
Watch out for APs with SSIDs similar to real wireless networks.
This is more possible, but the attacker only has to move up one row
in this table.
Computer with wireless NIC
Capture broadcast and multicast packets sent by mistake
Use wired or wireless connections, not both at the same time.
The author remarks that most home users fail to protect their home
networks. This is less common than it once was. I have noticed while
probing the area around my home that most home LANs are now using WPA
or WPA2 encryption instead of WEP, which is more easily hacked. I note
that Comcast is the most common provider in my area, and that there are
a number of unencrypted xfinitywifi SSIDs in the area. This is
not as dangerous as it sounds. These are typically guest accounts
that will not have rights to change anything on the network. However,
since such connections are unencrypted, anyone using them would have to
know that, and know that one should not send credit card numbers
or other sensitive data across such a connection.
Note that in the image below we only see one strong signal, on channel
6. It is my printer, and even it is expecting wireless signals to be encrypted
with a shared key using WPA2.
The author points out several dangers to having an unprotected
access point. They are the same at home as they are at work, but his point
is that users tend to protect their home equipment less often and
not as well as a professional might. Regardless of the improved default
protection on APs from most vendors, the author's point about protecting
other equipment on a home LAN is valid. If your network AP is your
only point of protection, you had better make sure it is as good as you
can make it.
There are two more sections of this chapter, discussing legacy security
features in all 802.11 versions, and their vulnerabilities.
Perhaps the author did it this way so we could skip ahead to the vulnerabilities
section. Let's try to combine the two sections, since the author scrambles
their order in the second one.
access control - As the text states, the phrase access control
means to allow or deny rights or privileges. With regard
to network access, it means that we will choose to allow
certain devices access to our network, and deny access by other
devices.
Since every device trying to access a network has a MAC address,
those addresses have often been used to filter requests to
join a network. The text illustrates a common way to display MAC
addresses. Each MAC address can be written as 12 hexadecimal
digits. The method shown in the text uses dashes between
consecutive pairs of digits. In the graphic displayed above, a similar
method is shown that uses colons between pairs of characters.
The first MAC address we see in the graphic above is 70:54:D2:08:56:E0.
In any MAC address, the three pairs on the left are a sequence
assigned to a NIC manufacturer. No other manufacturer is
supposed to use them. That is why the text refers to that series
of characters as the Organizationally Unique Identifier (OUI).
The three pairs on the right are the serial number of the
NIC itself, which the text calls the Individual Address Block
(IAB).
MAC address filtering in a wired or wireless network is
typically done by an administrator who configures a switch (wired
network) or an AP (wireless network) to allow access to particular
MAC addresses and to deny it to all other addresses.
This is called an implicit deny: if you are not on the list,
you can't come in.
The process can be done another way. If we are using an
implicit allow, the addresses we add to the filter list are
those we wish to deny access, and any other address
is allowed. In either case, the feature is activated by turning
on MAC address filtering, and making a list with the
software of the switch/AP itself.
Vulnerabilities of MAC address filtering are discussed
on page 337.
The larger a network is, the more it will change, and maintenance
of MAC address filters become time consuming.
MAC addresses and SSIDs are broadcast in unencrypted
form when devices are negotiating access. This means that an
eavesdropper can pick up valid addresses by reading such
traffic for a short while. An attacker can harvest this information
to disassociate devices from the WLAN, to spoof
those addresses for entry to the network, or both.
Wired Equivalent Privacy (WEP) - The text spends three
pages on a method that no one uses any more. Do you see WEP in the image
above? No one uses it because it was cracked and most hackers could
use a download to hack into the network of anyone using WEP. The important
part about WEP, other than not to use it, is that it is an early attempt
to use encryption of data. The author uses WEP as a reason to explain
cryptography in general, which I hope you have an idea about, since
we have been using the concept of encryption for some time in this text.
In case this is still new to you, here is some background:
plaintext, cleartext
- a message that has not been encrypted or has been decrypted
encrypt, encipher
- to change an ordinary message with a code or cipher system so
that the message is unreadable
decrypt, decipher
- to change and encrypted message to plaintext
cipher or code
- the difference between a cipher and a code is that a cipher uses
one symbol to stand for another, while a code can use a symbol to
stand for several symbols or words
Caesar cipher - Gaius
Julius Caesar was real, not just a character in one of Shakespeare's
plays. He is famous for several things, one of which is the creation
of a substitution cipher
that is incredibly easy to crack: he wrote down the Latin alphabet
on one line, then wrote it again on a second line, probably offset
by three characters (we can't be certain he did not vary the offset
value), which was used as an encrypting/decrypting tool. The two
lines below show what this would look like in English: abcdefghijklmnopqrstuvwxyz defghijklmnopqrstuvwxyzabc
key - This word can mean two things. One is the method
that is used to encrypt or decrypt a message. The
other is an alphanumeric string of characters that is used
in such a method to perform the encryption. The second is the kind
of key that is shared between devices in most wireless encryption
systems. In the graphic above (glad I captured it) WPA and WPA2
are two methods. PSK-CCMP and PSK-TKIP are two variants
of those methods.
There is a long discussion of WEP in the two sections of the text.
The bottom line is that technology has moved on, and WEP has not.
When it was implemented, computers were less powerful than they
are now, or will be in the future. The complexity of the method
used in WEP is no longer sufficient. It uses keys that are small
enough analyze in a relatively short time, which has been done.
It is cyclic: it uses a number as part of its key,
and the length of the number allows fewer than 17
million versions of it. That sounds like a lot, but in terms
of encrypting packets on a network, we could expect to see repeats
within 5 to 7 hours on most networks. Analyzing that data takes
us to a way to crack the keys, which makes WEP transparent to a
persistent hacker. This bullet list summarizes its problems:
Short key length - 64 or
128 bits total, including the 24 bit
initialization vector, so the actual key is 40 or 104 bits
Detectable patterns - examine the math in
the text to get the idea that a system using WEP could be cracked
in less than 7 hours, and probably less than 5.
When WEP was created, available computing power was unlikely
to make it possible to crack it. That is no longer true.
authentication - As previously explained, authentication is
done either by the open system method or the shared key
method. As you know, there is no security measure applied to
the open system method. It is often implemented as the default method
by the vendors of APs because the shared key method uses WEP
encryption, which you now
know is flawed. As the Cisco discussion behind the link in
the last sentence explains, the best choice is to use the open
system method, because it does not expose the shared key
that can actually be used in a better layer of authentication
once the device is associated with the WLAN.
Assignment: Chapter 9
Review Questions from Chapter 9, 1 - 20
Hands-on projects assigned in class.
Use the data from the Acrylic screen capture above. Pick three
different OUIs from that screen capture. Determine the vendors
associated with those OUIs and turn in that information to complete
this assignment.