
Wireless Network Security

• Describe the different types of wireless network attacks
• List the vulnerabilities in IEEE 802.11 security
• Explain the solutions for securing a wireless network
Introduction
• Because of the nature of wireless transmissions and the
vulnerabilities of early wireless networking standards, wireless
networks have been prime targets for attackers.
• There have been significant changes in wireless network security,
however, to the point that today wireless security technology and
standards provide users with security comparable to that their wired
counterparts enjoy.
Wireless Attacks
• There are several attacks that can be directed against wireless data
systems. These attacks can be directed against:
• Bluetooth systems,
• Near field communication devices,
• Wireless local area networks.
Bluetooth Attacks
• Bluetooth is a Personal Area Network (PAN) technology designed for
data communication over short distances.
Bluetooth Attacks
• There are two types of Bluetooth network topologies. The first is a
piconet. The second is scatternet.
Bluejacking
• Bluejacking is an attack that sends unsolicited messages to
Bluetooth-enabled devices.
• Bluejacking is usually considered more annoying than harmful
because no data is stolen; however, many Bluetooth users resent
receiving unsolicited messages.
Bluesnarfing
• Bluesnarfing is an attack that accesses unauthorized information from
a wireless device through a Bluetooth connection, often between cell
phones and laptop computers.
• In a bluesnarfing attack, the attacker copies emails, calendars, contact
lists, cell phone pictures, or videos by connecting to the Bluetooth
device without the owner’s knowledge or permission.
• To prevent bluesnarfing, Bluetooth devices should be turned off when
not being used or when in a room with unknown people.
• Another option is to set Bluetooth on the device as undiscoverable,
which keeps Bluetooth turned on, yet it cannot be detected by
another device.
Near Field Communication (NFC) Attacks
• NFC is a set of standards primarily for smartphones and smart cards
that can be used to establish communication between devices in
close proximity.
NFC risks and defenses
Wireless Local Area Network (WLAN) Attacks
• A wireless local area network (WLAN) is designed to replace or
supplement a wired local area network (LAN).
Rogue Access Point
• A rogue AP is an unauthorized AP that allows an attacker to bypass
many of the network security configurations and opens the network
and its users to attacks.
• For example, Hannah purchases an inexpensive consumer wireless
router and secretly brings it into her office and connects it to the
wired network.
• Hannah unintentionally has provided open access to an attacker
sitting in his car in the parking lot who picks up the wireless signal.
This attacker can then circumvent the security protections of the
company’s network.
Evil Twin
• An evil twin is an AP that is set up by an attacker. This AP is designed
to mimic an authorized AP, so a user’s mobile device like a laptop or
tablet will unknowingly connect to this evil twin instead. Attackers can
then capture the transmissions from users to the evil twin AP.
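The distinction between a rogue AP and an evil twin drawn above can be checked mechanically during a site survey. The following is an added example, not part of the original slides: the inventory, the scan results, the "CorpNet" SSID and the `on_wired_lan` flag (assumed to come from a wired-side check such as switch MAC tables) are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SeenAP:
    ssid: str
    bssid: str
    security: str
    on_wired_lan: bool  # assumed input: this MAC was also seen on a switch port

# Constructed inventory of authorized APs: BSSID -> (SSID, security mode).
AUTHORIZED = {
    "02:00:00:aa:00:01": ("CorpNet", "WPA2-Enterprise"),
    "02:00:00:aa:00:02": ("CorpNet", "WPA2-Enterprise"),
}

def classify(ap: SeenAP, authorized: dict) -> str:
    bssid = ap.bssid.lower()
    corp_ssids = {ssid for ssid, _ in authorized.values()}
    if bssid in authorized:
        # Known radio: its advertised settings must match the inventory,
        # otherwise the BSSID may be spoofed or the AP misconfigured.
        return "authorized" if (ap.ssid, ap.security) == authorized[bssid] else "mismatch"
    if ap.ssid in corp_ssids:
        return "evil-twin"   # our SSID advertised by a radio we do not own
    if ap.on_wired_lan:
        return "rogue"       # unknown AP plugged into the wired network
    return "neighbor"        # unrelated network that happens to be in range

# Constructed site-survey results.
SCAN = [
    SeenAP("CorpNet", "02:00:00:AA:00:01", "WPA2-Enterprise", True),
    SeenAP("CorpNet", "02:00:00:bb:00:09", "Open", False),
    SeenAP("HomeRouter", "02:00:00:cc:00:07", "WPA2-Personal", True),
    SeenAP("CoffeeShop", "02:00:00:dd:00:03", "Open", False),
    SeenAP("CorpNet", "02:00:00:aa:00:02", "Open", True),
]

def audit(scan, authorized=AUTHORIZED):
    """Return {bssid: label} for every AP that needs follow-up."""
    return {ap.bssid.lower(): label for ap in scan
            if (label := classify(ap, authorized)) not in ("authorized", "neighbor")}
```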
Intercepting Wireless Data
• One of the most common wireless attacks is intercepting and reading
data (packet sniffing) that is being transmitted. An attacker can pick
up the RF signal from an open or misconfigured AP and read any
confidential wireless transmissions.
Wireless Replay Attack
• The attacker captures the data that is being transmitted (such as
usernames and passwords), records it, and then sends it on to the
original recipient.
• An attacker’s application could examine incoming wireless packets,
and, if the packet data matches a pattern specified in a configuration
file, inject custom content onto the network to redirect traffic to an
attacker’s server.
• In yet another type of attack, a routing protocol attack, the attacker
injects specific packets into the network to redirect a traffic stream
through another router that is controlled by the attacker.
Wireless Denial of Service Attack
• Attackers can likewise use intentional RF interference to flood the RF
spectrum with enough interference to prevent a device from
effectively communicating with the AP.
• This wireless DoS attack prevents the transmission of data to or from
network devices.
• In one type of wireless DoS attack, an attacker can intentionally flood
the RF spectrum with extraneous RF signal “noise” that creates
interference and prevents communications from occurring.
Vulnerabilities of IEEE Wireless Security
• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Setup (WPS)
• MAC Address Filtering
• Disabling SSID Broadcasts
Wired Equivalent Privacy (WEP)
• Short encryption keys
• WEP implementation violates the cardinal rule of cryptography:
anything that creates a detectable pattern must be avoided at all
costs. The implementation of WEP creates a detectable pattern for
attackers.
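The "detectable pattern" can be made concrete. This added example (not from the original slides) relies on a detail of WEP the slide does not spell out: each packet is encrypted with RC4 keyed by a 24-bit initialization vector, sent in the clear, followed by the shared secret, so a repeated IV repeats the keystream. The key, IV and plaintexts are constructed, and the integrity check value is omitted.

```python
import math

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    # Per-packet RC4 key = 3-byte IV || shared secret (ICV omitted here).
    return xor(plaintext, rc4(iv + secret, len(plaintext)))

def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday-bound chance that randomly chosen IVs repeat within `frames` packets."""
    return 1 - math.exp(-frames * (frames - 1) / (2 * 2 ** iv_bits))

# Constructed sample data: a 40-bit secret and two frames that share one IV.
SECRET = bytes.fromhex("0102030405")
IV = b"\x00\x00\x01"
P1 = b"GET /index.html "
P2 = b"user=alice&id=42"
C1 = wep_encrypt(IV, SECRET, P1)
C2 = wep_encrypt(IV, SECRET, P2)

# Same IV and secret give the same keystream, so it cancels out:
# C1 xor C2 equals P1 xor P2 without the key ever being known.
LEAK = xor(C1, C2)
```

With only 2^24 possible IVs, `iv_collision_probability(5000)` is already above one half, which is why the newer protocols described under Wireless Security Solutions moved away from this key construction.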
Wi-Fi Protected Setup (WPS)
• Wi-Fi Protected Setup (WPS) is an optional means of configuring
security on wireless local area networks.
• There are two common WPS methods: PIN and push button.
• Flaws in WPS using the PIN method
• There is no lockout limit for entering PINs, so an attacker can make an
unlimited number of PIN attempts.
• The last PIN character is only a checksum.
• The wireless router reports the validity of the first and second halves of the
PIN separately, so essentially an attacker has to break only two short PIN
values.
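The three PIN flaws above compound, which this added example quantifies (it is not part of the original slides). The check-digit routine follows the Wi-Fi Simple Configuration scheme of alternating 3 and 1 weights; the time per guess and the lockout policy are assumed parameters for comparing mitigations.

```python
def wps_checksum(first7: int) -> int:
    """Check digit for the first seven PIN digits (weights 3,1,3,1,... from the right)."""
    accum, n = 0, first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """An 8-digit PIN is well-formed only if digit 8 matches the checksum of digits 1-7."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])

def worst_case_guesses(split_halves: bool, checksum_known: bool) -> int:
    """Upper bound on PIN attempts under each combination of the listed flaws."""
    if split_halves:
        # First half: 4 free digits. Second half: 4 digits, or 3 plus the check digit.
        return 10 ** 4 + (10 ** 3 if checksum_known else 10 ** 4)
    return 10 ** 7 if checksum_known else 10 ** 8

def hours_to_exhaust(guesses: int, secs_per_guess: float,
                     lockout_after: int = 0, lockout_secs: float = 0) -> float:
    """Time to try every candidate; a lockout pauses after each `lockout_after` failures."""
    total = guesses * secs_per_guess
    if lockout_after:
        total += ((guesses - 1) // lockout_after) * lockout_secs
    return total / 3600

# Assumed figures for illustration: 1 second per attempt, 60 s lockout after 3 failures.
NO_FLAWS = worst_case_guesses(split_halves=False, checksum_known=False)   # 100,000,000
ALL_FLAWS = worst_case_guesses(split_halves=True, checksum_known=True)    # 11,000
UNTHROTTLED_HOURS = hours_to_exhaust(ALL_FLAWS, 1.0)
THROTTLED_HOURS = hours_to_exhaust(ALL_FLAWS, 1.0, lockout_after=3, lockout_secs=60)
```

Under these assumptions a lockout stretches the exhaustive search from about 3 hours to about 64 hours, a delay rather than a fix, so the durable mitigation is turning the PIN method off.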
MAC Address Filtering
• The MAC address is a unique 48-bit number that is “burned” into the
network interface card adapter when it is manufactured.
• A wireless client device’s MAC address is entered into software
running on the AP, which then is used to permit or deny a device from
connecting to the network.
• Filtering by MAC address has several vulnerabilities:
• MAC addresses are initially exchanged between wireless devices and the AP
in an unencrypted format.
• Managing a large number of MAC addresses can pose significant challenges
Disabling SSID Broadcasts
• Require the user to enter the SSID manually on the wireless device to
connect to the AP.
• This feature has some limitations:
• The SSID can be easily discovered.
• It prevents users from being able to freely roam from one AP coverage area to
another.
• It is not always possible or convenient to turn off SSID beaconing.
Wireless Security Solutions
• Wi-Fi Protected Access (WPA)
• Wi-Fi Protected Access 2 (WPA2)
• Wi-Fi Protected Access 3 (WPA3)
• Additional Wireless Security Protections
Wi-Fi Protected Access (WPA)
• In October 2003 the Wi-Fi Alliance introduced its own Wi-Fi Protected Access (WPA).
One of the design goals of WPA was to fit into the existing WEP
engine without requiring extensive hardware upgrades or
replacements.
• The heart and soul of WPA is a newer encryption technology called
Temporal Key Integrity Protocol (TKIP).
• Authentication for WPA Personal is accomplished by using a
pre-shared key (PSK).
• The vulnerabilities in WPA center around two areas, namely, key
management and passphrases.
Wi-Fi Protected Access 2 (WPA2)
• In September 2004, the Wi-Fi Alliance introduced Wi-Fi Protected
Access 2 (WPA2), which was the second generation of WPA security.
• The WPA2 standard addresses encryption by using the Advanced
Encryption Standard (AES) block cipher.
• Authentication for the WPA2 Enterprise model uses the IEEE 802.1x
standard. It is important that the communication between the
supplicant, authenticator, and authentication server in an IEEE 802.1x
configuration be secure.
• A framework for transporting the authentication protocols is known
as the Extensible Authentication Protocol (EAP).
KRACK attacks on WPA2
• Serious weaknesses in WPA2 were found in 2017. An attacker within
range of a victim can exploit these weaknesses using key
reinstallation attacks (KRACKs). Attackers can use this novel
attack technique to read information that was previously assumed to
be safely encrypted. This can be abused to steal sensitive information
such as credit card numbers, passwords, chat messages, emails,
photos, and so on.
WPA3
• WPA3 is a new security protocol, an updated standard that
provides more security and a very timely upgrade in a world that’s
increasingly threatened by data hacks and wireless data theft.
• WPA3 adds four new features to the encryption process to keep it
current:
• Better guest access encryption: WPA3 adds what it calls individualized data
encryption, which means that your individual connection to an open wireless
network will be encrypted, even if that network is not protected by an
overarching password.
• Updated handshake: The updated standard uses a new type of handshake
that adds extra protection against password-crackers and similar brute force
types of hacking.
• Better relations with the Internet of Things: WPA3 includes new
measures to configure security for devices without screens.
• 192-bit security suite: it’s extra-advanced security that uses CNSA
(Commercial National Security Algorithm). That means it meets
requirements for high-level government work, defense agencies, and
super secret industrial projects.
Additional Wireless Security Protections
• A captive portal AP uses a standard web browser to provide
information, and gives the wireless user the opportunity to agree to a
policy or present valid login credentials, providing a higher degree of
security.
• Rogue AP Discovery Tools
• Power Level Controls
• Antennas
• Site Surveys
Summary
• Two of the common attacks on wireless Bluetooth technology are
bluejacking, which is sending unsolicited messages, and bluesnarfing,
or accessing unauthorized information from a wireless device through
a Bluetooth connection.
• Near field communication (NFC) is a set of standards primarily for
smartphones and smart cards that can be used to establish
communication between devices in close proximity. There are risks
with using NFC contactless payment systems because of the nature of
this technology.
Summary
• Because an RF signal can easily extend past the protective perimeter of a
building and because an AP can provide unauthorized entry points into the
network, WLANs are frequently the target of attackers.
• A rogue AP is an unauthorized AP that allows an attacker to bypass
network security and opens the network and its users to attacks. An
evil twin is an AP that is set up by an attacker to mimic an authorized
AP and capture the transmissions from users.
• In wireless replay attacks, attackers capture the data that is being
transmitted, record it, and then send it on to the original recipient
without their presence being detected.
• Attackers can perform a wireless DoS attack that prevents the
transmission of data to or from network devices.
• Wired Equivalent Privacy (WEP) was designed to ensure that only
authorized parties can view transmitted wireless information by
encrypting transmissions. WEP has several security vulnerabilities.
• WPA replaces WEP with the Temporal Key Integrity Protocol (TKIP),
which uses a longer key and dynamically generates a new key for each
packet that is created. Vulnerabilities still exist in WPA in two areas:
key management and passphrases.
• Wi-Fi Protected Access 2 (WPA2) is the second generation of WPA
security. Encryption under WPA2 is accomplished by using AES-CCMP.
• WPA3 is a new security protocol, an updated standard that
provides more security.
• Other steps that can be taken to protect a wireless network include captive
portal APs, rogue AP discovery tools, power level controls, antennas, and site
surveys.
