Chapter 9 - Wireless Network Security
2 ITIS 412
Introduction
Wireless data communications have revolutionized computer networking
Wireless data networks are found virtually everywhere
Wireless networks have been targets for attackers
Early wireless networking standards had vulnerabilities
Changes in wireless network security have yielded security comparable to wired networks

Wireless Attacks
Several attacks can be directed against wireless data systems
Attacks can be directed against:
Bluetooth systems
Near field communication (NFC) devices
Wireless local area networks (WLANs)

Bluetooth
Bluetooth - Wireless technology that uses short-range radio frequency (RF) transmissions
Provides for rapid, ad-hoc device pairings
Enables users to connect wirelessly to a wide range of computing and telecommunications devices
Bluetooth is a Personal Area Network (PAN) technology for data communication over short distances
Provides virtually instantaneous connections between a Bluetooth-enabled device and receiver
Current version: Bluetooth v4.0

Bluetooth Topologies
Two types of Bluetooth network topologies:
Piconet - Established when two Bluetooth devices come within range of each other
Scatternet - Group of piconets in which connections exist between different piconets

Bluetooth Piconet (figure)

Bluetooth Scatternet (figure)

Bluejacking
Attack that sends unsolicited messages to Bluetooth-enabled devices
Can be text messages, images, or sounds
Considered more annoying than harmful
No data is stolen

Bluesnarfing
Unauthorized access to wireless information through a Bluetooth connection
Often between cell phones and laptops
Attacker copies e-mails, contacts, or other data by connecting to the Bluetooth device without the owner's knowledge

Near Field Communication (NFC)
Low-speed, low-power technology for smartphones and smart cards
Used to establish communication between devices in close proximity
Once devices are tapped together or brought within several centimeters of each other, two-way communication is established
NFC's ease of use has opened the door to a wide range of practical short-range communications

NFC Contactless Payment
NFC devices are increasingly used in contactless payment systems so a consumer can pay for a purchase by tapping the store's payment terminal with a smartphone
Users store credit card and/or store loyalty card information in a "virtual wallet" on the smartphone to pay for purchases at an NFC-enabled point-of-sale (PoS) checkout device
NFC contactless payment systems have risks because of the nature of this technology

Contactless Payment System (figure)

NFC risks and defenses (table)

Wireless Local Area Network (WLAN)
Designed to replace or supplement a wired local area network (LAN)
Tablets, laptop computers, smartphones, and printers within 460 feet (140 meters) of a centrally located connection device
Can send and receive information at rates from 54 Mbps to 7 Gbps

IEEE WLANs
Institute of Electrical and Electronics Engineers (IEEE) - Most influential organization for computer networking and wireless communications
Dates back to 1884
Began developing network architecture standards in the 1980s
In 1997 released the IEEE 802.11 standard for wireless local area networks (WLANs)
Today there are multiple IEEE 802.11 WLAN standards

IEEE WLAN Standards (table)

WLAN Hardware
Wireless client network interface card (NIC) adapter - Performs the same functions as a wired adapter, with an antenna that sends and receives signals
Access point (AP) consists of:
Antenna and radio transmitter/receiver to send and receive wireless signals
Special bridging software to interface wireless devices to other devices
Wired network interface that allows the AP to connect by cable to a standard wired network

AP Functions
AP has two basic functions:
1. Acts as a "base station" for the wireless network: all wireless devices with a wireless NIC transmit to the AP, which in turn redirects the signal (if necessary) to other wireless devices
2. Acts as a bridge between wireless and wired networks: the AP can be connected to the wired network by a cable, allowing all wireless devices access through the AP to the wired network (and vice versa)

Access point (AP) in a WLAN (figure)

Home WLAN Hardware
For a small office or home, another device is commonly used
Device combines multiple features into a single hardware device:
AP
Firewall
Router
Dynamic Host Configuration Protocol (DHCP) server
These devices are residential WLAN gateways but are often called wireless routers

WLAN Enterprise Attacks
In a traditional wired network a well-defined boundary ("hard edge") protects data and resources
Two types of hard edges:

Blurred Edges
Introduction of WLANs in enterprises has changed hard edges to "blurred edges"
Instead of a network hard edge with a single data entry point, a WLAN can contain multiple entry points
Because RF signals extend beyond the boundaries of the building, walls cannot be considered a hard edge that keeps attackers away

Network Blurred Edge (figure)

Additional WLAN Enterprise Attacks
In addition to creating multiple entry points, several different wireless attacks can be directed at an enterprise:
Rogue access points
Evil twins
Intercepting wireless data
Wireless replay attacks
Wireless denial of service attacks

Rogue Access Points
Unauthorized AP that allows an attacker to bypass network security configurations and opens the network and its users to attacks
Attacker who can access the network through a rogue access point is behind the firewall and other network protections

Evil Twin AP
Set up by an attacker
Mimics an authorized AP
Authorized user unknowingly connects to the evil twin
Attackers then capture transmissions from users to the evil twin AP

Rogue Access Point and Evil Twin Attacks (figure)

Intercepting Wireless Data
One of the most common wireless attacks is intercepting and reading data (packet sniffing) as it is transmitted
Attacker can pick up the RF signal from an open or misconfigured AP and read any confidential wireless transmissions
If the attacker manages to connect to the enterprise wired network through a rogue AP, the attacker could also read broadcast and multicast wired network traffic that leaks from the wired network to the wireless network

Wireless Replay Attack
Wireless attack can "hijack" a wireless connection to perform a wireless man-in-the-middle attack
Makes it appear that the wireless device and network computers are communicating with each other, when actually they are sending and receiving data through an evil twin AP (the "man-in-the-middle")
Wireless replay - Attacker captures data being transmitted, records it, and then sends it to the original recipient without the attacker's presence being detected

Wireless Denial of Service Attack
RF jamming - Using intentional RF interference to flood the RF spectrum with enough interference to prevent a device from effectively communicating with the AP
Another wireless DoS attack takes advantage of an IEEE 802.11 design weakness
Different types of frames can be "spoofed" by an attacker to prevent a client from being able to remain connected to the WLAN

Wireless Home Attacks
Home users face several risks from attacks on their insecure wireless networks:
Data theft
Read wireless transmissions
Inject malware
Download harmful content

War Driving
War driving - Searching for wireless signals from an automobile or on foot using a portable computing device
War chalking - Documenting and advertising the location of wireless LANs for others
Previously done by drawing on sidewalks or walls around the network area
Today, locations are posted on Web sites

War Chalking Symbols (figure)

War driving tools (table)

Vulnerabilities of IEEE Wireless Security
Original IEEE 802.11 committee recognized that wireless transmissions could be vulnerable
Implemented several wireless security protections in the standard while leaving others to the WLAN vendor's discretion
Protections were vulnerable and led to multiple attacks

Categories of Vulnerabilities
Four categories of vulnerabilities:
Wired Equivalent Privacy (WEP)
Wi-Fi Protected Setup (WPS)
MAC address filtering
SSID broadcasting

Wired Equivalent Privacy (WEP)
Wired Equivalent Privacy (WEP) - IEEE 802.11 security protocol designed to ensure that only authorized parties can view transmitted wireless information by encrypting transmissions
WEP relies on a shared secret key known only by the wireless client and AP
Initialization vector (IV) - 24-bit value that changes each time a packet is encrypted and is combined with the shared secret key

WEP Vulnerabilities
WEP security vulnerabilities:
WEP is limited by the length of the IV, which is only 24 bits
WEP creates a detectable pattern that can provide an attacker with valuable information to break the encryption

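Added example (not from the slides): a short Python calculation of how few packets it takes before a 24-bit IV repeats, which is the weakness the bullets above describe; the traffic rates it uses are constructed sample values.

```python
"""Added example (not from the slides): quantifying the 24-bit WEP IV weakness.

Assumption from the slides: the IV is 24 bits and is combined with the shared
secret for every packet, so a repeated IV means a repeated per-packet key.
The packet rates below are constructed sample values, not measurements.
"""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct IVs


def iv_collision_probability(packets: int, iv_space: int = IV_SPACE) -> float:
    """Birthday bound: probability that at least one IV repeats among
    `packets` packets whose IVs are chosen uniformly at random.
    Summing log1p terms avoids underflow of the long product."""
    if packets > iv_space:
        return 1.0  # pigeonhole: more packets than IVs
    log_no_repeat = sum(math.log1p(-i / iv_space) for i in range(packets))
    return 1.0 - math.exp(log_no_repeat)


def packets_until_collision(p_target: float, iv_space: int = IV_SPACE) -> int:
    """Smallest packet count at which a random-IV repeat is at least
    p_target likely.  Starts just below the closed-form birthday estimate
    sqrt(2N ln(1/(1-p))) and walks up to the exact answer."""
    estimate = math.sqrt(2.0 * iv_space * math.log(1.0 / (1.0 - p_target)))
    n = max(1, int(estimate) - 10)
    while iv_collision_probability(n, iv_space) < p_target:
        n += 1
    return n


def seconds_to_exhaust_ivs(packets_per_second: int, iv_space: int = IV_SPACE) -> int:
    """Sequential-IV case: after this many seconds every IV has been used
    once and the per-packet keys start repeating for certain."""
    return iv_space // packets_per_second


if __name__ == "__main__":
    n50 = packets_until_collision(0.5)
    print(f"50% chance of a repeated IV after only {n50} packets")
    for pps in (100, 500, 2000):  # constructed sample traffic rates
        hours = seconds_to_exhaust_ivs(pps) / 3600
        print(f"at {pps} packets/s a counter IV wraps after {hours:.1f} hours")
```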
Wi-Fi Protected Setup (WPS)
Optional means of configuring security on wireless local area networks
Designed to help users with limited knowledge of security quickly and easily implement security on their WLANs
Accomplished by pushing a button or entering a PIN
Design and implementation flaws in WPS using the PIN method make it vulnerable
No lockout limit for entering the PIN

MAC Address Filtering
Method of controlling a WLAN by limiting the devices that can access the AP
Media Access Control (MAC) address filtering - Used by nearly all wireless AP vendors; permits or blocks a device based on its MAC address
Vulnerabilities of MAC address filtering:
Addresses are exchanged in unencrypted format
Attacker can see the address of an approved device and substitute it on his own device
Managing a large number of addresses is challenging

MAC Address Filtering (figure)

Disabling SSID Broadcasts
Service Set Identifier (SSID) - User-supplied network name of a wireless network
Normally the SSID is broadcast so that any device can see it
Broadcast can be restricted with the intent that only those users who know the "secret" SSID in advance would be allowed to access the network
Provides only a weak degree of security and has several limitations

Wireless Security Solutions
As a result of wireless security vulnerabilities in IEEE and Wi-Fi Alliance technologies, both organizations worked to create comprehensive security solutions
IEEE - 802.11i
Wi-Fi Alliance - Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2)
WPA and WPA2 are the primary wireless security solutions today

Wi-Fi Protected Access (WPA)
Security solution introduced by the Wi-Fi Alliance
Design goal was to fit into the existing WEP engine without requiring extensive hardware upgrades or replacements
Addresses both encryption and authentication
Two modes of WPA:
WPA Personal - Designed for individuals or small office/home office (SOHO) settings, which typically have 10 or fewer employees
WPA Enterprise - Intended for larger enterprises, schools, and government agencies

WPA TKIP and PSK
Temporal Key Integrity Protocol (TKIP) - Encryption technology "wrapper" around WEP that adds an additional layer of security while still preserving WEP's basic functionality
Preshared Key (PSK) Authentication - Secret value manually entered on both the AP and each wireless device (essentially identical to the "shared secret" used in WEP)
Because the secret key is not widely known, it may be assumed that only approved devices have the key value

WPA Vulnerabilities
Vulnerabilities in WPA:
Key management
Key sharing is done manually without security protection
Keys must be changed on a regular basis
Key must be disclosed to guest users
Passphrases
PSK passphrases of fewer than 20 characters are subject to cracking

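Added example (not part of the slides): the PBKDF2 derivation that WPA/WPA2-Personal applies to the passphrase, as specified in IEEE 802.11i, together with a rough entropy and cracking-cost estimate that shows why passphrases under 20 characters are weak; the attacker guess rate is an assumed figure, not a benchmark.

```python
"""Added example (not from the slides): how WPA/WPA2-Personal derives its
256-bit Pairwise Master Key (PMK) from the passphrase, and a rough cost
estimate showing why passphrases under 20 characters are weak.

The derivation is the one IEEE 802.11i specifies for PSK mode:
PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output.
The guess rate in the estimate is a constructed assumption, not a benchmark.
"""
import hashlib
import math
import string


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, dklen=32)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper bound on entropy: each character assumed uniform over the union
    of the character classes the passphrase actually uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    pool = sum(len(cls) for cls in classes if any(c in cls for c in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def expected_crack_years(passphrase: str, guesses_per_second: float = 1e6) -> float:
    """Expected time for an attacker who recorded the wireless exchange and
    tries candidate passphrases offline, succeeding after half the space."""
    guesses = 2.0 ** passphrase_entropy_bits(passphrase) / 2.0
    return guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Known-answer vector from IEEE 802.11i: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    for pw in ("password", "Summer2014!", "correct horse battery staple 42"):
        print(f"{pw!r}: {passphrase_entropy_bits(pw):.0f} bits, "
              f"~{expected_crack_years(pw):.2g} years at 1e6 guesses/s")
```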
Wi-Fi Protected Access 2 (WPA2)
Second generation of WPA security
Based on the final IEEE 802.11i standard
Primary difference: WPA2 allows wireless clients using TKIP to operate in the same WLAN
Like WPA, there are two modes of WPA2:
WPA2 Personal
WPA2 Enterprise

CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) - Encryption protocol for WPA2
Specifies the use of CCM (a general-purpose cipher mode algorithm providing data privacy) with AES
Cipher Block Chaining Message Authentication Code (CBC-MAC) component of CCMP provides data integrity and authentication
CCM does not require a specific block cipher, but AES is mandated by WPA2 (CCMP for WLANs is often designated AES-CCMP)

Extensible Authentication Protocol (EAP)
Authentication for the WPA2 Enterprise model uses the IEEE 802.1x standard
Extensible Authentication Protocol (EAP) - Framework for transporting authentication protocols
EAP was created as a more secure alternative to the weak Challenge-Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP)
EAP is a framework, not an authentication protocol

EAP Protocols
Two common EAP protocols:
Lightweight EAP (LEAP) - Proprietary EAP method developed by Cisco Systems; requires mutual authentication using Cisco client software; Cisco now recommends that users migrate to a more secure EAP than LEAP
Protected EAP (PEAP) - Designed to simplify the deployment of 802.1x by using Microsoft Windows logins and passwords; considered a more flexible EAP scheme because it creates an encrypted channel between the client and the authentication server

EAP Protocols Supported By WPA2 Enterprise (table)

Additional Wireless Security Protections
Public area served by a WLAN usually advertises itself or wants the user to read and accept an Acceptable Use Policy (AUP) before using the WLAN
Captive portal AP - Uses a standard web browser to:
Provide information
Give the wireless user an opportunity to agree to the policy
Present valid login credentials

Rogue AP Detection
Several methods to detect a rogue AP:
Wireless device probe - Standard wireless device (portable laptop computer) can be configured as a wireless probe
Desktop probe - Desktop computer used as a probe
Access point probe - APs can detect neighboring APs
Dedicated probe - Exclusively monitors the RF frequency for transmissions

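Added example (not the slides' own material) of the wireless-device-probe approach: a script that compares what a scanning laptop hears with an inventory of authorized APs and flags evil twins and rogue APs, covering both the Evil Twin AP and Rogue AP Detection slides; all BSSIDs, SSIDs, thresholds and scan records are constructed.

```python
"""Added example (not from the slides): a wireless-probe check that compares
what a scanning station hears against an inventory of authorized APs and
flags evil twins and rogue APs.  Inventory, MAC addresses and scan records
are constructed sample data; a real probe would feed in scanner output."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SeenAP:
    bssid: str     # AP radio MAC address as seen in beacons
    ssid: str
    channel: int
    security: str  # "WPA2", "WPA", "WEP" or "OPEN"
    rssi: int      # signal strength in dBm; closer to 0 means closer to the probe


# Constructed inventory: BSSID -> (SSID, expected security type)
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", "WPA2"),
    "00:11:22:33:44:02": ("CorpNet", "WPA2"),
    "00:11:22:33:44:03": ("CorpGuest", "OPEN"),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}


def classify(ap: SeenAP, on_premises_rssi: int = -70):
    """Verdicts: authorized (matches inventory); evil twin (one of our SSIDs from
    a foreign BSSID, or a known BSSID whose SSID/security changed); rogue
    (unknown AP heard strongly enough to be inside the building); neighbor."""
    if ap.bssid in AUTHORIZED:
        ssid, security = AUTHORIZED[ap.bssid]
        if (ap.ssid, ap.security) == (ssid, security):
            return "authorized", "matches inventory"
        return "evil twin", f"known BSSID now advertising {ap.ssid}/{ap.security}"
    if ap.ssid in CORP_SSIDS:
        return "evil twin", f"our SSID {ap.ssid!r} from unknown BSSID {ap.bssid}"
    if ap.rssi >= on_premises_rssi:
        return "rogue", f"unknown AP at {ap.rssi} dBm, likely on premises"
    return "neighbor", "unknown AP with weak signal"


def triage(scan):
    """Map each heard BSSID to its verdict; alert on anything but authorized/neighbor."""
    return {ap.bssid: classify(ap)[0] for ap in scan}


# Constructed scan from a laptop probe on the office floor
SAMPLE_SCAN = [
    SeenAP("00:11:22:33:44:01", "CorpNet", 6, "WPA2", -45),
    SeenAP("de:ad:be:ef:00:01", "CorpNet", 6, "OPEN", -50),        # evil twin
    SeenAP("00:11:22:33:44:02", "CorpNet", 11, "OPEN", -48),       # cloned BSSID, downgraded
    SeenAP("de:ad:be:ef:00:02", "Printer-Setup", 1, "OPEN", -55),  # rogue
    SeenAP("de:ad:be:ef:00:03", "NextDoorCafe", 1, "WPA2", -85),   # neighbor
]
```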
Power Levels and Placement
Some APs allow adjustment of the power level at which the device transmits
Reducing power allows less signal to reach outsiders
Antenna placement can provide security:
Locate near the center of the coverage area
Place high on a wall to reduce signal obstructions and deter theft

Site Survey
In-depth examination and analysis of a wireless LAN site
Several reasons for conducting a site survey (example: achieving the best possible performance from the WLAN)
Can also be used to enhance the security of the WLAN
Survey can provide the optimum location of APs so that a minimum amount of signal extends past the boundaries of the organization where it would be accessible to attackers