
Chapter 9-Wireless Network Security


ITIS 412: Information Security

Chapter 9: Wireless Network Security
Instructor: Dr. Dalal Alarayed
Email: dalarayed@uob.edu.bh

Objectives
• Describe the different types of wireless network attacks
• List the vulnerabilities in IEEE 802.11 security
• Explain the solutions for securing a wireless network

2 ITIS 412
Introduction
• Wireless data communications have revolutionized computer networking
• Wireless data networks are found virtually everywhere
• Wireless networks have been targets for attackers
• Early wireless networking standards had vulnerabilities
• Changes in wireless network security have yielded security comparable to wired networks

Wireless Attacks
• Several attacks can be directed against wireless data systems
• Attacks can be directed against:
  • Bluetooth systems
  • Near field communication devices
  • Wireless local area networks

Bluetooth
• Bluetooth - Wireless technology that uses short-range radio frequency (RF) transmissions
• Provides for rapid, ad-hoc device pairings
• Enables users to connect wirelessly to a wide range of computing and telecommunications devices
• Bluetooth is a Personal Area Network (PAN) technology for data communication over short distances
• Provides virtually instantaneous connections between a Bluetooth-enabled device and receiver
• Current version: Bluetooth v4.0

Bluetooth Topologies
• Two types of Bluetooth network topologies:
  • Piconet - Established when two Bluetooth devices come within range of each other
  • Scatternet - Group of piconets in which connections exist between different piconets

Bluetooth Piconet

Bluetooth Scatternet

Bluejacking
• Attack that sends unsolicited messages to Bluetooth-enabled devices
• Can be text messages, images, or sounds
• Considered more annoying than harmful
• No data is stolen

Bluesnarfing
• Unauthorized access to wireless information through a Bluetooth connection
• Often between cell phones and laptops
• Attacker copies e-mails, contacts, or other data by connecting to the Bluetooth device without the owner’s knowledge

Near Field Communication (NFC)
• Low-speed, low-power technology for smartphones and smart cards
• Used to establish communication between devices in close proximity
• Once devices are tapped together or brought within several centimeters of each other, two-way communication is established
• NFC’s ease of use has opened the door for a wide range of practical short-range communications

NFC Contactless Payment
• NFC devices are increasingly used in contactless payment systems, so a consumer can pay for a purchase by tapping the store’s payment terminal with a smartphone
• Users store credit card and/or store loyalty card information in a “virtual wallet” in the smartphone to pay for purchases at an NFC-enabled point-of-sale (PoS) checkout device
• NFC contactless payment systems have risks because of the nature of this technology

Contactless Payment System

NFC risks and defenses

Wireless Local Area Network (WLAN)
• Designed to replace or supplement a wired local area network (LAN)
• Tablets, laptop computers, smartphones, and printers within 460 feet (140 meters) of a centrally located connection device
• Can send and receive information from 54 Mbps to 7 Gbps

IEEE WLANs
• Institute of Electrical and Electronics Engineers (IEEE) - Most influential organization for computer networking and wireless communications
• Dates back to 1884
• Began developing network architecture standards in the 1980s
• In 1997 released the IEEE 802.11 standard for wireless local area networks (WLANs)
• Today there are multiple IEEE 802.11 WLAN standards

IEEE WLAN Standards

WLAN Hardware
• Wireless client network interface card adapter - Performs the same functions as a wired adapter, with an antenna that sends and receives signals
• Access point (AP) consists of:
  • Antenna and radio transmitter/receiver to send and receive wireless signals
  • Special bridging software to interface wireless devices to other devices
  • Wired network interface that allows it to connect by cable to a standard wired network

AP Functions
• AP has two basic functions:
  1. Acts as “base station” for the wireless network: all wireless devices with a wireless NIC transmit to the AP, which in turn redirects the signal (if necessary) to other wireless devices
  2. Acts as bridge between wireless and wired networks, so the AP can be connected to the wired network by a cable, allowing all wireless devices access through the AP to the wired network (and vice versa)

Access point (AP) In WLAN

Home WLAN Hardware
• For a small office or home, another device is commonly used
• Device combines multiple features into a single hardware device:
  • AP
  • Firewall
  • Router
  • Dynamic Host Configuration Protocol (DHCP) server
• Devices are residential WLAN gateways but are often called wireless routers

WLAN Enterprise Attacks
• In a traditional wired network, a well-defined boundary (“hard edge”) protects data and resources
• Two types of hard edges:
  1. Network hard edge: Wired network typically has one point through which data must pass from an external network to the secure internal network; a single data entry point makes it easier to defend against attacks because any attack must likewise pass through one point
  2. Walls of building: Walls keep out unauthorized personnel who cannot physically access computing devices or network equipment

Network Hard Edge

Blurred Edges
• Introduction of WLANs in enterprises has changed hard edges to “blurred edges”
• Instead of a network hard edge with a single data entry point, a WLAN can contain multiple entry points
• Because RF signals extend beyond the boundaries of the building, walls cannot be considered a hard edge that keeps attackers away

Network Blurred Edge

Additional WLAN Enterprise Attacks
• In addition to creating multiple entry points, several different wireless attacks can be directed at the enterprise:
  • Rogue access points
  • Evil twins
  • Intercepting wireless data
  • Wireless replay attacks
  • Wireless denial of service attacks

Rogue Access Points
• Unauthorized AP allows an attacker to bypass network security configurations and opens the network and its users to attacks
• Attacker who can access the network through a rogue access point is behind the firewall and network protections

Evil Twin AP
• Set up by attacker
• Mimics authorized AP
• Authorized user unknowingly connects to evil twin
• Attackers then capture transmissions from users to evil twin AP

Rogue Access Point and Evil Twin Attacks

Intercepting Wireless Data
• One of the most common wireless attacks is intercepting and reading data being transmitted (packet sniffing)
• Attacker can pick up the RF signal from an open or misconfigured AP and read any confidential wireless transmissions
• If an attacker manages to connect to the enterprise wired network through a rogue AP, the attacker could also read broadcast and multicast wired network traffic that leaks from the wired network to the wireless network

Wireless Replay Attack
• Wireless attack can “hijack” a wireless connection to perform a wireless man-in-the-middle attack
• Makes it appear that the wireless device and network computers are communicating with each other, when actually they are sending and receiving data through an evil twin AP (“man-in-the-middle”)
• Wireless replay - Attacker captures data being transmitted, records it, and then sends it to the original recipient without the attacker’s presence being detected

Wireless Denial of Service Attack
• RF jamming - Using intentional RF interference to flood the RF spectrum with enough interference to prevent a device from effectively communicating with the AP
• Another wireless DoS attack takes advantage of an IEEE 802.11 design weakness
• Different types of frames can be “spoofed” by an attacker to prevent a client from being able to remain connected to the WLAN

Wireless Home Attacks
• Home users face several risks from attacks on their insecure wireless networks:
  • Data theft
  • Read wireless transmissions
  • Inject malware
  • Download harmful content

War Driving
• War driving - Searching for wireless signals from an automobile or on foot using a portable computing device
• War chalking - Documenting and advertising the location of wireless LANs for others
  • Previously done by drawing on sidewalks or walls around the network area
  • Today, locations are posted on Web sites

War Chalking Symbols

War driving tools

Vulnerabilities of IEEE Wireless Security
• Original IEEE 802.11 committee recognized that wireless transmissions could be vulnerable
• Implemented several wireless security protections in the standard while leaving others to the WLAN vendor’s discretion
• Protections were vulnerable and led to multiple attacks

Categories of Vulnerabilities
• Four categories of vulnerabilities:
  • Wired Equivalent Privacy (WEP)
  • Wi-Fi Protected Setup (WPS)
  • MAC address filtering
  • SSID broadcasting

Wired Equivalent Privacy (WEP)
• Wired Equivalent Privacy (WEP) - IEEE 802.11 security protocol designed to ensure that only authorized parties can view transmitted wireless information by encrypting transmissions
• WEP relies on a shared secret key known only by the wireless client and AP
• Initialization vector (IV) - 24-bit value that changes each time a packet is encrypted and is combined with the shared secret key

WEP Vulnerabilities
• WEP security vulnerabilities:
  • WEP is limited by the length of the IV, which is only 24 bits
  • WEP creates a detectable pattern that can provide an attacker with valuable information to break the encryption

Wi-Fi Protected Setup (WPS)
• Optional means of configuring security on wireless local area networks
• Designed to help users with limited knowledge of security to quickly and easily implement security on their WLANs
• Accomplished by pushing a button or entering a PIN
• Design and implementation flaws in WPS using the PIN method make it vulnerable
  • No lockout limit for entering PIN

MAC Address Filtering
• Method of controlling WLAN by limiting devices that can access the AP
• Media Access Control (MAC) address filtering - Used by nearly all wireless AP vendors; permits or blocks a device based on its MAC address
• Vulnerabilities of MAC address filtering:
  • Addresses exchanged in unencrypted format
  • Attacker can see address of approved device and substitute it on his own device
  • Managing large number of addresses is challenging

MAC Address Filtering

Disabling SSID Broadcasts
• Service Set Identifier (SSID) - User-supplied network name of a wireless network
• Normally the SSID is broadcast so that any device can see it
• Broadcast can be restricted with the intent that only those users who know the “secret” SSID in advance would be allowed to access the network
• Provides only a weak degree of security and has several limitations

Wireless Security Solutions
• As a result of wireless security vulnerabilities in IEEE and Wi-Fi Alliance technologies, both organizations worked to create comprehensive security solutions
  • IEEE - 802.11i
  • Wi-Fi Alliance - Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2)
• WPA and WPA2 are the primary wireless security solutions today

Wi-Fi Protected Access (WPA)
• Security solution introduced by Wi-Fi Alliance
• Design goal was to fit into the existing WEP engine without requiring extensive hardware upgrades or replacements
• Addresses both encryption and authentication
• Two modes of WPA:
  • WPA Personal - Designed for individuals or small office/home office (SOHO) settings, which typically have 10 or fewer employees
  • WPA Enterprise - Intended for larger enterprises, schools, and government agencies

WPA TKIP and PSK
• Temporal Key Integrity Protocol (TKIP) - Encryption technology that acts as a “wrapper” around WEP, adding an additional layer of security while still preserving WEP’s basic functionality
• Preshared Key (PSK) Authentication - Secret value manually entered on both the AP and each wireless device (essentially identical to the “shared secret” used in WEP)
• Because the secret key is not widely known, it may be assumed that only approved devices have the key value

WPA Vulnerabilities
• Vulnerabilities in WPA:
  • Key management
    • Key sharing is done manually without security protection
    • Keys must be changed on a regular basis
    • Key must be disclosed to guest users
  • Passphrases
    • PSK passphrases of fewer than 20 characters are subject to cracking
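
Added example (not part of the original slides): why passphrase length is the deciding factor in PSK mode. The key derivation shown (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 32-byte output) comes from the IEEE 802.11i standard rather than from these slides; `audit` and `guess_space_bits` are hypothetical helper names, and the entropy figure is only an upper bound.

```python
import hashlib
import math
import string

PBKDF2_ROUNDS = 4096   # fixed by IEEE 802.11i for WPA/WPA2 Personal
PMK_LEN = 32           # 256-bit pairwise master key

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)

def guess_space_bits(passphrase: str) -> float:
    """Upper bound on entropy: length * log2(size of character classes used).

    Real passphrases built from dictionary words are far weaker than this bound.
    """
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    pool = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool)

def audit(passphrase: str, min_len: int = 20) -> dict:
    """Flag passphrases under the 20-character threshold cited on the slide."""
    return {"length": len(passphrase),
            "max_entropy_bits": round(guess_space_bits(passphrase), 1),
            "meets_min_length": len(passphrase) >= min_len}

if __name__ == "__main__":
    # Constructed sample inputs.
    print(derive_pmk("password", "IEEE").hex())
    print(audit("password"))
    print(audit("correct horse battery staple"))
```

The derivation is deterministic and uses only the passphrase and the SSID, so the passphrase is the only secret protecting the network and every device that knows it derives the same key.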

Wi-Fi Protected Access 2 (WPA2)
• Second generation of WPA security
• Based on final IEEE 802.11i standard
• Primary difference: WPA2 allows wireless clients using TKIP to operate in the same WLAN
• Like WPA, there are two modes of WPA2:
  • WPA2 Personal
  • WPA2 Enterprise

CCMP
• Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) - Encryption protocol for WPA2
• Specifies use of CCM (general-purpose cipher mode algorithm providing data privacy) with AES
• Cipher Block Chaining Message Authentication Code (CBC-MAC) component of CCMP provides data integrity and authentication
• CCM does not require that a specific block cipher be used, but AES is mandated by WPA2 (CCMP for WLANs is often designated AES-CCMP)

Extensible Authentication Protocol (EAP)
• Authentication for the WPA2 Enterprise model uses the IEEE 802.1x standard
• Extensible Authentication Protocol (EAP) - Framework for transporting authentication protocols
• EAP was created as a more secure alternative to the weak Challenge-Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP)
• EAP is a framework, not an authentication protocol

EAP Protocols
• Two common EAP protocols:
  • Lightweight EAP (LEAP) - Proprietary EAP method developed by Cisco Systems; requires mutual authentication using Cisco client software; Cisco now recommends that users migrate to a more secure EAP than LEAP
  • Protected EAP (PEAP) - Designed to simplify the deployment of 802.1x by using Microsoft Windows logins and passwords; considered a more flexible EAP scheme because it creates an encrypted channel between client and authentication server

EAP Protocols Supported By WPA2 Enterprise

Additional Wireless Security Protections
• Public area served by a WLAN usually advertises itself or wants the user to read and accept an Acceptable Use Policy (AUP) before using the WLAN
• Captive portal AP - Uses a standard web browser to:
  • Provide information
  • Give wireless user opportunity to agree to policy
  • Present valid login credentials

Rogue AP Detection
• Several methods to detect a rogue AP:
  • Wireless device probe - Standard wireless device (portable laptop computer) can be configured as a wireless probe
  • Desktop probe - Desktop computer used as probe
  • Access point probe - APs can detect neighboring APs
  • Dedicated probe - Exclusively monitors the RF frequency for transmissions
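
Added example (not part of the original slides): what can be done with a probe's output, whichever probe type collects it. Observed beacons are compared against an inventory of authorized APs to separate evil twins, rogue APs and harmless neighbors. The inventory, the wired-side MAC list, the scan records and the finding labels are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # AP radio MAC address
    channel: int
    security: str   # e.g. "WPA2-Enterprise", "Open"

# Constructed inventory of authorized APs: BSSID -> (SSID, channel, security).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", 1, "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("CorpNet", 6, "WPA2-Enterprise"),
}
CORP_SSIDS = {entry[0] for entry in AUTHORIZED.values()}
# Constructed: unknown radio MACs that were also seen on a wired switch port.
SEEN_ON_WIRE = {"de:ad:be:ef:00:10"}

def classify(b: Beacon) -> str:
    bssid = b.bssid.lower()
    known = AUTHORIZED.get(bssid)
    if known:
        if (b.ssid, b.security) != (known[0], known[2]):
            return "config-drift"      # known radio, unexpected SSID or security
        if b.channel != known[1]:
            return "possible-spoof"    # known BSSID heard on an unexpected channel
        return "authorized"
    if b.ssid in CORP_SSIDS:
        return "evil-twin"             # corporate SSID from an unknown radio
    if bssid in SEEN_ON_WIRE:
        return "rogue-ap"              # unknown AP bridged to the wired LAN
    return "neighbor"                  # unrelated nearby network

def triage(scan: list[Beacon]) -> dict[str, list[str]]:
    findings: dict[str, list[str]] = {}
    for b in scan:
        label = classify(b)
        if label not in ("authorized", "neighbor"):
            findings.setdefault(label, []).append(b.bssid)
    return findings

# Constructed probe output.
SCAN = [
    Beacon("CorpNet", "00:11:22:33:44:01", 1, "WPA2-Enterprise"),
    Beacon("CorpNet", "66:77:88:99:AA:BB", 1, "Open"),
    Beacon("linksys", "DE:AD:BE:EF:00:10", 11, "WPA2-Personal"),
    Beacon("CoffeeShop", "10:20:30:40:50:60", 6, "Open"),
    Beacon("CorpNet", "00:11:22:33:44:02", 11, "WPA2-Enterprise"),
]
```

A "possible-spoof" finding needs human review, since APs with automatic channel selection change channel legitimately.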

Power Levels and Placement
• Some APs allow adjustment of the power level at which the device transmits
• Reducing power allows less signal to reach outsiders
• Antenna placement can provide security
  • Locate near center of coverage area
  • Place high on wall to reduce signal obstructions and deter theft

Site Survey
• In-depth examination and analysis of a wireless LAN site
• Several reasons for conducting a site survey (example: achieving best possible performance from WLAN)
• Can also be used to enhance security of WLAN
• Survey can provide the optimum location of APs so that a minimum amount of signal extends past the boundaries of the organization to be accessible to attackers
