Wireless Security: Attacks and Defenses

By | May 15, 2006

Perhaps the local system admin doesn't thoroughly understand networking principles. Maybe s/he lacks the tools necessary to carefully monitor network traffic and detect anomalies that could indicate the presence of a rogue access point. Worst case, s/he might not even care. This can be extremely problematic in that network assets may be compromised, unbeknownst to anyone in the organization. Your company should make sure that system administrators are well trained, with a strong background in computer and network security.

In any system, the human components are the weakest link. Wireless networking is certainly no exception. Your organization should define strict policies and procedures related to wireless networking within a well-publicized company document. It is especially important with regard to wireless networking that employees are made aware of these rules. As you saw in the opening vignette, an unwitting employee with good intentions compromised company data without even knowing she had done so. Because wireless hardware is cheap and relatively easy to use, the risk of your network containing rogue access points is great. You should be sure to set standards for any wireless hardware configurations within the company network and perform routine network audits to ensure that there are no open doors. We will discuss more specifics of wireless networking policies and procedures in our discussions on defense methods.

Rogue Access Points – As discussed earlier, it is easy for even a novice to acquire equipment and set up a wireless network. When this is done from within another network, it creates a subnet that can open back doors into its parent. There are many easily overlooked mistakes that can be made in configuring a wireless network, and novice users are especially likely to make them. Individuals who wish to intrude upon a network can also plant rogue access points themselves. Network administrators must implement strict policies regarding the deployment of wireless hardware, and audit their networks often with reliable tools to ensure that no rogue access points exist.
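The audit the paragraph calls for can be reduced to comparing what a wireless survey hears against an inventory of the radios the organization actually owns. The following is an added example (not code from the original article) that classifies each observed access point as authorized, misconfigured, an "evil twin" broadcasting a corporate SSID from unknown hardware, a rogue candidate (unknown and strong enough to be inside the building), or merely a neighbor. The inventory, the survey results, the -70 dBm "inside the building" threshold and the SSID names are all constructed for illustration; in practice the survey would come from a scanner or the controller's neighbor-AP report.

```python
"""Rogue access point audit: compare a wireless survey against an inventory.

Added example, not from the original article. Inventory and survey data below
are constructed; the RSSI threshold is a site-specific assumption.
"""
from dataclasses import dataclass

# Authorised access points: BSSID -> (SSID, expected channel). Constructed data.
AUTHORISED = {
    "00:11:22:33:44:01": ("CorpNet", 1),
    "00:11:22:33:44:06": ("CorpNet", 6),
    "00:11:22:33:44:0b": ("CorpNet", 11),
}

# Corporate SSIDs that must only ever be broadcast by authorised hardware.
CORP_SSIDS = {"CorpNet"}


@dataclass(frozen=True)
class SeenAP:
    bssid: str
    ssid: str
    channel: int
    rssi: int          # signal strength in dBm; strong usually means inside the building
    encryption: str    # "open", "WEP", "WPA2", ... as reported by the scanner


# Survey results. Constructed sample.
SURVEY = [
    SeenAP("00:11:22:33:44:01", "CorpNet", 1, -48, "WPA2"),
    SeenAP("00:11:22:33:44:06", "CorpNet", 6, -55, "WPA2"),
    SeenAP("00:11:22:33:44:0b", "CorpNet", 6, -57, "WPA2"),    # known radio, wrong channel
    SeenAP("aa:bb:cc:dd:ee:01", "CorpNet", 6, -50, "open"),    # evil twin: corporate SSID, unknown radio
    SeenAP("aa:bb:cc:dd:ee:02", "linksys", 11, -42, "open"),   # employee's home router plugged in
    SeenAP("de:ad:be:ef:00:01", "Cafe-Guest", 1, -85, "WPA2"), # weak signal: probably the neighbour
]


def classify(ap, authorised=AUTHORISED, corp_ssids=CORP_SSIDS, inside_rssi=-70):
    """Return a finding label for one observed AP."""
    key = ap.bssid.lower()
    if key in authorised:
        ssid, chan = authorised[key]
        if ap.ssid != ssid or ap.channel != chan:
            return "misconfigured"   # known radio drifted from its standard build
        return "authorised"
    if ap.ssid in corp_ssids:
        return "evil-twin"           # someone else is impersonating our network
    if ap.rssi >= inside_rssi:
        return "rogue-candidate"     # unknown and close: walk the floor and find it
    return "neighbour"


def audit(survey, **kw):
    """Group the BSSIDs of every observed AP by classification."""
    findings = {}
    for ap in survey:
        findings.setdefault(classify(ap, **kw), []).append(ap.bssid)
    return findings


if __name__ == "__main__":
    for label, bssids in sorted(audit(SURVEY).items()):
        print(f"{label:16s} {', '.join(bssids)}")
```

The signal-strength cut-off is the weakest part of any such audit: an attacker-planted access point in the parking lot and a neighbor's router on the other side of a wall can look identical from inside, so "rogue-candidate" findings need a physical walk with a directional antenna, and the inventory must be kept current or every legitimate new deployment will be flagged.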

Warchalking – Another point of interest before moving on is warchalking, which is possibly more of a compelling idea than a physical reality. It is a modern version of the hobo sign language used to alert one another to places providing shelter, food, and potential trouble. Using a fairly universal set of symbols, individuals mark structures that have hotspots associated with them. In many cases these symbols encode a good deal of information about each node and the type of security currently being implemented. According to John Hiler, a New Yorker who writes about blog culture on his microcontent news site http://www.microcontentnew.com, warchalking is a "perfect storm" of three major tech themes. "It's got Wi-Fi. It's got the tie-in to hobo language, which is really cool from a linguistics point of view. And it ties into the spirit of democracy, which was the original intention of the Web," he said. "It's the subversive idea of giving the finger to the local land-line monopoly."

MAC Address Spoofing – Media Access Control (MAC) addresses act as personal identification numbers for verifying the identity of authorized clients on wireless networks. However, existing encryption standards are not foolproof. A hacker can pick off authorized MAC addresses and steal bandwidth, corrupt or download files, and wreak havoc on an entire network. While securing your wireless LAN with an authorized list of MAC addresses for authentication will provide some security, MAC addresses were never intended to be used in this way.

There are a few legitimate reasons and examples of why you would want to spoof your MAC address:

1. A firewall could be set up to only accept traffic from a certain MAC address at a certain time. An administrator could generate a list of MAC addresses that would change every certain number of days, hours, or even minutes. The user would have to set their MAC address within the time window to send packets to the firewall.

2. Some ISPs keep track of the MAC address that a subscriber is using. They only allow registered addresses to connect to the Internet, and charge more money for additional IP clients. It might become inconvenient to be limited to a particular MAC address if a user needs to change the gateway or change cards in the gateway temporarily, and would have to re-register a new MAC address just to move some equipment around for a few days.

Even if you are using encryption or virtual private networks (VPNs), MAC addresses are always in the air. With software such as Kismet or Ethereal®, a hacker can capture the MAC address of an authorized user. They can then change their MAC address to the valid user's MAC address using any number of spoofing or cloning utilities, or even by manually changing the Windows registry entry. Now the hacker can connect to the wireless LAN and bypass any MAC address filtering. Netstumbler® can also be used with a MAC spoofing utility or MAC address modifying utility such as SMAC to achieve the same results.
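Because a cloned address is indistinguishable from the real one at the filter, detection has to look at behaviour rather than at the address itself. One widely used heuristic is the 802.11 sequence counter: every station increments a 12-bit counter for each frame it sends, so a single radio produces one smoothly rising series while two radios sharing a MAC produce two interleaved series and the counter appears to jump backwards or leap far ahead. The following is an added example (not from the original article) that applies that heuristic to a constructed capture; the frame list, the MAC addresses and the 64-frame tolerance are all made up for illustration.

```python
"""Detecting a cloned MAC address from 802.11 sequence-number gaps.

Added example, not from the original article. Frames below are constructed:
00:..:aa is a normal client, 00:..:bb is shared by a real client and a clone.
"""
SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits and wrap at 2**12

# Constructed capture: (source MAC, sequence number) in arrival order.
FRAMES = [
    ("00:00:00:00:00:aa", 4090), ("00:00:00:00:00:bb", 2000),
    ("00:00:00:00:00:aa", 4091), ("00:00:00:00:00:bb", 2001),
    ("00:00:00:00:00:aa", 4092), ("00:00:00:00:00:bb", 517),   # clone's own counter
    ("00:00:00:00:00:aa", 4093), ("00:00:00:00:00:bb", 2002),  # real client again
    ("00:00:00:00:00:aa", 4094), ("00:00:00:00:00:bb", 518),   # clone again
    ("00:00:00:00:00:aa", 4095), ("00:00:00:00:00:aa", 0),     # legitimate wrap-around
]


def seq_gap(prev, cur):
    """Forward distance from prev to cur on the 4096-entry ring (0..4095)."""
    return (cur - prev) % SEQ_MOD


def find_spoof_candidates(frames, max_gap=64):
    """Return {mac: anomaly_count} for MACs whose counter moves implausibly.

    Lost frames produce small forward gaps and retransmissions repeat the same
    number (gap 0), so only a forward gap larger than max_gap counts. A
    backwards move shows up as a gap close to SEQ_MOD and is caught by the
    same test.
    """
    last = {}
    anomalies = {}
    for mac, seq in frames:
        if mac in last and seq_gap(last[mac], seq) > max_gap:
            anomalies[mac] = anomalies.get(mac, 0) + 1
        last[mac] = seq
    return anomalies


if __name__ == "__main__":
    for mac, count in find_spoof_candidates(FRAMES).items():
        print(f"{mac}: {count} sequence-number anomalies, possible cloned MAC")
```

A single large gap is weak evidence on its own, since a driver reset or a roaming client can also restart its counter; what marks a clone is the counter repeatedly alternating between two series, as it does for `00:..:bb` above. Pairing the sequence check with signal strength per frame (two radios in different places rarely show the same RSSI) makes the alert considerably more reliable.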

Noisy Neighbors – The proximity of other wireless networks and equipment to your own is of utmost importance, for these can be a source of noise within your network. Because we are dealing with radio waves passing through the air, unwanted radio signals can wander into our domain from outside sources such as cordless phones, microwave ovens, or the neighboring business' 802.11 router. This noise, or interference, can have a drastic effect on network performance and reliability.

Aside from the noise-related issues, network users within earshot of your access point could be consuming your bandwidth. Windows XP's built-in Wireless Zero Configuration utility, for example, is set up by default to join the wireless network with the best signal. Once it has successfully connected, it stores the network SSID as a "preferred network" and will connect to it each time it comes within range. Though this is convenient in most circumstances for the network client, it can lead to unwanted network users. Even with WEP enabled, which can keep unwanted clients from joining your network, would-be clients knocking on the door and requesting connections can consume significant bandwidth. Auditing and scanning your network, methods of which we will discuss later, can minimize noise from and overlap with neighbor networks.

Caveat: Interference of this type was recently experienced at a conference in Las Vegas, Nevada. Attendees were invited to connect to the conference's wireless network at a designated hotspot within the venue. One attendee in particular attempted to connect to the advertised access point for ten minutes before giving up and venturing to a nearby Starbucks coffee house, where he paid $9.95 for a day's access to T-Mobile. The failure at the conference center had two causes. First, there were some 35 active access points in the large display room, all using the same 802.11b/g frequencies and thus both interfering with one another and consuming the overall bandwidth. Second, the little bandwidth that was left was being shared by dozens of users of these public access points.
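The conference problem above is the extreme case of something every site survey should check: which channels the neighbors occupy and how strongly they are heard. In the 2.4 GHz band, 802.11b/g channels are numbered 5 MHz apart but each transmission occupies roughly 22 MHz, so any two channels fewer than five numbers apart overlap and only 1, 6 and 11 are mutually clear. The following is an added example (not from the original article) that scores each candidate channel by the summed signal power of every overlapping neighbor and picks the quietest one; the neighbor list is constructed, and the 22 MHz width and the 1/6/11 candidate set are the assumptions stated in the comments.

```python
"""Choosing the least-crowded 2.4 GHz channel from a neighbour survey.

Added example, not from the original article. The survey below is constructed.
"""


def channel_freq_mhz(ch):
    """Centre frequency of a 2.4 GHz channel number (1-14)."""
    if ch == 14:
        return 2484          # channel 14 sits 12 MHz above 13, not 5
    return 2407 + 5 * ch


def channels_overlap(a, b, width_mhz=22):
    """True when two channels' 22 MHz transmissions share spectrum."""
    return abs(channel_freq_mhz(a) - channel_freq_mhz(b)) < width_mhz


# Constructed survey: (ssid, channel, rssi in dBm) of everyone we can hear.
NEIGHBOURS = [
    ("Cafe-Guest", 1, -60), ("linksys", 1, -70), ("NETGEAR", 2, -75),
    ("ACME-Corp", 6, -50), ("ACME-Corp", 6, -52), ("dlink", 7, -80),
    ("print-srv", 10, -88),
]


def interference_score(channel, neighbours):
    """Sum of linear signal power (mW) from every neighbour overlapping `channel`.

    Converting dBm to milliwatts makes a -50 dBm AP count 100 times more than a
    -70 dBm one, which roughly matches how much air time it will take from us.
    """
    total = 0.0
    for _, ch, rssi in neighbours:
        if channels_overlap(channel, ch):
            total += 10 ** (rssi / 10)
    return total


def best_channel(neighbours, candidates=(1, 6, 11)):
    """Return (quietest candidate channel, {channel: score})."""
    scores = {ch: interference_score(ch, neighbours) for ch in candidates}
    return min(scores, key=scores.get), scores


if __name__ == "__main__":
    best, scores = best_channel(NEIGHBOURS)
    for ch, score in scores.items():
        print(f"channel {ch:2d}: {score:.3e} mW of overlapping neighbours")
    print(f"recommended channel: {best}")
```

The score only counts 802.11 neighbors that announce themselves; microwave ovens and cordless phones, which the section also names, are invisible to a Wi-Fi scanner and need a spectrum analyzer, so a channel that looks clean here can still be noisy. Re-run the survey periodically: neighbors move channels too.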

Improper Design – Improper or unknown boundary definitions constitute another possibility for network design error. Wireless network interface cards (NICs) and routers come with a variety of antennas. Some antennas broadcast in a single direction, and while they are not very accommodating to the surrounding area, they definitely help narrow the boundaries. The real danger comes with omni-directional antennas that broadcast in all directions, providing easy access to the wireless network. Below is an illustration giving an example of improper boundary definition for a wireless network.

Caveat: Both of these antenna installations are omni-directional. The one on the left is confined to a single floor and does not broadcast beyond the walls. The one on the right, however, does both.

Notice how the second example in the illustration shows the access boundary of the wireless network extending outside the corporate structure in which the network has been implemented.

Insecure-by-default hardware, unqualified system administrators and coverage boundaries that are out of control make up the key characteristics of faulty wireless network design.

Man-In-The-Middle Attacks – Hailing from the early days of cryptography, man-in-the-middle attacks are an old strategy applied to a new technology. The key concept behind a MITM attack is exactly as it sounds: one entity with malicious intent intercepts a message between two communicating entities. The hijacker can then send the message on to the receiver as if it had never been delayed, and can even alter the message's content. Used in war, this could be a valuable tool for intercepting and altering the enemy's messages to suit the opposing side's purposes. In World War II, if the Axis forces needed to send information to deployed troops, they would send it with a decryption key. This key would be the primary tool for decoding the message and properly deciphering it. If the Allies could intercept this message and break the code, then they would be executing a MITM attack. Upon successful completion of the attack, they'd have three options as to how they'd like to exploit the position.

1. The message could be intercepted, altered and sent on to the recipient with fraudulent information.

2. The message could be blocked and prevented from proceeding any further.

3. The message could simply be read and sent on its way without the recipient's knowledge.

The concept for MITM attacks on wireless networks is the same.
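The three outcomes are easiest to reason about when you can see which of them a receiver is able to notice on its own. The following is an added example (not from the original article) that simulates a sender, a receiver and a relay sitting between them which passes, alters or blocks each message. The sender attaches a sequence number and an HMAC-SHA256 tag, a keyed integrity check the article does not discuss, so the receiver can tell a tampered message from a genuine one and can tell when a message has gone missing. The shared key, the message text and the word the relay rewrites are all constructed.

```python
"""The three man-in-the-middle outcomes, and what an integrity check catches.

Added example, not from the original article. Key and messages are constructed.
"""
import hashlib
import hmac

KEY = b"constructed-shared-key"   # known to sender and receiver only, never to the relay


def make_message(seq, text, key=KEY):
    """Sender side: body is 'seq|text', followed by an HMAC-SHA256 tag over it."""
    body = f"{seq}|{text}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def verify_message(packet, expected_seq, key=KEY):
    """Receiver side: returns (status, text); status is 'ok', 'tampered' or 'missing'."""
    body, _, tag = packet.rpartition(b"|")
    good = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(good, tag):
        return "tampered", None            # body changed but tag could not be re-made
    seq, _, text = body.decode().partition("|")
    if int(seq) != expected_seq:
        return "missing", text             # a message before this one never arrived
    return "ok", text


def relay(packet, action):
    """Man in the middle: 'pass', 'alter' or 'block'. Returns None when blocked."""
    if action == "pass":
        return packet                                    # read and forwarded unchanged
    if action == "alter":
        return packet.replace(b"retreat", b"advance")    # no key, so the tag no longer matches
    if action == "block":
        return None
    raise ValueError(action)


def run(actions, text="retreat at dawn"):
    """Send one message per relay action and collect what the receiver concludes."""
    results = []
    expected = 0
    for seq, action in enumerate(actions):
        packet = relay(make_message(seq, text), action)
        if packet is None:
            continue                       # receiver sees nothing for this message
        status, _ = verify_message(packet, expected)
        results.append(status)
        expected = seq + 1                 # resynchronise after reporting the gap
    return results


if __name__ == "__main__":
    for action, status in zip(["pass", "alter", "block", "pass"],
                              run(["pass", "alter", "block", "pass"]) + ["(nothing received)"]):
        print(f"relay {action:5s} -> receiver reports {status}")
```

Two things stand out in the output. Alteration is detected immediately, and blocking is detected as soon as the next message arrives out of sequence, but the "pass" case, reading the message and forwarding it untouched, leaves no trace at all: an integrity check cannot tell the receiver that a third party has seen the message. That is why wireless traffic needs confidentiality (encryption of the frames) in addition to per-frame integrity, and why a MITM who can read the link remains dangerous even when every message arrives intact.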
