Comment: Several years ago, I was the leader of an operationalized telecommunication cell. The purpose of the cell was to monitor the effectiveness and readiness of the telecommunications in support of the ongoing operations. The staff regularly turned over due to the operational tempo and I had to train new staff quickly. I did so by preparing a series of technical briefs on topics the cell dealt with. This brief was dealing with WiFi vulnerabilities.
Wireless Network Vulnerabilities Technical Brief
Networking standards are promulgated by the Institute of Electrical and Electronics Engineers, The IEEE consortium, and known as the 802.XX standard. Some of the commonly used standards follow:
- 802.03 - Ethernet
- 802.08 - Fiber Optic
- 802.11 - Wireless LAN
- 802.15.1 - Bluetooth
- 802.15.5 - Mesh Networks
- 802.16 WiMax (Broadband wireless)
Wi-Fi is short for ‘Wireless Fidelity’ and meets the specifications known as the 802.11 which includes A,B,G, and N variants. All variations of 802.11 are compatible with each other. The differences between each variant, Table 1.
Table 1: 802.11 Variant Traits | ||||
---|---|---|---|---|
Protocol | Frequency (GHz) | Data Rate (Mbit/s) | Range (ft) | |
A | 3.7 | < 54 | < 16,000 | |
B | 2.4 | < 11 | < 460 | |
G | 2.4 | < 54 | < 460 | |
N | 5 | < 150 | < 820 |
Employment of the 802.11 technologies is very similar to other networking technologies permuting; Peer-to-peer, Client-Server, and mobility between wireless networks. Interconnectivity between wireless networks over large geographic regions may be achieved by building larger WANs from integrated building block WANs. Connectivity is generally via an access point or point-to-point in an ad-hoc network.
A more recent concept is the WiFi 'Cloud' which is a virtualized network that brokers services. There are two variants; Cloud Enabled Networks (CEN) and Cloud Based Networks (CBN). CENs are hybrid in that they require some network devices to remain outside the cloud. CBNs virtualize everything within in the cloud and often runs on thin client having only marginal hardware for connectivity. Both may service connectivity via WiFi.
Security
Many companies and private citizens have adopted the use of WiFi technology but not without consequences. Wi-Fi security has two methods of authentication services. The default is ‘open system’ and is the simplest with password security. Shared key authentication requires independent distribution of the secret shared key and authentication knowledge by legitimate devices via a Wired Equivalent Privacy (WEP). WEP is more secure than ‘open system’ but also has weaknesses that may be exploited. WEP exchanges authentication data that potentially exposes the encryption scheme due to predictable patterns and static decryption keys.
Most Wi-Fi networks are open systems. Wi-Fi systems are extremely vulnerable to unauthorized access and an entire sub-culture has evolved to exploit these wireless systems. WiFi in the early days was susceptible to a technique known as WarDriving which is the equipage and practice of identifying wireless networks by driving through areas to locate the networks. Once a network is identified the bandwidth is typically pirated or hijacked. Today, free WiFi access is so pervasive that war driving is not practiced much. However, other malicious activities could occur due to other inherent vulnerabilities.
In general, most hacker methods on wired networks also apply to wireless networks. For example, gaining access and escalating privilege methods such as password cracking may be employed. Denial-of-Service (DoS) attacks prevent access to network resources by overwhelming network services and choking transmissions. Typical DoS attacks include:
- Application DoS Attacks: The goal of this type of attack is to prevent users from accessing a network service by forcing the service to fulfill overwhelming transactions. For example, flooding a server with service request.
- Transport DoS Attacks: This attack targets the operating system by sending an excessive number of connection requests causing the system to lockup.
- Network DoS Attacks: Large amounts of data overwhelm the victim network infrastructure. A ping flood attack is one example.
- Data-link DoS Attacks: Unique to wireless networks because physical networks have intelligence designed to prevent such attacks. Essentially, repeated frame headers with no payload are sent then are rebroadcasted to the point the media is overwhelmed.
- Physical DoS Attacks: This kind of attack is normally rare. However, with wireless technologies a device can be built to saturate the electromagnetic spectrum and disrupt communications with noise.
- Man-in-the-Middle attacks require access to the victim network either by ‘tapping’ a physical path on the network or reception of radio frequency traffic. Some of these attack include:
- Eavesdropping: Illicit unauthorized receipt of a data communication stream for the purpose of analyzing and monitoring.
- Manipulation: The ability to collect, modify, and then re-transmit modified data.
- ARP Poisoning: The ability to force network traffic through a malicious machine by associating the hostile machines MAC address with the legitimate machines IP address thus impostering the victim.
The electromagnetic spectrum introduces a few newer techniques unique to the wireless environment.
- Antenna Diversity Attack: Arrayed antennas are used to improve signal strength. However, they can be misconfigured easily and this creates vulnerabilities. If the antennas cover different areas, an attacker on one antenna can imposter someone on the other then garrauntee that his signal is stronger forcing the victim to be ignored by the system.
- Malicious Access Points: An attacker can easily spoof access points and either deny network access or monitor activity based on signal strength.
Wifi has the advantage of mobility and reduced infrastructure requirements. However, there are increased risks associated with WiFi. Careful design and architecture will reduce the risk. Utilizing Virtual Private Networks, VPNs, and registration of permitted MAC Addresses improves the security. Also turning off discovery and not broadcasting the SSID will strengthen the security. The trade off is limiting access to only those who know and are aware of the WiFi network.
No comments:
Post a Comment